June 16, 2025 46 mins

Security is increasingly viewed as a strategic business advantage rather than just a necessary cost center. The dialogue explores how companies are leveraging their security posture to gain competitive advantages in sales cycles and build customer trust.

• Taylor's journey from aspiring physical therapist to cybersecurity expert through a chance college course
• The importance of diverse experience across different security domains for career longevity
• How healthcare organizations have become prime targets due to valuable data and outdated security
• The emerging AI arms race creating unprecedented security challenges and opportunities
• Voice cloning technology enabling sophisticated social engineering attacks, including an almost successful $20 million fraud
• Emerging trends in security validation with tools pulling data directly from security systems
• The shift from viewing security as a cost center to leveraging it as a sales advantage
• Why enterprises are driving security standards more effectively than regulators

Eden Data provides outsourced security, compliance, and privacy services for technology companies at all stages, from pre-revenue startups to publicly traded enterprises, helping them build robust security programs aligned with regulatory frameworks and customer expectations.



Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
How's it going, Taylor?

Speaker 2 (00:01):
It's great to get you on the podcast, you know we had this thing scheduled.
I think it was like just before my newborn was here, or right after, or something like that, you know, and it's been a whirlwind ever since. I can only imagine, Joe. So thankful to be here.

Speaker 1 (00:15):
Thanks for having me on the show and congrats again
on the baby girl.

Speaker 2 (00:21):
Yeah, yeah.
Well, I mean thanks for waiting to come back on and whatnot, you know, but I'm real excited for our conversation.
I think it'll be really fascinating, good.

Speaker 1 (00:30):
I mean, I love nerding out about security, compliance, privacy, but I realize I'm totally biased too.
So I'll have to get some interest out of it.

Speaker 2 (00:40):
Yeah, you know, I feel like when I started in security no-transcript, and that you're starting to like thread

(01:13):
the thread, the line there of like what you should and shouldn't be doing.

Speaker 1 (01:17):
Yeah, you're essentially trying to pass a test all the time and no one likes taking tests.
One of my colleagues says it better than me, but essentially saying nobody gets jazzed up about an auditor walking into the room either.
I have a background being an auditor first before jumping over to the advisory side, and so either side it doesn't matter.
Even if you're internal, folks think that compliance team is

(01:39):
always trying to get them into trouble.
Oh yeah.
Yeah, I mean, I used to work for a credit bureau and you know we had nonstop audits, literally, you know, 365 days a year.

Speaker 2 (01:49):
We had our own internal audit compliance team and they would audit us in front of, you know, like the SOC 2 that's coming up or whatever it is, you know, and I mean we'd be in a conference room and one of them would walk in like a party pooper's here.
You know, like no fun now, guys, you know.

Speaker 1 (02:09):
So true, we fall in the same bucket as lawyers,
right, unfortunately?

Speaker 2 (02:13):
Yeah, yeah, that's a really good point.
I didn't think about that.
Well, you know.

Speaker 1 (02:17):
Taylor, why don't we start?

Speaker 2 (02:18):
with how you got into security.
What made you want?

Speaker 1 (02:22):
to go down that path, right?

Speaker 2 (02:25):
Because, it's not really a normal, not really a
normal path.

Speaker 1 (02:26):
I feel like you know you got to have a few screws
loose somewhere.

Speaker 2 (02:30):
You know to like want to go into this field.

Speaker 1 (02:32):
I feel like that's a fair point.
I actually fell into this by accident.
Huge shout out to Dr First, who was my MIS 270 professor back in the day in college.
I thought I was going to be a physical therapist.
First thought I was going to be a chef.
Then I went into school for physical therapy and I, one, was failing anatomy miserably.
And two, I got to.

(02:53):
Everybody has to take a business class.
I had early influence from an impactful professor and that allowed me to jump into the MIS program, which gave me exposure to cybersecurity.
And then the big four recruited pretty heavily from college and so I got this opportunity to jump over to Deloitte right out of college and work as an IT auditor initially, but within

(03:15):
the big four it's a lot of networking and meeting different partners that work on different engagements, and so I actually got this great, unique opportunity where I got to bounce back and forth between cybersecurity and IT audit, which we were just talking about, compliance and cybersecurity, how they go hand in hand.
That gave me deep exposure and it allowed me to understand

(03:35):
things like control objectives and risks and procedures and policies and all those fun buzzwords.
Yeah, it's really, it's fascinating when you go down the consulting rabbit hole, right, because it's like every day is, you know, completely different and you're supposed to be the expert in the room when, you know, in the beginning you probably

(03:56):
don't feel like you're the expert by any degree, right, and I always wondered what it would be like for me to go down that path.

Speaker 2 (04:04):
I feel like.
I don't know.
I feel like I might be in a different situation.

Speaker 1 (04:08):
I don't know.

Speaker 2 (04:09):
Situation is probably a bad bad word to describe it
right.

Speaker 1 (04:12):
But I would be in a different position, for sure,
yeah.

Speaker 2 (04:14):
Because being able to build your career off of something like that, it's really, it's really, you know, monumental for your career because you're getting that diverse range of experience which I think a lot of people are missing out on nowadays.

Speaker 1 (04:30):
Right, they kind of want to just get into security, you know, and I feel like a lot of people just think about the offensive side of security, and I remember when I was getting my master's, you know, there was one whole semester where we took a pen testing class and then the next one we took a defending class, right.
We took a blue team class and, you know, getting to see both sides of it, the professors, you know, they were from the NSA and

(04:54):
they were saying like this is the only way that you're going to figure out one, where you want to go in security, and two, you need to figure out, like, if you are going to go red team, you need to know the blue team stuff like inside and out.

Speaker 2 (05:05):
And if you're going to go blue team, you need to know the red team stuff inside and out. Like there's no.
There's no in between.

Speaker 1 (05:11):
You can choose a different team or a different focus, but you need to know it, right, and so I'm bringing it up, because it's that diverse range of experience that really pays dividends down the road.
Absolutely, I think right now we're dealing with a crisis where security professionals, or aspiring security professionals, are trying to get into the space.
They have no experience and therefore the job market is grim

(05:34):
for them, and so they're kind of stuck in this crux of wanting to get more experience but needing to be able to get a job to allow them to build that experience, and so any kind of exposure that you can get in any domain allows you to at least get your foot in the door and then gives you the credibility to be able to jump around.
And then, of course, what you just mentioned, Joe, of being

(05:56):
able to understand now that when I talk to auditors, I at least have empathy, knowing what they're going through and what they're trying to do.
And then also for my customers' perspective when I'm representing them.
The idea is that I get to now know how to protect them against an auditor.
We always ask them, are you protecting against an auditor or a hacker?
In the case of an auditor, I know exactly what they're looking for.
I know exactly how to pass an audit with flying colors.

(06:17):
Those are great fundamental skills to have, and that's audit versus just general cybersecurity.
Those are just two examples of many.
The security world has like 112 different domains.
I just encourage listeners and folks trying to get into security, or even in security today, like to expand their horizons. Opportunity for us, and it seems like it's changing quite a bit, especially with the rise in AI, and such a key area

(06:41):
that I think a lot of people, you know, overlook, right, is getting that broad range of experience, and I tell this story sometimes where, you know, I was working for a fairly well-known investment firm and one of my coworkers there.

Speaker 2 (06:56):
He wasn't on the security team, it was more like network security slash help desk, you know, like light on the security side, more help desk focused.
But he was at the company for probably 20 years, I mean at least 20.

Speaker 1 (07:09):
And I was telling him, I was talking with him when I first started there.
I said hey, you know, what do you focus

Speaker 2 (07:14):
on what do you do, what's your specialty, and all
that sort of stuff.

Speaker 1 (07:17):
And he told me and I said well, why don't you branch out?
Right, like you should be learning, you know, like a step deeper into network security.
Right, like, you know, the firewalls.
Well, let's get you into the WAF.
Right, like, let's, you know, learn about this other stuff, and he never.
It never happened, it never, you know, took place for whatever

(07:46):
reason.
And sure enough, you know, seven, eight years go by, right, he thinks that he's going to retire there.

Speaker 2 (07:48):
He's early 50s, right, and uh, when layoffs are there, he's the first one out the door, because he was the first one.

Speaker 1 (07:51):
You know, that's most easily to be replaced, because they're just like, well, he does help that stuff, like we can outsource that to India, we can give that to an intern, we can, you know.
So he never, like, diversified, and ever since then he's actually had trouble, you know, getting back into the field, because he knew those one, you know, systems, he knew that one way of doing things at that one company and he never really

(08:14):
learned how other places do it.

Speaker 2 (08:16):
He never saw different things, and so I
always.

Speaker 1 (08:19):
I always look at that and I think to myself like how
can I make myself?
You know, how can I?

Speaker 2 (08:23):
make myself more difficult to lay off.

Speaker 1 (08:26):
Right, like if you're going to lay me off right, like
you know.

Speaker 2 (08:30):
Let it be a good reason, rather than, we.
How can we make sure that we're sticky, right?

Speaker 1 (08:45):
And you need to think about that from the standpoint of if you're an employee, a contractor, a vendor, how can you add a tremendous amount of value in the security space?
And then, how do you stay on top of where the industry is going?
We are up there with the healthcare industry, where our industry changes very rapidly.
Technology's changed very rapidly, our industry changes very rapidly, technology has changed very rapidly.
You have to have, as you mentioned, like just even having

(09:06):
network security skills, expanding that into WAF, expanding that into cloud network capabilities, like you have to stay on top of where the market is going.
And I think sometimes people just bury their head in the sand and say, well, this skill set that I have is what I want to master and I don't want to think about all these other domains.

Speaker 2 (09:23):
Yeah, yeah, yeah, when you're thinking about it, from, you know, providing a service to a customer, right, and you're in a space that rapidly evolves.

Speaker 1 (09:33):
I mean just a couple of years ago, right, LLMs were something that was brand new in everyone's face, right.

Speaker 2 (09:40):
They existed in some extent for years prior, but now it turned into something that everyone uses.
I mean, I use Grok more than I use Google, to be completely honest with you. I'm using Grok heavily for my PhD.
Hopefully my chair doesn't hear that, but I'm definitely using it.
How do you look at the market?

Speaker 1 (10:00):
and then say we're going to build a service around this, because I'm thinking about it from the big four perspective.

Speaker 2 (10:07):
Right, it probably takes the big four a year to launch a new service and build things around it, build an offering around it and everything else like that. How do you adapt, and then how do you also find that skillset, either internally or externally, to actually lead up that practice?

Speaker 1 (10:23):
Yeah, fantastic question.
First of all, on the big four, it takes them sometimes, it feels like a decade, to get a new service off the ground.
I think that they do an okay job of staying on top of relevancy for the industry, for the industries they play in, but getting an actual service off the ground, not so much.
So on our end, one of the things that we fundamentally attempted to do from the get-go at Eden Data is simply be agile,

(10:46):
and so we have a methodology internally on when the market is producing new things. Let's talk about.
We're talking about AI, ISO 42001, for example.
That is the latest and greatest framework on the market related to AI security, and it's that way to get your digital certificate on your, or your certificate on your digital fridge, to brag about the security around your AI.

(11:09):
And so we, it's not hard, like that's public information.
We know it was coming.
There are plenty of firms out there that have never touched that framework, but we decided, hey, let's figure this out before it hits the market, not wait for it to play itself out and wait for people to adopt it, because then it's too late.
And so I encourage everyone to think about how, like a lot of

(11:31):
the security industry in general.
A lot of the principles remain true across multiple domains.
So the idea of why you're incorporating a system or a process is always the same: it's to address a risk.
And the idea of having a control and a policy and a procedure, and all of that collaborating together, that knowing that process well is dangerous, like it's, you know, enough to be dangerous in a good way, and so you can apply those

(11:54):
principles to be able to pick up net new frameworks, for example.
So I think that, to answer your question succinctly, really just staying on top of the frameworks that are coming out and then taking the mindset that just because something is new doesn't mean you need to go get a whole certification in it, doesn't mean you need to get a PhD in it, that wasn't related to

(12:15):
your PhD, of course, but a lot of people say, oh well, I have to have all this experience and in reality the security industry is largely just building upon what's already there.
So that's kind of my advice in general.

Speaker 2 (12:27):
Yeah, I feel like the vast majority of the people in security are really good at maybe knowing 5 to 10 percent of a topic and then building off of it and saying, yeah, I can do it, and then learning from there. That's.
I feel like that's almost what, you know, the hiring managers are overlooking, right, like I didn't know anything about IAM before

(12:50):
I got an IAM dedicated role.
And now I'm leading this product, you know, globally, right, like I didn't know that much.
I knew enough to be able to look around and know if something was wrong or right.

Speaker 1 (13:01):
And I feel like that is something, you know, that would definitely change hiring practices if they just implemented that and had that logic behind it, where it's like, okay, they know the basics, you know, they can build from here.
Exactly, and there's ways to gauge that quite easily, I think, in a hiring process alone.
There's ways to gauge that asynchronously or live, and I do

(13:23):
believe that being able to have those fundamentals is really all you need to be able to build upon.
I think the other important thing to point out is that most of these frameworks are either free online or you can get them for quite cheap.
So ISO 42001, you can go buy it for like 80 bucks on the ISO website. NIST CSF, you can download that for free.

(13:43):
Like there are frameworks out there that you can start to learn and match the puzzle pieces.
That allows you at least to figure out how to read pig Latin in our industry and understand these principles of how things are talked about with risk, objectives and controls and all that good stuff.

Speaker 2 (13:59):
So you were saying how the healthcare industry, you know, changes so rapidly, right?
Were you focused more on the HIPAA side of it or the technology

Speaker 1 (14:10):
side of it, because at least from my perspective
right, solely an end user.

Speaker 2 (14:15):
I've never worked for a healthcare company or anything like that, right. The technology side seems to like it moves along, but it moves along slowly, right, at least from what I can tell.
But I would imagine that HIPAA is changing constantly, like pretty frequently, especially even on a per state basis here in America.

Speaker 1 (14:34):
Yeah, forgive me, I didn't bridge the gap between my comment around healthcare versus security.
I was actually going broader than that and talking about how the healthcare industry as a whole, when we're talking about health and wellness, that is changing so rapidly because of multiple factors, right, the vaccines that we release and the food that we eat.
And now AI is evaluating things at a faster scale.

(14:56):
So doctors these days have to stay on top of their knowledge base.
But I guess, if you were to take it from a security perspective, if you want to look at the healthcare industry in that regard, the healthcare industry has been largely laggard when it comes to technology, just as you mentioned.
But now, because we have gotten to this crisis of security, where folks are not protecting data, data breaches are very

(15:17):
prevalent, all that good stuff, all the fear mongering.
The healthcare industry is one that's been hit the hardest, coupled with the fact that they have the most valuable data on the market.
So you're seeing a scramble in the healthcare industry for folks to try to build towards things like HITRUST, because HIPAA actually, it hasn't updated.
There's a HIPAA update coming that they've talked about for a

(15:38):
while, but it hasn't been touched in over a decade, and so the standards are not meeting expectations for leveling up the healthcare, excuse me, the healthcare industry.
I'm getting all choked up talking about HIPAA.
It's a very emotional topic.

(16:00):
Now we're finally starting to see the regulations catch up with the, with the technology, not the technologies, but the security practices that, that the health care industries are trying to adopt in order to stop the bleeding.

Speaker 2 (16:12):
Yeah, it's, there's fewer industries that you could, you know, with relative ease attack successfully and cause just widespread damage.
You know I'm thinking about, you know, other sectors, right, like the power grid, for instance, or the banking industry.
Those would be like very widespread, touches almost

(16:34):
everyone in a region or the country, right?
But those are very hard targets. I mean, maybe not the power grid, is that, you know, hard of a target.
I have to bring on actually some experts in the area to talk about it.
But you know, when you look at hospitals and medical systems, those seem to be like low hanging fruit and, you know, I'm based out of Chicago, right.

(16:55):
So here we have, you know, Northwestern Memorial Hospital, Lurie Children's Hospital, those are like the two biggest, you know, hospital systems, for sure, in the region and I think it was last year sometime.

Speaker 1 (17:07):
You know one of those hospitals, they went down.
I think it was Lurie's, yeah, Lurie Children's, right.
And I'm not talking, you know, out of pocket about anything.

Speaker 2 (17:17):
There was a news article about it, yeah, but they went hard down for several months.
Right now I don't.
I thought for sure I didn't have a problem, right, because why would that matter to me?
I'm out in the burbs, I go to my, I take my kids to a different pediatrician.
The region that are linked up to.

Speaker 1 (17:36):
Lurie's, because all of them are, are down as well, right.

Speaker 2 (17:49):
And then, you know, I have someone hitting me up on the side saying, hey, we're really swamped over here.

Speaker 1 (17:55):
We could really use your help.
And I'm sitting over here saying, like, I applied to you guys six months ago, I don't know what you want me to do.
You know I need some money.

Speaker 2 (18:03):
I need a contract.

Speaker 1 (18:04):
You know, I need some legal disclosures before we go and dive into this.
They were like, they were swamped.

Speaker 2 (18:09):
You know, I have.

Speaker 1 (18:09):
I have a friend that was working at Northwestern and, you know, physically those two buildings are connected in Chicago and he was telling me, he's like, it is so bad that we had to, literally, physically unplug the network connections between us and them just to make sure that nothing happened to our network.

Speaker 2 (18:25):
Because they were.
They were hard down, they were down to, you know, pads of paper for managing doctors' schedules and stuff.

Speaker 1 (18:33):
That's horrible, oh my gosh. Yeah, our CMO was, when, when they, him and his wife had his baby, they were hit by a cyber attack.
That, yeah, the hospital, and so everything was being done by paper.
It was taking a lot longer.
Those situations hit close to home, but you have to.
We also get all of those notifications on, oh, your data

(18:53):
has been ended up in a breach, and a lot of times it's healthcare entities.
But you pointed out something very important, Joe, which is that a lot of times people are very reactive, and so in this case, they didn't pay attention to needing that cybersecurity support until they were caught with their pants down, and then it's a scramble, and then they want everything yesterday, and then there's all this.
There's, there's this speed associated with it that then

(19:16):
causes more issues because you're, you're missing things, and it's very lumpy in how people invest in security and why they invest in it.
They have to have some material need, whether they are being impacted by a breach or their customer's not going to sign with them because they don't have their SOC 2 attestation or whatever the case may be, and we need to get security shining in

(19:38):
the same light as marketing and finance and these other departments at any company that's collecting sensitive data.

Speaker 2 (19:45):
Yeah, that's a really good point.
You know, I feel like security is always viewed, as, you know, like a black hole that CEOs and boards just send money to and it disappears, you know, when in all actuality, yeah, it disappears.
We don't really make the business any money, but surely we protect the business from extreme losses.

(20:06):
You know, like, even that hospital breach that I just discussed, right, if they just had simple backups, right, and they tested the backups maybe once a year, that problem would be resolved, you know, in an afternoon, in a weekend, right, with a competent engineer on the other side of it, but lo and behold they thought they had backups and they didn't have any

(20:27):
backups, and so then they were in a situation where they had to rebuild everything from scratch, right, and that's

Speaker 1 (20:33):
where security really shines, right.
It's like, hey, you want the rest of the business operating at a high level.

Speaker 2 (20:40):
Well, security enables that.
It allows you to be able to do that.
It protects your ability to do that.

Speaker 1 (20:47):
And we got to find a way to shift that narrative.
Yeah, everybody views security as a cost center and some costs, and it's just not true.
You can either look at it from that perspective of it's not a sunk cost anymore for that hospital that lost millions and millions of dollars.
And then also there's this new trend where you can actually leverage security in your sales cycle and be able to talk about

(21:10):
it in your sales cycle to showcase, hey look, I care about your data, Mr or Mrs Customer, and these are the things we're doing to protect it.
So there ends up being an ROI on security, and I want to see more of that, but unfortunately regulation's not driving that.
It's more enterprises.
It's enterprises that are demanding more security standards across the board, which then, in turn, requires

(21:31):
these companies to invest in it, and so we do need that to be more prevalent in the industry for what you just said to catch on, for folks to look at this in a more positive and necessary light.

Speaker 2 (21:43):
How do you think we make that change?
You know, because I always look at, like, GDPR, right.

Speaker 1 (21:49):
And I actually love everything about it, for the most part, of what they did, where they said, hey, here's the standard.
How you enact it is kind of up to you.

Speaker 2 (21:59):
But this is what we're requiring you, you know, to be able to do, the functionality and all that to have with someone's data.
I feel like here in America we need something like that, where it's like, hey, you know, all these states, you can do whatever you want to do, but here's the bare minimum.
You know you need to.
You know, encrypt personal data.

(22:20):
You know you need to store it this way.
You need to have relevant backups, all that sort of stuff, right.
I feel like that's almost the only way that it'll work, because each state is just going to be, you know, completely different.
And then even from, like, the security team perspective, am I really going to, like, geofence my data in Texas versus New York

(22:40):
because they have two different compliance standards?

Speaker 1 (22:43):
No, typically.

Speaker 2 (22:44):
I'm going to not be very specific with it and I'm going to make it to the higher standard across the board and call it done, right, exactly.
So what's the point of that lower standard?
Yeah?

Speaker 1 (22:56):
I couldn't agree more.
You pick the most comprehensive and you run towards it.
The issue is that right now there's not a lot of enforcement, and I don't want to be the person that says that state regulators need to go and actually issue fines.
But in cases where your lack of care for your customers' data is prevalent, then I do think that those folks are going to

(23:18):
need to be able to have the opportunity to fix it but deal with the repercussions.
Otherwise, we just do not look at data as a sensitive asset anymore, and now the sensitivity of it has changed.
It used to be that you don't want your social security out on the internet and your birthdate and your home address and all that, and that's still true for the individual.
But we've been just fatigued by data breaches to where people

(23:40):
don't even care anymore, which is sad.
But now you have this whole new element with AI, where we've got this silicon curtain between the USA and Russia and China and all of these nation states that are all racing towards the best LLM, racing towards the best database, for lack of a better term, and training models.
So now it is imperative that we're keeping our IP out of

(24:03):
China's hands, for example, and Russia's hands, because we're giving them an unfair advantage and working towards global catastrophe.
So I know that sounds like fear mongering, but that's kind of the world we live in now.
So data is definitely worth something for both of those reasons.

Speaker 2 (24:16):
Yeah, yeah, I don't think you're fear mongering.
I mean I don't think that you're.
I think that you're probably, like, even understating the importance of this AI arms race that we're in right now.

Speaker 1 (24:27):
Yeah.
Right, I wonder for the regulatory side of it.

Speaker 2 (24:32):
I wonder if these fines aren't even enough.
Right, because just a couple months ago, Facebook got fined some astronomical number, I mean I think it was like what? $4 billion or something like that.
And then CNN, you know, CNN ran the math and they're like, oh yeah, they're going to make that by Friday.

Speaker 1 (24:48):
They're literally going to make that by Friday, and I'm just sitting here like, well, what's the point? You think Mark

Speaker 2 (24:52):
Zuckerberg is worried about that number? Then, you know, like, whatever it was, I can't remember what the number was, but I literally remember them running the math, like, live and being like, yeah, that wouldn't even, like, keep him up at night.

Speaker 1 (25:05):
That wouldn't even, like, mess up his, you know, his sleep schedule, let alone, you know, put a, put a dent in his, in his vault, you know, of $100 bills, right. Like, it's, um, you need to have something, you need to have a penalty that's a little bit steeper, or something like, okay, well, you're limited in what data you can actually maintain for the next 24 months,

(25:26):
you know, like maybe you can't sell data to advertisers like you did, or maybe you're only allowed to sell them a certain amount, right.

Speaker 2 (25:34):
Limit that sort of stuff, because that's the only way that these companies are really going to start falling in line, because they'll pay, like, they will literally pay the fine every single time.
I literally had a call with a CEO, you know, a couple of weeks ago, right, and I was making the pitch for like a hundred

(25:55):
thousand dollars, just so.
I could see, I could buy a tool to allow me to see what's going on in the cloud.

Speaker 1 (26:01):
And he asked me what's the risk if I don't do
anything?

Speaker 2 (26:04):
I was like, well, if we get breached, I'm not going to even know.
Like I literally won't know, there's nothing I can do about it.
I won't know for probably three months minimum.
And his response was, I accept the risk, like, moving on.

Speaker 1 (26:16):
What are we talking about right now?
Like that, can I accept it.

Speaker 2 (26:21):
It's like, okay, you know, that's an interesting response, but it's not a rare response.

Speaker 1 (26:28):
You know, like CISOs get that every day.
Yeah, it's all too prevalent.
Cisos are getting their handstied behind their backs
constantly.
I think that there needs to besome kind of public shaming
element that goes beyond simplyjust a news article.
I think that if you are foundto be guilty of egregious data
malpractice, that you have topost it on your website and you

(26:51):
have to let every customer thatsigns with you know for the next
24 months that you'veexperienced a data breach.
We have these securityquestionnaires floating around,
right?
Those are a joke because peoplecan just put whatever the heck
they want and there's not anykind of validation.
Right, those are a joke becausepeople can just put whatever
the heck they want and there'snot any kind of validation,
right, all of that is manual,and so there's.
I fill out those questionnairesfor customers fairly often and

(27:11):
they have, uh, they have line items in there saying have you
experienced a breach in the last 24 months?
You can just say no and nobody would ever know, which is crazy.
I'm saying that's what I do, uh, just to be clear.
But, uh, it's.
But it's just a wild.
It's the wild west right now with how you basically enforce
this, how you validate how you can believe what your vendors

(27:33):
are telling you, and so there needs to be at least better
measures for trusting but verifying when you're dealing
with vendors that are collecting your most sensitive assets.
Yeah, yeah, the trust but verify piece is going to become,
you know, only more important because of the AI aspect.

(27:53):
Right, the AI genie out of the bottle that we're racing towards.
I mean, the genie is already out of the bottle, we just don't
know what to do with it yet.
You know, like that's the thing.

Speaker 2 (28:02):
Currently I'm getting my PhD.

Speaker 1 (28:04):
You know in zero trust security on communication
satellites to prepare for post-quantum.
And so with that I'm looking at, like the quantum encryption
requirements and what it takes to, you know, maintain that
standard and all this other stuff right and with that.

Speaker 2 (28:19):
I keep on just continuously thinking like, oh
my God, this is probably not that my PhD is the most
important thing, but this area is probably the most important
topic or focus area that we've ever seen in humanity, right,
like since the nuclear bomb.

Speaker 1 (28:36):
Right, because with an AI I mean guess what?

Speaker 2 (28:39):
Like I'm getting into that nuclear bunker's computer.

Speaker 1 (28:42):
You know I'm finding a way in, maybe the most one,
one of the most impressive, you know espionage attacks.
Ever was Stuxnet right.

Speaker 2 (28:51):
Completely air gapped under a mountain, in a, in an
environment that had been rebuilt right five, six, seven
times all of the cables pulled out of it, all of the cables you
know replaced and whatnot right and Stuxnet still prevailed in
destroying that environment.

Speaker 2 (29:12):
So what's to say?
You know that this doesn't impact a siloed network.
You know, in a nuclear missile silo somewhere right, Like that
Mission Impossible movie thatjust came out I don't know if
you saw it.
I haven't seen it yet.

Speaker 1 (29:21):
It hit a little bit too close to home because I'm
sitting here and I'm like well that's possible.

Speaker 2 (29:25):
Yeah, that's possible.

Speaker 1 (29:27):
It's just like going down the list of this almost
sentient AI and how it's like piecing apart society.
It's like, yeah, that's actually, that's a real
possibility, terrifying.

(29:52):
Yeah.
I think that we all.
There's a lot of dismissal of AI simply because it's people
think that it's blown out of proportion and they can't do
much now.
But we as security practitioners at least have to
think about what the next 12, 24, 36 months and beyond
incorporate and what is possible and what is possible with how
fast it's already developed just in the last 24 months.
You'd be quite ignorant to think that we're not going to be
at a state by 2030 where the AI is going to be able to just at

(30:15):
the very least, find vulnerabilities in existing
systems today, right, simply because it can do so many reps
and so many attempts on any given system.
There's so many different rabbit holes we could go down
with AI.

Speaker 2 (30:27):
Yeah, yeah, I mean, if you look at the DARPA
competition that they were putting on at DEF CON, you know
they did it for several years in a row.
I don't think they did it the past couple of years.

Speaker 1 (30:39):
But when they?

Speaker 2 (30:40):
were doing it.
They had these two AI models, you know, on these two servers
attacking each other, and you know they talked about how it
got to a point where they were no longer doing.

Speaker 1 (30:50):
You know known vulnerabilities and exploits
like they were finding brand new vulnerabilities that had like
never been seen before.
And they're launching it against each other and
everything.
And they kind of stopped it early, right, Because it started
to find zero days.
And the military is there saying maybe we should, you know
not disclose that to the public just yet you know, and all

(31:12):
these different things right.

Speaker 2 (31:14):
So it's like the AIs are already, they're already
doing it and we kind of like have this, we have this poor
mentality that we can kind of control it to some extent right
now, and it's like is it allowing us to think that we?
Can control it right now, orcan we actually?

Speaker 1 (31:29):
control it.
Right now, the movies are coming true.
Yeah, it is a wild time to be alive.
Yeah, that's for sure.

Speaker 2 (31:34):
Yeah.

Speaker 1 (31:35):
It's going to be fascinating, you know, from a
security perspective, because we bring a certain mentality into
everything that we go into right.

Speaker 2 (31:45):
It's like we're going into completely uncharted
territory.

Speaker 1 (31:46):
Yeah, and to tie this back to everything we've been
talking about, I think for the listeners that are getting into
security or wondering what the next phase of their security
journey is going to be, there's a tremendous opportunity of a
market being created right before our eyes around AI
security.
There is absolutely going to be a fundamental need for the good
guys to understand how AI works and how we can use it

(32:08):
defensively and even potentially offensively, because it's
already being used nefariously.

Speaker 2 (32:14):
Yeah, yeah, I mean it's already being used by, you
know, these hacking groups to create malware that we've never
seen before.
To just get into a target that was you know would have taken
them months to prepare, for they're using this AI to get it
done in an afternoon, right.

Speaker 1 (32:29):
It's pretty crazy.
Those phishing emails are getting legit as hell.
It's crazy.

Speaker 2 (32:34):
I saw I recently I think last week I put out the
clip of it and it's a, it's a true story right.
Like my, my current CFO got an email followed by a phone call.
Right.

Speaker 1 (32:47):
From what seemed like our CEO and it sounded exactly
like him on the phone right saying hey, I need you to send
20 million to this.

Speaker 2 (32:56):
This you know organization this account or
whatever, and the.

Speaker 1 (33:01):
CFO said.
He said I was 100% convinced like because this has happened
before he's called me.

Speaker 2 (33:08):
he sent an email and then he called me, requested it,
you know went to the right place and everything.

Speaker 1 (33:14):
But we've recently changed the protocol and there
was one final step in the protocol that he was required to
check right with the person on the other end of the phone and
the person on the other end of the phone or the robot or
whoever didn't know that answer and he immediately hung up and
called security and said hey, this is what just happened.

Speaker 2 (33:34):
I didn't send anything, but can you just look
into it, and I mean the email looked totally right.
The headers were manipulated, obviously, but you're not going
to see that you know as a normal end user or whatnot.

Speaker 1 (33:46):
But the email address looked totally right you know
and I heard we pulled up the phone call and the phone call
sounded exactly like him.

Speaker 2 (33:54):
And I'm just sitting here, you know, as a security
professional, and I'm like this would have fooled me.
You know, like this absolutely would have fooled me.

Speaker 1 (34:02):
You know my boss telling me to do something,
sends me an email, sends me a Teams message gives me a call
afterwards because maybe it's a little bit out of the norm,
right?

Speaker 2 (34:11):
Maybe it's a little bit, you know, iffy for me to
potentially create this rule in the firewall, or whatever it
might be right.
Like just a random example.

Speaker 1 (34:19):
Like I wouldn't question it after the phone call.
Why would I question it?
Like at that point I'm not and we just don't have great ways to
validate this.
Like we have to stay on our toes more and more, but that
only goes so far.
So what you just said like I would have been fooled by the
same thing.
What's wild is someone could take this podcast right and
record each of us and use that nefariously, like it's just

(34:45):
anything that's on the web of you talking.
It's being used in cool ways, but it's also being used in
nefarious ways, as you mentioned.
So I can't even imagine a public figure like a CEO that's
shooting fish in a barrel.
It's too easy to get that audio clip and that into something.
Yeah, I mean they're doing interviews, they're doing
quarterly calls and all that sort of stuff, like their voice

(35:06):
is out there it has to be out there.

Speaker 2 (35:08):
That's the thing too right Like it has to
be out there, because we're moving into an area where
you kind of have to look at your own online presence more
closely, even what you're posting on social media, not
just your location not just things that are up
to date and whatnot right, but you have to look at it in a way

(35:31):
of an attacker, almost where they would say, oh, he said he's
out of town.
I'm going to go rob his house.
I know where it is because I can do a public title lookup and
see what he owns.
Right, Like that's a possibility.
Well, now you know, like you could give them unknowingly too
much information online and now they mimic your voice by this

(35:52):
podcast.
Right, and they're doing something else.

Speaker 1 (35:54):
They're calling your bank and they're.

Speaker 2 (35:56):
You know it sounds like you.

Speaker 1 (36:04):
The banks have the voice detection software right,
they have that software, so it's going to, it's going to check
that box, right.
And I mean that's the thing too right.
I call my account manager and I, like I, don't have to answer
almost any security questions, I have to answer stuff that a
hacker would have you know.
That's the thing I have to answer stuff that a hacker would
have.
If you made it all the way to that point where you called my
account manager, you 100% have all the other stuff that they're

(36:27):
going to ask me about.
And so it's like well, what do we do?
You know, because that account manager can do anything.

Speaker 2 (36:32):
They can get me on the phone with anyone at that
bank.

Speaker 1 (36:35):
You know, yeah, the technology that our tools need
to catch up, the good guys' tools need to catch up and
we're just not there yet.
So it's putting in compensating controls, like what you're
talking about of having multiple people involved in a process.
I'm super thankful that my bank uses the voice recognition but
then has additional measures for how they would validate and

(36:57):
there's separate processes too.
So I think the banks are at least figuring out.
If your bank does not do that and you're listening to this
just stop everything you're doing and go switch banks.
We are at that stage where you don't even need someone voice
mimicking and calling your grandma to get her to send
$5,000 or whatever in the mail because you're arrested, and

(37:17):
that trick worked on my grandparents years ago.
Now I can't even imagine for especially just the elderly
going through this and not understanding the technology,
but getting a call from a loved one saying I need money.
It's crazy that it is as easy as that, but unfortunately

(37:40):
that's where we're at as a society.

Speaker 2 (37:41):
Yeah, yeah, we're going into a scary place
honestly.
But you know, Taylor, why don't we touch on?
You know Eden Data and the services that you provide.

Speaker 1 (37:53):
Why don't we?

Speaker 2 (37:54):
dive into it a little bit and talk about the services
that you're providing the great content that you're putting out.

Speaker 1 (37:59):
So Eden Data is essentially the outsourced
security, compliance and/or privacy teams for tech companies
around the world.
So when I say tech companies, that's anything from early stage
startups up to now they're calling themselves scale-ups,
right when they're Series C, D and beyond.
And then we have publicly traded companies, enterprises

(38:20):
and everywhere in between, and so we are typically taking over
the security program or the compliance program and
helping them build against the frameworks that they need to
align with, either from a regulatory perspective, like we
talked about, from the expectations that their
customers set, or we have customers that come to us and
just say I can't sleep at night because I want to protect

(38:41):
my customer's data and I don't know how, and so building a
robust security program around that.
We have the great pleasure of working with customers all over
the world.
We have hundreds of customers that provide all kinds of cool
technology services to their customers a lot of software
companies, but law firms and clinics and those kinds of
things as well.
And the other tidbit that I'll add to this is that it's really

(39:03):
been cool to see we've been around for four years now, and
it's really cool to see that the industry is shifting towards
security used to be very, very important for the Series A,
Series B and beyond.
Now we've got pre-revenue customers coming through the
door left and right when you're building a new company and
you're offering software.
It's at least becoming more accepted that security is a

(39:25):
necessity.
Sometimes the founders are thinking it's a necessity
because they just want to take it seriously and protect their
customer data.
Oftentimes it's because they know if I'm going to sell to the
Walmarts of the world, Walmart's going to tell me I
need my SOC 2 and my ISO 27001 and all of these things, and so
we are seeing a big uptick in more companies at earlier
stages investing in security.

(39:47):
Yeah, that's huge that makes a lot of sense, though, because
you know, as a young startup company, probably the worst
thing that could happen is you get breached and you know your
product is viewed as being insecure, especially nowadays,
and so it would make a whole lot of sense for them to pay
attention to it.
Well, they were that company that got breached.

(40:10):
I really want to give a shout out to the enterprises of the
world that are really setting the tone for how security needs
to be enforced and then also continuing to raise the bar.
That's something that I hope to see continue to expand, because
it's not the regulators doing it, like we already talked about,
and I do think that there are.
I'm seeing this beautiful thing in the world where this next

(40:30):
generation of companies is embracing security from the
start, and that's critical.
These folks are going to go and start more companies.
They're passing that knowledge along to the customers that they
do business with, and so we are seeing this kind of uptick and
security becoming fundamentally important.
It's just being tied more to sales than simply the fear,
uncertainty, doubt aspect, which is fine.

(40:52):
I want people to see a return on investment for security, and
that's something we obsess about over at Eden Data, because
otherwise nobody's ever going to like us security professionals
right.

Speaker 2 (41:02):
Before we wrap up, what are some top trends in the
industry that people could start focusing on?
Maybe it's a trend to help someone get into the industry or
get more diverse in the industry.
Maybe it's a trend that a company should start adjusting
for and planning for for the rest of the year.

Speaker 1 (41:21):
Yeah, I want to try to give a different answer
than maybe some of your guests, because everybody and their
mother's talking about AI.
So I promise I won't say AI, but I will say touch on one
thing technically, two things that we've already talked about.
One is paying attention to the opportunities being created in
security by AI and, more specifically, ISO 42001.
That is a big trend that's upticking

(41:42):
Now.
That standard's only beenaround for a year.
It's finally starting to getadopted and enforced by
enterprises.
So when I say by enterprises, I mean for the software companies
that they're doing business with, and everybody is using AI
in some capacity in their business and so pay attention to
that standard.
I think that there's going to be a lot of job opportunities, a
lot of project opportunities coming from that.

(42:04):
And then the second thing is this rise in using security for
sales, like I talked about.
But more specifically, you're seeing this big trend in people
being more public about their security posture in a more
detailed manner.
So today it's really beautiful to see like SafeBase, which was
acquired by Drata.
There's multiple players in the space that allow you to build a

(42:25):
beautiful security page that you put on your website.
That's more interactive.
But the reason I love this trend so much is because it's
also there's a validation component.
We talked a lot about how you could just make crap up as you
go along earlier in the podcast. With these types of tools,
they're pulling data from GRC tools, they're pulling data from
website.
They're pulling.

(42:45):
In some cases, they're doing scans.
SafeBase, for example, has integration with Qualys and
Nessus and a couple others where they'll pull in recent scan
scores, and so now you're starting to get what's basically
like an automated control, and that trend is going to continue
to expand.
We're going to rely less on humans telling us what our
security posture is and more on the systems telling us, and so I

(43:07):
would encourage folks to pay attention to that as well.

Speaker 2 (43:11):
Yeah, it makes sense.
It'll be really interesting to see where things evolve and
where we end up in 2026.
I'll have to have you back on and maybe we'll redo like a
trends, a trends episode for 2026.

Speaker 1 (43:23):
Heck, yeah, let's put it on the books.
I can't wait to see what we gotright and what we got wrong.
Right, yeah, that'd be awesome. Well.

Speaker 2 (43:30):
Hey, you know, thanks, Taylor for coming on.
It was a fantastic conversation. I really enjoyed our time.

Speaker 1 (43:35):
Yeah, joe, I can't thank you enough for the
opportunity and folks listening.
Feel free to reach out to me on LinkedIn.
I'm obsessed with this industry and would love to nerd out
anytime on security, compliance or privacy.

Speaker 2 (43:47):
Yeah, yeah, absolutely.
I'll put a link to your LinkedIn in the description.
I'll put a link to your website, Eden Data, down in the
description as well.

Speaker 1 (43:56):
Amazing.
Thank you, joe, awesome.

Speaker 2 (43:58):
Well, thanks, Taylor.