
April 11, 2024 • 76 mins

"Unlocking Strategic IT Investments and Information Security: Expert Insights with Gina King" dives into the critical aspects of IT investments and infrastructure. Felicia King, host of 'Breakfast Bytes', engages in a captivating conversation with Gina King, a leading Chief Information Security Officer. The extensive dialogue sheds light on necessary expenditures on Information Systems and Technology, managing and optimizing security investments, and realigning perceptions of IT as a valuable strategic asset.

Through their enriching discussion, Felicia and Gina tackle widespread issues of underinvestment in IT, encouraging businesses to understand and optimize their IT expenditures. Pointing to the risks of non-compliance and inadequate IT security measures, they illustrate how a thorough approach to IT spend analysis can tremendously impact a company's financial bottom line, customer satisfaction, and overall client experience.

The episode highlights the importance of a proactive and continuous IT security investment to nurture an effective information security risk management program. Felicia and Gina underscore the significance of considering cybersecurity as an aspect of overall business risk, rather than an isolated problem. They also emphasize the value of tech-savvy leadership and security education in fostering a vigilant workforce and strengthening an organization's security posture.

Switching gears to effective risk management amidst the digital landscape, the episode ends on a call for creating clear policies, continuous vigilance, and an understanding of organizational identity to safeguard online infrastructures. This engaging discussion is a must-listen for anyone involved in IT procurement, investments, security, and overall business operation.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hey, good morning. You are listening to Breakfast Bytes, and I am Felicia King.
And today is a super special day because I'm not the only King on the show.
I didn't even think of that. Oh, my goodness. With me here today, I have Gina King.
She is from Ovation Point and she provides global management services from risk

(00:23):
management to program management.
Now that's what she wanted me to tell you, but I'll tell you what I think.
I think Gina is one of the top CISOs in the country and she kind of owns that
whole like Eastern Michigan market,
but also does lots of international service as well and is one of the CISOs
in the country that I actually have a lot of respect for.

(00:46):
So, thems are some high words.
So, we wanted to get together and have a discussion about a couple kind of hot items.
And those hot items had to do with, you know, oftentimes organizational
management is struggling with trying to figure out a metric,

(01:08):
like how much should we be spending on IT?
And then there's a whole lot of debate about that. So we want to talk about that.
And then, of course, company managers also want to find out how they're doing against their peers.
And we're not going to cover that right now. But I think this whole topic of
how much are we spending on IT, that question and the answers that go with that

(01:29):
question are right in the same ballpark as that entire question of how are they
stacking up against their peers?
Now, then the other question we're going to talk about here is when are we done
with IT security investment?
Because that's another hot thing. And both of these questions and the answers
that go with them are applicable to any sort of executive management leadership

(01:53):
out there, business owners, business decision makers.
They're trying to grab a hold of something that they can understand rather
than the technical stuff that they think is just Greek.
Okay, so let's get started on the topic of what should companies be paying in
total for IS and IT expenditures and what happens when they underinvest.

(02:19):
So, to me, if they're not doing this properly, if they don't have the right
paradigm around that, then they're always looking at, oh, we have to cut costs.
And then they typically are under-investing. So, what do you think?
I agree completely, especially when they think IT is all cost,

(02:40):
when at the point of purchase, there were some other considerations that they totally overlooked.
So the price of whatever they bought for IT or IS was more in the beginning
and they kicked that can down the road.
And so when those things come up, whether it's upgrading software or putting
more people in place to support the thing,

(03:01):
all the things that they overlooked in the beginning is really a delayed
cost. It's not that they need to cut the cost of IT. There was an oversight.
Yeah, you know, you bring up an excellent point about procurement.
If you do procurement well, and I think this is, you know, it's one of my hot buttons.
I think it's probably one of your hot buttons too.
And I think it's our hot button because we've seen the clarity of how crucial

(03:26):
quality procurement processes are.
If you procure properly and you do the right vendor risk management, vetting of a solution,
you put the right things in your contracts with your vendors,
you just avoid a whole mess.
So give us your thoughts on that. Oh, absolutely. And then being able to work
with the vendors who can not only help you buy what you need today,

(03:50):
but that can help see through your vision.
Because it may be great for the first 90 days.
Maybe you got something, they say, oh, this is free. But then after that 90
days, hey, here come all those costs.
You need to be able to work with vendors and suppliers that can help you see
that end-to-end strategy of how you're going to manage the cost of whatever
it is that you're buying.

(04:10):
And one day we need to talk about whenever there's mystery in whatever you're
buying, there's likely some hidden costs there.
That could be a whole show by itself.
Well, yeah. Now let's tangent on that a tidbit, because sometimes there is going to be mystery,

(04:30):
I think, only because somebody is like a business decision maker is asking an
IT service provider to boil the ocean.
But you can't. You can't boil the ocean. And actually,
this kind of, let me pivot a little bit into our second question,
because one of the things that I've seen frequently is where they're paralyzed

(04:54):
in their analysis and saying, you know,
I need you to give me this big assessment.
And we have to know everything about everything. And we need to know exactly
how much everything is going to cost before we can even start.
Okay, I can tell you that I've worked with clients, like the same client for

(05:15):
18 years, and I am still discovering stupidness in their environment.
Okay, like it is absolutely impossible to know everything about everything.
And anybody who ever tells you that they can come up with an air quote comprehensive
assessment, I think they're just misleading you, right?
So rather than being paralyzed and saying, hey, I don't want to spend any money

(05:38):
on anything until I know how much all of this is going to cost.
Because I'm just too concerned about, I don't feel like I can manage the risk
of this if I don't know about everything.
So I try to direct them away from that. And I take this approach of like,
let's do a small assessment. Let's just look at stuff for a couple hours.
If I can find $100,000 worth of stuff that needs to be fixed in two hours with

(06:03):
my eyeballs, do I really need to look any further?
And you know what? You're making a great point there because you're not going to know everything.
Absolutely. And the fact that they want to know everything and they're asking
you to do it means they've already missed the point of knowing everything.
That's in the past, but they can at least institute some touch points where
we need to do an additional assessment and understand our costs.

(06:26):
Let's say for the next 90 days or the next six months.
And then that's something you can estimate. You can estimate at the beginning
of the year and say, here are the touch points. And I estimate there's going
to be an additional 30 percent spend or an additional 20 percent,
whatever those things are.
But to not do it at all, you're just asking for disaster.
Yeah, exactly. Right. And or to say that somehow, you know, somebody has to

(06:46):
give you a comprehensive assessment before you can start to do anything.
Yeah. I mean, I've I've talked to even sometimes in their change process,
you find the way they do things uncovers more things that you did not know.
And it's just like, oh yeah, yeah, garbage. Oh yeah, oh yes. That's almost like a weekly occurrence, in fact,

(07:10):
and that is exactly why I
think that every organization either needs to have a CISO or they need to have
a vCISO. But that person who's doing that function needs to be adequately technical,
but they also need to be a bit of a politician to be able to,

(07:31):
you know, shepherd that change through the organization.
I find all the time where I'm able to have conversations where I sit with,
you know, executive management, sometimes the managers that report to them and
talk about those business processes.
And I can say calmly, you know, that's not ideal.
But let's talk about a better way of doing it.

(07:52):
And the way that you guys are doing it now, it introduced this type of risk
into your organization.
And it's really not that big of a deal if we do it a better way.
The better way is less expensive or whatever it is. And I can articulate those things.
And the interesting thing, and I think you've brought this up before,
is that many times the things that I'm advocating are things that the IT department

(08:16):
tried to get. All the time.
Implemented in the environment years prior.
But too often, internal IT lacks that ability to articulate things couched in
the risk management language.
I think so. And I think the other thing is being willing to present the risk

(08:39):
and recognize that they may just say, we're going to ignore that risk and being
able to take that walk with them.
So when it finally does fall over the cliff, you have the expertise to say,
I'm not going to tell you I told you so.
But here are some strategies we can do to kind of recover where I think sometimes
with IT, because I used to be in IT, it's their way or no way.

(09:01):
And instead of being like that, it's kind of like you can do whatever you want
if you're willing to take on these risks.
Right. That's a whole different conversation. It is.
Right. Right. Yeah. I mean, and I think, you know what, that's a maturity thing.
That is a maturity thing, right? Because oftentimes IT needs to be right

(09:22):
because they need to like prove themselves to somebody. You and I,
we don't need to be right.
We've already proven ourselves, you know, a hundred thousand times over.
And I can be, I don't have a problem with being wrong. It's kind of like,
wow, I never thought that would work. That's amazing.
Like that would have never, That has never worked for me, but somehow you were

(09:43):
able to pull it off like great job.
Because I used to be in IT, when they're focused only on technology,
all their answers are technical.
Oh, yeah. Oh, I have a really funny story for you on that.
Two weeks ago, I was in an enterprise wireless certification training program

(10:05):
for two days with, you know, 30 guys, right? Like 30 guys and me.
And, you know, and so in part of this class, one of the attendees,
he was talking about a little project he was doing.
And this whole debate he was having with everybody else in the room,
other than me, because I just thought it was a silly debate,

(10:26):
was how many wireless access points for this context?
And I kind of let them go on for a while and bandy about.
And I just said to them, I'm like, guys, that's it. You know,
let's pump the brakes here because you're all wrong.
That's right. I said, no, here's why you're all wrong.

(10:47):
You're all wrong because all you're doing is sitting here thinking about that
this is a technical problem. You have to first start with economics.
And if you go to the client and say, you're trying to do it with two wireless
access points when we really should just be doing it with four wireless access
points, here's the price difference. And guess what?
If we get four wireless access points, you've spent money on equipment,

(11:10):
but now you're going to spend less
money on labor because we're going to have less technical issues, right?
You can have less support issues. It's going to be a more reliable solution,
and now we can kind of,
with more certainty, tell you what the cost of the solution is. Versus, if
we're trying to get it done with two wireless access points, well, we may

(11:33):
have these issues that we may have to waste a bunch of time troubleshooting.
It's like, no, no, this is not a technical problem. This is an economics problem.
And after I said that, they were like, oh, yeah, she's right.
Yeah, yeah. I did a survey. What made me pivot strongly into cyber is I did
a survey and I want to say it was more than 200 businesses.

(11:56):
And my question was, in a scenario where you know you need to do something regarding
cybersecurity in your environment, what's your number one blocker?
And I gave them like five reasons and I was sure it was going to be money.
Money was the last reason. Number one was we don't know what to do.
We see other companies doing things, but as a small business,

(12:17):
I sell flowers. I don't know what I specifically need to do.
And then number two was, even if I knew what to do, so that's number one,
even if I knew what to do, where do I go to get help?
I see these huge companies. I could never afford those organizations.
Where could I go to get help? And then number three was, if I knew what to do
and I got help, how do I sustain it?

(12:37):
Because I can't compete in the marketplace for the type of talent.
And I was, I was just like, I was guessing that it was money. It was not money.
It was just having the guidance. And when I saw that, I was like,
Oh, look, I can, I can help with that. I can help with that.
So I think what you're talking about is right. Sometimes we think that it's
going to be a money issue when it's not, it's just that we need to do a better

(12:58):
job of helping people understand that they don't need to be an expert to get help.
Cause once we have a discussion, we can figure it out. But if they're sitting
there like, well, I don't know this and I don't know this and I don't know this,
it kind of makes it difficult.
Well, I think it's just so hard for a business decision maker these days.
I mean, it seems like every prospect I talk to, they're telling me some sort

(13:19):
of a nightmare story about how they spent $20,000 for an assessment and then
now they don't know what to do.
Oh yeah. Or the most recent one I talked to was, we've had 10 prior MSPs,
and I did a free audit for them of their network layer security appliance, and

(13:41):
is the best word in polite company that I would use to describe the configuration
in the thing. And, you know, so at the end of the day, here's what we got. We have
10 other IT companies that have been involved with this business.
And out of those 10, not a one of them could do the most basic fundamental thing

(14:02):
that I could have resolved in an hour.
And so this leaves such a bad taste in a business decision maker's mouth.
And another one I talked to, they were like, we spent $20,000 on an audit.
And now we don't know what to do. And we decided to not go forward with that

(14:23):
company because we had such a bad experience.
And they've had other bad experiences in the past.
So I think step one is getting an idea paradigm around how much should we be spending on IT?
And then what is the paradigm about that IT spending? And then maybe a third

(14:46):
question is, how do we find help?
So let's circle back to question number one.
I've personally experienced looking at the spend of our own clients who are
doing well, and who are not doing well.
And I've also talked to a lot of other CISOs and
a lot of other IT pros and the the

(15:08):
general consensus has been 10% of
revenue is your minimum, 15% is
better. Yes. And, you know,
the higher your revenue, the closer you can get to 10%. But if you're like a $1
million or a $2 million business, you should be spending 15% of revenue.
What are your observations? Oh my goodness. And that's so interesting

(15:30):
because I feel like if you attach your IT spend to how much money you're making,
you're looking at it the wrong way.
I think it's about supplying a unique, powerful, and consistent experience to your clients.
And I think it should be based on what you're trying to provide to your clients.

(15:50):
And the reason I feel that's because that's the core of your business.
If you're looking at IT for IT sake, you could be spending a million dollars on IT.
But if your client experience is in the garbage, you're about to close your doors.
Walmart, you're about to close your doors like we all know, like those companies
who feel like they have to be so rigid in how they provide experience to their clients.
At some point, someone who understands technology will sweep those people right

(16:15):
away from you. And so I think it's more about aligning with the experience that
you need your clients to have, because at that point, the spend could be a lot less.
Because if you split the technology you need for corporate, let's say,
and then the technology you need for your client, it could be the case that
your technology spend goes down. Wow.
So here's an interesting question then.

(16:35):
So I know you're aware of the FTC and IRS regulations for tax preparers in the United States.
And let's assume that business owners start to get savvy and they start going
to the tax preparers and they ask,
hey, give us your certification statement that shows that your business

(17:00):
is fully compliant with the IRS and FTC regulations,
because otherwise we don't really believe that you can keep our tax records secure. I agree.
How you do one thing is how you do everything. Right. So if your house is dirty,
you know what? I like you and everything, but I'm not going to eat there.

(17:20):
I'm just, I don't, I have nothing else to go on. I don't know what to tell you.
Okay, so that's a phenomenal example of how a person who owns a tax preparation
firm or a CPA firm or they do bookkeeping or payroll, whatever it is that they

(17:40):
do, that type of a service,
they need to be thinking first, right?
Because that is the prerequisite to them having revenue.
What do we need to do to have in place so that we can have the certification
statements that we can give to customers and prospective customers so we can
retain the customers we have and we can go get more prospective customers?

(18:02):
Furthermore, we can compete against our competitors successfully because we
can say, hey, we're doing this really well.
And those other people, they don't have that certification statement.
Okay. So now, if that means you have to raise your prices to have this additional
IT spend in order to be compliant,

(18:26):
in order to have appropriate levels of information security risk management,
then I personally would rather spend more money with a company who was paying
attention to those things than a company that's $200 a year less.
So this might sound a little harsh, but who wants clients that are making deals in the alley?

(18:48):
It's just a matter of time before you end up being the part of the exchange
of what they're exchanging in the alley.
Like, you know, hey, but if we go in the alley, we can trade these rocks and
this thing and we can do this.
Don't do it. Do what you need to do. Do it right and finish it.
Because the clients you're looking for, they want things to be done right.
Like their business depends on right.

(19:10):
Business depends on. So if you want to be better in business,
if you feel like your business is struggling, number one, look to what your
clients need, get your house in order and be the type of company your clients
want. That improves your business overall.
Your client base, because they're looking, they know how to look,
they know how to check, they know how to do references.

(19:30):
They're definitely checking. And that's why you're getting those bargain basement
people wanting coupon prices is because they've done research and they know
that you'll cut corners.
It's just a matter of time before it blows up on you. Yeah.
And then you just lost your whole business. Exactly. You
know, oh yeah, because, I mean, certainly if the IRS or the FTC come in and say,

(19:52):
well, you're not compliant with being a tax preparer anymore, forget that, that
entire revenue stream is shut down, bye-bye. Yep. And anything even closely related
is done. And the same thing goes with insurance.
Think about your client, what they need. Right. Okay.
So speaking of that, now I have to, you know, you walked me into another one

(20:14):
of my hot buttons of all time, which is breach of contract.
Okay. So if you have a contract with a customer and that contract is contingent
upon having cyber insurance or having a set coverage level of cyber insurance.
Now, if a company does stop or doesn't do stuff,

(20:37):
that either way leads to that coverage not being there or, in effect,
if they are just doing things that would have invalidated the coverage in general.
So some things you can do will diminish the coverage. Other things will just
invalidate it and say, you don't have a policy at all.
Either way, it's breach of contract. Now, I've checked with my lawyer friends

(21:02):
and they're like, yep, that's breach of contract.
So yet, here's the sad, sad thing I can tell you is my observation is that 98%
of business decision makers in the SMB market don't care about that. And that's really sad.

(21:22):
So I think that the thing that's going to move the needle on this in the SMB
market is for the customers of those businesses to start asking for that documentation.
Share with us, what are you doing to be compliant?
What are you doing in your policies and procedures, your practices,

(21:43):
your information security risk management program, so that you can have effective
coverage? That sounds like a business we need to start.
Well, I call it correcting the issues on the demand side.
I love that because I think sometimes when I talk to consultants and these grimy

(22:04):
companies make them sign contracts like in perpetuity, where they're then on a hook.
Look, the companies didn't do what they needed to do to make sure that their things are right.
But because they have the resources, they'll go after the consultants.
I just want to expose that whole thing. It's rotten.
It's rotten to the core. It's rotten.

(22:25):
Oh, yeah. I mean, yeah. I mean, there's some serious problems with justice.
And I air quote that word in this country.
That's it. Yeah. We're going to air quote that.
So, you know, if someone's been breached or attacked and things like that,
and the insurance company says, oh, because you did A, B, and C,

(22:47):
this contract is just a pretty piece of paper, then what? So the clients are impacted.
All of the clients of the business are impacted, the customers,
everybody's impacted and nobody's responsible.
That's just, yeah, that shouldn't, that shouldn't be.
So let's, you know, we've talked about,

(23:07):
kind of an idea about a total IT spend thing.
If somebody wants to think about it in terms of like a percentage of revenue,
okay, fine. I gave my ideas on that.
And then you added that actually they really need to be thinking about what
they need to have in place in order to continue, have that revenue stream continue.

(23:30):
What are we doing to take care of our customers?
Now, let's pivot to paradigm. In a lot of cases,
the bad taste in the mouth that people have about IT services or consultants
and stuff is all because they've come to the table with the wrong paradigm.
So, I'll

(23:53):
start with like a really bad example and then I'll go
with a more, a better example. A really
bad example that should send somebody off some alarm bells is if they're giving
you like a statement of work that says that we're going to patch your systems
and we're going to patch your servers for $50 per server per month, and all we're
going to do as part of that scope of work is we're going to verify that Windows
updates are working. Oh, right. Oh, right.

(24:18):
Okay. Okay. Right. So, paradigm failure there, I find, is where the business
decision maker has no idea what they're looking at.
Okay. I look at that and I go, whoa, major problems. Your first instinct is,
uh-oh, major problems, right? Okay.
Business decision maker looks at that and says, well, this is only $6,000 a

(24:41):
month. I can totally afford that. Okay.
But can you? The residual from that, yeah, you might end up losing your job over that one.
Well, the residual, I can tell you, that was actually a real-world example I put forth there.
And the residual of that is that that company, by that process,

(25:03):
by signing with that completely egregiously incompetent IT service provider,
and I saw the SOW with my own eyes, so that's not up for debate what was in there.
They basically invalidated their cybersecurity insurance policy.
Okay. And because now they have no vulnerability management plan,
which by the way, invalidated the contracts that they had with their customers.

(25:27):
So if the customers ever actually found out, then the customers can sue the
provider for breach of contract.
And you know, it's, it's, you're done. You're done at that point. Right. Yeah.
But how did they think that was going to work even the company that set the

(25:47):
statement of work forward how did they think,
I don't know. I don't know. Well, see, you're trying to apply logic and reason
to something where people are trying to do back alley deals,
as you had previously referred.
Now I'm wondering, are they getting in touch with the data owners?
Are they making sure that they're testing those patches? Like,
is there an outage window, a change process?

(26:08):
Like, what's in this 50 bucks? Like, what's in this?
Well, it said right in the SOW, the only thing they were doing was monitoring Windows updates.
Wow. So no third-party patches, no
hardware, no business line apps, no updates
to Active Directory, because, you know, Active Directory actually
has to be patched too. You have to, like, go get the new GPO template packs. You

(26:30):
have to do continuous hardening on AD, you know, blah blah blah. I mean, like, I've
got like a 30-page vulnerability management program document that I've written.
Yeah. And believe me when I tell you,
it can't be done for 50 bucks per server per month. I know, that sounds like, how are they?
It's like they in the alley like, oh, I got these gold watches.

(26:51):
I got these gold watches.
All right, so I want to pivot to this question that I oftentimes get,
which is, you know, when are we done with IT security investment?
And my response to those folks is, hey, look, you're never done.

(27:12):
The paradigm that I recommend is that we look at what needs to be done and we
flat rate service contract everything that can be flat rate service contract,
but you still have to come up with a dollar amount that you're going to say,
is that $2,000, is it $5,000, is it $10,000, is it $25,000, whatever that dollar amount is every month.

(27:34):
You are allocating that in your budget and then you're going to have somebody
in your company that is going to be your primary technical point of contact
who is going to work with your vCISO,
who is going to every single month be working on making your information
security risk management program better.
Sometimes that's going to be remediation. Sometimes it's projects.

(27:56):
Sometimes it's an assessment. Sometimes it's, you know, whatever it is,
but that now the business has a consistent spend.
They're expecting that spend to happen.
And the other thing that I've said to those executives who asked me that
question, I say, look, you can stop at any time, right?

(28:17):
Because you can just say, we're not going to do anything anymore.
And we're just going to now accept all that risk. And we're going to accept
the consequences of that risk, you know?
So they're basically every single month having the opportunity to pump the brakes and stop.
But they need to realize though, and you brought this up before with the whole

(28:41):
technical debt issue, they need to realize that in that process,
if they pump the brakes and they pause that for a year or whatever,
it's really hard to pick that back up.
It is. It's hard to dig yourself out.
It's hard. If you don't stay, I would say at the pulse of change,

(29:01):
the compounding that is ridiculous because it's like spaghetti.
Where do you start? What came first? The chicken, the egg, the little egg or
the big egg, the big chicken or little chicken, the blue chicken or red chicken?
After a while, he was like, I don't know what's going on.
I don't know what's going on. I want to go home.
It just becomes a lot because digging through it, it just takes so much time

(29:24):
where if you just had that steady pulse, I think that's excellent.
That's an excellent way to look at it versus trying to dig through so many different
things, the overlaying and compounding of issues, then what's going on with the business,
especially if it's a thriving business or a business that's going after new
markets or coming up with new products, you're mixing all that in with this
obscene risk. Because I think one of the things we've done,

(29:47):
with putting this cybersecurity label is we made it seem like cybersecurity
isn't a part of risk in general.
So all we're talking about is risk. By making it seem like saying cyber,
like it's some new thing, I think that's not really working out for us.
We need to get it back into risk overall because even though it may start off as cyber,

(30:10):
the impact of it might not be cyber
the impact could be people right in the market
the impact could be who knows so i think that well
the impact is revenue exactly we need
to pull that one back in yeah yeah i mean to that point i oftentimes have conversation
with executives where i'm saying look you know please do not think that you

(30:33):
are supposedly never going to understand this stuff I call baloney on that because
you understand legal risk,
you understand financial risk, tax risk,
market risk, customer risk.
You know, just simply the risk of having employees, right? I mean,
you understand those risks.

(30:55):
Information security risk is just another risk you have to manage.
And yes, my job is to help you understand it and to prioritize it.
But that's all I really ask of them is, please, just let me help you
become an informed risk decision maker.
Yes, yes, absolutely. We have the right people at the table so that they can help.

(31:19):
Individuals in leadership make the right decisions. Having a strong governance
committee that's tapped in and turned on to what's going on so you know,
hey, here's having to do a legal, here's something that's GDPR,
here's this, and having that group kind of come together and figure out where
are our priorities as crisis.
Well, and even in a smaller organization, I think something that's really effective

(31:40):
that an executive team can do is they can kind of come up with the IT steering committee.
So maybe here's their internal IT director.
Maybe they've got another person on their IT team, or
maybe they've got a business leader who's, you know, fairly
tech savvy, and then they've got their vCISO. And,
you know, one of the ways that an executive management team can be really sure

(32:01):
that the right decision is being made is that those people agree. Yes, absolutely.
And one thing I've done before with smaller companies is to introduce them to
individuals that they don't have on their team that are at larger organizations,
to help me help them understand.
So here's where your business is. You want your business to be over here.
I'm getting this guy from this business that you want to be like that.

(32:25):
He's trying to tell you, your unmentionables are out on the lawn. It's not me.
He's telling you, your door is open. Everything's getting out.
You got to do something about that. So then it's not like I'm being the party pooper.
Where you want to go, the person where your vision is looking that way.
They're telling you in order for you to work with them or in order for you to

(32:47):
be like them, these are things that you have to figure out how you're going to make it work.
And so I think it's really important to have that team, that listening team.
So we were talking before about the technical debt and there's another key piece we didn't reveal.
It's that if an organization doesn't have a continual Kaizen approach to

(33:13):
just making their information security posture better on an ongoing basis,
then they're finally like, well, now we got the budget. Now we're going to go spend the money.
They might spend six months waiting for somebody to be available to help them. Very true.
I go through it all the time, like finding those key resources,

(33:36):
especially if they're going after something like identity or some obscure thing
because they have such complexity in their environment.
Everything is not knee jerk. So I think they need to do a better job.
With other projects throughout the organization, it may make sense to have these
long lead times and that, but when it comes to cyber, maybe that needs to be

(33:56):
in a different structure because the longer you wait, the longer you wait.
It's just a matter of time before something happens.
It's the impact of those things based on that technical debt that can be devastating.
So I always recommend where you can to have an alternate path for how cyber
work gets done, because they can do it.
But if they're having some type of Christmas party, they find the money.

(34:18):
Just don't put that out there.
So priorities.
You know, another observation I've had, and I see what you've experienced,
but I've had organizations come to
me and say, you know, we've got this cybersecurity insurance application,

(34:41):
and we need to fill it out, right?
And so, you know, there are certain things that they want to have remediated
very quickly, which is always just, I mean, it's hallucinogenic.
Okay. It can't get remediated in the time that they think it needs to get remediated.
But the other huge observation I've had is that
if I have an ongoing relationship with a client,

(35:03):
and we're working on something every month for them, my ability to crank out
that cybersecurity risk assessment questionnaire response for them is pretty,
you know, like I can get it done in a week or two,
you know, versus and it's a very high quality document that generally results

(35:26):
in them getting either a low premium or even in some cases, I've seen a lowered
premium for our clients. So, woohoo.
But in the context that we don't have that ongoing relationship,
I don't have any of the data.
And there's not enough hours in the day available in my schedule to go get that
data to be able to even produce the report.

(35:47):
So, I don't understand this. You mean you can't just make it up?
That's what they think. Just come up with some technical stuff and put it in there.
And you're like, I'm not putting my name on this. Like, no, I'm willing to pay you the money.
It's like, it's not about that. It's about doing the right things. Right.
I don't know. I don't know how they get, I don't know where they get that from.

(36:08):
It's like, you know, a lot of IT just fill this thing out. And just like,
I've never been, there's like 19 sites on here.
What are you expecting from me? I don't, I don't know what you want from me,
but I think they expect you to kind of just make it up.
I can't, like this, this document is like my words. Like I'm saying that this
is what I saw and I have to do it right. You're absolutely right.
Well, so that's a whole nother interesting element.

(36:32):
Like if I was going to have somebody fill that out for me or even assist me
in that process, I would want that person to have the credentials to do that.
And I would also want them to have the skin in the game that if they committed

(36:56):
some sort of a malfeasance,
there would be an implication to that, and it would be an adverse impact to them.
So I want them to basically have an incentive to not lie on that application.
In contrast, what I see oftentimes is happening is somebody from the executive
management team will receive this application that needs to be filled out.

(37:17):
They give it to somebody in IT and they're like, hey, that's just the IT stuff.
Let the IT department fill it out, right? Because they think in their mind that
that is not risk that executives need to be managing. They think that's just an IT problem.
And then I have yet, okay, and I'm not going to cast aspersions across
to all IT people on the face of this planet.

(37:39):
I am just simply saying, I have yet to ever see a cyber insurance application
that has been filled out by either a business owner or by their internal IT
that was done accurately.
I agree. Yes. Yes. They won't admit it.

(38:00):
Whoever's in IT is not going to say, yeah, we screwed up on this.
So we're going to get a high premium, but I'm going to just be honest,
that's not what they do. It's unfortunate. Right.
And so then now the executive manager has to actually sign on that application.
Now, if they signed on that application, and of course it's their business,
right? So they're the ones who are actually accepting the liability.

(38:21):
Internal IT, they don't have any liability.
And the probability that they're going to be getting fired because of lying
on an application willfully, even after executive management finds out, is zero.
They're not getting fired over that. I've never seen anybody get fired over that, ever.
That's interesting. What are these people doing? enough.

(38:48):
Well, look, you and I have both been in enough spaces for enough years to the
point where I think we've seen a lot of companies make money in spite of themselves.
Yes. How are you still in business? Is this a front for the cartel?
I don't know what you're doing.
Well, it might not be that bad. Okay.

(39:09):
So let's pivot to kind of the final question here, which is how do we help
these people know how to find the right kind of help?
And I'll tell you, my ideas on it is, I've been doing the Breakfast Bites podcast
really since 2004 with the intent of trying to help people become more informed decision makers.

(39:33):
Because I think that if you correct the issue on the demand side,
where people who are procurement decision makers are not going to tolerate garbage service, right?
Incomplete. It's cheap, right? But it's incomplete.
If they know that $50 per month per server for air quote patching,

(39:54):
the server is horse hockey. Okay.
If that just immediately goes on their smell test is like, that is a horse hockey number.
You cannot possibly be doing an appropriate job at that price point.
Or you're using slave labor in some foreign country, which I don't really consent
to having them have admin access to my system. Do you know what I'm saying?

(40:15):
Like, okay, there is something that doesn't smell right about that.
So I've been doing this in terms of trying to address it on the demand side.
Make these people more informed decision makers so that when they see horse
hockey, they can spot the horse hockey and they can demand better services.

(40:36):
So what do you think is the solution to this?
I think that that's the solution. The reason I say that is a lot of risk professionals
struggle with trying to do the right thing because they're also fighting businesses
that don't know what the right thing is. They just know that they don't want to pay.
But if they have been educated and recognize in order for me to get quality

(40:58):
service, this is what it is, then it would make it easier for everyone.
Well, I think education is always the answer because when you know,
if you just choose to ignore it, hey, that's a choice. But if you didn't know.
So I do think the education is the way to go. I think that's very impressive to go for demand side.
There's a term that you should come up with, but some type of demand side solution.

(41:20):
So people are educated about what they can expect, the level of quality they can expect.
And not only about small business or risk, but even with their own data privacy.
Like, there are some things that they can definitely expect.
And if you can't get that from your, whoever you're buying something from,
like you can go someplace else with people who care about your data and care

(41:41):
about where your data is going.
Because every time I've worked with an organization that is either recovering from
a breach or has been hit by a breach, it started with a beacon among the employees
that the employees were getting breached first.
So the at data privacy, like it's a doorway. Once you get to the CFO,
it's just one or two hops and you're in an organization.

(42:03):
So, you know, those individuals are educated about their own data privacy,
like where are your emails going?
When you bought this product, you know, and it was a sketchy website,
all those types of things, you know, I think education is the way to go.
Yeah, I had to recently have a conversation with some managers of a company
to try to get them to be willing to alter some long-standing business processes about

(42:30):
inappropriate asking of employees for their logon passwords so that those could
be put into an Excel spreadsheet on a server.
And I ask the question, okay, how exactly do we hold people accountable for
what's happening under their user account?
Well, in that context, you don't, right?
So it's like all of this stuff is, you know, more often than not,

(42:55):
I think it's not a technology solution. It's a people solution.
But it's not cyber awareness, like that garbage.
It is not that because I would rather pull my eyeballs out than go through like
just general awareness training.
The types of things we're talking about where, you know, here's the problem.
This is where we want to be. There is a gap. How do we I need those types.

(43:17):
I need to be able to make mental connections. This click click and watching
this cartoon do this thing.
I just want to slip my wrist. Well, for what it's worth,
I think that both things are of supreme levels of importance because I don't
personally want to be doing a weekly cybersecurity awareness training for 7,000 people.

(43:40):
That's why we have tools that deliver that, and it can gamify it, and it can do scores.
If you use the right system, there is really high engagement,
and I have seen it improve people's awareness quite a bit. However,
there is no digital substitute for what a CISO can do.
Yeah, because what I'm talking about is all the gamification, all that's fine.

(44:02):
It's the scenario has to help them make a new mental connection so that they
know when to bring that new learning forward.
When do I do this? And so in what scenario, how should I change my behavior?
Because awareness, everybody's aware of everything.
But what triggers in your mind that you're going to change your behavior?
I think that's critical. And I think often that's missing with just awareness.

(44:25):
I know the answer to that. And the answer to that,
the question you just asked, the answer to that is that you value the security
of the organization's information security risk management program.
You value that and the quality of it and the company policies and the fact that
the company needs to stay in business.

(44:46):
You know, you value that higher than your own convenience.
Yes. And I think that has to come from the top down. So, like,
I think all organizations, when they listen, their mission and their vision
in there should talk about security, not only of their organization,
but of the employees, because that's what we're trying to protect.

(45:07):
We're trying to protect people. Right.
I don't know why people sidecar. No, no, no. This is the key.
Protecting that identity because if you're not you, what does that mean?
If you're some goddess in Tel Aviv, Barbados, Mexico, what does that mean?
So we're trying to protect people and I think they should bring that to the forefront.

(45:28):
I think you're absolutely. Yeah, and your point about it being at the top, I
mean, oh, oh my goodness. This is, I think you just, it's just, that's right there.
It's one of my hot buttons, right? Again, because how it's, so one of my, one of
my employees said this to me, one of my security engineers said this to me,

(45:48):
He said, when the executive management
team wants different rules for themselves than for the employees,
it's like Congress creating all kinds of exemptions for themselves that they
don't allow for us peons, us tax livestock.

(46:09):
Right, right. Absolutely. And then he says, no wonder Congress's approval rating is 14%.
What kind of leadership and loyalty does executive management inspire in the
employee base when they're like, well,

(46:29):
we're going to have these restrictions for you guys, but me,
I'm the executive, I'm going to do whatever I want.
You know, it's okay that my executive assistant has all
of the executives' passwords on a sticky note on her desk, like
it's okay, like this, we're doing top stuff up
here, top level, top level stuff. Yeah. Whereas, like, I can tell you my attitude

(46:50):
is I recognize that I am a bigger target. Yeah. And so therefore I feel that for
me it is a stakeholder management, stakeholder being my clients,
myself and my family, my employees and their families, our vendors that we buy from, right?

(47:13):
You know, good stakeholder management is that I acknowledge that I'm a higher
risk profile because I'm a public persona, you know, because I'm,
you know, I own the company.
I am a higher risk profile than my executive assistant.
Okay. Okay, so I am willing to be more inconvenienced by having more technological restrictions on me.

(47:39):
And that does mean that I end up having different containerized places where I do different things.
And the fun part is that I just recently had the conversation with another
executive member at an organization where the verbatim words that this

(48:01):
person said to me was that if it means I'm going to have to have two computers,
that is too much inconvenience and I'm not going to do that. So, so that's what I'm saying. It's like,
something is simple, and you know it's not expensive to have a second computer,
nor is it expensive to, oh, when I need to do those super, super secret things,

(48:23):
whatever, I'm going to remote into this other box to do that.
Okay? That's not hard, nor is it expensive.
Okay? But it has a huge positive impact in terms of risk reduction.
Absolutely. Absolutely. But here's this person telling me that they,
you know, that's too much inconvenience.

(48:46):
Just absolutely unwilling to even have a conversation to consider that that
might be the best thing for risk management for the organization.
Right. Right. That's upsetting.
Well, you know, so as a CISO, it's not a lot you can do with that particular problem.
Well, there's some things you can do, but nobody would like you after you did them.

(49:12):
I love the fact that if adversaries really wanted to have a lot of fun,
they should just reach out to us because we know the idiots that should be attacking.
Leave these people alone, but that one right there, have at it.
Yeah, yeah. Those people over there, they need a lesson right there. Yes. Yes. A lot of them.

(49:33):
So, so what other tips do
you have for business decision makers
that are trying to find the right
help, whether it be vCISO
help or, like, IT service provider of, you know, IT projects, IT implementers, remediation,
that sort of thing? Well, I would say above everything you really want to find

(49:57):
someone, or even a group of people that aren't only about cybersecurity.
Because cybersecurity is just one thing. You really want people who care about
a holistic view of your organization and helping your company from a holistic standpoint.
Or you're going to get people that keep throwing cybersecurity tools and products

(50:17):
and things, and often that's not the answer.
Sometimes that can make things easier, but for the amount of work and preparation
and care and feeding to deal with that thing.
If you're not willing to cut the light off when you're done at the end of the
day, buying a device that dings
to tell you to cut the light off probably isn't going to work either.

(50:38):
You just put the hat on the head, like, cut it out. So I
would just say find people who have a holistic view, even
if you have to bring a group of people together to give you a full
view of what's possible, and then, like you
kind of mentioned, make sure it incorporates educating your staff so that they
can care about your company too, because they're really the last line of defense.

(51:01):
Yes, right. You can buy all the things, check all the boxes, have all the vulnerability
now, like, everything you want. If you have somebody sitting there that has no idea
of what you're trying to do in terms of your risk strategy, it just
gets real bad real fast. Oh yeah. Well, well,
so, I mean, prime example of that is, you know, Bob

(51:22):
receives a call. Bob gives the bad guy
his password, like, oh yeah, yeah, here's
the TeamViewer connection information. I don't
know who you are, you know, but I'm gonna give it to you, to my computer. You
know, he said he's from the help desk. What help desk? I don't,
I don't know. It's like, and then, and then,
you know, can you approve that push notification for

(51:43):
me on your phone? Can you do that? You only
have to do it once, and I'm gonna send you a call as soon as you do
it. I'm gonna send a call to prove that I'm me. So when you hit the push and you
never get the call, you're just glad that you're done talking with the guy and
just go on with your day. And just like, are you serious? Oh yeah, that's real. I
was with a group that someone from the board of directors sent an email alerting

(52:06):
them that one of the servers had been hacked.
And so they wanted to get the password so that they could log into the server.
And so this email went out to like all the domain admins or whatever.
So one of the domain admins responded like with the password to the server.
And immediately the CISO responded with, are you effing kidding me?
Because it wasn't from the board of directors. It was like some spoofed email.

(52:26):
And I'm just looking at this, like this happened so fast.
And they were, or adversaries in the server were like, oh, my God.
And just spread wildfire throughout the organization.
And I was just like, oh, in less than 10 minutes, it was bad.
Well, I mean, so where was the smell test that said, even if the board of directors

(52:47):
is asking for that password right after hell freezes over? And my question,
how did I get on the email?
You know, but this person was like. Danny, 22.
And I think some of that. So in the defense of not only employees in general,
but people in cyber, there's just so much work and it's just so much stress and anxiety.

(53:11):
We have to allow them to slow it down so they can pay attention.
There's another aspect to that, too, which is and I've tried to counsel a lot
of executive management on this where it's like, you know, you guys are an authority.
If when you respond to something, you're responding overly for I mean,

(53:36):
just because you're an authority, what you say is already being delivered with
authority and forcefulness. Right.
That's already there. You don't need to get any louder.
OK, so so if what happens is somebody comes to you and they're trying to make
you aware of a major deficiency like, oh, yeah, you know, that HVAC system that we have.

(53:59):
Yeah, that's right. It's open to the Chinese hackers.
Maybe we should do something about that. You know, but then you have like the
facilities director that's like, I don't want to hear about that.
And then they get all emotional about it. They go to the executive team and
the executive team doesn't like conflict. So then they go back to I.T.
And say, don't talk to the facilities director about that. OK, wrong response.

(54:20):
Wrong. OK, now what they should have done is, you know, 1-800-FELICIA.
Oh, absolutely. You know, how can we handle this problem? And I would have said,
well, let's define who the resource owner is.
Okay, because the resource owner is the person who gets to define who is actually

(54:43):
authorized to have legitimate access to this resource.
And get them to make that decision, because having the HVAC system open to the
entire world, free willy, that is not a legally defensible option. We can't do
that, and it is literally, you're, you're

(55:05):
you're defeating your entire position of being a risk decision maker by saying
that that person's emotions are more important than the survival of the company.
Exactly. Okay.
And, and so what I find way too frequently is where executives themselves don't want to slow down.

(55:31):
They need to stop and take the time and say, okay, I have somebody telling me
here that there's a problem.
Rather than telling the person who's trying to fix the problem to go away,
that they're making this other person emotional.
No, no. I now, as the leader, I have to pull all them in a room together and

(55:53):
say, no, no, you guys are going to sit down and you're going to talk about this.
Okay. And if we have to get a mediator, we're going to get a mediator,
right? But somebody is going to get hurt. Somebody is going to be hurt.
And sometimes that means that the executive manager has to go be the one who's doing the hearing.
So they have to make the time in their schedule to go hear it.
But I find 99% of the time, that's not what's happening.

(56:17):
And so IT people who try to fix, try to fix, try to fix, try to fix,
they just get this campaign pain thrown back at them over a period of time where
it's like, it's going to be, no, no, that's going to hurt somebody's feelings.
No, no, we don't want to inconvenience that person or, you know,

(56:39):
whatever the uninformed decision is that's being made.
And it's really, it's a decision about making the human emotional problem go away.
It's not a risk management decision that they're making. Exactly.
Yep. What they've done is given the ability for the leadership individual or

(57:02):
group or whatever, given the ability for them to make the decision to that guy.
And is that what you really want to do? Like, do you really want to put everything
about your company with the HVAC guy?
He could be amazing. He could be smart. He could be all these things.
But if you don't listen to it for yourself, that's really what you're doing.
On, and that's, it seems obscene. Well, it,

(57:24):
you know, and in that example, the only thing that would have ever been required
is this: do you lock the door to the HVAC room? You do. Well, then we need to lock
the door to the HVAC to the internet. Absolutely. I mean, like, it's not different.
Absolutely, absolutely. A lot of, a lot of the risk challenges that we're talking

(57:48):
about, they just see it as one more thing when it's not. It's part of the fabric.
It's part of the tapestry.
And it's not if you do it. So it's not like if you have 10 things and you do
seven, that's good enough.
It's you do as much as you can do because it's never good enough. Right.
And I think they look at it the other way. Like we've done enough.

(58:10):
Like we can. OK, we're done. Like it's just a couple of things. It's like, no, no.
Whatever is available is going to be used. So you keep working at it.
You keep working at it. Well, and there's a new thing tomorrow.
Absolutely. Out of nowhere. Right. So if you don't stay on top of it,
your list of things you need to fix just keeps getting longer and longer and longer.

(58:32):
You know, you were talking about the fancy tools.
You know, I did a webinar on the cyber maturity defense model a month or so ago.
And one of the things that I talked about in there is that I really
would like people to stop spending money on shiny objects when
they haven't actually fully utilized what they've already got, or

(58:53):
they don't know what they have. It's like, you don't need, right?
Yeah, absolutely. Yeah, and it was, that was just, it was basically what you were
saying there. It's like, you know, so many of the problems that an organization
has can be fixed with policies, processes and people, and it doesn't always mean
new fancy technical controls.

(59:14):
Absolutely. Absolutely. A hundred percent. I would say at least,
you know, 60 to 70% of what you have to do is, you know, everything you have
and you know where it is and you really know who's using it.
Like, you have identity. Now you're, you are in a really good spot.
Now is what you were talking about is that constant pulse of the new things

(59:34):
that are going to pop up that constant pulse of looking at vulnerabilities,
that constant pulse of you planning for the future and what do we buy? Is that still good?
What's the end strategy of it? So once you get that, you know what identity
looks like in your organization.
Often organizations haven't even defined identity, what it means to have an
identity in an organization.

(59:55):
But once you get that down and you know what your assets are,
because data is an asset, people are an asset, you've gone a long way.
And there's a lot of work there that people aren't doing. They're just buying the
new shiny thing. What, you know, on
the identity front, uh, one of the things that has always
just rankled me was this question on the cybersecurity insurance

(01:00:15):
applications where it says, you know, do you have MFA? And you
know, and it's like some sort of, you know, generic, ridiculous question like that.
And the question I ask is, do you even know what all systems people are logging
into? Because if you don't have an inventory of that, you certainly can't go and
find out whether or not MFA is enabled there.

(01:00:39):
And I can tell you that I continue to run into situations where I'm trying to
work with somebody to get them off of some sort of massively horrible legacy technical debt,
some junk running on a 2003 server. I mean, super bad, right?
And the new thing is a SaaS application. And then you look at the SaaS application

(01:01:01):
and it doesn't have MFA. I know!
First person that ever even said
to the software company, so what are you going to do MFA on this, right?
Right. Right. It's heartbreaking because I don't know.
Software, you know, software is like a swear word for me.

(01:01:27):
Oh my goodness. So many things come into play. So absolutely.
You know, like my switches, you know, my network equipment.
I love these things. They do what you expect them to do. But software? No, it's a swear word.
We just throw things in the bag and shake it up. Whatever you get to look at.

(01:01:50):
Well, but, you know, back to the whole SaaS thing, like, what is the third
party information risk management vetting process for a new SaaS application?
I mean, I would think it would need to be in the contract with the SaaS vendor
that you will have multi-factor authentication and you have to have a global
enforcement option, too, which is that like this.

(01:02:10):
This shouldn't be like a thing you have to turn on individually for every user.
No, no. Enforce. Enforce.
And there's got to have, you have to have a way to be able to have an automated
report generated from that system, like on a weekly basis.
So you can audit it. You've got to have the stinking audit process.
But it's like, I continue to encounter these SaaS platforms that don't have

(01:02:35):
the most basic functionality and requirements in there.
Huge database SaaS vendors who don't have any methods in there for like data retention.
Like, okay, we set a data retention policy of we don't need anything older than 10 years.

(01:02:58):
Okay, well, where's the process by which we can just run this once a year and
it scrubs out the old data and we do something with it or we inspect the old data or whatever?
The other one totally floors me. See if you run into this one.
So you got a company who needs to have a way to know the quantity and type of

(01:03:23):
records that may be reportable in a breach.
But then the SaaS platform has no mechanism whereby you can regularly with an
automation get those statistics.
So your reporting thresholds are, like, in some states for certain types of data,
it's more than 25,000 records.

(01:03:45):
Sometimes it's more than 200,000 records of whatever.
So whatever that threshold is, ultimately, at the end of the day,
you have to have a way to know what was the quantity and type of those records
that we think potentially could have been breached.
And if the expectation is that I'm going to be able to do that scan after the

(01:04:07):
system's been breached, well, the reality is the system may be ransomware and it's offline.
You can't get that data anymore.
So what do you think? I agree because there was one application situation where
in the documentation, they said they didn't collect any protected information.

(01:04:30):
However, one of the vendors that we needed to engage with, I think may have
been either in healthcare or something.
The organization was not, the SaaS product was not, but because we started interacting
with the healthcare organization, there was a type of data that then became protected.

(01:04:51):
This software company could not figure out their, you know what, from their elbow,
to help us quantify what we were looking at in terms of the amount of risk and
the processes we would then have to structure for that particular vendor that
we started working with. It was ridiculous.
And so do you rip it out? Because you have other providers in there,

(01:05:14):
too. You have other services in there, too. Like, what do you do?
And so I think you're absolutely right about that. Often, I think these SaaS
application companies, they're going after a certain target audience and security
is not on the list because they want to get it out cheap, fast and in a hurry.
Yeah, it's called minimum viable product,

(01:05:35):
except, except their definition of minimum viable product and mine are this far
apart. Even the terms they use sometimes I don't understand. This one company,
just how they use the term product, I was just like,
That is a very colorful way to use the term.

(01:05:56):
That is not a product. Like, I don't know where you get, but this is not.
So I think they do everything they can.
So, you know, how do we fix this problem? And to me, the only way that I've
seen that it really, really gets fixed is if everybody in the company that has
procurement authority is going to pump the brakes and say,

(01:06:18):
we will not adopt any technology and we will not sign a contract to acquire
technology unless our CISO has signed off on it.
And then you have, you know, a tipizarum process,
basically. And do you
have MFA? Do you have a way for us to generate these
reports? You know, whatever it is, right? The CISO. Yes, the

(01:06:40):
CISO's got to look at that stuff and specify those things, and then that crud
has got to be in the danged contract. It's got to be in the contract, then you
sign it. I'm having like a little tiff with a lawyer because they don't
understand the implications of what they're about to sign.
And I feel bad for them because they're looking at, is there some exposure here

(01:07:03):
for my client? And it's like, no, no, no, that's the wrong question.
Can your client absorb the risk?
That should be the question. And so it's like, yes. So let me give you an example.
We installed this application. It does this, this, and this, blah, blah, blah.
But let's look at the life cycle of that system in your organization.

(01:07:23):
Often attorneys don't look at that.
Not just when you bought it, if there's risk there. Let's look at the end-to-end
strategy of this thing and all the different points of risk.
You got to look at the whole thing because I want the contract to specify at
each and every point who's responsible.
What do we need to come forward with? At what timeline?

(01:07:44):
Like I need to know those things because as I implement this,
I don't want to be on the hook for doing the big bad thing.
Like we need to square this away up front. And they're like, oh, well in general.
No, no, no, don't "general" general, because when we have a cyber attack it's not
going to be general. Let's be specific.
So usually I have to take the whole document, dump it in Excel,
have a whole what do you call it, governance committee or I.T.

(01:08:05):
Steering or whatever it is, everybody needs to look at this.
Who's responsible, who's accountable, who's going to execute on this thing and what frequency?
When are we going to check it? How much does it cost? Who needs to be involved?
What is the benefit? And as a result of all these things, is this that you're
looking at in the contract adequate?
I could take a contract that's seven pages and turn it to 39 like that. Like that.

(01:08:27):
Just when everybody takes a look, like take a look. Your department's about
to get hit with this thing.
When you read this paragraph, is this what you expect when you look at this?
And they're like, well, what about this? What about this? What about this? What about this?
You have to do it. You have to do it. Right. Because you can't clean up that mess after the fact.
It's too late. So often those software packages are hard for them to get in the door.

(01:08:49):
And that's how it should be. Because once they get in, they run rampant.
And then if it's difficult to manage them, then IT, and I'm not going to say
all IT groups, but often it gets on the back page and it never gets touched.
And now you have this vulnerable system in your organization.
Well, so I got another example for you to kind of contrast the necessity of a vCISO

(01:09:14):
versus just relying exclusively on internal IT. So I encountered a situation
where internal IT is sitting there for like 16 years with this server and this
legacy system and stuff.
And it's this super mega business critical thing.
And internal IT does nothing with this system. I mean, yeah,
they maintain it. They back it up.
But really, you can't have any endpoint protection on it anymore because it's too old.

(01:09:39):
It's massive amounts of technical debt. It's got massive amounts of software
vulnerabilities. You can't really secure it. I mean, it's just a cluster, right? Right.
OK, well, I go and I look at it and I talk to the data owner and I just
understand what is in this system.
And they're like, oh, well, it's this type of data. And I'm like,

(01:10:01):
well, why don't we just do this with it?
And it just like instantaneously, it
didn't take me but five seconds to come up with a solution to leverage an existing
technology that the company had that could have taken all the data that they
cared about and put it in a fully supported modern platform that's secured.

(01:10:24):
Okay. So I think that's something else that's really key pivotal that a CISO
who knows like, you know, business processes can do is they can look at these
things that, that IT just doesn't make that time to look at and to deal with.
Yeah. They were told no, and they just leave it like that. Or even just to have
a plan, like plan in place.
If this machine should go down, what would that look like? Once I have that plan, okay.

(01:10:47):
If we had to execute this today, where would that money come from?
Okay. You got that answer. So can we get started?
Why would we sit here? We've done this thing. We're all looking at the same thing.
Shouldn't we get started? Because we've looked at, it's taken us like two,
four, six weeks to come up with this plan of what we would do if this would
go down. Why would we wait?
Can we start? And they're just like, well, I guess. I guess we can do a little

(01:11:10):
of this, a little of this. But it's been sitting here for seven years.
Right. We'll get to it. It's like, no, the point is today. Right.
Well, that's also part of the push-pull that oftentimes happens with most of
internal IT is getting slaughtered with support tickets.

(01:11:31):
And when support tickets are their primary function, that's all that they're paying attention to.
And again, I'm not denigrating internal IT. It's just you've got competing priorities.
And this is exactly the same reason why a lot of times they're not patching
things effectively or they're not doing proactive management effectively.

(01:11:53):
Effectively. And it's because, if they have to do support tickets,
whose primary responsibility is it
to actually maintain the security posture of the systems? Exactly.
Yeah, right. And that's a good point where a vCISO could come in, because, you know,
if I walk into an environment, and it happens a lot, where I'm saying, like, you
know, 10,000 support tickets, the very first thing I want to do is let's strategize

(01:12:14):
and bundle these things and figure out this 10 of these tickets how can we fix this forever?
What is this thing? Because I'm tired of seeing this type of ticket. Like we need to fix it.
This is a problem in the organization, and figure out how to make that kind of
project tie up instead of us just throwing spitballs at it.
Let's resolve it. Right. Is it education?

(01:12:36):
Is it a different system? Like what is the thing? Is it something that we're not understanding?
Like what's going on that all these tickets are coming through and try to figure
that part out. So I think when everybody's coming in, just pressing their key,
nobody looks up to say, if we take a holistic view of this thing,
how can we improve the environment?
So you just made me think of something else that I've observed is crucially

(01:12:59):
valuable is the, again, the slowing down, let's pump the brakes,
let's make some time for these strategic planning meetings.
So I love to go and meet with managers of business units and find out,
what do you need? What are you grumpy about?

(01:13:20):
What's your business processes? How are you doing this? How are you doing that?
Right. And then why do you do it that way?
And they've got to make the time for those meetings.
And oftentimes, if I'm doing a training session, I'll just start asking them questions and things.
And then, you know, you go down the rabbit hole of like, oh,
well, I had no idea. Right. Right.
And I found, you know, $250,000 worth of savings in a meeting just because I

(01:13:49):
get to know that this is the way that they've always done it.
And everybody else who was ever involved in that particular business unit or
that process, it's like, well, you know, they're paid to come to work every
day to do that job, to do that process.
Yes. Right. And so that's their
managers tell them, this is how you do it. Versus me, I look at

(01:14:11):
it and I'm like, we have a better way to do it. Can we
please just have a discussion about the better way to do it? Let me
show you this one thing. Instead of you spending 45 minutes to do this, there's
a box here that you can click and it'll do that for you. Like, you can keep
doing that, it's up to you. I'm just telling you this. Right. That's great. Oh, you're cute when you do that.

(01:14:36):
Because I don't want people to feel offended.
Like you don't have to do it. You can overwork if you want. You can put an extra
four hours in your day. It's totally up to you. I'm just saying that you may want to,
you may want to do it more easy, you know? Some people like hard things. I get it. But just say.
Oh, yeah. Oh, yeah. People do like hard things like, you know,

(01:14:59):
like, hey, let's print out this stuff.
Have somebody fill out the paper copy. Then we'll scan it back into the system.
Then we'll send it over to this office. Then they print it again.
And then the people at that other office, they put it into the computer system.
I mean, like, I'm not even kidding you. This was a thing, and my head almost left my shoulders.

(01:15:20):
If I have to do a manual process more than a couple of times,
I'm immediately thinking, how can I automate this? There's got to be a way.
This can't be how this goes. I can't do this. It's got to be a little way.
Okay, well, good times. Do you have any parting words for us?
I could talk to you for hours. We should do something else. Like,

(01:15:42):
this is great. That's it. Oh, I think we've already picked out a topic for the next podcast.
Okay, what are we doing?
I will bring you up to speed on that later. But for now, for now,
thank you so much for being on the Breakfast Bites podcast. The InfoSec Rabbits approve.

(01:16:05):
I can envision them all sitting around like this long table.
Oh, yeah. Well, you know, it's the Knights of the Round Table. Yes, yes.
That's fantastic. That's great.