Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
This week on the Art of Improvement, I'll be talking with Will Sweeney. He's the founder and managing partner of Zaviant Consulting. Have you heard of AI? Is your company allowing you to use it? Will and I will be talking about the importance of companies keeping their employees aware of deepfakes. That's a concept where AI produces very convincing sounds, images, and even videos to actually
(00:23):
pose as real people. It's all possibly to steal information. My conversation with Will is coming up next on the Art of Improvement. Thank you so much for listening to the Art of Improvement. My guest today is Will Sweeney. He's founder and managing partner of Zaviant Consulting, a company that focuses on improving
(00:48):
security systems. Is that correct, Will? Yeah, exactly. We focus on improving security and privacy maturity of organizations that process sensitive and regulated data. When you say that, I kind of just go "what?", because I work for a large company and we get weekly, if not, you know, twice a week, emails telling people to be careful when it comes
(01:14):
to emails or to clicking on things. But inevitably people within the company continue to click on things that sound too good to be true or sound like it's something that they should follow up on. I don't want to say "why is that?", but why is that? You know what's really interesting, I think
(01:34):
when people think of hackers and, you know, companies getting hacked and data getting stolen from companies, I think a lot of times they picture these very sophisticated attacks where someone, you know, many times probably overseas, they're picturing someone sitting behind a computer hacking away at systems for hours on end and months on end. The reality is phishing attacks like you mentioned, where people
(01:57):
get these emails, you know, asking them to click on things. That accounts for over seventy percent of attacks on companies. So the very common issue among, you know, security professionals, as anyone will tell you, is the user is typically the weakest link in your security architecture. So
(02:20):
these companies put all these really fun and exciting softwares and protections in place, and they spend a lot of money doing that, but the reality is the users typically end up being the weakest link and lead to most of the attacks. That is so sad, and I mean it makes me wonder, when I get one of the emails from our IT
(02:45):
department, to think, why do they keep sending these things? What the heck? You know, well, I don't get it, but obviously there's a reason they keep sending it. It's because people keep on clicking on it. And I mean, it's kind of sad in a way, but I mean I get it if people are really busy, or if they're really bored and want to see what it is. I guess that is human nature.
(03:07):
One of the other things that is just all over the news and all over social media these days is AI, and is that something that will just add more problems to security when it comes to tech? Absolutely. And I think, you know, you're seeing a lot of, even at the federal level,
(03:28):
you're seeing a lot of folks kind of getting out in front of the messaging as it pertains to AI and saying, hey, we've got to be a little bit more careful about how quickly we're rolling out some of these tools. And the reason is that it does pose some pretty significant risks to businesses and people. Where you've got the obvious things, where you've got disinformation
(03:49):
or the ability for someone to maliciously use artificial intelligence to distribute widespread disinformation. But then, you know, on a more sophisticated basis, you have machine learning and AI that can actually identify weaknesses in organizations' security architecture and actually expose those
(04:11):
weaknesses through pretty consistent and measured attacks where the software is actually learning what's working and what's not and then kind of pivoting into different attacks based off of what it is learning. And when you think about AI and the risk that it represents, I think there's just so many different things that, you know, you
(04:31):
can think of, and, you know, there's so many different things you can comment on there. But I really think that, you know, the risks associated with AI, I think at this stage we're very early in kind of understanding what they are, and I think people are also,
(04:51):
you know, typically very afraid of something that they don't understand. And so as these AI tools continue to proliferate, I think we're going to see more and more sophisticated malicious users using them in that type of a way. But, you know, definitely today there are some pretty obvious things that, you
(05:12):
know, companies are concerned about internally. So, you know, thinking about, as an example, what happened with Samsung, where some of their employees were uploading sensitive information, source code, to ChatGPT. You know, that information was being put onto these servers that Samsung really had no control over, and
(05:33):
who knows how that information could have been, you know, potentially used by a malicious actor or even exfiltrated from those servers and used in some other way that we couldn't even think about today. You know, when I started asking you questions about AI, I assumed that everybody knows what AI
(05:53):
is, and that may not be true. Is there any way that you can simplify what AI is? And how are companies using it? And how can you get... That's enough questions right now. What is it? And how are companies using it? Because I have a million more questions for you. Yeah, you know, a lot of what's interesting about AI is it's
(06:18):
really machine learning. Right? So when you think about AI, it's machines that are actually using information to kind of simulate how a human would utilize that information for some specific purpose. Right. So, I think the most common thing that, you know, people are familiar with at this stage is ChatGPT,
(06:38):
right? So you can go on Microsoft's Bard, or, I'm sorry, Google's Bard, or ChatGPT, and you can actually ask it questions and it'll give you answers, and in a lot of cases those answers are very accurate. I mean, they're understanding, using natural language processing, the questions
(06:58):
that you're asking and returning very humanlike responses to those questions. But the truth is that these algorithms, what they're actually doing is going out on the web and actually just consuming as much information as possible and then distilling it in such a way that when those questions are posed, they can respond in kind to those questions. And so thus when a company employee asks a question,
(07:26):
it's almost as if they are giving information to AI for it to learn things that it might necessarily shouldn't have learned. Is that... I don't know how to describe that. I mean, is that right? In certain cases, the information that these tools consume can be used to improve the algorithm to further refine
(07:49):
the responses to the questions, and in other cases, like in the case of ChatGPT, ChatGPT actually went out and did some scanning of the web, I think probably around twenty twenty-one or twenty twenty-two, and that's generally what it's using as its information gathering source. It's not actually consuming real-time information from people who are using ChatGPT. Okay, so
(08:13):
that's an important distinction. But, you know, you raise an interesting point here, because one of the complications that we're seeing is it's not clear to, you know, the companies that we're working with how these tools are actually protecting the information that's being shared with them. And, you know, data privacy regulations have really come a long way in the past, you know, five
(08:35):
to six years, where, you know, the GDPR, as an example, requires that these companies be able to identify and delete information that it's gathering from data subjects such as users of ChatGPT. And the argument is that, you know, they don't actually have the capability to go in and do that, and that information is within the algorithm; it cannot be deleted. So there's some
(08:56):
confusion there, I think, around both the security of the data and then also, you know, what are the regulatory requirements that are overseeing the usage of that data, and is that in agreement with what the law actually says that they can be doing? So, if it is impossible to stop an employee from clicking on something that looks like they won one hundred dollars, then how are you
(09:20):
going to stop people from clicking, or answering, I guess, taking a shortcut and asking GPT for the answer or how they should word an email? I mean, I don't understand how it can be stopped. The organizations that we work with have taken kind of one of two approaches. So on the one end,
(09:41):
you have companies who have said, you know, we completely outlaw and ban the usage of these tools, right, so they've actually built in security protections to prevent their employees from actually using those tools. So that's kind of like the nuclear approach, right, we don't want you using it at all. And then on the other hand, we have some of the organizations that we work with who identified that, you know, these tools can actually work to our
(10:05):
advantage in a lot of cases. So as an example, some of our clients are using these tools to go identify bugs in their software, and, you know, these tools are actually very effective at doing that. In other cases, some of our clients are using them to help them with marketing. So I think it really depends on the company which approach they're
(10:30):
taking. But I think what's important is, you know, if you're going to go the direction of letting people actually use these tools inside of your business, you need to educate people on how to use them appropriately. And then you also, probably for, you know, coverage purposes and liability purposes, should be explicitly outlining to them, probably more importantly, what they should not be
(10:52):
doing, and, you know, having them agree to some sort of an acceptable use policy around those tools so that they're not using them in a way that, as a company, doesn't benefit us or could pose a risk to us. Right, right. If you've just now started listening, this is Will Sweeney, founder and managing partner of Zaviant Consulting. Will, what does your company do?
(11:16):
So we do a lot of things. I think, in short, to sum it up, I would say we conduct assessments of an organization's security and privacy maturity. We then help them to build and design roadmaps to comply with information security standards and frameworks like ISO, or NIST on the federal side of the house,
(11:39):
and then on the privacy side, we help to design and build roadmaps to comply with data privacy regulations like the GDPR, CCPA, CPRA, and in the healthcare setting HIPAA, and then we help them maintain those programs on an ongoing basis, so our clients are prepared to discuss with their third-party regulators or auditors what they've done to comply with requirements and safeguard information systems and
(12:03):
data. I so understand, when it comes to healthcare or even financial services, it's self-evident how important it is to safeguard the information that each company has. But what would you say is something that even a small business should do
(12:26):
to protect themselves? You touched on phishing earlier and people clicking on emails. Training and awareness is such an important part of an information security program. So what companies are actually doing with those phishing simulations is making sure that the users within the business understand that this is a real risk and then helping to train
(12:48):
them on what they should and should not be clicking on. Right. So, training and awareness and phishing exercises are some pretty great foundational steps that any company can take, and they're not, you know, super expensive. And then from there, I think it's important to make sure that you have the right controls on the endpoints that you have in your business. And when I say
(13:09):
endpoints, I mean laptops, desktops, mobile phones. Make sure that you're actually putting some information security controls around those systems, and you're using some sort of a software to actually protect those systems from, you know, known attacks and known areas of weakness. Those are some pretty basic things that, you know, for some of the smaller organizations we work with, we almost always recommend.
(13:33):
And then from there it really kind of pivots into, you know, what kind of data are you actually processing, and is it regulated data? And then, you know, typically from there you'll kind of align that organization to some sort of information security framework which outlines all of the different controls that they should be implementing. So are you available nationwide? I know you're in Philadelphia,
(14:00):
right, but can any company contact you, and how do they do that? We are, yeah, so we're based in Philadelphia, we work all over the country, and some of our clients also are international. So very available to help and discuss these topics. We can be found at Zaviant dot com. So it's z-a-v-i-a-n-t dot com, and I'm on LinkedIn as will
(14:26):
dash Sweeney. So I would love to connect with any of your listeners who we can, you know, kind of help with some of these areas. It's sort of like, I even hate to bring up the whole COVID thing, but when COVID happened, everybody stayed at home, and work and home suddenly became one. And do you think that that created more problems? Even though
(14:50):
people love being home. I mean, I can see how somebody would be shopping on the same laptop they would be using to, you know, put in messages that should not be shared. I mean, has that been a problem all this time? Yeah. And, you know, some companies really struggled at the beginning because they weren't equipped to go remote, and they also weren't equipped
(15:16):
from an information security standpoint to allow their users to do that. And then you have all the other risks that come with that. Right? So when you're in the office, you could probably put some controls in place to prevent someone from, as an example, you know, sticking a USB drive into their computer and pulling a bunch of information off. But when somebody's at home and they're in an environment where you don't have those controls in place,
(15:39):
it's really difficult to prevent, you know, that type of exfiltration of data. So it's something that absolutely, you hit the nail on the head. Since COVID, the problem space has gotten much larger, and companies are continuing to work remotely. I think at this stage the software products have really caught up
(16:02):
to that type of a work situation. But in the cybersecurity space, we've got a huge shortage of trained professionals that can actually go out and, you know, build those controls and build that framework for companies. I think I saw the other day there's something like three point four million people. We're three
(16:26):
point four million workers short of where we need to be in terms of cybersecurity, and that problem continues to grow. And as the environment changes, and something like work from home, you know, when you have, you know, really two things happening at once, where the problem space is growing and we have a shortage of workers who specialize in this area. You know,
(16:48):
it kind of compounds on itself, where the risk goes, you know, way, way up, right? And we've definitely seen that over the past several years. I'm sort of embarrassed to ask you this, but I'll ask it anyway. So I love talking about computers. I love, you know, learning about them.
(17:10):
But when I hear there's a cybersecurity job open, I think, oh, yeah, that's something that I would never be able to do. You might need to know math, which I don't know. How does one? I mean, honestly, a lot of young people aren't even going to college these days. And is this something that you need a degree for?
(17:30):
Is it? How would you get one of those jobs? And do you have to be proficient in math or something else? Yeah, a really important question. So actually, earlier this year in March, the White House released what they refer to as their Cybersecurity Strategy or Cybersecurity Directive, and a big part of that was around training the next generation of the workforce. And
(17:55):
what we're seeing in cybersecurity is, you know, definitely those degrees are very helpful, but there's starting to be quite a bit of free training. I think I read the other day that for the first, I think it was, hundred thousand folks who signed up for CIS training, computer information security training, it would actually
(18:15):
be free. So we're starting, we're starting for sure to see, both at the federal level and even, you know, in private business, a real reinvestment back into growing the cybersecurity workforce. And it's a really important thing that we need to do, not just for the industry, but as a country,
(18:36):
because again, you know, being that we are, you know, operating with some international risk here, it's really important to protect our infrastructure. And, you know, that training is very, very important. We need to get more folks into the workforce, and I think companies are also seeing that it's not realistic to think at an entry level you're going to get somebody
(18:56):
with three to four years of experience in this particular area. We're going to have to, you know, as businesses, reinvest in training folks and get them up to speed and up and running, because there is a pretty steep learning curve here, depending on, you know, where you decide to go within the cybersecurity industry. That's amazing. That is such good news. And I'm sorry I'm not talking about your company as much, Zaviant, Zaviant Consulting,
(19:21):
Zaviant Consulting, but this is something like really important for people, because I think that so many young people... I have twin daughters that are about to turn twenty, and they feel like, what are we going to do? You know, what is the future, what jobs are going to be available? But if you're thirteen million people short in an area that is growing, it
(19:47):
seems like a smart move for young people to look into that, or old people, it doesn't really matter. Totally agree. And, you know, as context, for Zaviant, we are, you know, very heavily recruiting, and for our business, we understand that it's going to take time for us to get someone up and running, and we forecast somewhere between nine and
(20:11):
twelve months before someone is really functional. So I would encourage anybody who's really not sure about where they want to take their career to really evaluate cybersecurity as an option. It's a huge, growing field. There's a ton of opportunity, and companies understand that you're going to come in, you're going to have to take some time and learn. And again, I mean, just to reiterate, companies,
(20:33):
and for national security purposes, we really need more talent kind of flocking to this particular area. It's so funny, because when you talk about cybersecurity and the government, there really is no Republican and Democrats. It's something that, I guess the thing that comes to mind is that big Chinese weather balloon that was
(20:56):
flying over America, and I was thinking, why isn't anybody figuring out what this is? And even though that's something we can see with our own eyes, I can only imagine the things that could go on undetected if people are clicking on one free month of Disney Plus. It just baffles my
(21:21):
mind. You know, I don't want to go on a tangent here, but in my view, modern warfare is really not fought on the battlefield, you know, it's fought over, it's a cybersecurity, you know, battle. I mean, these countries are attacking us all the time. You know, we're doing what we need to do in turn, but, uh, you
(21:42):
can imagine it's much more dangerous to be able to take, you know, critical infrastructure offline, where a country can no longer power its homes or power its businesses, and the impact that could have on the local and even national economy. You know, that cybersecurity landscape, and that cybersecurity warfare, in my
(22:03):
view, is, uh, you know, potentially way more dangerous than what we experienced in prior, you know, warfare where it was typically fought on the battlefield. You know. So you're right, it's definitely not a partisan issue. Everybody agrees that we've got to continue to improve, and we've definitely seen over the past several years where
(22:26):
the lack of controls and the lack of protections we have in place has impacted us both on the private side and on the public side. Absolutely, hear, hear. I agree with you. We are at the end of our podcast, but I do have one more final question, and it's going back to math, which I'm horrible at. Like, what type of mind
(22:51):
set do you need, or what sort of skills, or what do you feel like people that are going into cybersecurity tend to be smart at? I know that's a dumb way of saying it, but do you know what I mean? What are they able to do? Yeah, it's, you know, it's different for everybody, and I think that that's what's encouraging to people who are trying to enter the
(23:15):
field, is if you're smart, if you're hard working, if you are eager to learn, I think there's something that you can carve out for yourself here in the field. And I would say that there's many different paths that you can take. There's folks out there who are doing ethical hacking, and then there are folks out there that are writing information security policies,
(23:37):
and there's everything in between. Right? So in terms of, you know, if you were looking at degrees, I would say, uh, information security is an obvious one. Computer science. There's engineering involved here if that's something you're interested in. There's, you know, softer skills like consulting, that, you know, kind of where we sit in the marketplace, is bringing a governance, risk and
(24:00):
compliance focus. But I really believe that there's something for everybody if you're willing to put the work in and you're willing to learn, and, you know, stretch yourself and put yourself out there. Fantastic, Will. We're at the end, but please tell people how they can get in touch with you. Absolutely so, and thank you again, Karen, for having me. I can be reached
(24:22):
at zaviant dot com. So z-a-v-i-a-n-t dot com, and I am on LinkedIn as will-sweeney, and I look forward to connecting with your listeners. Thank you so much.