Brian Johnson - CFH #27
Cyber For Hire (Audio) | July 25, 2023 | 59:58 | 137.24 MB

Try as they might to keep their clients in compliance with privacy and security regulations, managed services providers are still at the mercy of the organizations they serve. Unfortunately, companies don't always follow the MSSP's or vCISO's advice on items like responsible data stewardship, privacy policies and breach notification. If an attack does transpire and the company draws the ire of regulators, the security services provider could end up a scapegoat, or even embroiled in a liability case. This Q&A discussion will look at what recourse an MSSP or vCISO service has when its customer fails to make basic compliance a priority. The consequences of a cyberattack can be devastating, and it does make sense for managed security services providers to impress on their current and prospective clients the risks of not investing in prevention and response. However, many cyber thought leaders believe that certain lines should not be crossed. Advice is one thing; fearmongering is another -- and if you pursue the FUD angle too hard, you may simply come off as a predatory opportunist looking to push your services on the customer. This discussion will reveal how to convey your message and market your services in a way that doesn't exaggerate existing threats and turn off your clients.

Show Notes: https://securityweekly.com/cfh-27

[00:00:00] Noncompliant clients: righting the ship before regulators pounce. And beware FUD: avoiding fear tactics when selling your managed services. That and the latest news and trends in the managed security space, coming right up on Cyber For Hire. Building bridges between managed security providers and their clients,

[00:00:24] it's the podcast where MSSPs, vCISOs and end users take a united stand against cybercrime. This is Cyber For Hire. Struggling to monitor the growing threat landscape? Pressure to reduce costs, security skill gaps, facing compliance issues? These issues can translate to operational, financial, regulatory

[00:00:47] and reputational risks to your business. Check Point can help. Check Point combines an MSSP Enablement Program, cloud-delivered multi-tenant management, SOC platform, and superior threat intelligence capabilities to give MSSPs the confidence to grow profitably at reduced risk. Check Point is 100% channel-driven. We partner to deliver the best security everywhere.

[00:01:13] Visit MSSPAlert.com/checkpoint. All right, welcome, friends, to episode number 27 of Cyber For Hire. How's everybody doing today? I'm Bradley Barth with SC Media in New York, and joining me today,

[00:01:29] just an hour and a half drive away on I-95, is my guest co-host for the day, Jessica C. Davis, editorial director of Channel Brands at CyberRisk Alliance. That of course includes MSSP Alert and ChannelE2E.

[00:01:45] Jessica, you know, we're going to be talking about FUD a little bit later today, fear, uncertainty and doubt. And I always like a good metaphor, so I'm going to actually lay one on you here to start the episode.

[00:01:57] I just a couple of days ago ended up going to the dentist. And when I was there, the hygienist that was there decided that they wanted to take all these pictures of my teeth.

[00:02:08] To show me that, oh, I was developing certain cracks in some teeth, and oh, my goodness, like these could wear down and ultimately result in my teeth losing their structural integrity. And, you know, maybe they'll fall out, you know, I'm grinding them down.

[00:02:25] And I'm not exaggerating even all that much in terms of what they were warning me about. And they were like, you know, we want to put sealants in 11 of your teeth.

[00:02:35] And I'm like, well, I was here six months ago and I'm sure these cracks didn't all develop in the last six months. So why now all of a sudden, do I need sealants in 11 teeth?

[00:02:44] And they were just sort of like, so like, I feel like that was almost an example of FUD right there, where they were basically trying to scare me. Now maybe I'm wrong and my teeth are all going to fall out in the next six months.

[00:02:56] But I'm curious, has anyone ever tried to use FUD on you on any aspect of your life? Well, sure. And, you know, building on your dental metaphor, I can remember when I was much younger than today,

[00:03:10] and they were telling me, oh, your wisdom teeth, they're malposed, which means they're crooked. They need to come out. It's going to be a problem later in life. But here I am, much later in life, and I still have those wisdom teeth. No problem at all.

[00:03:25] But they're telling my teenage son now that he needs to get his wisdom teeth out for the same reasons. So, and his case is much different than mine, which was fine. So we'll see what actually happens and what my son decides to do. Plumbers are another one.

[00:03:44] Also had issues with that as well. You know, always great to get a second opinion about these things. And I would recommend that to you Bradley. Go see different dentists and find out what they say about it. A good idea, a good idea.

[00:03:59] It looks like, though, that you actually showed some wisdom by keeping your wisdom. At least so far. More banter a little bit later in the show. But first, some news just can't wait, which is why we want to share what's top of mind today.

[00:04:13] So here's your headline, courtesy of SC Media and MSSP Alert. Microsoft, CISA, and the FBI have issued warnings about a cyber-espionage group targeting Western European and US government entities, plus any consumer accounts associated with these organizations, with a data exfiltration campaign.

[00:04:34] Now, Microsoft attributes the activity to the China-linked APT group Storm-0558. The adversaries carried out the attack by leveraging forged authentication tokens in order to access user email via an acquired Microsoft account customer signing key. While governments were the target here, this tactic can obviously be used against companies

[00:04:57] from any sector. Microsoft said it successfully blocked Storm-0558 from this attack moving forward, meaning its customers don't have to take any further actions themselves unless they've been contacted about being victimized. Still, SC Media's Steve Zurier did cite some sound advice in his article from Joseph Carson,

[00:05:19] the Chief Security Scientist and Advisory CISO at Delinea. Joe, who's a great guy, recommended that organizations periodically check for abnormal credential and identity activity on their networks, rotate credentials periodically, and implement strong privileged access security controls that prevent lateral movement.

[00:05:42] So, sound advice for organizations out there, and for you MSSPs that are taking care of your clients, something to keep in mind moving forward. That's going to be our top-of-mind headline for the day.

[00:05:55] Now it's time to move on to our infosec topic of the week, presenting our big idea in security: noncompliant clients, righting the ship before regulators pounce. Try as they might to keep their clients in compliance with privacy and security regulations,

[00:06:15] managed services providers are still at the mercy of the organizations they serve. Unfortunately, companies don't always follow the MSSP's or vCISO's advice on items like responsible data stewardship, privacy policies and breach notification. If an attack does transpire and the company draws the ire of regulators, the security services

[00:06:37] provider could end up a scapegoat, or even embroiled in a liability case. So this Q&A discussion will look at what resources an MSSP or vCISO service has when their customer fails to make basic compliance a priority.

[00:06:53] So leading us through this discussion today is our special guest Brian Johnson, founder and CEO of Crucible, an infosec and vCISO services firm. Brian brings more than 20 years of experience in leadership, founding and building to his role at Crucible.

[00:07:08] Previously he was CSO of Armorblox, CSO at LendingClub and Upwork. Brian has held leadership positions at Uber, Netflix and ForeScout, and he's helped design, build and secure systems for the US DoD, global finance and technology companies at scale.

[00:07:28] Brian has also worked with federal agencies and policy advisors to influence actionable change in national security policy, and he's an active advisor and mentor to several startups and founders in Silicon Valley. Brian, thanks so much for joining us today.

[00:07:41] I'm really glad you could be here, and as always we're going to jump right into things. And I guess really the first thing to examine here is, as a vCISO or MSSP, what control

[00:07:54] you actually have over the situation in the first place. If you are doing managed compliance, if that is part of your contracted responsibilities, then clearly there's more responsibility and accountability on your part. If you're doing more generalized incident response or all-around vCISO services, then maybe

[00:08:15] you're not as much on the hook for these things, but you're certainly giving advice and consultation to the client and hoping that they follow suit. So I guess the first question is really understanding and defining how much responsibility you have as a vCISO in the compliance arena.

[00:08:33] Thanks, Bradley, thanks for having me. I think it's a good question, right? You know, obviously your responsibility is driving value to your customer no matter what; really, it's your job to find the way into that, right?

[00:08:44] So from a legal and compliance standpoint, from an aspect, you also have responsibility as a reporting aspect through that. As far as your incident response, that's a whole other kind of interesting topic to go into, because then we have to engage legal.

[00:08:58] We're talking about, you know, breach notifications and those kinds of aspects, but I think in the first phase of this we'll focus on how do we keep

[00:09:06] your clients aware, how do you keep a client that may not want to go down exactly what you're telling them to do, and, you know, how you keep them, you know, seeing the value that you're trying to provide.

[00:09:19] Absolutely. So let's talk a little bit about some of the potential consequences for you as a managed security service provider or a vCISO when something really does go wrong on the compliance side. There are state, national, international, industry regulations, you know, all of

[00:09:42] which organizations are expected to follow. You're supposed to be looking out for your client for their sake, but also you need to, you know, look out for yourself as well, because as I mentioned

[00:09:54] in the intro, you can also potentially get in hot water as well in certain situations. Is that not correct? Yeah, that's correct. You know, you can really, you really have to watch out for yourself,

[00:10:04] to be fair, and you really don't. And that really comes down to contractual obligations that you have when you sign that paperwork, and even if that legal paperwork that you sign in that contract says,

[00:10:13] you know, where your liability starts and ends, the customer expects you to deliver service that, you know, fully covers them. So I think the aspect in this is, you know, over-communication, and my aspect

[00:10:23] has always been the most successful part. And whether that's just with the correct manager or CSO or whoever is actually signing your contract, all the way up to the other execs in that business, I think

[00:10:33] the over-communication of letting them know that you exist, knowing that you're trying to drive value to them as best as you can and to really help come up with a more strategic plan, I think

[00:10:43] the next case is, you know, an ounce of prevention here is really what's going to help you. I think, you know, all of us who have been CSOs or in the managed service space doing this for a

[00:10:52] number of years know that, you know, you play like you practice, right? So practicing some of these events, practicing a bad day, is really the thing that will prep you, and not maybe

[00:11:02] so much you, or maybe the execs, so the other team players and the other side. That also helps the security group that you're usually directly working for, or the governance, risk and compliance, if you're doing compliance for, you know, help with their business and understanding business objectives,

[00:11:15] and that's a good thing. Also, as you talk to other members of the business, you start to learn that business better, and you'll probably drive more value. So when something bad does happen, then you speak up, somebody, you know, actually listens, and you're not in the board-

[00:11:28] room for the first time, everybody's like, who's the guy in the corner, right? So it's like, you know, you know, they already know who you are, you're already providing that kind of value. I wonder, Brian,

[00:11:40] you mentioned talking to clients about different security issues, and I've heard people in the channel talk about, or debate really, whether they should get clients to sign waivers about particular security risks they're taking, or whether that's bad business to get them to

[00:12:01] sign waivers. Do you have an opinion on that? Yeah, I'm not sure you're going to get them to sign waivers. I understand the aspect of trying to get that done. I think a lot of what you're responsible

[00:12:11] for in those initial contracts is really what you're going to rely on, and the over-communication, you know, of that. And I would say ensure that communication is just not verbal or over the phone, right?

[00:12:21] Make sure you're communicating it clearly, whether that's in, I think, providing customers with, you know, weekly updates, or delivering a cadence that they can understand, delivering those notes and aspects. In that case, if it starts being a legal issue, I think communicating directly with the legal

[00:12:37] team, both in meetings and, you have written communications, email, in my opinion, is the best way to do that. So you're starting to communicate the risks at the business, communicating those risks

[00:12:49] with the right level of people so that you can take a strategic move. The real thing here is to not be forced into a tactical situation where you're responding, you know, in

[00:12:57] a five-minute, you know, your phone's going off at three in the morning, you know, kind of incident. The aspect is to slowly back into this over a longer period of time and to have some room and some decision-

[00:13:07] making process. Usually when it comes down to, you have to make a decision in the next two hours, the number of realities you have to deal with is you're choosing the worst situation

[00:13:18] to make the decision in, with the most pressure, where if you make it strategically, you know, over days or months, we have much more time and many more options to take before things go kind of

[00:13:29] negative. Where, let's say, a waiver or your individual legal team as your MSSP or virtual CISO now, any letters on your behalf to clients, is something we want you a guillotine we have a way. Brian, from your experience and observations, what are some of the most frequently occurring

[00:13:49] compliance lapses that clients can be guilty of, where a managed services provider may have to step in and provide some guidance and recommendations? Yeah, so some of the things you see, whether it's from the smallest startup to the biggest

[00:14:08] tech company in Silicon Valley, as we see them get to the compliance hurdle, you know, they've got across the finish line, they get the compliance documentation, there's a big party, everybody high-fives, yay, we're done with compliance, not really understanding that literally the next day

[00:14:22] the compliance starts all over again. So it's really spending time with them realizing that, you know, doing the cadence, getting, collecting your evidence on a usual basis, getting those lovely Jira tickets in on time, you know, those kinds of things are really

[00:14:37] an ongoing, you know, solution to that. Compliance isn't something where you call us at Crucible and, you know, ask us to come in and fix all the potholes and everything else that

[00:14:46] happens, you know, over the year. You know, doing those things throughout the year is really the best way to do that. We've had a number of clients who have called us at the last minute, we helped them

[00:14:55] get to the compliance, and we've done it, they thank us, and then we're provisioning on a cadence to come back in, whether that's monthly or quarterly or wherever that is, to help them, you know,

[00:15:04] through that process. So I think that's the number one piece of advice I could give to anybody, either one starting out or a larger organization, you know, is to do that. You know, it's, you know,

[00:15:14] kind of like exercise, that kind of thing, right? If you do it once, it doesn't really have the benefit of doing it all the time. So I think that's the main thing we really try to teach and showcase to the

[00:15:24] folks as we help them through compliance. You mentioned the technology industry, Brian, and I saw on the Crucible website that, you know, you specialize in a few vertical industries. Have you found that specializing in these vertical industries that are regulated

[00:15:42] is a good business practice for your company? It is for us, and, you know, to be fair, we've done a lot of work in the financial space, finding it says a number of rules by the charges

[00:15:55] apart, and here in the US and states, and all this, your jurisdiction is globally, right? So there's a number of things that do that, there's a much easier conversation to have, because most people

[00:16:03] can find it, understand the compliance guidance and legal ramifications of not doing some of these things, and they can be a little more rigorous and tedious at times to get through. You know, lots

[00:16:15] of new technology in the finance space, that fintech space, whether that's crypto, digital wallets, that kind of aspect, and, you know, speaking to federal organizations or state organizations, they usually aren't always on the cutting edge of tech and what's coming out, so we really have to

[00:16:30] help, you know, those financial institutions get through questions that the Treasury Department and really, you know, setting examples of, you know, why we're doing things correctly, you know, how we're securing, you know, some of these assets. I think that's going to continue to change in the market, but

[00:16:45] as far as, you know, for verticals, there are verticals that have different, you know, business goals they're trying to meet, and we found selling into some of those verticals, either one with certain language or certain products, has been the most responsive.

[00:16:59] I mean, it seems like also from a business perspective you would get to know that vertical industry and, you know, be more efficient in serving and creating a stack for that industry and serving that

[00:17:08] industry, so it would be a better business for you as a vCISO provider. Yeah, both as a vCISO provider, I mean, an MSSP, you know, the cadence for reporting has to be done,

[00:17:20] some of the integral parts that need to be done, you know, some of that review, that could stun, let's say, an example of FDIC reviews, you script to know what that kind of cadence and what, you

[00:17:30] know, data, what questions are going to be asked, which is a little bit different than, same thing as software compliance for a SaaS startup, more talking like that. Brian, so let's talk about the

[00:17:40] dreaded scenario that we set up here for this segment, where something that isn't entirely within your control as a vCISO is going wrong from a compliance angle, where you're seeing either, you're seeing some dangerous mismanagement of private, you know, PII information being stored in

[00:18:03] places that might be publicly accessible, or you're seeing signs of a breach that might require some sort of notification and the notification hasn't come. How do you get the client to act responsibly and properly if you're seeing that they're going down the wrong road? What can you

[00:18:22] say or do in that situation? Yeah, what we found in these situations to do is really start off with a narrative. You know, I never thought I'd be in the storytelling business

[00:18:31] when getting into infosec, but it's really kind of what we have to do, right? You have to start with a narrative, something you've seen in the past. Luckily, with a number of years I have in

[00:18:40] security, there's a number of past stories to use as a narrative for, hey, this is what happened, this is what we saw, this is the action, and this is the outcome. And those stories can be

[00:18:50] good and bad. They could be stories of, you know, this is the issue that soapy did, and the outcome wasn't great, so that's why we're going to do something else. I found a narrative aspect

[00:18:58] with historical anecdotes of places we've done this before has really helped, just coming up with kind of the fear, uncertainty and doubt aspects, and that's going to be talked about later, it's

[00:19:09] really not what will get people to respond to you in the most positive way, right? So you really want to start with that narrative, and then get them on a strategic place, like, you know, get through

[00:19:19] that, you know, issue, whether that's the compliance or breach issue, how to keep them kind of, you know, back on the, you know, on the right path, and whether that's just putting something in a report

[00:19:29] and moving on past it, or whether that's a response to an incident. I think that narrative story definitely helps humans kind of understand where they're at and what the best aspect to do is.

[00:19:38] Just going in and telling somebody you're going to do something because I say it doesn't work as a CISO, definitely not going to work as a virtual CISO in the managed service space, to be

[00:19:47] upfront with you. So, and if so, I think that's a great idea. Obviously you want to be able to tell stories, you want to be able to try to control the narrative a little bit. Let's say you're still

[00:20:01] encountering some level of resistance, so that sort of, what you just described is what the first step is, and hopefully that's successful. Now what's plan B when things still really aren't going

[00:20:16] the way that they should be going? At a certain point, do you have to in some respect, you know, pose an ultimatum, like, I may not be able to continue to work with you, or, you know, in certain

[00:20:29] cases I might be legally obligated to have to alert regulators if this continues to go on, whether you want me to or not? Let's talk about, you know, more dire scenarios like that. Yeah, 100%. So

[00:20:43] if that narrative aspect doesn't work and they're still on a path to get themselves in trouble, you know, you start, after, you know, going up the chain, being a little more serious. I don't think

[00:20:52] the aspect of, I've never had the, you know, do this or I'll leave, kind of really works. I want the customer to be successful, I want that narrative to be there, and usually as I start moving up the chain,

[00:21:02] whether that's talking to the head of legal, whether that's talking to the CEO, we've even talked to some of our smarter companies, some of our, some of the VCs in that space, you know, trying to understand,

[00:21:12] to really get an aspect of doing that. Most of the time when we talk to legal and we start discussing legal ramifications of a notification because of an issue in a certain jurisdiction, the response is usually pretty quick. You know, I think lawyers are even

[00:21:28] less risk-averse than CISOs, so they definitely want to make sure they're on the right path to do that. Compliance can be a little bit, you know, different, because you really have to explain

[00:21:37] the look of, it may not be a legal ramification, but you're going to have to explain this gap in your controls for the next, you know, year to six months while this, you know, report is live.

[00:21:47] Is that something you really want to do? And usually if you discuss the impact to them, whether the sales impact, whether that's just the overall view of the marketplace, we haven't seen anybody

[00:21:56] not react to that, luckily, and we've never had to do any type of reporting on a customer who's, let's say, lost PII or that kind of aspect. We definitely leave the legal organizations, and we've always seen

[00:22:07] positive outcomes from that. If you really want to get into a domestic scenario doing that, you have to protect yourself, your business and your employees at some point, right? So if you do have to

[00:22:16] cancel, you know, that contract, as I would, over-communicate about it, you know, make sure that, you know, everybody is completely understanding. Don't ghost your customers on a Friday just because they're not responding, and then, you know, have your internal legal team, you know, also involved so that

[00:22:33] there's, make sure that paperwork is there in all communications. Exactly right. And also I did, I did also want to ask you, if you had, from your vast experience working with all sorts of

[00:22:51] organizations, is there an anonymized example you can give us just to kind of illustrate some of the points you're making today about a case where you did work with a client where, you know, maybe you

[00:23:04] did spot some kind of non-compliance with a particular regulation or framework and you employed some of the tactics that you just talked about, maybe not some of those extreme ones that we just recently talked about in the last question, but one where, again, you spotted something and you

[00:23:22] went to the appropriate stakeholders and told the story that needed to be told to get them to understand why it was important that they correct whatever was amiss. Is there a good example of that you can share?

[00:23:34] Yeah, a couple of those, and it really, you know, encompasses both compliance and, you know, incident response, right? So we've had customers both where we've gone in for a compliance aspect just to review

[00:23:43] controls and found kind of an issue that needed to be fixed, and, you know, really wasn't in the business goals of, you know, the current quarter to get done, as IT, most of the CTOs, they get paid for

[00:23:56] delivering new code, not fixing old code. So there's always the, you know, back and forth from that. And in the IR tier, you know, kind of aspect, we've also seen, you know, where they thought they

[00:24:06] had something controlled, we came in really as doing a compliance audit or, you know, other security work, and found out that, you know, a tendril of that, you know, incident had gotten someplace

[00:24:15] else, and, you know, that takes a little bit of going, you know, up into the C staff and reporting that to make sure actions get done and documenting that, you know. And as a virtual CISO, my

[00:24:25] number one goal is that value back to my customers. So even if we're in there, you know, really with a statement of work just to do compliance, we'll always help with anything that we find from a,

[00:24:35] you know, security incident or something that's going to, you know, cause a loss. But in all of those cases, you know, we got thank-yous, we did not have a case where, you know, they didn't want to respond

[00:24:44] or where they didn't want to do anything about it. Maybe the prioritization, or when they were going to do it, was more of the friction we had to get through, but we were able to quickly come

[00:24:52] to an, you know, understanding and, you know, get that done, and in some cases, we know we felt right to get that, to get that result. All right, well, great. I think that gives us a much better

[00:25:04] understanding of what happens in these tricky scenarios where it can get a little bit prickly, you know, with a client, where you certainly want to steer them down the right path, you know,

[00:25:17] they have, you know, they're trying to get business done, but you have to, you have to look out for yourself and them at the same time, and certainly that's why some of these conflicts can arise,

[00:25:27] and you've given us some really good tips in terms of how to avert a more serious situation by hopefully nipping things in the bud. So appreciate all the advice and recommendations on that,

[00:25:40] Brian. We're going to, at this point, with the couple of minutes that we have left in this first half of the show, we're going to transition to one of our favorite bits of the show that we do on a recurring

[00:25:52] basis. It's a spooky little segment that we like to call What Scares You Now. As we've mentioned on the show before, and actually this will be an integral part of the FUD discussion that Jessica and

[00:26:07] I will be having later in the second half of the program, the cybersecurity world is full of Chicken Littles out there who are constantly warning us that the sky is falling, when in reality some threats

[00:26:19] are overexaggerated, some, not all, because there certainly are times where the danger is very real. And so this bit is an opportunity for us to gather around the virtual campfire here and hear from the experts their scary stories on what keeps them up at night, what gets their

[00:26:41] spidey senses tingling. And so, Brian, with that, I ask you, what scares you? Great question, Bradley. So I think the thing that scares me most, you get this from most users, is the things we don't know,

[00:26:53] but that sort of always gets you up or finds yourself in the paper. But I think from a technical aspect, one of the things that keeps me up at night now, I know we're hearing lots about this now

[00:27:04] with the AI and machine learning side of things, is moving rapidly. That scares me a little. I'm super excited about it, I think it's kind of all kinds of new and great things, but as a security person,

[00:27:15] what comes out of that from a privacy, legal and, you know, data loss side of what's being shared where, that gives you a little bit of a night. We have lots of clients we talk to who are going

[00:27:25] through the same thing now, like, hey, we're using all this new tech, we're signing up for new things, where is my data going? And sometimes at the current moment the answers aren't great.

[00:27:34] So that aspect is, you know, keeping me up, you know, a little bit at night, just thinking what that next phase is going to be, because this is new ground for everybody. You know, anybody who says

[00:27:45] they haven't figured it out yet has this much time in this space trying to work it, so it's going to be new and innovative. I think your good work to use for, you know, what's coming up.

[00:27:55] Yeah, absolutely right, and something that we talked about a little bit on the show here and there. You know, initially, especially when ChatGPT first exploded on the scene, some of the initial reactions were, from generative AI, both the positive and negative potentials of how these tools could

[00:28:15] be utilized both by attackers and defenders to advance their respective agendas, and all of that's true. Then as we thought about it more, we also started realizing some additional implications, like the

[00:28:28] one that you just mentioned, which is, when I use these tools, where is the data going, what's happening to that? That's why we're starting to see some of these organizations now, like, you know, Walmart was

[00:28:39] one of them, Amazon I believe was another one, where they've started instituting policies for their employees on how to responsibly use it, like, don't share company secrets, don't share proprietary code in any of these tools for whatever exercise that you're trying to do, because

[00:28:58] who knows, you know, where that information is going and who could get their hands on it later. Yes, and who owns the code you generated? The code now, whose IP is it? Is it yours, is

[00:29:08] somebody else this is the companies I think those are all interesting and we're just going to that policy you know exercise now the next piece is going to come for you know people like us about

[00:29:17] how do we implement controls and to make sure that those policies are actually being upheld I think that's going to be the next thing you know phase of you know how we do this and it's

[00:29:25] going to be changing it's going to be changing rapidly I think any but in the vCISO so we're managed service space this is going to be a dynamic time to keep moving and to figure out

[00:29:35] you know what those responses are going to be because the new ideas are going to come out rapidly we've only seen that probably to your point in the last six months to a year

[00:29:45] so I think that's going to continue increasing scale in a number of companies using this and the new companies showing up to use this is going to be exciting on the on the other side

[00:29:56] of it too the creation of ChatGPT I mean the technology was trained on all the privacy information that was already out there and I've seen a couple of headlines in the past week where

[00:30:11] authors are suing OpenAI over the use they're what they say is the ingestion of their work so it'll be interesting to see how those legal cases are decided as well and the implications

[00:30:25] on things going forward yeah because that's really going to set the case law for but I there's really nothing to stand on right now so none of us who are in the practitioner space

[00:30:33] know how to react to this post that case law we have better guidance on kind of where the boundaries are but it's going to take a good while for that case law to be built up there's not

[00:30:41] somebody has to be overnight and no offense to my legal friends legal does not work with the same kind of experience that we have to in the security side so it's going to be interesting to

[00:30:51] watch to see what that is yeah we're certainly in the wild west here with generative AI but I feel like that's a position that people in the cyber community are used to at this point

[00:31:00] we seem to be in the wild west about something all the time everything's always just so rapidly evolving in the world of technology and cyber so this is one of the latest ones

[00:31:10] and it's certainly interesting to see where things are going from here and I think it's going to be great I think the number of things that come out is going to be you know are going to be really good

[00:31:18] but it's our job to be a little bit of the negative side everyone so all and you know point out where we need to you know be a little more secure absolutely agree a hundred percent on that

[00:31:27] Brian with that we're basically out of time for our first half of the show but you know we still do have a whole second half to go of our episode which will feature our big idea in business

[00:31:38] the beware of a topic that we've been teasing throughout the first half so there'll be that and a lot more coming right up so we will see you in a moment on the other side all right welcome back

[00:31:57] to Cyber For Hire the managed security podcast once again I'm Bradley Barth with SC Media and Cyber Risk Alliance and the first half of our show we talked with Brian Johnson at Inclusive about client non-compliance but right now I'd like to welcome back my co-host for the

[00:32:15] day Jessica C. Davis also from Cyber Risk Alliance MSSP Alert and ChannelE2E because it's time for us to examine our MSSP industry strategy topic of the week presenting our big idea in business beware of FUD avoiding fear tactics when selling your managed services

[00:32:38] the consequences of a cyber attack can be devastating and it does make sense for managed security services providers to impress on their current and prospective clients the risks of not investing in prevention and response however many cyber thought leaders believe that

[00:32:57] certain lines should not be crossed advice is one thing fear-mongering is another and if you pursue the FUD angle too hard you may simply come off as a predatory opportunist looking to push

[00:33:11] your services on the customer so this discussion will reveal how to convey your message and market your services in a way that doesn't exaggerate existing threats and turn off your clients

[00:33:25] so Jessica welcome back and as always we are going to jump right into things I think one of the tricky things about FUD is that while most thought leaders in the cyber space agree that it's

[00:33:41] generally bad and ineffective and even that's not even 100% unanimously agreed on because I've talked to some people who said FUD in a couple of instances might actually work out for you but no one can

[00:33:52] even really agree on where exactly that line is of what's FUD and what's not you know what is truly a threat that is worth maybe not quite panicking about but really impressing on them this

[00:34:10] is very serious you need to do something about it and and to what extent you're you're maybe trying to oversell them and I feel like that's the first thing is really having a good definition in your

[00:34:20] mind of of where you cross the line yeah I get that that's an interesting point and I think I think certainly you know when things are scary there's a tendency to say I can't deal with this right

[00:34:34] now I'm going to ignore it because I can't deal with it right now it's too much and maybe in those cases you know you do need to shake your client not literally but say you know pay attention

[00:34:47] to this this is important this can impact your business this can shut you down and you know you're not going to have a business if you don't pay attention to this but if your clients are paying

[00:34:58] attention they see the news about ransomware attacks and other security problems and but they're busy running their businesses and so they're looking for someone to protect them and so you know

[00:35:10] they need they need someone like you to do that it may be tempting when you're trying to sell them on security services to focus on all the negative things that can happen and all that's true of

[00:35:21] course and they could be hit with a ransomware attack their employees could be phished their businesses could shut down if there's a serious incident and they need to be paying attention

[00:35:33] to that but does any of that lead to a better sales outcome for your organization and that's the big question there too on the business side yeah for sure oh sorry no I mean when you talk

[00:35:45] to clients about security you want them to be aware of the risks right but the conversation should leave them with a sense of readiness and not fear readiness that your services are going to help

[00:35:57] mitigate their security posture yeah for sure I mean you mentioned phishing just now and it's funny I almost feel like there are certain parallels between a FUD sale and a phish in terms of just

[00:36:14] some of that ultra urgent language of trying to make somebody make a hasty snap decision that maybe isn't really in their best interest is there certain red flag language or approaches to a

[00:36:30] to a sales pitch for your services that you know should immediately you know raise eyebrows in terms of maybe this is going a little bit too far and getting into that FUD category I love

[00:36:42] I love that analogy Bradley of the phishing attack to the FUD that that's awesome because I don't know about you well I do know you know your dental story from earlier in the show

[00:36:55] you know when when people are pushing with you like that I personally it may be it's the journalist in us right I personally tend to take a step back and get more skeptical about what they're trying

[00:37:08] to sell me and I'm talking about me as a buyer not me as someone who's trying to sell something but I know that that people who do sales on the managed services side you know their buyers of things

[00:37:21] as well in their lives so you know what are the red flags that go off for them when people are trying to sell them things it sort of makes you more sophisticated as a consumer when you're when you're doing that

[00:37:34] that kind of selling so so I would say yeah I mean I am a little put off by those those hard sales tactics I like a lot of information not everyone's like me I realize but but for me the more

[00:37:52] transparent someone is with me the more likely I am to trust them and that trust is what builds a relationship and relationships are essential with your customers relationships the channel's about relationships not transactions yeah let's talk about the whys a little bit behind

[00:38:12] why it's important to try to avoid fear uncertainty and doubt in your pitch if you're basically trying to convince a client for example like you know just throwing it out there is just like one

[00:38:24] for instance like hey you definitely need our managed XDR service because you know blah blah blah here are the reasons and if it doesn't happen then you know your whole world's gonna crumble because

[00:38:38] you're basically at risk for you know A, B and C and then they take your advice in the short term it might seem like a big gain and win for you because you know hey like you know

[00:38:49] more revenue coming your way but ultimately if the client can't ultimately justify that adoption of the service and suddenly realize there really wasn't a good business case for it more medium to long term there can be some repercussions so so that's interesting um so I would say

[00:39:14] that that managed security service providers would do well to constantly be looking at their stacks in terms of protecting their customers and advising their customers on the importance of each aspect of the stacks and creating that kind of gap report on a regular basis you know here's here's

[00:39:37] what you have protected here are the things that are still at risk here are the things that need to be patched here are the things you need to be looking at and and can you I mean maybe on a

[00:39:50] quarterly basis talk to the client about the things that need to be um remediated um and standardizing your customers on your security stack is an important part of providing those security services um you do your best job for your customers when they're all receiving the

[00:40:14] same types of services um so and and you can spot more anomalies that you can do a better job of spotting anomalies that way I mean it just it just works better so um I think it's an ongoing conversation

[00:40:28] with customers that you need to have and and you shouldn't wait a year or something to have a discussion with the customer about why their XDR service continues to be important um you should

[00:40:42] be having that discussion on a quarterly basis and and doing those gap reports yeah absolutely uh in a in a recent episode we had a Dear Cyber For Hire uh bit that touched on this a little

[00:40:57] bit the notion of um a vendor uh where they release some kind of a uh a survey that they commissioned you know which says something to the degree of like 99% of security and IT professionals

[00:41:17] that don't have a XYZ solution which by the way we happen to specialize in and that seems to be our wheelhouse uh suffered some kind of a catastrophic data loss which just illustrates how important

[00:41:33] this particular solution is according to this uh purely unbiased quote unquote you know research and you know it's not just vendors that do this a lot of organization companies do this um I've gotten pitches from um you know MSSP type companies too that try to demonstrate through

[00:41:53] survey results and and research you know why it's better to have somebody managed security for you but some of these uh you know surveys really are conducted in a way that they're asking some

[00:42:06] some some loaded questions or they're slanted and so I think again in terms do you have any advice or thoughts in terms of if you are a managed service provider in terms of using any kind of uh surveys

[00:42:19] research statistics that you commission to then show to prospective clients in terms of making sure that if you're going to do that it it it does come off like this was a pretty scientific

[00:42:31] objective exercise rather than something that was just purely meant to evoke fear and ultimately sales. Yeah so you know from my perspective and my advice would be um you are the trusted

[00:42:48] advisor uh to your clients they you want to remain the trusted advisor so you want to be transparent with them and you want to be honest with them as much as you can about about what the actual risk is

[00:43:03] you don't have to manufacture a bunch of statistics to show how dangerous things are um there's plenty of stuff out there that's scary uh that you can protect your clients from so you know 99% uh I don't

[00:43:19] know I that seems unnecessary and over the top and will put your clients in a skeptical state of mind if you ask me. Yeah for sure uh is there occasionally an exception to the rule where perhaps

[00:43:38] a little FUD is justified uh maybe you're an MSSP and uh there is some kind of active campaign right now that that's going on that is a particularly of concern maybe because uh your clientele

[00:43:56] specializes in a sector that has become a major target of a of a of a group or an exploit campaign that is uh you know currently uh you know wreaking havoc on the cybersecurity community and in

[00:44:10] a case like that it might be necessary to say hey the the risk level on this has really actually you know legitimately gone up we would quantify the risk here it's it's skyrocketing and now is

[00:44:24] the time to act is so is there an exception to the rule occasionally with FUD. I you know FUD is playing on emotions right and so I mean if we're having a conversation about the risk of

[00:44:39] something that's going on in in the market right now um that's a legitimate risk discussion that you should be having with your clients but should you be employing fear uncertainty and doubt

[00:44:51] to push your clients into something um I don't know I I don't know that you should be playing on your clients' emotions like that um they're business people and they should understand the risk factors

[00:45:04] and if if you're not able to have I mean I've heard this debated at various industry conferences over the years um you know maybe maybe it's time for you to to move that client along to someone else

[00:45:22] if they're not going to take their their security posture seriously um you may not be able to convert them um and so and that comes back to you and it's gonna hurt them in the long run and um

[00:45:38] I and again I would rather have the risk discussion with them than try to play on their emotions in that way yeah there's certainly I think a way to do it in a more reasonable manner in a lot of

[00:45:52] cases uh rather than again take that sky is falling approach to things because ultimately in the end the MSSP client relationship uh is supposed to be built on a solid core foundation of trust

[00:46:08] and if you employ tactics that ultimately could erode trust down the line then you're really only hurting yourself as as time goes on so uh I think uh you make some excellent points here

[00:46:20] on the notion of fear uncertainty and doubt and you know interesting topic there's there's lots of uh you know points of view on this as we said sometimes hard to define when you cross that line

[00:46:31] into FUD but it's something you should always be aware of so uh interesting discussion there but we're gonna move on to our next order of business now Jessica and that is a segment that we

[00:46:42] like to call Dear Cyber For Hire now this is an advice column segment where we get to play marriage counselor between MSSPs and their clients to help mend fences when the relationship goes

[00:46:57] awry now the following letter I'm about to read to you Jessica has been dramatized and anonymized to protect the innocent but the conflict represented here is a very real problem that companies face

[00:47:12] and so Jessica it's time to immerse ourselves in some juicy MSSP melodrama and this complaint comes from the provider side of the relationship so fellas cue the music Dear Cyber For Hire

[00:47:29] after many years of bliss and harmony between me and my significant other it finally happened we have a new addition to our family but please don't congratulate us this new bundle of joy is more of a monster

[00:47:47] that no one could possibly love I'm sorry if that makes me sound terrible but I didn't ask my client to go off on a mergers and acquisitions spree annexing a company I never asked for my team went

[00:48:02] from managing a very straightforward streamlined client to now securing a Frankenstein company pieces of which I have very little visibility into the newly acquired business's processes systems and employees are disparate and different their tech is legacy and it's not as if I got

[00:48:21] to perform an assessment in advance to determine if their cyber posture even meets my standards how did I get roped into this mess sincerely Agitated and Anxious Around Abruptly Acquired Addition in Ann Arbor you know Jessica in a previous episode just the last one actually we talked

[00:48:44] about how MSSPs handled their own in-house M&A activity now we're looking at M&A from a different angle here where suddenly your client brings on a whole new unit what can an MSSP do in this situation

[00:49:05] should they have been more involved in some of the initial security vetting well you know this can happen and and your client doesn't need to ask your permission to acquire another company but honestly you know service providers know what to do here I think you've you've onboarded

[00:49:26] new clients before and the process is similar you've explained to the new clients the importance of doing an asset inventory your existing client is going to understand this is part of your process

[00:49:37] since you've gone through it before with them since your client is the acquirer and not the acquisition target you will have more say in this process your existing client will want the systems buttoned up

[00:49:50] and secured as soon as possible so that the acquisition doesn't compromise their existing security measures you know nobody wants this acquisition to be the cause of an incident you probably already have the tools in-house to do this asset inventory on the acquisition ASAP plenty of tools out there

[00:50:12] the new acquisition systems aren't going to be instantly integrated into your client's IT infrastructure the moment that your client signs on the dotted line so you can do the asset inventory first

[00:50:25] first thing as if you were onboarding a new client you have explained to your existing client the importance of standardized systems and a standardized stack in your security posture they should be ready for you to have this conversation about onboarding these new assets to the standardized stack

[00:50:42] you may want to have a conversation about the risks of delaying these actions if your client tries to put this off this is ultimately their decision of course but you will have done your job in

[00:50:54] advising your clients of the risks and making recommendations to mitigate those risks ASAP makes perfect sense Jessica you know we've certainly you know heard stories before about organizations where they they make some kind of a major merger acquisition and if they have an

[00:51:13] in-house cyber and IT team it's always generally recommended that they be part of an initial assessment or or vetting of this other organization to see if they meet certain levels of cyber standards

[00:51:28] because if there is something of grave concern they can go to management and say this actually may end up being very costly for us because they're actually borrow a theme maybe from

[00:51:42] segment one they're non-compliant for example in a lot of ways and could open us up to certain you know legal liabilities we're seeing a lot of security and privacy issues here so in a situation

[00:51:53] where you don't have maybe that expertise in-house to do that vetting prior to signing the dotted line is it at all advisable for a client to go to a trusted vCISO or managed security service provider

[00:52:12] and say can you help us do this initial assessment to help us finalize our decision on whether we're consummating this relationship or does that maybe just make things too complicated you know bringing in another outsourced outside organization that you're working with to get there you know two

[00:52:33] cents on this business transaction yeah that's a really interesting question Bradley I think that you know you would want to have that kind of relationship with your customer so that your customer

[00:52:46] trusted you to that degree that they would maybe invite you into that transaction to take a look and make that part of it but it comes down to whether the customer would consider that security

[00:53:01] posture and IT infrastructure to be a deal breaker and and it's possible that they wouldn't you know it depends on what the major assets of the company are you know some companies it's the customer

[00:53:14] some companies it's the contract so it really depends on the industry depends on the businesses it would be lovely to think that that you know your customer trusted you enough to bring you in and

[00:53:29] if it if that happened to be a deal breaker and a highly regulated industry and but again it's not something that you have control over before the deal happens and so you know you deal

[00:53:45] with it when it's dealt to you mm-hmm yep that's the bottom line when it really comes down to it sound advice Jessica makes perfect sense another relationship saved hopefully our listeners have learned from this and don't make the same mistake and remember if you've been struggling with your

[00:54:03] managed security services relationship whether you're the user or the provider we want to hear from you so please write to us at cyber for hire at cyberriskalliance.com and we might use your

[00:54:14] letter in a future episode all right well it's almost time to wrap things up but before we go it's time for us to get a little random as we share with you drumroll please our irrelevant news item

[00:54:29] of the week now this is a real news pitch that I've received in my inbox for reasons that are entirely inexplicable to me are you ready to get random Jessica? I guess so I'm afraid.

[00:54:44] Trust me it'll be painlessly fucking uh hey Bradley have you ever found yourself stranded and in need of a taxi only to be unsure of the cost well a recent study conducted by airport parking

[00:54:59] reservations.com has unveiled the average cost of a taxi in the United States with the highest taxi fares for nine mile journeys so I don't know why they arbitrarily picked nine miles but

[00:55:12] why that's the magic number but Jessica for starters would you care to guess which state has the most expensive taxis for a nine mile trip on average? I would say New York that would be my

[00:55:25] guess. That is an absolutely logical well-founded guess and it is totally wrong but you actually you're not too far off New York is is is number four on the list so it was a good guess but believe

[00:55:42] it or not strangely Maine actually takes the top spot as the most expensive state for nine mile taxi rides with an average taxi cost of thirty five dollars and ninety two cents. Right behind that

[00:55:57] would be Rhode Island then New Mexico then New York then Hawaii the US state with the cheapest taxi rates for the nine mile trip on average is Iowa with a twenty dollar and eighty six cents

[00:56:13] cost. Now this leads me to my next question to you Jessica which is just not necessarily what was the most expensive taxi ride you've ever taken but what's maybe the worst or weirdest cab ride

[00:56:28] that you've ever experienced. Oh gosh and while you're thinking of that maybe I'll let you illuminate that in a second because I can tell you for sure that I've definitely had my

[00:56:41] share of strange ones I've ridden in a lot of taxis and I've had like everything from like conspiracy theorist cab drivers like telling me all their like wild theories about the world

[00:56:53] you basically just sit there and be like yep well uh huh yep I agree with you because I'm gonna agree with whatever you say at this point because otherwise like you're gonna turn around

[00:57:03] to be like and you're part of it and you know I'm like I like where they just creep me out and I'm just like I'll just go along with whatever they're saying. I mean I had one guy one time that

[00:57:13] said something to me along the lines of like you know you know what's always been strange to me if the sun makes things hot what's out there that makes things cold and I've sorry I so

[00:57:26] I've had one guy who um in the middle of a very important airport run that I had to make ask me if he could stop at the convenience store and buy himself a sandwich halfway through the trip

[00:57:38] so those are some of my weirder you win Brad I win really I I have not had weird cab encounters honestly I've really enjoyed chatting with my taxi and Uber drivers you know but I don't

[00:57:53] live in New York so I probably have not taken as many cabs as you know I did you know um embarrassingly mispronounced the names of different places that I've I've asked to go to you know like going to

[00:58:08] LaJola Calacca that was very embarrassing and I'm still mocked to this day by my husband for that one um so yeah I've learned my lessons and but no I you know not good I don't want to you know

[00:58:25] invite bad luck but yeah I've enjoyed the conversations I've had with my taxi driver but I like talking to those guys I'm fair enough fair enough you've had some enjoyable I've had enjoyable experiences too just had some weird ones probably ultimate favorite one that I

[00:58:42] didn't mention before uh was just a Vegas cab ride where the driver was basically talking about this super drunk Mr. T impersonator that he had to uh drive around on occasion and a whole

[00:58:59] wild story about that as well so I've been regaled with some some pretty amazing stories myself from uh cab driver here yeah yeah yeah absolutely and hopefully we've entertained everybody today

[00:59:11] with this latest episode but unfortunately we are now officially out of time but fret not we will be back again next week with episode number 28 so one last thank you to my guest fill-in host Jessica

[00:59:28] Davis for joining us today meanwhile feel free to check out even more cybersecurity podcast content on the SC Media MSSP Alert and ChannelE2E websites until next time I'm Bradley Barth

[00:59:42] please reach out to us via our show page with your comments questions and insights about the business of cybersecurity we will keep the conversation going on the next episode of Cyber For Hire your inside source for cyber outsourcing

podcast,