CFH #22 - Don Pecha
Cyber For Hire (Audio) | May 23, 2023 | 59:22 | 135.86 MB

Infosec leaders shouldn't just be reporting to the board room to explain themselves when things go wrong. They should be a regular part of the strategic business discussions that take place inside a company's executive halls. That's true whether they're directly employed by the company or they're a contracted vCISO provided by an external managed services provider. In this segment, we'll discuss how managed service security leaders can land themselves a coveted spot in the board room and assert their influence on future business decisions.

It's understandable why many organizations' cyber investments heavily concentrate on protecting core networks and data centers from breaches and ransomware attacks. But let's not overlook the importance of ensuring that your website remains operational, especially when it directly drives revenue through sales or advertisements. Threats such as DDoS, bots, e-skimmers, malvertising and drive-by downloads continue to plague websites -- so why aren't there more managed service providers offering specialized help in this area?

Show Notes: https://securityweekly.com/cfh22

[00:00:00] Breaking down the board room barrier: positioning the vCISO as a key business voice. And MSSPs snubbing web security: why websites take a back seat to network needs. That and the latest news and trends in the managed security space, coming right up on Cyber For Hire.

[00:00:18] Building bridges between managed security providers and their clients, it's the podcast where MSPs, VCs, and end users take a united stand against cyber crime. This is Cyber For Hire. All right, welcome, friends, to episode number 22 of Cyber For Hire. How's everybody doing today?

[00:00:40] I'm Bradley Barth with SC Media in New York, and joining me today, 12 time zones away in Singapore, is my co-host and partner in cyber crime, Ryan Morris, principal consultant with Morris Management Partners.

[00:00:53] Ryan, I know you've been doing a lot of traveling lately, but it's soon going to be my turn again. I'll be heading to Las Vegas, the last week of May, to cover the Cyber Risk Alliance's Identiverse Conference.

[00:01:05] Now, in the coming weeks, we'll be bringing on some guests that tie into this identity and access management show. But for now, here's all I really want to know: which all-you-can-eat buffet should I gorge myself on?

[00:01:17] Are you a big buffet fan, Ryan? You know what? I've become a fan of Vegas buffets again. 20 years ago, the buffet kind of got a bad name and you really didn't want to eat the seafood there. But these days, they've gotten right back into it.

[00:01:34] I will say, at the Venetian, there's a fantastic restaurant for the buffet. It doesn't look like a cafeteria. It looks like a nice sit-down restaurant, but it's the all-you-can-eat style buffet inside the Venetian hotel. Fantastic food.

[00:01:50] It's okay to go ahead and eat the lobster even though it's at a buffet. Yes, you just ignore the fact that everybody's hands touch everything, and then it's all wonderful and delicious. My main rule of thumb: if it's got king crab legs, it's a winner.

[00:02:04] I can easily make a meal out of those and make my money back on that. All right, well, anyway, plenty to discuss today as always, but some news just can't wait, which is why we want to share with everyone what's top of mind today.

[00:02:16] So here's your headline, courtesy of SC Media's Jessica Davis: a new bill introduced into the US Senate proposes the creation of a rural hospital cybersecurity workforce development strategy to help compensate for the lack of staffing in less populated or economically developed regions of the country.

[00:02:36] The bill, which was proposed by Josh Hawley and shares many of the same elements as a policy proposal previously issued by Mark Warner, would require the DHS to coordinate with the Departments of Health and Human Services, Education and Labor, as well as rural

[00:02:53] healthcare providers and learning institutions, to build out a pipeline through training, educational curricula and legislation. So Ryan, we know rural areas can be devoid of cyber talent due to this digital divide that exists between have and have-not geographical markets. Can an increased presence

[00:03:12] from MSSPs, especially considering remote management and work-from-anywhere capabilities, also help with this digital divide? Should MSSPs be strategically targeting rural markets more heavily with their marketing and outreach efforts?

[00:03:26] Perhaps you can share your thoughts on that as you explain why this is top of mind for you. I agree with your thesis 100%. The idea that we get into here with the staffing is a very

[00:03:39] common conversation, and I'm very glad to see some very tangible proposals being made in this direction. There is a digital divide in rural communities. There is a dramatic shortage of cybersecurity talent in all marketplaces. A plus B equals

[00:03:58] we all need to get busy figuring out a way to address these kinds of very important operational needs. I personally think that the ability to target and serve health care clients is a more challenging focus and strategy item than focusing on rural marketplaces.

[00:04:19] I think that's the easier part of this conversation. So giving incentives to provide education programs and really specifying that we address this, that's a very good start, and MSSPs should be ready to already be there.

[00:04:35] If in your business you have a demonstrated ability to serve health care clients, then you are already ready to serve rural health care clients. Kind of the magic of all this remote technology is, as soon as you're not located on prem at that

[00:04:54] rural hospital, anywhere other than on prem is just as good at delivering these cybersecurity services. We know we need to address the talent shortage. This is a very good and tangible way to start looking at that from the end user's point of view.

[00:05:12] But it's going to take six months to a year before the first candidate comes through. It will take multiple years before we build that pipeline. Can't afford to wait all that long. Let's get started serving these hospitals right now, because they are just as likely

[00:05:29] to be targeted by the bad guys as a hospital in a major metro area. So let's not wait for a couple of years to get these students through the pipeline. Let's start servicing them today. All right, well, agreed 100% with you on there, Ryan.

[00:05:45] Sharp take as always, and that's going to be our top of mind hot take for the day. More to come a little bit later in the program, but first it's time for our featured MSSP industry topic of the week, presenting our big idea

[00:06:00] in business: breaking down the board room barrier, positioning the vCISO as a key business voice. Infosec leaders shouldn't just be reporting to the board room to explain themselves when things go wrong. They should be a regular part of the strategic business decisions

[00:06:20] and discussions that take place inside of a company's executive halls. That's true whether they're directly employed by the company or if they're a contracted vCISO provided by an external managed services provider. In this segment, we'll discuss how managed service security leaders can land themselves

[00:06:38] a coveted spot in the board room and assert their influence on future business decisions. We've got an excellent guest to guide us through this conversation today. He is Don Pecha, vCISO at First National Technology Services, or FNTS, a leader in multi-cloud, mainframe and managed security services.

[00:06:58] Responsible for overseeing security strategy at FNTS, Don has a deep understanding of regulatory compliance, risk mitigation, and threat defense, which he has leveraged through his quarter century of security strategy and IT governance work at many highly regulated health care, finance, and high-rejudication enterprises.

[00:07:18] He's also internal CISO at FNTS as well. So Don, very happy that you could be joining us today. Always great to speak with you, and as always we're going to jump right into things. So the first question for you is as follows.

[00:07:32] You know, it's hard enough for internally employed security leaders to convince executive management that they deserve a seat at the table, that they should get the opportunity to lend their perspective to the CEO, to the boardroom.

[00:07:46] So in what ways is it harder, and in what ways is it easier, for an external vCISO to get face time with key business decision makers? Yeah, I'll start with the easier. It's easier because oftentimes when you're paying for a service,

[00:08:04] you value it, and you're looking for an outside opinion because maybe there's a lack of trust or a lack of visibility into your internal people's real viewpoints, where you want to take

[00:08:16] bias and root it out and get an external view of the reality of what's happening in your environment. So it makes it easier for you to come in, because you're investing in that and you're bringing

[00:08:26] in somebody who is showcasing as an expert in that area, and you've probably done your research to find somebody who knows your area and can come in and provide value to you right away,

[00:08:37] and demonstrate value, because you're contracting for that and you know what the deliverables are going to be. If you're inside, it makes it more difficult, because you have to overcome the bias that information security is a siloed service that often only talks through

[00:08:53] FUD. And when we're bringing in fear and uncertainty and doubt, that's not the way to bring things to the table anymore. You have to bring data to basically provide business discussion in business

[00:09:04] terms that will allow you to come into the board and talk to business executives in language that they understand, and tie it to governance and business risk, using data to drive your points.

[00:09:15] So oftentimes what I'll do is provide images to break that data down even more, while also bringing the context of the business and the risk to the business to the roadmap.

[00:09:26] If you can't do that, it's going to be a very hard time for you to get up into that boardroom. And even if you get invited in once, if you don't provide that value, they may never want you back.

[00:09:36] You know, Don, I think you made a very important point about managing risk and bringing the governance conversation to the board. Most people, you know, we all want to be called trusted advisors. We all want to be taken seriously at the executive level,

[00:09:53] but a board plays a critical, almost legal fiduciary role in leading governance and business strategy. As you look at that, are there ways to move beyond fear that are still going to highlight risk and make this a priority for some significant

[00:10:14] investment? Are there good case studies that we can bring in, in your experience? What's the positive story on this, that it's good for business growth, as opposed to just "I'm the guy who brings the Chicken Little sky-is-falling story"? Yeah. You know, particularly for like an MSP,

[00:10:34] we're going and trying to sell to small business, mid-market, enterprise. I have to be able to position security as a good thing for them. And realistically it is a differentiator. If you can

[00:10:48] come in and promise your customer that you're in a securely hosted data center and security is a mindset of your company, and you can showcase those controls by talking about what you're doing and being very clear about that differentiator between you and your competitor,

[00:11:08] that gives you a market advantage today, because people inherently want security, and if you can market that and tout it, they're going to choose you over somebody who's not doing it, if it's

[00:11:19] an apples-to-apples comparison. So in that viewpoint, being able to talk about your security versus not talking about it publicly is a good thing. Don, you know, I thought it was an interesting

[00:11:34] point that you brought up, that an external vCISO or managed service that's coming in and talking to the top-level business executives can come in and be, in some cases, you know,

[00:11:49] more objective, not afraid to be blunt, not worrying about having to be a yes man for fear of job security, anything like that, free of office politics, and can bring a fresh perspective. I think

[00:12:03] that's all great. The converse argument that, like, an internal CISO might give is, yeah, but nobody knows my company better than me because I work here. So having said that, what is

[00:12:14] the responsibility or the onus on a vCISO, before walking into that board room, to make sure that you really are fully prepared and familiarized with the full business and IT environment of your client before you start going and making wholesale recommendations to a board room?

[00:12:38] Yeah, I'll always start with: I need to have discovery, which means I need to talk to all of your business leaders. I need to talk to your engineers and your architects, because they're going to know

[00:12:48] where the skeletons are in your business. The business leaders are going to talk about the stressors that either the CIO or the CISO are putting on them from a technology or tools perspective.

[00:12:59] Once you have talked to all those different drivers in the business, then you may be going to talk to the CFO: what are his concerns about the investments? Talk, if there's a chief

[00:13:09] risk officer, so you want to get to all these people, because you want to know: is your cyber insurance, are the premiums going to go sky high? How are you going to handle that? What's the

[00:13:17] conversation around how you're going to have to manage your security up as the insurance goes higher and your obligation comes up, and you have to meet it somewhere in the middle? Once you've had

[00:13:30] those conversations, now you can go in and effectively talk to the board, because you understand from interviews and from talking very deeply and frankly with the other people that you're

[00:13:41] there to help them, and they're going to give you all the data and the points for you to be able to then distill into a business conversation around risk and around what the business can do to

[00:13:52] appropriately manage that but still drive business and drive the roadmap forward. So I'm thinking in practical terms: as a third party that gives advice for a living, we have to toe this line between

[00:14:08] "I'm here to help you with best practice" versus "that sounds an awful lot like a sales pitch," right, as you are trying to position the credibility that you bring to this conversation. How do you

[00:14:23] make specific technology recommendations? How do you get into "this is the way we've done it elsewhere" without crossing the line and making it sound like we're selling to the board? Yeah, I mean, when you spend enough time in security you understand the pain points of

[00:14:42] enterprises, so when you come in and you start talking to them, it's really about where do you have pain, where do you think you have gaps today, and then showing them the truth by coming in and doing

[00:14:52] assessments of their environment. And I don't trust those verbal assessments that we do. I want to actually engage them in an outside pen test, not a vulnerability assessment but a pen test, because

[00:15:06] that's going to show them the truth about their security from the outside in, where the attackers are going to view it, and it's going to remove a lot of bias, it's going to remove a lot of

[00:15:16] uncertainty and give actual data points of where you have material risk. And then it's not a sales conversation at that point. It's a "here's where you are, here's where you thought you were,

[00:15:31] and here's where you said you want to be, so let's have a conversation about how you get there." And if you can show the value of doing that pen test and talk about how

[00:15:42] doing that puts you in a good place, because now you have something you can work from and that gives you a source of truth of your state, that's a very easy conversation once that

[00:15:52] data comes in, to then drive the rest of it without being salesy. And then when it comes to, like, providing vendors, I have to be agnostic as a consultant, right? I can't come in

[00:16:02] and just give my vendor of choice. I have to think about what their environment is, what their budget is, where they sit in the SMB to mid-market to enterprise range. And one of the challenges we have

[00:16:15] with security tools is they say they're SMB, but they don't really scale to the SMB and they're not easy to use. So then you really have to get creative in figuring out what can

[00:16:24] you put together for the SMB to actually be effective, and do that with very little skills or very little team or resources to apply to that toolset. Don, I'm also wondering what happens, as a vCISO,

[00:16:41] when you do meet some resistance on the part of upper-level management in terms of really fully bringing you into the fold, making you, you know, just one of the team.

[00:16:55] Basically, what's your advice in terms of how you can ultimately win them over? And while it certainly would be nice and ideal to have as much unfettered access and have, you know, the

[00:17:11] ear of the board as much as possible, you know, how do you set reasonable expectations for what kind of access you should be getting? You know, frankly, it may be a conversation with

[00:17:22] the president or CEO to understand who are the best board members, where are they coming from, why did they bring them to the board, so what's the value to the organization. If you come in and you've done

[00:17:34] your research and you can talk again to the business, maybe even talk to their experience from a voice of reason of what their business is, because then you can kind of see where their bias

[00:17:46] or their band may come from, you're going to help yourself to come in and be successful, because you identified upfront, by doing your research, who you're talking to, and then they're going to accept

[00:17:56] you more readily. You know, I'm thinking this through from a board member's perspective and how many of the things we advise on are industry specific, right? Health care is different from financial services. All of those use cases become, in theory, right, they become intellectual

[00:18:21] property for a service provider: knowing an industry in detail and being able to make recommendations. I'm wondering about your kind of balance between the focus on cybersecurity in general and the posture of the entire organization versus, say, specific business initiatives, right, if we're

[00:18:41] making investments, if we're launching new lines of business. As you look at that, do you think of it as "I'm just here to tell you about security as an umbrella and then you guys figure out the business

[00:18:52] underneath," or do you actually get down into the details of "oh, so you want to open an office in Phoenix, here are the things you need to consider in that decision process from a cyber perspective"? How do you balance that at kind of an industry intimacy level?

[00:19:09] Yeah, honestly, data privacy laws are driving that, to have to go deeper. When you start thinking about it, there are now nine states, plus you have nationally GDPR, and a lot of these data privacy

[00:19:22] laws are overreached, so if you know they're going to be going into areas where that's going to be a concern, you have to dive in with them there and explain what that means for their business, the

[00:19:32] additional overhead and the knowledge of data they have to have. Otherwise, we see regularly where people fail at basic security practices. So I hone in on that almost without, I mean, it's just, it's what you do:

[00:19:49] you come in and you evaluate, are you doing your core security right, are you doing remediation, are you meeting your SLAs? Because that's where we see companies fail over and over and over again:

[00:20:01] the basic practices are done poorly, and that's how actors get in and are in for so long, because they're not aware of what's going on. There's so much noise in their environments, they

[00:20:11] don't actually know what truth is. Don, I always think it's great when a guest can come in and illustrate some of the principles that they've been espousing through some kind of an anecdote,

[00:20:25] even if they need to anonymize some of the parties involved that they've worked with. And so I'm wondering here, maybe you can think back to a specific example from some of your own professional

[00:20:38] experience where you worked with a company as a vCISO and that company almost had a eureka moment, where they kind of realized, wow, you know, we've been missing this perspective all along of somebody coming in with an IT security perspective, and we're now realizing how beneficial

[00:20:58] this is to what our business goals and objectives are. Is there an example like that that comes to mind for you? Yeah, I mean, in the course of what I do, I just talk to business leaders

[00:21:12] all the time, and one of the ones that stands out is somebody who came in that didn't have any security background, thought they were good, and they realized after just 15 minutes of talking to me

[00:21:26] that they wanted to bring me in to talk to them on a regular basis, because I started talking to them about just what's happening in the world around security, and they had no idea, because

[00:21:41] they're so focused on their business as an entrepreneur, this wasn't even on their radar, all the stuff happening that could impact that business. And what do you think about how many SMBs are attacked once and close their doors because they can't manage the cost of that? That's a very

[00:21:57] important conversation for us to have today, because SMB drives the economy, and if we can't help them, and I can't have that frank conversation at just a very high level about what's going on,

[00:22:10] we're never gonna get there, where they actually feel like they want to invite me to start having conversations with them. Another one that comes to mind is a current customer. We went out

[00:22:20] to do a luncheon, and they just asked me to come along and kind of hear about what they're doing. And so I asked them, how do you feel you are? And they're like, oh, we're good. And I said, so

[00:22:31] have you thought about... and I started giving them actual use cases of attacks that occurred with their tools, with their configurations, using their environment. And we then went to lunch, and lunch was

[00:22:44] very animated, and they came back and said, you scared the daylights out of us. And I said, that's not my intent, I was just talking about things that are happening. They said, no, that's just it,

[00:22:55] you showed us what we thought versus reality, and it's very different. From a practitioner standpoint you gave us an authoritative view of the real world, and now we realize we need your advice to

[00:23:07] come in and do that. So that actually offered another engagement for me. Those are just simple conversations you're having around what do you have in place, where do you think you are, and then start to have

[00:23:20] conversations around real things that are happening in security in the real world, attacks that have been happening, you know, that have been perpetrated, that have stopped business or cost a lot of

[00:23:30] money, and then take that information and bear it out. And it'll always bear fruit. In my experience it's always borne fruit, anyway. Well, and see, I think that speaks a lot to not just

[00:23:44] how wise you might be as an advisor but the readiness of those customers to hear those stories. We hear a lot of bad stories all around the industry about business people who are

[00:23:55] not cyber savvy, and they just aren't open, they're not willing to hear it, right? So I'm thinking about your kind of line in the sand, if you will, right, in the practical application

[00:24:07] of board governance. We have to remember boards vote, right? Like, it's not just me, I'm the one voice of reason and everybody does what I say. The board has to agree, and then the company officers

[00:24:21] have to agree and take our advice. Is there a point where you might look at it and say, you know what, I've given you all of my best information, all the benefit of my experience, and you guys

[00:24:34] aren't willing to go. Am I willing to stay on the board and continue to advise? Is there a point where you say, this is big enough that it's either you guys agree or I've got to leave, just out of my fiduciary

[00:24:50] responsibility? How do you manage that voting process and not always being able to give direction? So if you distill that down, it's really probably going to come about from lack of knowledge,

[00:25:07] or you're talking over their head. So I would advise, my personal strategy would be, I'm going to go take them aside and schedule time with those board members that are being intractable,

[00:25:19] and I'm going to say, hey, where are we not connecting? And I'm going to change my language or change my presentation. I'm going to give them as much one-on-one time as I need to make

[00:25:32] them feel comfortable. Now, they still may vote it down, but I'm not doing my job if I don't communicate to them in a way that they understand. And as an educator in many other ways, I understand everybody

[00:25:45] learns and comprehends in different ways, and I have to approach that when I'm talking to individuals, to make sure that I give all of them... And this is important, because you talk about that fiduciary

[00:25:55] issue and legal responsibility: I have to give them the right data at the level they can consume it so they can make the right decision on behalf of that business. So yeah, I love your mix:

[00:26:08] this is security best practice versus this is the real world, and we actually have to get people to come with us. I think that is a lesson all of us who know too much about cyber security

[00:26:21] can really benefit from, so I appreciate that advice. You know, we obviously could learn a lot from you, and before we let you go here, just in the interest of time, I want to bring you into

[00:26:33] another segment that we refer to on our program as we speak. The goals that we have in this world are to not just solve cybersecurity problems but to humanize the people who do this

[00:26:46] and get to know you a little bit better. So, well, we always say birds of a feather in this industry, right? Well, we tend to watch similar TV shows and movies and we have similar preferences in video

[00:26:59] games and such. What are some of the things you do in your world that really show you know way more about one particular subject than the average Joe? Yeah, so I'm just going to put

[00:27:11] this up on the screen for people to see. So there's something called demand school, and I went through this program realizing that I had serious gaps at what I would consider my wholeness as a man,

[00:27:27] and particularly there were times where I couldn't be present, where there was fear or there was doubt, and I had to figure out a way to sort those out and be more effective as a leader

[00:27:40] and, you know, be more present for not only my family but for my employer and for my team. And going through this program transformed me as an individual, and what I found is a lot of

[00:27:53] executives, particularly a lot of CISOs and CIOs, are so stressed today that we have addiction going in an epidemic, we have people who are leaving the profession because they're so stressed, and

[00:28:06] is there a way that I can connect with them? And LinkedIn has been my vehicle, where I started posting about men's wholeness and around mindset and around how do you use scripts and strategies

[00:28:19] and skills to transform how you think about your day and how you handle your stressors. That has resonated so much. I have more traction on my posting around men's wholeness and stress and

[00:28:33] the topic of fear and doubt. We talk about fear and doubt because that's where we live a lot of times as CISOs, and what if we could change that and come from a state of wholeness? So that's

[00:28:44] what I do outside my job, because it's a passion, because I believe that if we can help people that are in executive roles to be more whole and to re-script how they think about their

[00:28:55] day and their stressors, we're going to be better for it. That's very inspirational and certainly important considering just how truly stressful the job of most security professionals is. I'd be curious, what's an example of one small thing that somebody could do right now, today,

[00:29:15] if they wanted to, just to kind of help manage their stress a little bit? Give like one easy-to-adopt tip that people could do just to make their day a little bit less stressful, something that

[00:29:25] you do. The most important thing when we talk about this is it has to be from your voice, because we listen to ourselves. So if I say "I am resilient" or "I am a professional" or "I've got this" or

[00:29:40] "I know this," and we say it out loud, and we say it even in the mirror, where we see ourselves saying it, that type of scripting over time, "I am worth it," "I am, you know, I'm a good person," "I'm a professional,"

[00:29:56] and we talk about, like, the incident responders who get hammered every time there's something that goes wrong, and how do you create... So for my team we go through these resiliency scripts,

[00:30:05] where "this incident will not define me," "I am better than one result," "I can get through this." And you're really talking positivity to get yourself through these, but then you're also teaching yourself to think about things very differently, so you don't get dragged down in the day. Instead

[00:30:21] you think about why am I feeling this way, and then speak it out. I mean, this sounds hokey, but it's the truth: we have to speak what we want to see, not what we're reacting to. And oftentimes

[00:30:33] we react without thinking about it. Now you have the presence to stop and think, why am I stressed? All right, how am I going to get past this one? I'm going to use a script to get out of it,

[00:30:42] but then dig deeper to find out why was that stressing me, and solve that next. You know, in general that concept would apply to all of us as professionals. I see

[00:30:53] even more value for people who do something like cybersecurity that has so much opportunity to go wrong, right? We succeed a thousand times in a row, we fail once, and everybody thinks it's the

[00:31:06] end of the world. So I really appreciate this. In the spirit of practical advice and your method of reaching out, how can people find you on LinkedIn if they are interested in not just what you're doing on that inspirational side but also your work as a vCISO?

[00:31:24] Yeah, it's linkedin dot com slash in slash Don Pecha. All right, well, thanks very much, Don. I appreciate it. And as to your mantra of "I am worth it": you are worth it. I'm glad that we had you on the show. It was very illuminating, and I appreciate it.

[00:31:39] And that's going to wrap up the first half of our show, but please return for the second half of our episode featuring our big idea in security: why MSSPs' website security

[00:31:52] capabilities take a back seat to network security services. That and more coming right up, so we'll see you in a moment on the other side. Struggling to monitor the growing threat landscape? Pressure to reduce costs? Security skill gaps? Facing compliance issues? These issues can translate

[00:32:17] to operational financial regulatory and reputational risks to your business Check Point can help Check Point combines an MSSP enablement program cloud delivered multi tenant management SOC platform and superior threat intelligence capabilities to give MSSPs the confidence to grow

[00:32:37] profitably out of reduced risk Check Point is 100% channel driven we partner to deliver the best security everywhere visit mssp alert dot com slash check point welcome back everybody to Cyber For Hire the managed security podcast once again I'm Bradley Barth with SC Media and in the first

[00:33:00] half of our show we talked with Don Pecha at FNTS about positioning the vCISO or managed security provider as a key business voice but right now I'd like to welcome back my co-host Ryan Morris

[00:33:13] from Morris Management Partners because it's time for us to examine our infosec news and trends topic of the week presenting our big idea in security MSSPs snubbing web security why websites take a back seat to network needs it's understandable why many organizations' cyber investments heavily

[00:33:34] concentrate on protecting core networks and data centers from breaches and ransomware attacks but let's not overlook the importance of ensuring that your website remains operational especially when it directly drives revenue through sales or advertisements threats such as DDoS, bots, e-skimmers,

[00:33:51] malvertising and drive-by downloads continue to plague websites so why aren't there more managed service providers offering specialized help in this area that's the issue we're going to be addressing

[00:34:02] today and Ryan as always we're going to get right to the heart of the matter so you know it's not that there are no managed service providers or security service providers out there doing

[00:34:13] website security but it's definitely a little harder to find than some of your other standard security services can you give us a sense as to in your mind how underdeveloped is this market? yeah it is unfortunately it's an assumption of progress that has not yet been made

[00:34:34] that leads to a massive blind spot I think a lot of people in the business side on the client side of consuming these services and on the service providers' side they like to work from the

[00:34:46] framework of oh website security that's not new it's been around for a long time we saw that years ago everything is fine right I think that is a basic misunderstanding of the progress that the bad

[00:35:02] side of our industry continues to make in new threat vectors new attack methods and new technologies that did not use to be available it begins with that blind spot of now that's the easy

[00:35:16] part it's not nearly as complicated we've already solved it you know we haven't and we need to pay attention to that the second thing that I would highlight is that there's this unfortunate

[00:35:28] kind of thought about the website as you know real business gets done on my network that's where my business applications live it's where my financial information is all of my customer data all

[00:35:41] of that stuff lives inside my network so that's vital the website oh that's just an online brochure and some marketing stuff that's not all mission critical information and we can get to

[00:35:54] that once we've solved all of the quote unquote real problems I think that we need to begin from a philosophy point of view of you know the website is the most public face that we have in the

[00:36:11] world and whether you use it for e-commerce and transactional purposes or if it literally is just an online brochure it is impossible to have a website that does not have attack vectors and people don't

[00:36:25] need to just pay attention to the you know the information that's on your webpage that is an access point into other systems and we need to stop thinking of it as just a subordinate communications

[00:36:39] resource and start thinking of it as you know it's like your eyes everybody always says the eyes are the key to the soul I'm thinking of it in those kinds of philosophical terms I'm saying

[00:36:52] you know your eyes are the most vulnerable place on a human body where viruses infections other things can enter our protected environment the website is very much like that in business technology terminology that is where we are most likely to get other unknown visitors where it's

[00:37:17] where we're most likely to see an attack begin and therefore we need to make sure that that's locked down before everything else that is quote unquote less connected to the internet.

[00:37:30] Ryan is part of the problem here also that the field of website security is a little bit of its own unique animal it's almost in a way its own separate branch of cyber security that has certain

[00:37:46] unique threats that require a specialized expertise it is and I mean that's true with all of these neighborhoods of cyber security right it's one thing to say let's use a layered approach

[00:37:59] and we can protect our stack as well as our data and that'll solve all the problems well when we do network access you know wired network environment that's a different discipline from wireless networking security which is a different discipline from transactional and

[00:38:15] database security website security is a specialized animal it's one thing to deploy quote unquote basic tools that you know if you read the vendor marketing literature it sounds an awful lot like they're saying just install my software everything will be fine the software will solve the problem

[00:38:37] no it won't it requires specialized evaluation and assessment and pen testing type skills but it also requires different alert categories different levels of what is normal behavior in your environment to identify variations web security is not just a tool that you install it's detailed and

[00:39:00] specialized best practices and to add one more of those areas it's really easy for a cyber professional who's already got 10 things on their plate to look at this and go eye roll I don't want

[00:39:14] to learn another one let's just install a tool and call it good and then we'll get back to what we are experts in this is also a lot of information that we need to process on your web

[00:39:27] you'll get inevitably more traffic on your website than probably the rest of your internal network environment combined right it's a very busy very public place where you know the public can just stop by and see what's going on well it's really hard unless you're paying

[00:39:50] careful attention to know is that a casual visitor is that somebody who's pinging my security and testing the perimeter defenses is it something that's part of a pattern is it something

[00:40:03] that we need to alert and be aware of we don't want to overreact to every new visitor that comes to our website right it's funny internal controls we like this idea of identity and access

[00:40:18] management you don't get access to my network environment unless I know who you are what you need access to and that you have authorization and then I will give you credentials okay that's literally impossible in a website environment you can't know everybody that's about to visit your website

[00:40:38] unless of course you don't want any new visitors to come to your website which kind of defeats the purpose of having a website right so this is very sophisticated technology and it requires a different

[00:40:51] approach to oh no there's somebody new and they're doing something nobody's ever done and then realizing that's just normal behavior on the website not a pattern of malicious attack that's going on

[00:41:05] Ryan I had mentioned in my little intro that I read a number of threats that are associated with websites so for organizations that do need help with their website security certainly there would be a lot of

[00:41:21] SMBs that qualify for that because they're in need of help because you know they don't have their own webmaster they don't have a large IT staff looking over all of this where are their biggest needs in terms of website security what threats are most prevalent and important

[00:41:40] for them to be able to shore up and defend against that they might want to pull in some outside help you know I think of this in all of the threats are real let's not you know let's not be naive about

[00:41:54] these things those kinds of attacks are happening but I look at two areas of vulnerability that are especially difficult one is the idea of hijacking right where my entirely legitimate and

[00:42:06] real website gets taken over by a bad actor and it is served up to users who think they're coming to my website and it's a delivery mechanism for malware that is a place where I think we have

[00:42:23] an especially wide threat opportunity and it's something that's really difficult for the end user to know the difference and they're not you know they're not like somebody in an internal department

[00:42:38] who can send an email to the CSO and say hey saw this bad behavior I didn't really understand maybe you should check it out these are customers these are potential customers they have no

[00:42:50] access to the notification and alert systems so even if they do have a bad experience and get some malware delivered they don't know who to tell so it's one of those where we see the penetration

[00:43:04] versus the recognition and the remediation that length of time tends to be longer in a web hijacking environment than anything else the second area that I would really highlight is the web skimming right

[00:43:20] in an AI world where large language models are trained on every single thing that's ever been published to the web if you put text out there if you put marketing information out there product catalog information out there all of that information is now part of a large language

[00:43:39] model and it is very easy for some bad actor to mimic your voice to borrow enough legitimate information and then just splice in the little pieces of misinformation or potential ransomware phishing vectors we live in a completely different world now with AI and your website is no longer

[00:44:05] only in your domain of control we wish that it was right it's my website I get to say what is published on my website and I'm in charge of how that information is delivered not anymore you're not

[00:44:19] you live in a world where AI is already mimicking your voice it knows everything you've ever published out there and that produces a new level of vulnerability for future attacks that are going to

[00:44:34] sound incredibly real right used to be that we could very easily recognize well this is legitimate language and that is mimic language from a bad actor because you know they would use bad grammar

[00:44:48] English as a second language there would be some telltale signs you know these large language models they're getting pretty good they sound like real human writing and if it is based on

[00:45:01] your product catalog it's going to take a very careful eye to recognize the difference between real messages and spoofed messages that can be used for bad purposes all right so Ryan we've established that website security is a discipline that is underrepresented

[00:45:22] right now in the MSSP and greater managed security services space so let's imagine a scenario now where this is a golden opportunity for some MSSPs to jump in and say let's take advantage of

[00:45:40] that let's you know seize the day and fill the gap in the market there's a lot of people in need out there let's say you're maybe one of those organizations right now what do you do to make this happen

[00:45:53] and position yourself as a leader in website security what steps do you take to maybe pursue this particular market opportunity which seems to be out there waiting for someone to take advantage there is a tremendous opportunity and need in the marketplace it's all based

[00:46:11] on credibility right like the decision makers who are responsible for any business system whether it's your website or your internal network the boss of that system is going to take advice

[00:46:23] from people they know people they trust and a new voice even if it's right even if it's telling a story that needs to be heard that new voice is going to take a long time to cut through

[00:46:33] I would advocate a channel strategy right think of this not in terms of just you and I direct approaching the end user and saying your website is vulnerable we can help you protect that

[00:46:46] who does that decision maker already believe when it comes to a web conversation probably their web designer if they have a marketing agency that's built that and is administering the environment if they have a technical designer a web developer a programming asset that has built out some

[00:47:05] of these capabilities that is an established route to credibility let's go through those individuals and give them an upsell opportunity think of it like this if I'm a marketing agency and I provide

[00:47:21] website services to clients wouldn't it be a good idea if I could say to those clients you know in addition to just making your website look cool and have some good interactive functionality

[00:47:32] I live in the real world and cybersecurity is an issue and we can now also in addition to a cool website we can give you a secure website and we can address that from the original strategy in

[00:47:46] what kind of a client's going to say no no I want to have an insecure website that's the kind I prefer right no they're not going to do that if it's let's make you a better web environment

[00:47:57] and also let's make sure it's secure that's not an upsell that's just responsible professional behavior well that ad agency ain't an expert in cybersecurity don't expect them to be you be their white label or third party supplier where they can just bring your services into their client

[00:48:20] environment if I can get one marketing agency to agree that I'm a good provider and we can be white labeled into their environment that now gives me access to their entire install base that's a

[00:48:32] very efficient multiplying strategy that'll allow us to get to many end users without having to wait a year to build a brand of credibility on website security all right that's our way of

[00:48:48] thinking about this topic in security what do you guys think we would love to get some feedback and some opinions and some real-world experiences so for those of you in the audience listening in

[00:48:58] here today let us know what your thoughts are and if you have any other experiences and recommendations or if you still have questions you can reach us via our email address at cyber for hire at

[00:49:10] cyberriskalliance.com and you can hit us up on our show page as well in the notes and comments that we would love to keep this conversation going. In the meantime let's move on to our next segment which is

[00:49:23] something that we like to refer to as dear cyber for hire this is an opportunity that we take to play relationship counselor between the professionals who sell security services and the ones who consume

[00:49:36] those services no matter what the technology is the relationship often matters more than what our software and service capabilities are so we've written this letter in a way to mask the identities

[00:49:50] of the innocent but make no mistake this is a real situation that we deal with out there in the world Bradley what is the relationship challenge that we're dealing with today? Well you're about to find out Ryan because we're back with even more juicy MSSP melodrama

[00:50:07] and this one comes from the client side of the relationship so fellas cue the music dear cyber for hire I'm all for keeping appearances in a relationship but sometimes I feel like the marriage I have with my MSSP partner has become a little artificial like a couple who keeps

[00:50:30] posting Instagram photos of their amazing family adventures when they never actually do have the things they pretend to do. In my case my MSSP keeps pushing me to do a glowing testimonial or case

[00:50:43] study that they can use to bring in more clients don't get me wrong things are good I'm happy but not everything is as perfect as they want to make it out to sound and I don't want to be

[00:50:54] insincere or misleading plus not everyone needs to know how I'm handling my security needs especially cyber criminals who may be paying attention please help how can I stop being my MSSP's trophy spouse sincerely testy over testimonials in Toledo Ryan what can the client do in a

[00:51:17] relationship or a situation like this I mean at the very least they could maybe hold out for some pricing incentives or something maybe in exchange for a testimonial but I'm not sure this is an

[00:51:27] area that's necessarily going to do the trick what else can be done here. You know this is a great conversation because this is an area where endorsements and testimonials will make more difference

[00:51:40] than other areas of commerce right if I provide advertising services or if I provide business consulting services testimonials about what I did and how good it was and how valuable the

[00:51:52] client found that that's going to be helpful but in a world of like trial by fire not just the theory and strategy of business but the real practice of cyber security everybody's marketing brochure sounds great right everybody can say we've got all these years of experience and we've

[00:52:12] got methodologies and the most advanced capabilities yeah everybody says that but it only really is believable when somebody can say in the real world we use their services that bad stuff

[00:52:25] happened to us and everything turned out okay that will make more of a difference in accelerating the sales cycle for cyber security providers I believe than any other discipline of technology

[00:52:38] and managed services this is a proof based service and the evidence needs to come not from me because if I'm the service provider and I say my services are great that's not communication that's

[00:52:53] promotion and everybody is going to take that with a grain of salt but it it's a very valuable thing so I set that up to say I understand why we want those testimonials but I also understand exactly

[00:53:09] why a customer might be reluctant to give it I don't want bad guys to know what my approach is and I also don't want anybody in my client base to know well we had this one time where we were breached

[00:53:21] and dot dot dot holy cow everybody just stopped listening and they said you wait what you were breached and you gave a testimonial about that now I have to question how secure your environment is

[00:53:34] I think if I were on the client side of this conversation I would be very reluctant to give a detailed testimonial about service structure or about any remediation experiences which are

[00:53:48] the really valuable things I would only ever be willing to speak about either you know the general fluffy stuff of we like them a lot and they provide a great relationship or about really very compact elements of the service relationship like the onboarding experience to get all

[00:54:07] of my users up and running was flawless and it happened in a very tight time frame or you know we have regular reviews with our service provider to make sure we're not just

[00:54:18] assuming that we are safe but we are looking at things on a regular time cadence and we're always up to date by the way those are much more effective marketing messages than just the general

[00:54:32] we love them kind of testimonials and it's a lot easier to get your clients to be willing to agree to give that precise level of testimonial so let's not just go to our customers and say will you endorse

[00:54:47] me let's go to them and say will you endorse me for this one very specific element of the service we provide or the relationship and the method we use to deliver these services I don't have to say

[00:55:01] everything is perfect and nothing will ever go wrong because I might not be comfortable saying that about my service provider I just endorse that very specific use case, which happens to be not only easier

[00:55:14] to get the customer to agree to but dramatically more believable by the person who's reading that testimonial so let's not stop asking for testimonials let's just stop asking for blanket endorsements and we will get way better participation from our client side all right sound advice

[00:55:32] as always Ryan another relationship saved hopefully our listeners have learned from this and don't make the same mistake and remember if you've been struggling with your managed security services relationship whether you're the user or the provider we want to hear from you so please write to us

[00:55:48] at cyber for hire at cyberriskalliance.com and we might use your letter in a future episode all right well it's almost time to wrap things up before we go it's time for us to get a

[00:55:59] little random as we share with you drumroll please our irrelevant news of the week this is a real news pitch that Ryan or I have received in our inboxes for reasons that are

[00:56:11] entirely inexplicable to us are you ready Ryan I am ready let's hear the randomness all right well really this time around it's not so much of a news pitch but rather a pitch I got from a news writer

[00:56:25] a freelancer asking me if I was interested in brace yourself for this one back to school articles now this might be the first time ever that I've seen a reference to end of summer and back to

[00:56:41] school before summer even got started yet and that is very depressing I mean I get it some editorial magazines plan out their calendars well in advance fashion companies they plan right

[00:56:55] their fall collections whatever it is like nine months in advance or whatever but come on like can we enjoy the summer a little bit before we already start thinking about the fall like I know it's

[00:57:04] weird but for me I still when I see that first back to school commercial a chill still runs up my spine as if I was still in high school knowing that I just had a few sweet weeks left of summer

[00:57:16] sun before I was like back in the hallways of school again I don't know how you feel about that Ryan you know what I have that exact level of emotional reaction you know when you

[00:57:26] start to see the Christmas decorations in the store before Halloween you go come on let's can we enjoy the seasons as they come but while any of those are frustrating none of them hurts more

[00:57:38] than the back to school message right even all these years after school when we don't have to go back in the fall that was the end of innocence every single year when you were an eight

[00:57:50] year old and somebody said back to school and you were outside like running through the sprinklers you went but I just got started I literally just am getting good at summer can you let me enjoy this

[00:58:03] and it gets harder and harder as we go I agree it's the responsible thing to plan ahead but you know what don't harsh my mellow quite so early it's still springtime we're not anywhere near summer

[00:58:18] let's save those back to school conversations for a time after I've been able to go outside and enjoy some relaxing summer activities absolutely I always try to console myself or take

[00:58:30] solace in the fact that I'm like well at least fantasy football season's coming up I guess that's what I cling on to like at least I have that but yeah other than that let us enjoy the summer right so

[00:58:40] speaking of summer break school is out on this particular episode of Cyber For Hire but don't fret folks because we'll be back again next week with episode number 23 meanwhile feel free to check out even more cybersecurity podcast content on the SC Media, MSSP Alert and ChannelE2E websites

[00:59:00] until next time I'm Bradley Barth and I am Ryan Morris and we would love to keep this conversation going so please share with us any of your questions, comments and advice on the business of cyber security

[00:59:13] and we'll keep the conversation going on the next episode of Cyber For Hire your inside source for cyber outsourcing

podcast,