Ahead. Hello and welcome to the Cyber Rants podcast.
This is Zach Fuller, joined by Mike Rotondo and
Laro Chavez. The three usual suspects
here. And today we are talking about a topic that I think is important
for a variety of people, whether you're in technology or not.
But it is the topic of transforming cyber risk management cybersecurity
into a revenue generating asset for your organization.
So cybersecurity isn't just about managing risk. Of course, that's
a core component. But companies that are smart, especially
B to B companies going after enterprise contracts,
can use this to land millions in new revenue. We've seen it.
We see it regularly. So this stuff works.
We're looking to dive into that shortly.
But first, we'll kick it off with the news.
Mike, good morning and welcome to our 101st episode and the 101st news.
Leak of Intel Boot Guard keys could have security repercussions
for years. The potential leak from MSI Gaming of signing keys
for an important security feature in Intel-based firmware could cast a
shadow on firmware security for years to come and leave
devices that use the keys highly vulnerable to cyberattacks.
Intel is still actively investigating an alleged leak of
Intel Boot Guard private keys for 116 MSI products.
The investigation comes after a claim that leaked source code from
the March 2023 cyberattack on MSI
includes this data, as well as image signing private keys for 57
MSI products. Confirmed Intel OEM private key leak causing an
impact on the entire ecosystem.
It appears that Intel Boot Guard may not be effective
on certain devices based on the 11th gen Tiger Lake, 12th gen Alder Lake and 13th gen
Raptor Lake processors. The alleged leak comes about a
month after an emerging ransomware gang tracked
as Money Message hit Taiwan's MSI
with a double extortion ransomware attack
and claimed to have stolen 1.5 terabytes of data during the attack,
including firmware source code and databases.
When the $4 million ransom the group demanded was not paid,
the attackers released the data.
Boot Guard, do you think they'll change the name now?
I don't know. How about just Boot? Fake in-browser
Windows Updates push Aurora info stealer
malware. A recently spotted malvertising campaign.
I haven't heard that word before.
Tricked users with an in-browser Windows Update simulation to deliver the Aurora
information stealing malware. Aurora has been available
on various hacker forums for more than a year, advertised
as an info stealer with extensive capabilities and low antivirus detection.
According to the researchers at Malwarebytes,
the malvertising operation relies on pop-under ads,
which are cheap pop-up ads that launch behind the active
browser window, staying hidden from the user until they
close or move the main browser window. Typically, these are
found on high-traffic adult content websites
and redirect potential victims
to malware serving locations. I can see many things wrong with
how you get infected by this and many other things that you
get infected by. By doing this, you have to do it in real life,
you're getting infected. And if you do on the Internet,
you're getting infected. Exactly. Yeah, exactly. I'm not your dad,
but stay away from the porn. Or if you're going to buy it, pay for it.
New Greatness service simplifies Microsoft 365 phishing attacks.
The phishing-as-a-service platform called Greatness
has seen a spike in activity that targets organizations using M365.
Most victims are located in the United States,
with many working in manufacturing,
healthcare, technology, education, real estate, construction,
finance and business services. So basically everybody, um.
The Greatness phishing as a service contains everything
a wannabe phishing actor needs to conduct a campaign
successfully to launch an attack. The user of the service accesses
the greatness admin panel using their API key and providing a list
of target email addresses.
I love that name. We're just Greatness. The phishing-as-a-service
platform allocates the necessary infrastructure,
like the server that will host the phishing page, as well as for generating
the HTML attachment. The affiliate then crafts the email content
and provides any other material or changes to the default settings as needed.
The service then emails the victim, who receives a
phishing email with an HTML attachment.
When the attachment is opened, obfuscated code
in the browser connects with a Greatness server to
fetch the phishing page that will be served to the user.
The phishing service will automatically inject the target's
company logo and background image from the employer's
actual Microsoft 365 login page.
Do you think that kids today are just like, waking up mad because
something happened in Minecraft and they're just like,
choosing to be a scammer? Like today I'm just going to
start my life's work as a scammer.
I'm mad at the world because my elf warlord died.
Yeah, they've recreated the whole game,
Zelda: Breath of the Wild,
inside of the Minecraft server. And it's like, why not just go to the
regular game where the graphics are nice, instead of looking
at this thing in eight bit anyway?
US disrupts Russia-linked Snake implant network. The Snake
implant is one of the most sophisticated implants used by Russia-linked
threat actors for cyber espionage purposes.
The malware has been designed, signed and used by
Center 16 of Russia's FSB in cyber espionage
operations on sensitive targets.
The FSB created a covert peer-to-peer (P2P)
network of machines worldwide
that were infected with the Snake malware.
If you don't know what FSB is,
it's kind of similar to our NSA. Excuse me.
The P2P network is used to operationalize traffic
to and from the Snake implants on the FSB's ultimate targets.
The malware uses custom communications protocols designed to avoid detection.
US experts identified Snake infrastructure
in over 50 countries worldwide,
including the United States and Russia.
US agencies monitored FSB officers assigned to Turla that use
Snake malware as part of their daily activity
from an FSB facility in Ryazan, Russia. US authorities code named
the operation Operation Medusa, and the FBI developed a tool named
Perseus that disabled Turla's Snake malware on compromised computers.
Perseus issues commands to the Snake malware to override its own core components.
A lot of Greek mythology there.
All right, just a couple of quick headlines. Tennessee health system
stops all operations amid cyberattack recovery.
We're going to start taking this stuff seriously
in the healthcare industry. Those Smashing Pumpkins fans:
Smashing Pumpkins' frontman paid a ransom to a hacker
who threatened to leak the band's songs.
Western Digital notifies customers of data breach after a March attack.
FBI seizes 13 domains linked to DDoS-for-hire platforms.
There's a new Linux Netfilter kernel flaw that allows escalating
privileges to root, and Sysco got hacked. Not Cisco the technology people,
but Sysco the food delivery people.
With that, let's go over to Lauro's Corner and see if we can hear
something happy. Not Sysco. The best food comes from Sysco.
My favorite frozen chicken fried steaks with gravy that I get.
My favorite dirty spoon restaurants come from Sysco.
Dang it, only second best to the Schwan's truck.
Welcome to the hundred and first episode of Lauro's Corner.
And today, in my corner, we're going to talk about the
101 reasons why you should join the cybersecurity field of profession.
Now, if you don't want to hear all 101, you can go ahead
in this moment and fast forward to 47 minutes from now exactly on the video,
and that's where we'll pick up with the actual story that we want to talk about today.
I'm kidding. I'm kidding. There's probably 101 reasons,
but I'm not going to talk about them today.
But I am going to address a question that I get a lot.
I've actually had to talk to about four people this last week.
Friends of friends, friends of family, colleagues, kids.
It seems like everybody wants to join up with cybersecurity
right now, and that's a wonderful thing. And the first thing I want to tell
you is that, yes, you too can join the fight against the
cyber bad guys who are trying to disrupt our
business operations here in the United States.
And believe it or not, I too, once never knew how to type on a keyboard.
And that's okay. We all got to start someplace.
So where do you start? I've had friends ask me about college courses,
about certifications. How do you get into penetration testing specifically
is kind of what I've been asked the most recently.
I think it's got a lot of fun,
edgy coolness to it, and it is a lot of fun to do, but it is a very technical job.
So the first thing that I'll tell you is if you want to be
a penetration tester or a technical assessor in this world,
whether you want to focus on web apps or you want to focus
on hosts or you want to focus on APIs the best thing for you to do
before you take certifications and go to a big fancy school
and start taking these courses is just use the free material that's out there.
And I'm going to drop a name for you.
Hack The Box. So go to Hack The Box.
And not only do we require this as part of our, I guess,
preliminary requirements for our team members to join the team,
but it's a good place to really see if you've got the mustard to do the job.
And anybody can tell you anything they want and guide you
anywhere you want.
But the only way you'll really know is if you go to these places and try for yourself.
So what is Hack the box? It's a playground with applications that are,
I won't say rigged, but they are configured in a manner
that they have a weakness that is associated with them.
And that is your job, like with a metal detector,
to find the gold ring that somebody lost on the beach.
Your job is to find the flag, or capture the flag, as they call it
in this realm of gamified approach to penetration testing.
It's free to sign up. They've got free classes. There are some paid for classes.
They offer certifications as well.
But I think in the lab you'll find what it is that
you're looking for and a place to ask yourself, is this job for me?
And I think a lot of you will find the answer to that question is yes.
Because if you get excited about the work that you'll see there,
you'll get very excited about the work that you'll see out here.
So stick to it, stay at it, don't get discouraged.
It's a steep learning curve, but that doesn't mean it's impossible.
So whether you want to be on the technical side of cybersecurity
or you want to do governance, they're both acceptable
places today. And there are a lot of jobs being offered
out there by organizations who could benefit from high quality
individuals today, even if they don't have a strong background
in cybersecurity. Having a high integrity individual that is excited to learn
and willing to learn about this discipline is by far better than picking
somebody who has the opposite attitude but has more
experience in the field. So stay with it.
If you need help, reach out. Lots of resources out there on YouTube,
in various places, but check out Hack The Box and find out if it's
going to be fun for you or if, like me, you just prefer making sandwiches.
It's one of my favorite things to do. Zach, speaking of making sandwiches,
I think cybersecurity can be used to make,
like, some sort of a
triple decker that everybody wants to buy.
Yeah, you're making me hungry here.
Well, excellent. Let's dive in and talk about cyber risk management,
but even more importantly, using that to drive revenue here.
And we're going to do that after a quick commercial break. Doo doo doo doo.
Buy some soda, Mike's soda. Mike's soda is the best.
Always reminds me of this Seinfeld episode when Kramer
buys the Merv Griffin set and he does the fake talk show.
He clicks the tape, and it plays the play out music, and it's like, turn over the tape
now to play the playback music, and he sits back and eats some chips
and drinks some soda and then starts the show again.
I got to watch that. That's funny. Tony has been on a Seinfeld binge,
which is completely not his age area at all.
So it will be a funny conversation to have with him in the future, right?
Yeah, I think our break is about over, guys.
Yeah, I think the commercial is probably up. All right.
Commercial is over. Okay. All right. Welcome back to the
101st episode of the Cyber Rants podcast.
We're triple digits already. Where did the time go?
But let's talk about something that is really awesome about being in this
business, and that it's not, again,
like I said earlier, not just about risk management,
but enabling companies to drive forward.
And one of the foundational concepts is if a
company doesn't have any customers,
their cybersecurity really doesn't matter, right?
So first of all, we got to figure out, okay, how does an organization
drive revenue, and what does that look like?
Now, when we talk about cybersecurity, I hate to break it to you,
but those of you listening to this podcast are a bit of an anomaly.
You're the minority out there.
Most people don't care that much about cybersecurity.
I know it's a shock. And it's not that people don't care.
Nobody wants to be hacked or wants their data stolen
or anything like that, but most people put about as much
thought into it as say, they do their car insurance policy
after they've had it for five years.
It's just kind of one of those things that, well, hope nothing happens,
hope it works when you need it, that kind of thing.
And unfortunately, this can filter into leadership in organizations, right?
And so, while executive teams are much more aware of this and know
that cyber risk is a factor, a lot of technical leaders realize that
they're not actually getting the support and the funding they need,
even in this day and age.
Now tides are turning kind of out of the necessity and what's going on,
but we still see a lot of that out there in the wild.
So our jobs in the security realm, or technology realm in general,
and chances are you probably know, you want to push more
initiatives through in your organization, you want to do more in terms
of cybersecurity for your company.
If you're not getting that support you need, or the budget,
the buy-in or the stick to really enforce those requirements.
The teeth. That's well said. Then we need to start changing
our conversation
from cyber risk management over to one about something that your
organizational leadership absolutely does care about and puts
a lot of focus on, which is revenue generation.
So if we can start to speak in their terms, now we can start to
change the tides. I like money. Yeah, well, who doesn't, right?
With that, we'll talk a little bit today about some of the vendor
evaluation process and that sort of thing.
Anything you guys have to add or any stories you want to share
about companies that have used security to land big,
huge buckets of money. I like money. That's all the executives care about.
I like money.
You got to know how to talk to them. Like, you like money.
I like money too. You want to make some money? Yeah,
I want to make some money. We need to put some cybersecurity in.
What's that? And there you go.
That's it. Simple as that. I don't think it is. I wish that were the case.
Well, it takes the right kind of I want to make money sometimes.
That's a million dollar deal. Well, here's another thing. I think you made
a good point about:
you don't care about cybersecurity if you haven't got any customers. Right.
Which is kind of funny, because if you remember from last week's
podcast, the insurance application form, the cyber insurance
malware application form that you're not going to be able to get.
So most companies are going to require you to have some form of
liability and cyber insurance to do business as a technology company.
And if you can't get those, if you can't get cyber insurance,
then to Zach's point, you don't really need to worry about cybersecurity.
It's not even just technology companies.
Every company now is being required to have cybersecurity insurance.
It's just the cost of doing business now. That's right.
Likewise, pen tests are becoming mandatory on almost
every security questionnaire. So every client you're engaging, so it's
dedicated IT security staff, how are you going to do that with four people?
Right, exactly. So. There's Tim, he's a developer, he's a machinist,
he's the janitor and he's the CISO. Right? Yeah. CISO or CISO.
I don't remember. I think there was a conversation about that a while ago.
I think it's motto that up before.
But it's CEO CIO CTO CAO, not Cow. Right. So I think it's CSO or yeah.
Before E, but not after C. That. Last podcast, you said you're going
to beat the crap out of anybody that said siso. Yeah. How'd that go?
This is what we were doing. We were going out in the streets of LA
and we were just, like, holding up a placard to the homeless druggies
and being like, how would you pronounce this word?
And then if they did it wrong, Zach would just hit them.
No, you know what? There's a lot of highly experienced CISOs out there
that use siso, so I can't really argue with them.
Right. The other confusion is CISO versus CSO.
So I think there's an argument there of if you say CISO,
you might be referring to a chief security officer, as in covering physical security and that sort of thing.
Other matters beyond cyber versus the cyber side.
But I don't want to go down that rabbit hole too much because it's.
Too late, we're in the rabbit hole. But here's what I'll say is it say it,
however, is going to get you the free drink. There you go.
Phone number. Use that title however you need to use it.
You pronounce it anyway. It's going to get you that phone number. That's fine.
Well, there you have it, people. Settled. Settled.
So I don't know if there's a right way to say it, but I always use CISO.
I think that's just because that's the right way to say it. We need to get into this again.
I thought we already beat that dead horse.
But seriously, back to each driver, back on the road. I'm glad that
this podcast vehicle's got off-road tires that don't pop because
we tend to get on the rocky path sometimes. So let's talk real quick.
So for those people maybe that haven't been through this or want to understand why
cybersecurity is so critical to revenue generation, we're talking mostly
through the lens of a business-to-business organization, especially
those going after larger enterprise customers.
So what happens is let's think about the sales cycle here, right?
What happens is that large Enterprise customer and let's say
you're a SaaS company and you're offering this cool SaaS product
and you've put all this money into your marketing.
I like money efforts. So we go in and we are out there.
The company finds us and finds us as maybe a solution among
others in the marketplace. Right. When we first connect with them,
we're at this neutral level of trust.
They don't distrust us. They don't really trust us.
We were basically just there and not very meaningful to them.
But they start to dig through our marketing material.
Maybe white papers, maybe do a demo, or they talk with our sales team and all that.
And all these things are happening.
An idea in sales, because you can't make sales without it, is
you're always growing that trust, right?
So you're building that level of trust, and at some point in that initial phase,
call it the familiarity phase that's going to start to level off,
they're going to kind of have seen everything that they can see,
and they say, yeah, this looks great.
This looks like a very viable solution to solve the problem
or the pain that our organization is having, or make us more
efficient or whatever it is that you're offering.
And then the very next thing they're going to do is they're going to say,
okay, well, we've seen what we can see.
Now we have to go through the formal vetting process.
We have to vet you to understand what type of risk you are going to bring
to our organization.
And that's where companies that aren't ready for this just crash and burn.
That's where they fail. Because then that large enterprise
is going to pull back the curtains and they're going to say, oh,
look, they've got a great website
and all this stuff on the front end.
Then they pull back those curtains and it's a mess back there backstage.
They're going to say, wow, this company doesn't actually
have really anything in place. It poses a high level of risk.
We're going to move on and look at different options so it can
absolutely make or break your process.
And so you could spend millions on the front end really looking good,
but if you don't have that next phase covered, you're going to lose
business. Speed to market. I got an idea.
What if we do our listeners a little justice here and
we can make this make sense in a little role playing exercise.
All right, Zach, so how about you? I'm going to be the shopping, interested customer.
I want my new widget. Okay. Now, Zach's company,
he's going to be the widget that doesn't have any security.
And Mike, Mike's going to have the same company widget that I'm looking for, but
he's going to have the security.
And so this is how the conversations go. I'm going to start with you.
Okay. Zach, what do you think? All right. I know where it's going to go.
It's going to go someplace awesome. All right.
So you got a widget, Zach, that I want to use.
That's pretty cool. So I like your marketing site.
It's real fancy and your tool does what I need,
but I kind of need to do a vetting process. Would you guys sign an NDA?
Yeah. Oh, of course.
Anything for you, Mr. Prospect. Awesome.
Well, I'm glad that you signed that NDA because now I've got about 53 questions I
need to ask you about the security of your application.
Are you okay to answer those for me?
Oh, yeah. Fire away. Of course. Fire away. Excellent.
So my first question is, do you have a SOC 2 or any kind of
governance framework that you've aligned to for risk management in your company?
Okay, now, it's okay.
It's fine. I'm on to the next question. Do you have a firewall? Okay, now, it's fine.
Don't worry about it. I'm going to go to the next question.
Do you have a development team that is here in the United States,
or are they offshore someplace that you've never heard of?
Well, about that... it's okay.
You don't need to know where your development team comes from.
We're not using this app. Janine, this is crazy.
Okay, back to my last and final question here.
How much do you charge for your services?
Well, I mean, it depends. Okay, well, thank you very much for all of
your assistance here, sir. I'm going to get back to you.
I'm going to go confer with my teammates and make sure that this
is the best choice for us.
But while we're doing that, I need you to do your best to go
in and fill out that security questionnaire and get it back to me.
Okay, well, I'm really looking forward to doing business with you.
I'm glad we're at the top of the list.
I'm excited about where the future is going to take us.
You're going to love the product. I mean, it's going to solve all
your problems and all your challenges. So I'll call you next week.
Awesome. That smells like someone let some gas loose.
But yes, let's call next week. Okay. All right. Hi, Mike. How are you?
I found your product online, and, man, it looks really cool.
It looks like I got something I want to use in my company.
We need that. So would you sign an NDA for me, sir?
Sure. Awesome. No problem. I got about 100 security questions
I need to ask you. Are you okay with them? Is that all?
Yeah. I mean, I've got some more I can pull out of
my pocket just because I carry that stuff around with me,
like spare change and lint.
But we'll get to that in a minute.
Well, let me ask you, have you aligned to, like, a SOC 2 or
risk management framework in the industry?
Yeah, we're aligned to SOC 2 and SCSF. Oh, wow. That's hot.
Okay, let me ask you another question. Do you use a firewall?
Yeah. As well as IDS, IPS. We have a DMZ. We have honeypots.
You got honeypots? Oh, sweet Lord.
Okay, this is getting really getting hot in here.
I like this product already. Okay, well back.
Are you channeling your inner Billy Bob Thornton or what?
Yeah, well, I had to make it entertaining.
It's not fun if it's just my stupid voice, my Laro's corner voice.
Like, come on, guys, give me a break.
But I think you can see where this is going, right?
We don't have to continue with Billy Bob Laro.
But yeah, you can see the difference. Right?
And that's exactly what Zach's talking about,
is that these customers we're all consumers.
It doesn't matter. You don't have to be consuming a cybersecurity
product or a technology or a business that you want to purchase.
You could be consuming shampoo at the store. Right.
You have your choices and your reasons for the way that you choose
the way you do for your products.
Whether it's steaks or veal or coffee or a coffee maker.
You have your integrity based decisions that you're going to make.
And if you went up to buy the Doritos okay, I'm a pretty good fan of Doritos.
It depends. But if you went up to buy a bag of Doritos
and it said, not sure the ingredients, potentially some other stuff,
not country of origin, not sure where it's made, would you buy that chip?
Would you actually want to consume that potato chip?
Probably not. I think that's actually what it says on a bag of Doritos.
I'm pretty sure that's beside the point. Don't want to eat it.
You should want to grab the chips that have all the friendly stuff on there
where you know where it comes from.
It's cooked in peanut oil. You know what I mean?
Those are kale chips made right here in America. I like it.
We should all just unknown reason why we would make kale chips.
Because you can charge eight times the price.
Yeah. And it costs like eight times as less to make for half the ingredients.
So it's for rich people that hate themselves.
Right. Basically, it's a pyramid scheme, I think that's right.
We call it Whole page.
Well, that's what you need to do, though. You need to be the kale chips,
cybersecurity, right. For your business. What does it really boil down to?
I mean, if you look at revenue generation, whether it's sales, marketing,
any business development efforts,
the fundamental, the core of all of that is trust.
You have to develop trust with your customers.
Right. And it doesn't matter if you're Doritos or if you're going
after big time engagements, those big time Fortune 500 contracts,
you have to develop that level of trust.
And cybersecurity is your best weapon in that.
If you are, especially for tech companies, I mean, all companies,
but going after large enterprise, but especially tech companies,
where your technology is your brand, you have to leverage cybersecurity
so it's no longer just about checking the block.
Do you have this in place? Really good. Really good.
B to B companies are putting this stuff front and center in the sales discussion.
They're putting it on their marketing materials, putting it on their websites.
Yeah. Well, speaking of websites, one prime example is if you go to a website
and maybe they have a security page,
just a big block of eight pages of text.
Nobody cares. Nobody's going to follow that.
Companies that do it really well. They make their security page a
marketing page, and they have logos of their different certifications
and the frameworks they follow.
And they talk not so much about the specifics of their security,
but they talk about the benefits of their security in a language
that is meaningful to their customers. And that way when their customers read that,
when they're doing their reviews, they say, oh yeah,
this company's already bringing up those concerns that we
have when working with vendors.
And here's how they've answered it. Again, not in detail.
It's not supposed to be open source intelligence material
but it is done in a way that really shows that the organization
has security at the core of its kind of values and the core of its focus.
So definitely have that page on the website.
Maybe I'll just drop in a truth tip, right? Some experience that we have,
we see this happen all the time. I think that's why it's important
for us to talk about it and why we like to talk about it is
because we see this actually happen in the workplace.
And so, as an example, a company contacted us.
They did some really cool Salesforce consulting and they had this
recipe of going in and making your Salesforce cloud just awesome.
Just awesome. As awesome as it could be.
Just like a bonsai tree in your yard kind of thing, right?
So these guys are really good at what they did, this company,
and they had done pretty good about getting contracts,
but there were some really large contracts, like million dollar plus
contracts that came with a security questionnaire from these larger companies.
And they weren't getting these million dollar contracts
because they couldn't answer this questionnaire,
nor were they going to lie about it.
So finally, the sales and the CFO kind of stepped in and said,
we got to do something about this.
How are we going to get this done? So we got called.
We went in and they asked us, like,
how do we complete this? And I basically responded that
you have to implement the risk management program that
they're asking you for in this questionnaire.
So we went forward, that took place, and they began to get
these million dollar contracts, and they began to get million dollar contracts weekly.
And at the end of our engagement,
after about 18... it was about 20 months, wasn't it, Zach?
Something like that. They were making about 8 million a week
and they got purchased by one of the biggest technology organizations out there.
And it was all because leadership understood that there was a
problem that was stopping them from making revenue.
And it wasn't marketing materials, it wasn't sales.
It wasn't the ability to be awesome at what they did as a business.
It was the ability for them to articulate their security controls
and build that trust and that integrity with their customer base.
You're seeing that more and more. Dovetailing on that,
there's another SaaS company that I've been working with
that started out with really no security framework in place
and has since implemented one and is able to
get bigger and bigger clients.
They're starting to roll to that. But the thing that's happening is this.
The companies want to be able to trust you.
They also have insurance companies they have to answer to.
So that is driving them to have those requirements.
So they're basically pushing downstream.
It's kind of like what the Department of Defense is trying to do with CMMC.
The primes have to adhere to a certain standard. Well, now the entire supply
chain is going to be required to adhere to that standard to ensure their
security, from Bob the pipe bender all the way up to the guy
building the aircraft carrier.
So that's what's happening with this.
And that's why we really need to take it seriously.
If you want to grow your company, if you want to continue to exist
five years from now, you don't really have a choice.
You have to get on board with cybersecurity.
You have to start implementing a framework.
You don't necessarily need a SOC 2, but you do need to have something in place.
Third party attestation, not "we think we have it."
I recently had a conversation with someone and they're like,
well, I don't want a pen test. It's like, well, that's becoming the
cost of doing business, man.
And it's on every security questionnaire you're getting. Cost of doing business.
You're going to need a pen test whether you like it or not.
It doesn't have to be sound sector. Just do it. Two words, somebody.
Vendor management. Right? Yeah. That's really what kind of, I guess,
causing the echo effect of some of this stuff, right?
As you've got these organizations that are aligning to
SOC 2 and CMMC and 171 Alpha and PCI, and they all
require you to manage your vendor security. So you have
to reach out to your vendors. And before you take on a new service,
as part of procurement for any new services or technologies,
you have to vet the vendor.
That's what a vendor management program mandates you to do.
And all of these frameworks like SOC 2 are going to require
you to do vendor management. So there's really not a way to get around it.
And it's causing this sort of echo effect in the industry where
if you're new to this and you came out with some new hotness again,
some new cool tool that looks really sweet,
but you don't have all of the UK mall in the back part of this,
you're going to get burned out when they ask you.
Because despite the cool factor, speed to market is
a smoke and mirrors marketing methodology. I think that's more understood these
days and it's less favorable for the speed to market. It's more favorable to have all
of the DevSecOps thought out, to use a coined word.
Sounds funny when I say it, DevSecOps. But you do.
You need the security built into your development all the way through and be able
to demonstrate that as part of your marketing materials.
Keep in mind, too, that large enterprises will pay more
for a solution that absolutely presents them with less risk.
You're going to pay for it. Yeah, the return on investment can be
huge because, you know, it might be a million dollar a year contract
may be big for your organization if it's a small SaaS company
or something like that, it might be a game changer.
But for a Fortune 500, that's like a rounding error.
They spend more than that on toilet paper each month, probably across the organization.
Totally. Well, every consumer does, right? I mean,
like I went over to Billy Bob's hamburgers the other day and
I got dysentery from eating his hamburgers even though they were only $0.50.
You know what? I'm going to stick with the five guys burger.
It costs more, tastes just as good. And guess what?
I'm not on the toilet for 6 hours. Yeah, but they've been hacked recently.
Twice this year. Okay, pick another burger company quick.
I should say twice in the last twelve months. In-N-Out, In-N-Out.
Damn good hamburgers though. They got damn good hamburgers.
They got hacked. I'll still eat their hamburgers.
Maybe they got hacked and they'll add more French fries to the bag.
There you go. Well, hey, another thing if you're wondering.
Well, the tactical level, well, what do we do? Of course.
Okay, so it's pretty clear you have to have a formalized
cyber risk management program, right?
Even if you don't have a SOC 2 audit or an ISO audit,
you got to have that. But some of the other things that
you can do to help put security front and center and start leveraging
it as an asset are to really build a summary.
Right? So you have your website, you got a page that's non confidential stuff.
And think about your sales process.
What else can you supply after you're under NDA to
the prospective buyer, even before you get into vetting
and security questionnaires and all that.
Give them more material that shows, hey, here's what our security
program looks like. Generally speaking. Again, still not too detailed, but.
Have that and that becomes some sales firepower as well for
your sales reps, which you'll also need to train on security
and what matters to the type of companies that you're going after, right?
So you're going to need to tell them, well, what risk concerns are based
on the nature of our business and what we're doing and all that.
What are our clients going to care about? Because they're going to
need to bring that up in the discussion and basically explain
the benefits of the product.
So this is a tool for them to use to go out while they're prospecting,
while they're selling, while they're trying to bring in those contracts.
So make sure they know what's important, make sure they know
about frameworks and certifications and why that stuff matters, right?
Third party validation and what's going to get them motivated to
back you here and all this and your security efforts is letting them
know that, hey, well, when we put these things in place,
we actually shorten the sales cycle quite a bit, right?
Because we're not going to be bottlenecked with those
questionnaires as much. We're going to be able to answer
them confidently and not be trying to jump through hoops to
put things in place when they come into place.
And sales reps like speed to close. If you can shorten their sales cycle,
which you can with the right efforts here, they will be absolutely
ecstatic that they get paid quicker. Because what do we say?
People care about revenue, right? And sales reps like money in their pockets.
So just a couple of quick tips there. I don't know anything else.
I don't want to beat a dead horse too much, but surprise,
surprise, cybersecurity can make you money.
Who knew? Tell you what, I want some of that Mike's Hot application.
His web app is so hot and it's secure and I'm going to send old
Zach's web app a glitter bomb, you know what I mean, in the mail. So.
We have to reorient the thinking of a lot of the executives out there,
because I used to deal with some very high level people,
including in government, that would say, you know what,
so if we get hacked, all we do is we take a stock hit for three months.
That I don't think should be the mentality anymore.
No, definitely. And I think we need to get away from that type of thinking.
It's just not about the stock price or the valuation of the company.
There's reputational damage that's being done to your consumers
because you're exposing their data.
And it has to be treated as more valuable. The customers' data has to be
treated as more valued.
You treat it like gold or platinum or whatever the most palladium.
That was the one I was thinking of tonight.
I knew it was in one of my lighters, I just couldn't remember which one.
But anyway, it was all expensive.
But my point is that it needs to be treated like that,
and your customers need to know that you're going to treat their data
like that because that's how they want to treat their data.
Hopefully, I go back to one of my things, is that I used to work for
a very large bank who did not use the cloud. They built their own cloud.
Why did they do that? Because they trusted themselves with their data,
not somebody else.
Why would I put my data in the cloud? So why would you trust somebody
else that doesn't trust you with your data? It's all about trust.
Exercise. Stand on the table and fall back. Trust fall.
Make sure people there, though, first.
Don't do that by yourself. The point of the exercise is, there's supposed
to be people to catch you. Cats just run away. Yeah. Otherwise you just fall on the floor.
That hurts. Well. Hope you got something out of this podcast episode
that you can take that'll help you as you think through these
concepts and help you get your point across with your organization.
If they are not giving you the support and resources you need to
really build an effective cyber risk management program,
really, we want to empower you with information and so
hopefully that helped with that.
Be sure to like the episode, share it, rate it, comment, do all that stuff.
Cyberancepodcast.com. You can submit requests for future topics and we'll see you on the next episode number 102. Have a good day.