welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly embellished truths
about corporate cyber security programs we're ranting we're raving and we're
telling you the stuff that nobody talks about on their fancy website and trade show giveaways all to protect you from
cyber criminals and now here's your hosts mike rotondo zach fuller and lauro
chavez welcome to the cyber ants podcast this is your co-host zach fuller joined by
mike rotondo and laura chavez and today we are talking all about the benefits of cyber security
go far beyond cyber risk management a lot of people think of cyber security as a risk
management issue is almost a sunk cost but i say that is incorrect because we've
seen it help companies grow thrive go through major acquisitions
there are a lot of benefits far beyond risk management and we are going to get into that today but before we do
mike why don't you kick us off with the news good day and welcome to the news the
usdod tricked into paying 23.5 million to a fishing actor uh the u.s department
of justice has announced the conviction of a resident of california for multiple counts of relating to a fishing
operation that caused 23.5 million in damages the us department of defense i think that's a hammer the fraudster
managed to divert to his personal bank account dod funds destined to a jet fuel supplier conspirators registered the
domain dia dot dash mill dot com which is very similar to the legitimate dla
dash and used it to send phishing emails these emails were delivered to users
in a vendor database or companies that would want to conduct business with the federal government register themselves
the phishing messages contain links to a cloned login.gov website where the victimized vendors entered their account
details annoying unknowingly exposing them to the conspirators this is why we recommend
phishing training seriously if you're going to do if you're a criminal doing this don't have the funds
wired to your own personal bank account i mean come on he managed to pull all this off and had
the funds send to his his own bank like nobody it's called smart
stupid well if you read the story he had a co-conspirator in new jersey
uh that owned a used car dealership a big surprise that uh basically registered under his own
business the bank account another bank account so oh wow
man you've got to be more crafty than that not even bread comes you're leaving whole pizzas behind
yeah do you know your fishing training people yeah and there is no such thing as
dotmel.com just yeah for all of those of you who are worried about the onslaught
of russian hacking because they have all this all this labor laying around of russian
hackers this is for you russia to rent tech savvy prisoners to corporate i.t faced with a brain drain of smart people
fleeing the country following the invasion of ukraine the russian federation is floating a new strategy to address a worsening shortage of
qualified information technology experts forcing tech-savvy people with the nation's prison population to perform
low-cost i.t work for domestic companies multiple russian news outlets published stories on april 27 saying the russian
federal penitentiary system had announced a plan to recruit i.t specialists from russian prisons to work remotely for domestic commercial
companies so
just i can't even yeah what are they in jail for probably
hacking yeah well it's russia it could be spitting on the sidewalk you know so
that was a good point i'm just curious about if they didn't arrest arrest them for hacking and they're in jail how do
they know that they're tech savvy does everybody gonna get a test or what i mean
it's a dossier you know they they may have been a criminal that you know right person that got busted for drugs or i
mean you know that's you know good point but uh
yeah i mean i guess it beats hard labor in siberia but i mean
i don't well yeah i mean that or we're dealing with you know microsoft i don't know
well yeah there's a lot we can hack on this i'm going to leave it there
well my only concern is due to the brain drain or the tech shortage that of workers that we have in the united
states and some you know rocket scientists the department of justice is going to go hey we can do that too
so yeah um anyway uh there isn't a yeah
anyway i'm gonna go on uh new u.s breach reporting rules for banks take effect may 1.
uh new cyber incident reporting rules are set to come into effect in the u.s on may one banks and the country will
require to notify regulators within the first 36 hours after an organization suffers a qualifying computer security
event the act defines a security event as a computer secret it says it's an occurrence that results in actual harm
to the confidentiality integrity or availability of an information system or the information that the system
processes stores or transmits an incident requiring subsequent notification the agency say is defined
as a computer security incident that has disrupted or degraded a banking organization's operation and its ability
to deliver services to a material portion of its customer base and business lines uh based on this they're saying
large-scale ddos attacks system outages failed system upgrades unrecoverable system failures resulting in activation
of continuity or dr plans computer hacking incident malware and banks network or ransomware attack that
encrypts core banking systems so you're in the banking system keep that in mind according to mozilla
lack of security protections and mental health apps is creepy mental health apps is creepy on its own
but that's another story well they have good intentions to foster mental health and spiritual wellness the majority of mental health and prayer apps can harm
their users other ways by exposing personal and intimate data due to the severe lack of security and privacy
protections researchers from mozilla have found of 32 mental health and prayer mobile apps investigated by the
open source organization 28 were found to be inherently insecure and slapped with privacy not included label
according to the report of the same name published online this week moreover 25 apps fail to meet mozilla's minimum
security standards such as requiring strong passwords and managing security updates and vulnerabilities unpatched
dns this is important for all of you with remote workforces which i think is all of you so all five million of you
please perk up unpatched dns bug affects millions of routers and iot devices a vulnerability in the domain name system
component of a popular c standard library that is present a wide range of iot products may put millions of devices
at dns poisoning and task attack risk a threat actor can use dns poisoning or dns spoofing to redirect the victim to a
malicious website posted at an ip address on a server controlled by the attacker instead of a legitimate
location the library which is uc lib c and its fork from the open wrt team uc
lit c dash ng both variants are widely used by the major vendors the concern netgear axis
and linksys as well as a linux distribution suitable for embedded applications
uh this is good news maybe ransomware payments just 46 percent of
victims now pay ransomware i think we talked about this a couple of weeks ago is the tide finally turning on
ransomware one piece of good news maybe is that the number of organizations hit by ransomware who choose to pay ransom
their attackers has been declining reports ransomware is a response from cover based on
thousands of cases on which it has worked cohere says the number of ransomware hit victims who paid a ranch declining from 85 percent in q1 of 2019
to 46 in q1 of this rear cove where's finding stand in contrast to recent release recently released
study from cellphos which noted that the number of organizations that self-reported paying ransomware to increase from 2020 to 2021. the actual
study was based on self-reported survey where codeware's findings are based on actual cases and who you believe they're
going up or it's going down the first quarter of the year cobra found these are the ransomware strains had the most market share
conti v2 had 16.1 percent lock bit 2.0 14.9 black at 7.1 high 5.4 avos locker
4.8 with that we've got some critical headlines uh f5 has a huge has 10 flaws
in its products go ahead if you have f5 check into that there's a deep dive protecting against container threats and
the cloud is a little too technical to talk about in the news but it is an excellent read and then uh got some cool
names today chinese override panda hackers resurfaced with new espionage tags and chinese-linked motion dragon
i'd be the security software to side load malware so i don't know what a motion dragon is but
sounds scary so with that laura motion i like it so that last news
article about our evil coming back i think is a good segue into exploits this week as we look at
some really really cool work from one of the security researchers out there i'm going to drop his name hyperlinks
thank you so much for all this awesome work that you've done to basically give us blue team guys and all you blue team
guys out there some good fight back against our evil okay the cool thing about this is that
the ransomware itself is is terrible when it when it when it's working against you however like many software
pieces just like mike was talking about um for the prayer apps and things the the coders who built our evil didn't
really put a lot of security into the app itself so there are dlls
that this this this malware looks for and you can hijack those dlls because they sit on disk and you can get them to
do anything that you want so you can get ahead of this this ransomware um this malware before it
actually even starts terminating things and doing harm on your system and the cool thing is that hyperlinks not only
given us some of the exploit code for this um that you can use to help yourself but he's also provided that not
only just for our evil but for trojan crypto wall there's like um the ransom lock or goga
there's um ransomware server code execution that he's got so there's a cbt
locker code execution so check those out from hyperlinks i think if you're blue teaming and you've got um you've got
you've had some infections with this before or you're helping companies do reactive response check this out because
you might be able to get ahead of these dll dlls and stop the ransomware from
doing harm just based on the weak security that the hackers provided in the code so that's
cool um so a little win for exploits that go against some of the malware this week and then the other one that we have
unfortunately is is against us it's for the verizon 4g lte network extender so
if you've got one of these network extenders in your house that's extending your 4g lte if you're in a remote location
make sure that you're trying to get off of version 4 because there is a weak credential algorithm that the
producers of this this extender baked into the product so one of the one of the security
reasons out there has given us some insight into the essentially the naming convention that
the um the device uses to build its admin account for everybody if you don't go in and change this
there's a script that can easily easily guess this on pretty much any one of these devices instantly giving you
access to then install other things or you know do harm or turn off or whatever you're going to do to the lte
switch so if you've got one of these make sure you're taking a look at it uh change the admin password to
something manual don't let it do it using its auto function and also try to
get off of version four because that is the one that's that's weak all versions prior up to four
containers for law so that's all i have for exploits this week but i hear we're going to be talking about how cyber
security can help you win some multi-million dollar contracts potentially new business am i right zach
something like that that's that's exactly right that is exactly what we're talking about but before we do let's
take a quick commercial break want even more cyber rants be sure to subscribe to the cyber rants podcast get your copy of
our best-selling book cyber rants on amazon today this podcast is brought to you by silent
sector the firm dedicated to building world-class cyber security programs for mid-market and emerging companies across
the us silent sector also provides industry-leading penetration tests and cyber risk assessments visit
silentsector.com and contact us today and we're back and uh before we dive in mike i just
wanted to say about your the article you mentioned about ransomware payments going down
um i uh i might assume that maybe it's all the people listening to the cyber ants
podcast and hearing us rant about not paying ransoms you think that could be it i would assume so yeah i mean i would
think that uh i don't know who else in this industry is shaming on people for paying ransoms
so well i think when we passed our billionth listener i think we really had
a uh a reach that could broadcast this message out yeah in the universe
making a dent shame on you for paying a ransom we got an email from a guy in mongolia who thought that the cyber
rants was great yeah yeah that was pretty cool that was pretty cool
so yeah in all seriousness though get yourself a backup plan where you're backing up like
near real time if not daily sometime between near real time and daily that way you don't have to pay ransoms that's
right be sure to remember that the cyber ants podcast is far better than any type of
endpoint protection or firewalls or sim solutions or anything
else out there so it starts with knowledge all right and that said let's dive into
today's topic so wow shameless plug um shameless
cyber security is a tremendous asset for
especially for business to business companies why is that it's because
large enterprises are very serious about cyber security because of all the breaches what's on
the line the expenses people getting fired over breaches all of that stuff going on
so large enterprises now want to make sure that their vendors they're especially their technology vendors but
they don't have to be technology vendors really all of their vendors are operating in a secure manner right if
i'm the person in a large enterprise and i am looking at potential options you know a
platform or software some sort of solution or any type of vendor to use i need to make sure that one my data is
going to be protected but two operationally that i can count on them right
it could one vendor could take down an entire company when that company's reliant on them for operations so
uh if you're if you put yourself in the shoes of somebody in a large enterprise they have to make sure that the
organizations are bringing on board are secure and it's been proven that they are willing
to pay more for vendors for solutions that present a lower level of risk than the other
options out there so with that said
security can drive revenue and grow your company can create a competitive advantage there's absolutely
no doubt about it and we've seen it mike or laura do you guys you want to kick us off with any
um any case studies any stories that you've seen even just from our you know own clients and experiences out there in
the wild sure mike do you want rochambeau you want to go you want to go first
why don't you why don't you go first sir it's my honor to let you go
oh thank you you're so kind you're so kind uh you know i'll say that that cyber security is kind of like the grey
poupon out there you know you got your your big giant company executive driving around and he's out of gray poupon
because he expects it in his company you know because they they have the money to afford great coupon and they
pull up next to the civic and he rolls the window down and he says do you have any grey poupon and you say what's that
and he goes oh and he scoffs at you and drives off right so he's like we have to go we have to go look for somebody who's
got grey poupon for my sandwich um that's cyber security and and and as
funny as that sounds it in in the case studies that i'll talk about here with some clients that we've
we've walked through this this whole process and successfully seen them fly off into the hundreds of millions of
dollars of acquisitions that happen um after we've done our good work right we've helped the company get aligned to
a framework and get contracts and so we one one of the cases i'll talk about is
is we had a services company that was really really good at coming into your business
and if you were using this bit again or there's a big industry level software out there that everybody uses for crm
okay and a lot of companies use this software and they don't use it very well well this services company that we
served could come in and they could take that and turn it into a they could take that
piece of 10 that you had laying around that you were using for crm because you didn't really know what you were doing
and they could turn it into a a complete rocket ship for you and it was unbelievable and they could
do it in a very short amount of time okay and so they were really good at what they did but they lacked a lot of
you know there were a bunch of consultants that were really smart at configuring this tool for you they didn't really have a lot of you know on
the back and they had one it guy um that was trying to do it all and keep it together with you know about you know 30
people in the shop so what what happened is the same thing that we talked about what always happens
you start getting questionnaires as your client base grows and you start getting into a larger echelon of clients and the
fortune 150 ranges as zach said
the grey poupon right as i mentioned they're going to expect that of you and they're going to send you this questionnaire
and so there was a bid this the services company had a bid for um there was essentially over a million dollars it
was like 1.3 million dollars worth of work for this huge huge automotive
company and uh our client the services company we had you know um we hadn't quite taken them
on yet they had received a security questionnaire from this automotive organization and they just couldn't answer it
and so they you know with a quick google search they found us we were a local client and um we were you know local
positioned there for them and so we went into and you know met with them and within we signed a statement of work and
within about five or six days we had that contract moved through sales
we had the security questionnaire completed in a manner that that you know let the automotive company know that
they had partnered with a professional services team and that these were going to be the changes in the roadmap that were going to be occurring over the next
year and they went ahead and accepted that as you know a good faith and so this
this giant automotive client now broke all the records for our services client in the amount of contract money
this was this was huge over a million dollars in contracts is just you know an amazing amount of money well this is the
first one if i remember right wasn't it a million a year million plus a year
it was a million plus a year for this absolutely ongoing services yeah so it's a big deal
big deal and so to fast forward this okay so silent sectors absolutely involved with this client and we're
walking them through the frameworks we're putting in all of the proactive cybersecurity stuff that we know that everybody is not only needs to reduce
their risk but also to adhere to the frameworks that all these big companies are looking for you to do
and so after that contract came through you know another security questionnaire comes in and next thing you know
this services company we're serving is making over a million dollars a week in revenue then this is no joke this is no
made up story this is the real stuff here this is what dreams are made out of it really is and so
another what were they what did we say they were mike they're a technical company that's a fortune 50 again i'm
not trying to drop names here so i'll forget they're a large integrator yeah okay so they're a large integrator
offered to buy our services company that we were serving and they accepted and i i'm not sure
what that final number was but it had a lot of zeros on it it was incredibly
incredibly um just just an amazing lucrative venture right and so
we got to not only watch this you know help this company get to a place where they were making a million dollars a week in contracts
um but but also walk them through this acquisition process to this giant
giant tech company that then purchased them and of course you know we had to part ways but you know that that's the nature of of
why we do this i want to say that is that we don't we're you know at least i you know i believe mike and i do this we're not
doing this so we can stick with you for 50 years we're trying to teach you to hunt and fish on your own so that you
can be self-sufficient and we want you to build your security team and your security program and be sufficient in
that and say goodbye to us and say thank you for teaching us thank you for guiding us oh sherpa of the cyber
security mountain you know we thank you and we'll part ways and then you know that's the whole point of it right it's to reduce all of the american businesses
risk as a whole and you know we can help guide you through that process sometimes you know we are unfortunately we do
stick around because as you know some of these companies realize this stuff is difficult to do and sometimes it's hard
to hire professionals and so we'll be in these roles longer but this was i guess probably the perfect case study for us
in my opinion we came in we got them the contracts we got them to a place in business where they were high
integrity in the market they got purchased we walked them through that acquisition process with the lawyers
and we got to say goodbye and and thank you and and there was like this big party and dancing and confetti and it
was it was beautiful there was hugs they don't call they don't write they don't you know they don't they don't
check it anymore we don't hear from them they're they're counting their money they're kind of busy
so yeah yeah give them a break i would i would i would do the same it's like taking care of a little bird that fell
out of its nest and then it flies away in the end
you know it is really really awesome and that's you know that's one of our things in our in our company values and kind of
our our purpose and cause and such really our company passion is just that it's accelerating the growth and success
of our clients and um that i mean that's just one of many stories but
uh if that doesn't get you all hot and bothered man i i don't know what will i mean that's
cyber security really is a revenue driver a competitive
advantage i'm excited any other stories we want to go through or do we want to um do we want to dive
into some of the mechanics of it on a less grand scale i mean there are
clients that we deal with on a regular basis that are dealing with smaller engagements and smaller companies and
their you know fifty thousand hundred thousand dollar engagements or you know contracts with clients or you know half
million here or there but those questionnaires are just as important for those companies as well
and they are and we walk them through that we've developed environments for them to do that we've developed
solutions for them um and you know one of the key things
is not just answering the question there it's doing what you're saying you're doing and that is
you know we get you nist or cis compliant and then we get you on you know get that stabilized and stabilize
your environment so you can answer those questionnaires and the goal is to teach
you to answer those question areas on your own i mean gladly will help you but um
you know i i i can think of a bunch of clients that we've got that we you know
are winning business for just by being able to either show or demonstrate that we are that
they are compliant but answering the question theirs properly as well is a big deal so yeah
we we pretty much um we give that in you know that gives that
integrity right and there's a competitive advantage to having that cyber security
card in your pocket for your business because you know these large companies they're going to form out these questionnaires
and you may be familiar with the process but you know you're gonna answer these questions and they're gonna they have individuals like mike and i that are
gonna review the these responses and they're gonna write a risk report and so if you've got a widget and it's
the only widget in the whole market and no one else has it but everybody wants it you can just answer no and there's
probably a chance that you'll still get some clients right you can just say i'm not answering a questionnaire ever because i got the only amazing widget
that does this widget stuff you know to me it's widgety so you might in that case if you're in that completely
super small slice of tech space be able to get contracts without answering questionnaires but everybody
else is going to answer that questionnaire and this big organization is going to say well we need this widget
do a you know do a market analysis on this and they're going to come back and say well there's 14 widgets to do what we need to do
and so they're going to farm the questionnaires out and out of those 14 they're going to look at price they're going to look at risk and
they're going to determine which one's going to be the best move forward and so you know if the price point's right that's one thing but then how much risk
does the client you know is going to incur now based on what they were what they responded to the question well
yeah and keep in mind that their risk is being driven by the fact that they have insurance under writers and they have
liabilities and they have cadres of lawyers that are telling them you can do this you can do that you can do this you
can do that it's not up to you now the other thing i've seen in the industry and then we can jump to the
next topic exactly is that i've seen a lot of these small companies especially with female employees that are
spearheading this being treated poorly by the sales staff and being treated by security people
either when they're asking for questions asking questions about their security or requesting security stuff from
those companies from companies that they're trying to get as vendors
and that i find disgusting but a lot of those people are
um but we're seeing that i've seen that a lot i saw that recently and i was i was i was mad about it well the nice
thing was is there the women that were running this this program
came back to me and they're like we're having problems with this and and the guy was pushing back hard and so i said well just tell them to talk to me and
all of a sudden it was like okay talk to this guy now and
having that guy having the person come in that that has the credentials and be able to
answer the questions for you um who isn't going to get pushed around by
the vendor or whoever it is helps so
it does it's sad that they're misogyny you know still unfortunately you know
yeah um but you know i mean we're we're strong supporters of our you know our
female leadership that you know they just do without seeing a job and it's it's a shame that that still happens in
the industry but it certainly does and for all of you you know even if you're not um female out there having issues
with vendors mike's we call him the enforcer so i don't know that i don't know that you need any other individual to talk to
somebody who's giving you problems at all
mike mike can shut those people up really quick so it's one of his skill sets i think he
has a certification in that right yeah there's good cop bad cop and mike
yeah you're certified in stfu i like it
um well yeah well well said um let's talk in let's get a little bit
into the mechanics of this and and um you know i think this is something we could do many episodes on and we we've
talked a lot about this but just at a high level you know what are the most common things that that the large
enterprises are looking for in their vendors in terms of security is it specific security measures in place is
it um third-party attestations what what do you hear the most
common what do you hear is the most common requests from large enterprises
unseated sock 2 and a third-party attestation of security
framework compliance those are the two big ones um the third party questionnaires
will contain the questions pertaining to those two but those are the two big underlying
things that i'm seeing yeah if you can provide a sock to or an attestation letter along with the
questionnaire i think that that that really sealed the deal that's the certification stamp essentially right on
that on that return item for the risk but um from a technical piece on the
questionnaires i think i i see a lot of a lot of things that are pertaining to control of data on mobile
devices specifically yeah bring your own mobile device so all the companies out there that are
letting you know your employees use their personal compute at home to you know vpn in or use your you know
office 365 or g suite or whatever you know um there's there's a lot of
risk that's happening there because you can move you can have file movements across that bpm from that
you know essentially uncontrolled um you know non-non-issued device that you're allowing to basically you know
interface with your your business compute and so they're asking a lot of questions around how are you handling
um when an employee leaves how are you handling the email on their personal phone if you're letting them use a personal phone to connect to
company email so keep that in mind the other one i still see a lot of is you know um
you know i think uh it has to do with um
isolation of the host so there's all i think a lot of it is kind of moving towards this kind of micro subnetting
where every host has some form of tool on it that isolates it is its own
singularity essentially right at the interface nick so between
127.0.0.1 and your 10.10.whatever it's holding that device in its own dmz
if you will so they're looking for that kind of granular control you know i don't want to call it zero trust but it's getting
towards that um and then of course you know the the firewall the intrusion detections are still you know being requested or you're
asked about um obviously all your policies um and what you're doing change management asset management things like
that and then the data encryption at rest how are you how are you protecting the data at rest
and on removable media and then controlling access to the data so the clients want to know hey if you're
holding my data how do you how does your team get access to my data do they can
they you know does there a request process they have to go through talk to me about that process talk to me about
the permissions that you're giving the different employees based on their role responsibilities so there's still a lot of that in the
questionnaires yeah so let's let's talk
oh god mike well i was also saying there's also a lot of scene questions and stuff like that that we touched on
last week i know it's laura's favorite topic belonging but try to avoid that but yeah that's
there don't get them started
well the um let's talk about a little bit about those organizations uh that don't have
all the security controls in place and we see this this is called an emerging especially emerging tech companies right
it's starting to get more and more interest from fortune 500s and and they're getting these security
questionnaires and they say mike lauro i don't have i don't have all this stuff
what do i do can you talk a little bit about about navigating that with their prospects
uh information security team and kind of the back and forth and negotiation
uh that goes on you can lie about it and hope they don't ask for evidence
that's we don't advise that yeah but yeah it's a certainly a viable
option and done very frequently unfortunately yes
yeah ask for evidence every everybody on the corporate teams out there listening to us yeah asking for evidence
now don't collect the evidence do a screen share but yes you want evidence and for those of you who are relying on
questionnaires as silent sector finds out you're lying on your questionnaires we'll probably fire you as a client
absolutely absolutely we do not approve of such behavior you've got to be
here's the thing is that um um you know unfortunately you know we talk about this as a revenue driver okay
i like to see it as more of a return on investment right it's hard to quantify in cyber security which is why all the
the security teams that listen to us you know understand we understand your pain about not getting budget right and all
you leaders that are asking for money for you know risk reduction technologies are not getting budget because your
leaders have a hard time seeing why we need something else right cybersecurity is already just a big you
know a big uh budget suck but it is true you will get a return on this
so if you're a small one-man shop and you've got a widget we deal a lot with that i think we see we see that pretty
often that's not super common but it comes up for us right because we we do focus on the small businesses and um
we'll occasionally have a you know very cool single shop web developer devops cyber security individual
all-in-one who's made a really cool widget that everybody wants to use in the same situations give me questionnaires
unfortunately there are some things you can do to help yourself like like just segments just doing
proper like segmentation of duties saying that you know when i log into my sas environment or i log into a dev
computer it's a completely separate account than the one i use on my regular computer right or during my regular activities i have a completely separate
dev account so i keep those those realms separated on the compute devices but you
i mean there is going to be some investment there's going to be some investment specifically right around
time there's going to be time you're going to need to take to do things right so there's going to be a time cost
always with cyber security and there's probably going to be a little bit of a monetary cost the smaller you are the more the less expensive it is of course
the bigger you are the more expensive it is just because of the nature you have more things right and that's typically how these security services companies
give you tech is based on how many ips or seats or whatever right that their licensing models are made out of so if
you're smaller it's still you know it's more affordable compared to a you know a fortune 50 company's expense but it
still may be expensive to you i mean it's still whether it's ten grand or five grand or you know 55 grand that
could be like a lot of money to you as a small business but try to look at the big picture you're
going to invest in these risk redundancy technologies number one they're going to reduce your risk they're going to keep you from getting hacked hopefully
you're going to keep your business logic and your your you know internal intelligence safe and also they're going
to give the the integrity check to larger companies that you're trying to get as clients that are going to come and say
how are you handling this and you can say that well i've invested in these technologies or this consultant ship or whatever the
case may be this partnership with an mssp or um an uh you know ms uh what are we exactly mpo um i can't remember we
call them we're uh we're a unique animal um that's really started an entirely new industry
but that's that's not about us we are we are we're the unicorn of cyber security shameless plug we are you're
not going to find you're just not going to find the capabilities in other organizations that you find at silent
sector that's just the truth back to the question if i'm hearing you right basically the way to the way to
navigate this is get started and show it started forward right show a documented path forward a plan of
action right something that shows that hey we're on it you know we also have a way of straight
erranding my circumlocution sir thank you sorry i didn't mean that please continue it would be great if
there was a cyber security company maybe selling sector that started a small business program that uh
had a small canned uh startup process for this for small you think wow
can you think of one that's probably enough shameless plugs yeah
and a commercial um striding through the universe has a
smaller unicorn riding on its back that is for small businesses so yeah unfortunately that
magical beast does exist yeah don't be afraid of the cost because you know there are
services out there that at least do something right yeah
yeah and you're going to get it back you're going to start doing something just like you said zach do something start someplace get you buy some
anti-malware tool and deploy it you know um simple stuff right you know uh start thinking about you know how you're
handling the data you're gonna handle the data for the client or the you know the intellectual property security do
something grab one of these frameworks download it look at it they're free right it's there they're free to look at they're they're
sometimes costly to implement but download and look at it and see where you fall just go through it you know they yeah they're you know they're 180
lines of suck but go through it see where you fall in line the truth is is that you're going to invest in this
stuff and these companies that are sending these questionnaires now that you can answer honestly and you're not lying that
through your teeth about this stuff they're going to have high um they're going to have you know high confidence in your services and your
ability to protect them while you do services for them and they're going to go with you and so these contractors are
going to start coming in and coming in and coming in just like they did for our previous client who thought cyber security was not worth investing in and
they took a chance and look what landed them in less than two years
they got millions and millions of dollars for their company right and also became more secure in the process
and so it can it's certainly a repeatable thing that'll happen um so you will get that money back at some
point it's not just throw away that in the water right here's here's an idea a little bit
off the wall but sharpen up that that sales saver get it ready because you can go and show
a well-articulated plan kind of get the deal across but get some money up front that covers these cyber
security expenses that they're facing right get them get a get a uh early
payment or get something negotiated because i mean let's face it forge fi especially if
you're a smaller company um these fortune 500s i mean they have they have deep deep pockets they can you know cut
a check get you you know get you funded a little early and uh there have been a lot of successful
startups that way that actually raised their money through their client base through their prospect base i should say
that became clients by doing all kinds of creative stuff like that you know from
early payments to early distribution rights uh selling territory rights all kinds of stuff so
don't think of it as a as you know black and white you know we can do this right
now or we don't it's more how can we do this so well one client there was one client we had that uh they
had a long-term client that was now asking them first for a certification or at least a framework letter of
attestation and they got the client to pay half of it right
so i mean that's also a possibility absolutely don't be don't be afraid to
ask these large enterprises for things and remember the people you're dealing with it's not there it's not like it's
money out of their pocket you know they're not going to their their retirement fund and pulling it out and saying hey here we'll pay for half your
stock too right company funds they have funds designated for stuff like this and you have a good solution a good product
they're going to want to keep you so it's just how it goes well hey we're running up way past time
here but uh any final words of wisdom before we jump off
don't lie don't lie on your questionnaires
yeah get some great coupons i'm gonna go make a make a sandwich well thank you everybody for joining us
hope you enjoyed this episode of the cyber rants podcast you can check out the news articles online at
cyberrantspodcast.com you can also submit your topics questions uh areas of discussion for
future episodes uh we're also available on linkedin so connect with us and share
and like the episode and rate it all that good stuff everything you can do
please do we'd love to get the word out and that's our goal with this podcast is really to help organizations become more
secure but also use those security efforts to grow and thrive and bring in
tons and tons of revenue so thank you everybody and have a great day
