In this episode, Max Clark talks with Ntirety's Chief Information Security Officer, Chris Riley, about what cybersecurity is today and how Ntirety works with its clients to create the kind of boundaries that let a business move forward safely and compliantly without impacting the user.
Max: 00:03
Welcome to the Tech Deep Dive podcast, where we let our inner nerd come out and have fun getting into the weeds on all things tech. At ClarkSys, we believe tech should make your life better, searching Google is a waste of time, and the right vendor is often one you haven't heard of before. I'm Max Clark, and today I'm talking with Chris Riley, who is the Chief Information Security Officer, aka CISO, for Ntirety. Chris, thank you for joining.
Chris: 00:27
Thanks, Max.
Max: 00:29
How did you get into security? You know, I mean, your background, and I look at your LinkedIn profile. This isn't something where you went and were an analyst for the Defense Department and, you know, came out of that into the private sector, which seems to be a pretty common path. I mean, what is your story? How did you get here?
Chris: 00:45
Yep. So, pre-Y2K, so that'll date me right off the bat. I was working for a small startup company addressing technical support for credit card terminals. And as Y2K and the threats rolled around, I began to do some automation and get more into the tech side. A gentleman by the name of Tim Daniels saw some flicker of hope in me in terms of the tech side and brought me into the IT world.
Chris: 01:15
And from there, I grew really organically from desktop support on to handling project management, being a liaison between customers and the internal IT function, up into really designing and maintaining compliance programs, and on from there. So I knew right about 2010 that cybersecurity was genuinely a thing. It needed a focus. It needed a dedicated team, and I started really down that managed security service avenue at that point.
Max: 01:53
I mean, 2010 is very early for security, it feels like, in the world. I mean, that wasn't really... it wasn't a conversation topic. It wasn't a focus. I mean, you were pretty early into this.
Chris: 02:03
Yeah. It was absolutely client driven, to tell you the truth. We were dealing with some very large financial institutions in the roles that I was in. I was having to balance that compliance mechanism into the security side. And security, the traditional security posture, into cybersecurity, that's really, you know, over the last 10 years, that is what has evolved. And with that, I've evolved with that posture.
Chris: 02:34
So
Max: 02:34
And when I think back to being a network engineer and supporting customer installations, I mean, security, you know, up to 2010 and even after 2010, for most people means a firewall and antivirus software, and that was the entire posture. And we can talk about how, you know, default rules in the firewall allow any traffic outbound, and all these other things that, you know, maybe aren't the best idea but relate to what seems like 99% of all firewall installations. What is cybersecurity today? I mean, it's obviously beyond a firewall and antivirus software at this point.
Chris: 03:08
Yeah. Whether it's SIEMs or, you know, it depends on the maturity model, but so much of it, holistically, is determined by how an organization wants to view themselves, and how mature they are in determining their threat landscape. And the traditional castle mentality, you know, died in the early 2000s. And to be concerned about the internal threat versus the external threat, being able to see the traffic, being able to understand what your posture is against the landscape. And landscape is a cool thing to talk about now that we're all working from home, and that has expanded greatly. It is constantly changing, and it's not stagnant.
Max: 04:03
So you're the first one to drop acronyms here on this. We're gonna come back to those in a minute. But what I'd like to ask you about is, you know, you're the CISO for a service provider, which means you're responsible for security for Ntirety. And at the same time, Ntirety has a security practice that supports your customers. I mean, what does that mean?
Max: 04:22
What is your day to day like in this role, and how do you balance those two needs?
Chris: 04:28
Yeah. That's one of the cool things about my job. You know, not only do I get to wear the internal security hat, and compliance goes with that, but then there's the outward-facing service. And so over the last 3 years, in developing a managed security service for our clients and prospects, compliance as a service, these are the same services that we utilized internally. So we built the program, we turned around and went through the pain over the last handful of years, and then we took those same programs and flexed them outwards for our customers to consume.
Chris: 05:09
So what's cool about the managed security services is I'm actually a customer of our service. So just like any of our other customers, I sit down with the SOC team and they present a report for me. They walk me through what they're seeing and how they're seeing it. You know, I have the perspective to be able to look across our entire organization and then get their analysis to back up what my thoughts are. And so it's incredibly cool.
Chris: 05:39
It's one of the primary drivers and I think something that differentiates how we function in the space that really I get to benefit from every day.
Max: 05:50
So compliance, meaning in the world like PCI compliance or HIPAA compliance or, you know, government-issued compliance mandates. Right? Yep. So these become... I mean, compliance response becomes mandatory for a company if they fit in those roles. We see lots of enterprises that aren't required to have a compliance stamp attached to them.
Max: 06:11
And when you engage with that enterprise, it's a very different kind of, you know, conversation cycle. Right? Like, how do you talk to somebody about the layers and the maturity of security if they're not being forced to go out and buy it?
Chris: 06:28
Yeah. Great question. So when I hear "how does security apply to us?" or "we're not a target," it doesn't matter. The conversation immediately goes, for me, to: can your organization fiscally handle the damage to your reputation if somebody were to breach you and take that information and make it public? Could you handle downtime or a service or business interruption?
Chris: 06:53
And could you handle it for a day, 14 days, you know, 3 weeks? What's your threshold there? And it always comes down to the money, the monetary impact that it's going to have. But organizations at that point say, okay, so I need some basic security, and that starts the conversation.
Chris: 07:15
And oftentimes, the basic security is, hey, I've got antivirus. I've got the firewall. We're good. And that logical transition between, hey, it's not so much the outside that you have to worry about, it's the inside, or the malicious actor, or the failure on one of your staff's parts, or clicking on something that shouldn't have been clicked on. Are you prepared for that?
Chris: 07:42
And that then begins to open up the conversation.
Max: 07:46
Boy, that opens up a lot of dialogue. So you talk about malicious actors. You know, SANS, a long time ago, published a report and talked about the actual threats for organizations. And, you know, top of those lists were accidental acts by internal employees, and there were malicious acts by internal employees. And I think they were, like, 12 or 23.
Max: 08:05
I mean, it was significant. And what I didn't realize at the time, but as an IT person, that created a lot of conflict between the IT department and the users of the business. You know? And how is that... is that still in play? I mean, are users still resistant to security?
Max: 08:21
Is security still a blocker for an actual, you know, person working for a company trying to do their job?
Chris: 08:30
The traditional "no" posture, whether it's coming because of compliance or whether it's coming because of security, is no longer an option. You know, if I would have known something 10 years ago that I could have told myself, it would have been: be a business enabler. Get to know the business, get to understand how they need to function, and then enable that business to do it in the safest, most compliant means possible. In my role, so much of it is taking that business goal and creating kind of the boundaries, the bumpers, if you will, on either side, to turn around and then allow that business to move forward safely and compliantly. And that can't be an impact to the user.
Chris: 09:24
The user interface has to be simple, flawless, and it has to work every time. Because if not, the user won't use it, and therefore, we've broken the security program.
Max: 09:36
A lot of the industry stats talk about the percentage of companies that will have a security event, will be breached, will have ransomware, what percentage of those will have what outcome or fail out of business. As individuals, we see on the news a lot of, you know, this company was hacked, this financial data was lost, this customer data was stolen, etcetera. But I still feel, as just humans, there's a sense that it's not gonna happen to me. This happens to other people. And as a result, I don't need to do this, or I don't have anything valuable that I need to be worried about.
Max: 10:09
And how do you view that, and how do you talk about that?
Chris: 10:15
Yeah. Great. So the best analogy that I've heard that's not at all technical or business related is fishing. When you're sitting on a boat with a line in the water, you're not looking for a specific fish, you're looking for any fish. And that translates directly into what bad actors are doing.
Chris: 10:37
Whether they're using an email phishing campaign and they're throwing that net out wide and deep, or whether they are turning around and gathering information to make a targeted attack, they start and cast that wide net, and if you fall for that first click, you're in the crosshairs. And so I think over the last handful of years, the perspective has become "it's not if, it's when," and consider that if you don't have the proper visibility, you potentially are already compromised. That's the mentality shift that has to take place. It can't be that we're completely buttoned up and we're absolutely secure, because bad actors, the bad guys and gals, have unlimited time, unlimited funds, and they know the same tools that we use for good.
Chris: 11:35
Half of them are using them for bad.
Max: 11:37
So what's the goal of security? I mean, what's the outcome that we're trying to drive to that can be achieved? I mean, how do you look at this for your business? How do you look at this for your customers?
Chris: 11:51
Yeah. Yeah. So the standard three-word response, you know, confidentiality, integrity, and availability: to protect the confidentiality of data, preserve the integrity of that data, and then ensure the availability. And while it really sounds cliche to say, fundamentally any program, and I say a program because it's, again, more than just that endpoint solution and your firewall, has to encompass that. You have to be able to discover and understand your evolving threat landscape and address some of the 101 things like vulnerability and reducing those threats to the end user.
Chris: 12:32
But you have to be able to shift that focus, like I said prior, from the outside to the inside. The bad actor is often not just on the Internet. They're already hired or within your four walls, or working remote now. And so your security model has to have that line of sight, or the visibility, across your entire platform. And then cybersecurity has to include some level of accountability, and that accountability is top down.
Chris: 13:07
One of the primary objectives that I have is I have to enable the business to make the right decisions. Sometimes that's bringing to light some very ugly things. Sometimes that's evaluating a business process and ensuring that it's not introducing risk. Other times, it's simply saying, if we're going to do that, we need to do this in addition to secure it or to maintain that compliance posture. Executives and boards have a fiduciary responsibility to, you know, the company, the shareholders.
Chris: 13:38
Right.
Max: 13:39
But how much of that fiduciary responsibility is just being aware and making a decision? I mean, you could get into a position that says, hey, we wanna implement this process, this technology. We, you know, we need 25% of our budget for security. You know, and the board can meet on that and say, well, that's too expensive. We can't afford it.
Max: 13:56
It's not a positive outcome. I mean, does that meet the standard of fiduciary responsibility for a board? At what point, you know, does this conversation go from making sane decisions into, you know, neglect or much worse?
Chris: 14:11
Yeah. I think that falls directly onto me. It's the CISO's job or the security executive's job to turn around and not only educate, but also create that road map that enables those conversations to take place. So the education is the first component, and then you have to turn around and help that shift in mentality really resonate, or foster that with your board. You need to... you know, if you're just walking in blindly and saying, hey,
Chris: 14:47
we need to spend this because of this, and there's no context or background, you failed to appropriately present why the solution is relevant. So I think it's a fine line that we have to walk, which is expanding that knowledge, educating the board, and giving them a chance to see how that business enablement is taking place through, you know, the technology, the people, or the process.
Max: 15:12
I've been in a bunch of conversations where security was related to insurance. You know, you have insurance in case something bad happens to you, and, you know, if your building burns down, the insurance company will pay to replace it. And security was in that same, you know, vein of, like, you have security as an insurance policy to protect you against these things, but it's really different. Insurance is an after-the-fact event, and it's directly correlated to, you know, a financial event. You've lost something.
Max: 15:37
Something's left. Something's been stolen. Right? Security, in many ways, is a before-the-event posture, and you have to spend money to try to prevent a negative outcome. And that's a very difficult concept to get across when you start talking about budget allocation.
Max: 15:55
Right? You know, we need to spend $1,000,000 this year on our security position, and we're protecting $1,000,000,000 of business behind it. But that $1,000,000 doesn't necessarily produce a tangible result that somebody can say, oh, we didn't have any hackers this year, so therefore that $1,000,000 was valuable. Or we only had 5 incidents, so that million was, you know... how does this actually work into, like, the real-world budget and budget decisions for enterprises?
Chris: 16:20
Yeah. That is the balancing act that I think security professionals have been doing since day 1. Not only securing that budget, but helping organizations better understand the why behind it. Why do we need a VPN? Why would you need a remote connection when everybody comes into the office?
Chris: 16:43
Well, here we are in one of the largest work-from-home scenarios ever, and organizations either chose wisely or are scrambling to enable that. So some of it is being able to determine how best to support the business short term, long term, and, again, do it securely. Other times, you're kinda looking into the crystal ball, knowing your risk or your threat landscape, and saying, boy, we've got kind of a soft spot here. Let's test it. Let's determine what the best solution is, and then let's take it forward with kind of the good, better, best model and try to secure that.
Chris: 17:24
So I think it very much depends on what the business use case is. And then, again, it's a process to secure those funds.
Max: 17:34
You have, you know, this idea of the script kiddies, you know, young people locked in their parents' basements, downloading programs and doing nefarious things on the Internet. And then on the other end, you have this concept of, like, this very focused, intelligent, you know, persistent hacker. You know? And an executive would say, oh, well, you know, if somebody really wants to break into my business and hack our system, there's nothing we can do to prevent that from happening, so we should just not try to focus on that or try to protect against it, because we've already lost that battle.
Max: 18:06
I mean, would you agree with that position, or what would you say?
Chris: 18:10
No. No. It's my job to not agree with that. You have to secure the environment. You cannot make it easy.
Chris: 18:20
You have to educate your employee base. You have to enable them to understand the whys around, you know, everything from phishing to not clicking on the random links to how to best protect the data of either themselves or the customers. So I take that challenge on every day, and so I go back to, you know, if a nation state is targeting you, that falls into a very different category than just somebody port scanning you and trying to determine what that initial soft spot is. Both of them go through very similar fundamental processes, which is gathering that information and then trying to determine how they're going to exploit it. And that's where we also start with the education layer.
Chris: 19:12
It has to be something that you enable not only for your teams, but also for your employee base.
Max: 19:20
How big of a problem are nation-state organized, you know, attacks at this point for US businesses or, you know, global businesses?
Chris: 19:28
Yeah. The Verizon Data Breach Investigations Report, you know, from 2018, I think it rose 12%. 2019, it was up 23%. Most recently, FireEye released a report beginning Q1 of this year, you know, where the APT41 Chinese cyber espionage actor was targeting zero-day exploits for Cisco, Citrix, Zoho, etcetera. And then we go into this pandemic, and we see that Check Point said there were 16,000 new coronavirus-related domains registered since January, and more than 2,200 of them were suspicious, with 93 confirmed serving malware.
Chris: 20:13
So it's relevant. It's happening. You know, "that's out of scope"? No hacker or attacker has ever said that. It's all relevant. And it's not only huge business, but that's fundamentally a new component to how we have to view the industry.
Chris: 20:36
There are organizations that are making offensive, and there are organizations that are making defensive, cybersecurity products. And, you know, you get hit with ransomware, you can actually get a help desk call in to some very nice folks to help you convert to Bitcoin. They're there to enable. So it's functionally a massive business.
Max: 20:59
Alright. What are the real-world impacts? I mean, what are people after? What actually happens to companies? You know, there's a spectrum of this, but what does that spectrum look like?
Max: 21:10
What is happening to companies?
Chris: 21:12
Yeah. I think, you know, everything from damage to the reputation and them not being able to recover, to completely monetary or money-focused, taking intellectual property, putting an organization's competitors out of business. The scale, you know, goes from 1 to unlimited so quickly. Obviously, it's a multibillion-dollar business for the bad actors. They're in it to make money, and they're continuing to build or foster their position.
Chris: 21:53
So we also have to continue to evolve and build and foster our defenses, or visibility, within our programs.
Max: 22:03
A few years ago, a major US retailer had a very public breach where their point-of-sale terminals had been infected with malware, and they were collecting credit card data. And there are 2 things I wanna ask you about. So the first one was that the actual breach factor came out to be an HVAC subcontractor, if I remember correctly. And that HVAC company was compromised, and then the attackers were able to bridge the networks together and get into the retailer's infrastructure. So that's already kind of like, you know, your jaw to the floor.
Max: 22:31
And then the second part of this was that there was a third-party security company that was involved that was sending alerts to the retailer's IT, you know, staff saying there's something going on. You should look at it. And it was effectively ignored or dismissed or pushed aside. Let's talk about this a little bit. I mean, that's a very major breach, massive financial impact.
Max: 22:52
It impacted their stock price, impacted their sales, customers. I mean, the whole thing end to end. But what does the rest of the fallout in that story really look like for people, both in terms of, you know, working for the retailer, at the HVAC company, at the security company? What actually happened after this breach was public?
Chris: 23:11
I don't know the specific after-the-facts for them, but I can tell you that we're talking about a big box store that, even when I go in there today, I certainly won't use my debit card. It's that damage to reputation, whether it's immediate or whether it's long term, there is a lasting impact there. You touched on something that I think is critical, and oftentimes we partner with third parties to eliminate some of that risk or defer some of that risk. And in this case, to have, you know, a security company sending alerts means that somebody at the big box store said, hey, let's just set it and forget it.
Chris: 23:54
We're in good hands. And they didn't uphold their side of the partnership to take notice, take alert, and take action. And that's a huge challenge, especially as a managed security service provider. Oftentimes, we can see things that require specific action. We can suggest those actions, but it requires the other organization to be a willing participant and want to further their program.
Max: 24:26
I mean, that sounds like it could be a very frustrating position. I mean, if you have a customer that's engaged with you to provide security services to them and they're not listening to you, that sounds like it's not an environment that's gonna be successful.
Chris: 24:41
Right. Right. You know, we go in with a prospect early on as: this is not transactional. This is a partnership. Here are the requirements.
Chris: 24:53
Here's the responsibility matrix. Here are our roles. Here are your roles. And it very much is developing and maintaining and fostering and maturing a program, whether it's security based, whether it's compliance based, or whether it's the marriage of both.
Max: 25:15
So I'm an enterprise, and I have firewalls, and I have antivirus today. And I realize that maybe this is not the security posture I wanna be in. From that level to what, let's say, the NSA has to do on a daily basis, what are the steps and what are the tiers that go in? And how do you define or figure out what's appropriate and, you know, how much is enough? You know, where do you start, and how do you figure out where you stop?
Chris: 25:41
Yeah. So whether it's the cybersecurity maturity model, whether it's a business maturity model, I try to break it down, you know, on a scale of 1 to 5, 1 being, you know, you're initializing your program, and moving to developing, defining, managing, and optimizing. But that's the top level, if you will. That's the goal for the model.
Chris: 26:04
You then have to break that down into further details, and you have to address critical infrastructure. And for organizations, critical infrastructure can be, you know, at a hospital, it might be their electrical grid, where for a managed service provider, that might be, you know, the infrastructure to support uptime and availability. You then go to your application security, and this is where I see it as, you know, the functional antivirus, the firewalls, the encryption layer, into the traditional delivery or network security. So you're dealing with your logins, your passwords, and then blending into that application layer.
Chris: 26:46
And now our environments are even more complex because we've got cloud and IoT. And so the traditional perimeter that you and I consider, you know, the firewall was that boundary back in the day. That's no longer there. That boundary is now working from home. That boundary is in the cloud, and that's somebody else's, you know, device.
Chris: 27:11
So that functional program needs to be able to flex up into all of that. And I think where organizations really get challenged is, how do we do that without adding tens of tools to that tech stack?
Max: 27:29
Your response is interesting to me because you really talk about identification, process, and program, and not necessarily tools and technology. I think a lot of people will answer that question and say, oh, we need to do single sign-on. We need an IDS system. You're going to go get a SIEM tool. You're going to do threat intelligence.
Max: 27:45
You're going to do, you know, endpoint detection or MDR, all these different things. And you answered very differently from that, which was more: what is our business process related to security? And then how do we move the business process down the road?
Chris: 27:58
I try to approach it from the business side. I try to approach it with being technology agnostic, if you will. You know, when we say SIEM, a security information and event management system, I say, hey, we need something that will aggregate and correlate all of those logs for us. You know, this happened, you know, traditionally in security, where you bought a widget, you put it in place, and you allowed it to perform a function. Then you put a person that would monitor that, and quickly we realized that we've got, you know, dozens and dozens of pieces of technology that aren't talking to each other, and we're having to maintain dozens of tools with very limited human capital, or the employee base, the subject matter experts, to maintain them. And the big buzzword a couple of years ago was security orchestration, automation, and response, or SOAR.
Chris: 28:57
And it was trying to get all of those tools that we've had massive investments in to be able to play nicely together, to correlate, because we knew that 8 people on a security team, which if you had 8, that's a massive team, couldn't do the armchair analysis. Your port 80 person couldn't say, hey, I'm seeing this on our firewall. Systems team, are you seeing this? Desktop, are you seeing this? Traditionally, that time has come and gone.
Chris: 29:27
So it's now taking whatever that technology is and pairing it with the right human capital to maintain it, and being able to have a consumption model that makes sense, because, as we talked earlier, that massive CapEx expenditure is very, very difficult to secure.
Max: 29:50
I mean, how big of a team, when you start talking about subject matter experts, you know, if you're an enterprise and you wanted to turn up a security practice from 0 for yourself, you know, or right now you've got, you know, your application, your server and desktop staff, and you have a network engineering staff, and those roles are a little blurry, but you say, okay, you know, we wanna go get a firewall, and then we're gonna get a SIEM tool, and we're gonna integrate a CASB tool, and we're gonna x, y, and z. And you go down that list, and you say, okay, we need all these things. And usually, those are probably to function. You know, we have remote users.
Max: 30:20
So we need a VPN, or we wanna go zero trust. You know? What does this look like in terms of staffing? Can companies do this themselves? I mean, is this feasible?
Chris: 30:30
Yeah. I think the national average for the unemployment or employment average for cybersecurity professionals is in the negative numbers during this time. It's hard to predict, but I think last I saw it at the beginning of the year, it was, like, a negative 7% for cybersecurity professionals. Now you talk about you need to cover that spectrum of work, that workload, 24 by 7, 365. So now you're talking at least 9, 10 people in order to do that.
Chris: 31:07
You have to help those 10 people maintain their certifications or their knowledge base. You have to keep them happy so that they don't go elsewhere, because it's certainly a hard market, and you have to enable them to do what they need to do with the proper tools. So to answer the question quite candidly, it again comes down to how much money do you want to spend and how much are you willing to continue to spend. So often, I'm speaking with organizations that have an opportunity to further their program, but what they're saying to me is, hey, we have made a massive investment. We have hundreds of thousands of dollars sitting here and nobody to manage it, nobody to use it.
Chris: 31:59
And so it's just atrophying right here.
Max: 32:03
On your LinkedIn this morning, you have job posts for security, and you're, you know, looking to hire for yourself. I mean, how hard is this to hire for? I mean, what is it like for you guys to find and hire and retain, you know, qualified experts in this?
Chris: 32:16
Yeah. This is, you know, the balancing act. And we really have, I would call it, the advantage of, 1, being able to mature or build our own teams, develop them internally. At the same time, we absolutely go out right now. You know, it's a great time for us to attract top-tier talent that may or may not have been displaced, and so we're taking advantage of that situation.
Chris: 32:47
More importantly, as a managed security service provider, we do have the ability to offer a lot of those things. We have spectacular relations with our technology partners. We often get to play with some of those cutting-edge tools, and we are developing the service and furthering that service, not only for ourselves internally, but also to enable our customers to mature their program. So sometimes the challenges that a traditional business has, we don't necessarily always bump up against those.
Max: 33:27
Last year, I was at a conference and a CISO spoke, and he was from a brand-name, multibillion-dollar market cap company that, you know, had a retail component. And he had an $11,000,000 a year budget for security. I mean, the revenue of the business was billions of dollars per year. I need an $11,000,000 budget to protect that revenue. And I walked away from this conversation with, you know, a sense of, like, was it acceptance or defeatism?
Max: 33:56
Or, you know, it seemed really off balance to me, how little the budget actually was, and the acknowledgment that he couldn't even begin to try to protect his infrastructure in a meaningful way. It was almost like he was choosing... you know, it was like a giant act of triage. Like, okay, I've got this much budget. What do I actually wanna focus on? And this will be the most effective.
Max: 34:19
Why not displace that budget? First off, actually, two questions. You know, how do you figure out what is an appropriate budget for your business and security, because this is not revenue related per se? And, you know, how does that budget allocation change internally versus externally when you start partnering with a service provider?
Chris: 34:39
Yeah. So to answer the first question, again, it depends on where you are in that maturity model. It depends on, so much of it is trying to get the max return on investment of the capital expenditure that you've already spent or output, and maintaining it or getting it refreshed for the next cycle. That's a dangerous game that, as security professionals, we constantly are in that cycle of, one, trying to figure out what the right technology is for the organization, but then how do we support it long term? When you talk about a managed security service provider, it becomes more of a utility.
Chris: 35:27
It becomes a consumable model that's based on monthly recurring rather than that massive capital expenditure and then that fixed budget headcount cost in order to maintain that. And I think that that's something that is changing in the industry right now. We're seeing organizations that want a very similar model to how they're dealing with their customers, that consumption model of monthly recurring. Let's build and scope a program and help maintain that by deferring some of that technology cost, the people cost, to a service provider, and let them be that expert. And let us focus on what got our business successful and continuing to innovate in that sector.
Max: 36:38
What percentage of security do you think is externally focused versus internally focused? I mean, we talk about malicious or external acts internally, or you hear about people putting USB drives in parking lots and stuff like that, or clicking on links. I mean, how much of security posture today is really focused on keeping people out versus keeping your own people from doing something that then causes something to happen. Right?
Chris: 37:04
I think that is one of the best questions and probably one of the hardest. For me, I see everything as, hey, it's already gotten through the outside. Our perimeter is now at the end user base. And so ensuring that you have the behavioral analysis that goes on: does Jan from HR need to go to the finance folder and then go out to dropbox.com and offload 200 gigs of data? Is that a normal business function?
Chris: 37:41
And to answer your question, is that an internal or an external threat? You know? So much of our landscape, because of the hybrid environment... traditionally, we would look at it as that's all outside or that's all inside, and functionally, we can't do that. We have to take and blend both those elements. So I try not to do the inside versus outside conundrum because it just gets me into that catch-22 logic loop.
Max: 38:11
I mean, but how much of this is, you know, employee education? You know, don't click on these links, as you mentioned earlier. You know, what does that look like in a, you know, training regime, or as a practice? How do you, you know, educate a workforce?
Chris: 38:23
Yeah. I think that, just like you remove end of life software and you patch, and your asset inventory is a critical function and what I would consider a 101, employee education is right there along with that. It's a critical function. It's something that you have to do. It's not appropriate to do it once a year.
Chris: 38:46
It's appropriate to do it on an ongoing basis. And just like you're educating your staff, you have to educate your executives, you have to educate your board. You have to be a teacher or an educator, primarily, and you have to do it without the hammer mentality. You can't punish somebody for doing something wrong. You have to explain the whys. It has to come from that position of: you did this, and this is what occurred because of that.
Chris: 39:21
Let's follow that transaction through. And so I always see this as education.
Max: 39:28
Ntirety recently launched a compliance as a service offering. Let's talk about that. What does it actually mean in practice? You know, what are you providing your customers, and how do you give them a compliance as a service solution?
Chris: 39:39
Right. A couple of things, and something that I think sets us apart when we talk compliance. So much of our posture, or our compliancy... let's take PCI because it's been around for so long. We've actually had our services audited and deemed PCI compliant so that our prospects or customers can leverage our compliance in their compliance cycle, if you will. And as we were going through that, we realized that organizations, just like we talked on the security front, are having a difficult time handling or managing that compliance program. It's often done brute force.
Chris: 40:22
It's done in spreadsheets. It's done by a very finite group of professionals, and it's hard to then put it back up into their organization because they spend so much time heads down managing the functional compliance. So when we determined that we were gonna build a compliance program, we wanted to bring, again, that top-tier tech to them. We wanted to help them streamline those processes and procedures and develop workflows in an organization. We then wanted to bring the knowledge, the functional expertise, to either assist their team or to augment a team that might have atrophied over the years and that they couldn't hire for.
Chris: 41:08
And lastly, it's then to take those two elements and enable the organization to kind of flex whatever process, procedure, and functions they have back up into their organization. So we're multiplying their internal teams. We're allowing them to champion it and not just be the compliance folks, and tracking, helping role play, enabling the business conversations, if you will. How does that compliance requirement meet my business objective? And it's been very positive.
Chris: 41:44
It's been incredibly well received, and we've helped a lot of organizations do it in a very cost effective method.
Max: 41:53
And what's the timeline for this? I mean, if somebody came to you and said, hey, you know, we have a HIPAA compliance, we have a PCI compliance, and we need, you know, we're looking for help with this. I mean, that's not something where they just sign a contract and you go, boom.
Max: 42:04
You're compliant. Right? I mean, you just outlined a lot of steps in between point A and point B.
Chris: 42:09
That's true. And we would consider that service to be a long-term service. We're building, or taking a program and fostering it and improving it. That being said, when an organization is open, or their back is against the wall... we had a customer in the financial industry where one of their industry leaders had had a breach, and all of a sudden it was a requirement that everybody become PCI compliant. And they had tried to figure out how to do it, and it took them about 6 months to get to the point where they realized they needed help.
Chris: 42:43
And in 6 months, with our partnership, we were able to get them PCI compliant. Now that's not the norm. They were very open. They had a dedicated team. They had top-down buy-in from their executives, and so it became, you know, their one singular goal, and we enabled that.
Chris: 43:04
So it really takes the organization to buy in to any security or compliance program for it to be successful.
Max: 43:11
I can still vividly remember going through a PCI type 1 compliance audit.
Chris: 43:17
And
Max: 43:17
Star. I mean, you hand an IT guy, like, you know, what's effectively a ream of paper of questions, like, okay, Max, you're our IT guy. Answer all these questions for us so we can become PCI compliant. And you're like, great,
Chris: 43:32
I think.
Max: 43:33
You know? Yeah. Yeah. Sure. We've got that tech, I guess, check.
Max: 43:38
You know, it's like... Right. So GDPR was, you know, really the shot across the bow. We now see states in the US coming up with their own versions of this. I take an approach where I kinda feel like, you know, until we see a lot of litigation and enforcement actions, there's still gonna be a lot of questions. Right?
Max: 43:53
So the GDPR response for most of my customers so far has been debates between their outside counsel. What does this actually mean for you? How do you get into GDPR? And it's had a little bit of impact on their operations internally, but not a ton. It's just, oh, we think we're compliant because our lawyers said we were compliant.
Max: 44:10
And now with, you know, California, New York, and other states following suit, how does this, you know, change the landscape? What does this do to your risk posture for your business? How do you maintain this and not, you know, find yourself in a lawsuit or an enforcement action 2 years down the road?
Chris: 44:29
Right. So you touched on PCI, and, you know, that's one of the oldest, and I think we all have that same scar from those PCI audits, especially the initial ones. But PCI did something very different where they kinda gave you the requirement, they gave you the testing profile, and then they gave you a little bit of guidance around it. HIPAA and HITRUST, you know, they come at that dataset of the health care information. They come at it from a risk perspective.
Chris: 45:00
And then GDPR comes out, and they come at it from a legal perspective. And really, another primary difference between all three of them is GDPR came out with some huge penalties, public penalties, and they started executing. They gave everybody plenty of time, but they started executing against those penalties. And you're right. The IOC is giving some guidance.
Chris: 45:28
Legal is obviously giving some guidance. There's certainly some back and forth, and now we're seeing that privacy tack take place at our state levels. And I try to have the conversation of, again, kind of that trifecta. What does your program look like from a risk perspective? How are you dealing with the data?
Chris: 45:49
And are you ensuring that all the folks that are coming into that data stream, or that supply chain, if you will, both up and down, that are dealing with that data, are they handling the data the same way that you are? And is it equal or more secure when you touch it and hand it off? And that really is a change. It's a shift. It is a fundamental difference and requires us now to really look at our data flows.
Chris: 46:20
And, again, as you're talking about, you know, some of the levers that you can pull to enhance or further your program, privacy is certainly one of them. And so much of that data is not just special data or sensitive data. It's the data that we deal with, whether it be sales and marketing, whether it be our client list; all of that is considered in that privacy model. So I would say that it's really helping organizations get some visibility and mature their security and compliance programs.
Max: 46:52
You have the same limitations at a different scale that most people have, right, which is time, money, and people. How do you prioritize your resources, you know, today? How do you align, you know, what's on your road map for next year and the year following? What does that look like, and how do you balance that?
Max: 47:12
And what is on your road map for the next year or 2 years?
Chris: 47:15
Yeah. Just like every security program, it's to continue to get better visibility into what's actually taking place across the network, systems, and environment as a whole. It's automation. It's trying to, again, do more with less, if you will. And oftentimes technology can help with those challenges, but you have to apply the technology in the right places so that it doesn't become a time or a money suck.
Chris: 47:46
And then lastly, it's looking a little bit into that crystal ball and bouncing it up against what you know is your risk criteria or your risk. What is the business doing that generates risk, and how can I help the business go faster, better, stronger, and in a more secure, compliant fashion? For us, that's scale. For us, that's enabling our customers, regardless of where they are in their journey, to consume hybrid cloud, data center, or any of our services in the most secure and compliant fashion.
Max: 48:23
You mentioned earlier, if you could go back and talk to yourself 10 years ago, what you would have said or what you would have thought about. Let's put that the other direction. I mean, you know, 10 years from now, what do you think you would reflect on at this period of time as it relates to security, and what would that conversation with yourself be like?
Chris: 48:43
This is a really incredible time to actually be in the industry space. We're in the middle of a huge work from home experiment that nobody would have ever predicted. We are dealing with technology stacks that are far more complex in our hybrid environment than we would have predicted. We've got more horsepower at our fingertips, and then you turn around and add that we've got a huge compliancy with some big teeth floating around. So this is an incredible time, and the shift is amazing.
Chris: 49:21
At that same time, the bad actors are more complex and have probably some of the best funding that they've ever had. So this is really a dynamic time. I've been in the role for nearly 3 years, and every single day is genuinely different. And if I didn't love it, I wouldn't do it, but, boy, there are some great days and there are some really tough days. And I think for me, looking at it, I'm trying to consume as much as I can, keep myself up to date as best I can, and be open to the fact that our community as security professionals is much more willing today than we were 10 years ago to share information, what's working, what's not.
Chris: 50:10
And so taking those opportunities every chance we get, just like this podcast here, I love it. So I appreciate it.
Max: 50:21
So you mentioned work from home and COVID. You know? And earlier, we were talking about perimeter and castle-based security systems. And so now you have a forced workforce that has to be distributed and work from home remotely. And, you know, some of that is web-based SaaS applications. Some of that is organizations have put a software VPN client on a device.
Max: 50:40
Some of that is people are shipping hardware boxes, hardware VPNs or SD-WAN boxes, out to the edge. And, you know, a lot of that's to deal with a performance reality: we have to let these people, or enable these people, to work remotely, and the performance wasn't good. So put this box out there and it improves the performance. I take a step back from that, and I think, okay. Great.
Max: 51:00
Now you've put somebody's home network and all their home devices on your corporate network. And when you pause for a second, I mean, does that terrify you? I mean, that thought cycle?
Chris: 51:13
Yeah. It does. And it gets back to not only the education of the user, but we go then immediately into the asset function and ensuring that you're not getting weird software installed in the behavior that that user normally interacts or does when they're in their normal business process. But it's even further, because we're forcing, whether it's the access control layer, the data and traffic flow, or just determining what gaps functionally we have in order for business to be conducted. That's all happening in real time.
Chris: 51:53
And so I'm having a conversation with folks and encouraging them to, one, celebrate what worked. What did you plan right? What did you have in place, and what was successful? I'm turning around and telling technology and business leaders, now that you've celebrated those successes, focus and be very critical of what didn't work. Evaluate where your operations didn't have the performance that you wanted or it took too long.
Chris: 52:21
Are they functioning in a varied state of disaster recovery or business continuity? I call that a qualified state. And then turn around and make the determination and go after what you need to do to rectify those immediate needs and consume the technology the way that you need to. Don't go out and buy the widget. Be sure that you're making the right decision.
Chris: 52:46
And whether it's a service, whether it's a partnership, or whether it is that you have the team to support it, and then pull the trigger on it very quickly, because we're all gonna be trying to consume those same technologies, services, and the people to further our environments.
Max: 53:04
Chris, I'll give you the parting thought here. Anything that we have not touched on that you'd like to share?
Chris: 53:11
I'm going through some of my notes, Max. Man, we covered the gamut. We really did. I appreciate the opportunity, Max, to, one, visit, two, talk tech, but three, to give folks the opportunity to really understand what it's like to be a CISO and the challenges and the pros and cons. So thank you for the time.
Max: 53:38
No. Thank you. It's always... I love these. I always learn something new, and I'm always, you know, I sleep a little bit worse at night, I think, you know, every time I have a security chat.
Chris: 53:48
Yeah. It's a little more gray in the beard is what I keep seeing in my own reflection. So we learn the best by doing it, and we're doing it on a massive scale. So it's a lot of fun. It's a lot of challenge, but there's no better place to be right now.
Chris: 54:05
So thank you.
Max: 54:06
Awesome, Chris. Thank you again.