Episode 3

Published on: 1st Mar 2024

The Struggles of SMBs in Cybersecurity: A Cybersecurity Blueprint with Mike Pedrick

The dialogue engages a cybersecurity expert on topics ranging from his experiences with Small and Medium Businesses (SMBs) to the development of security infrastructure. The conversation ranges from the importance of training and certifications to the balance between security and risk. The cybersecurity expert shares anecdotes on SMBs, the challenges they face, and how he assists them in enhancing their security. The discussion covers regulations like the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the U.S. Federal Trade Commission's Safeguards Rule. Also discussed are the increasing overlap between data security and privacy and the evolution of federal government regulations like the Cybersecurity Maturity Model Certification (CMMC).

00:00 Introduction and Guest Background
00:32 Journey into Cybersecurity and Challenges
02:32 The Intersection of Data Privacy and Security
02:52 The Impact of AI on Data Privacy
04:11 The Regulatory Pressures on SMBs
05:12 The Reality of Data Breaches
05:57 The Misconception of Geographic Borders in Cybersecurity
08:30 The Struggles of SMBs in Cybersecurity
10:15 The Role of Service Providers in Cybersecurity
13:11 The Importance of Risk Management in Cybersecurity
17:11 The Challenges of Compliance and Scaling Frameworks
18:16 The Emotional Investment in Cybersecurity
19:58 The Importance of Asset Inventory in Cybersecurity
28:02 The Reality of Ransomware Attacks
31:39 The Importance of Security Cameras and Protecting Business Assets
32:59 The Value of Data and the Risks of Losing Access
33:50 The Challenges of Federal Government Contractors and CMMC
34:51 The Debate: CMMC vs NIST 800
35:46 The Reality of CMMC for Service Providers
38:00 The Journey of Becoming a Registered Practitioner
39:37 The Struggles of Implementing CMMC in Organizations
41:47 The Complexity of Cybersecurity Frameworks
43:40 The Reality of Cyber Threats and the Importance of Risk Management
46:24 The Never-Ending Battle of Cybersecurity
49:11 The Final Thoughts on Cybersecurity and Risk Management


🎧 Listen & Share:

Love what you're hearing? Subscribe to our podcast for more episodes on transformative technological movements like the one Mike Pedrick is leading. Share this episode on social media to spread the word about cybersecurity education.

Transcript
Speaker:
In this pod, I chat with Mike Pedrick, who is a cybersecurity consultant, which can also be heard of as a vCISO, or a Virtual Chief Information Security Officer. We exchange ideas about the challenges faced by small and medium businesses in cybersecurity. We dive into real-world instances of cyber threats, discussing the aftermath of incidents and the necessary steps for recovery, the importance of risk management, and the role of compliance frameworks like CMMC. This is going to be packed with insights drawn from our personal experience and industry knowledge. We're navigating the often intimidating terrain of cybersecurity. We can provide clarity and some actionable advice. Don't miss this episode, where Mike demystifies the complex world of cybersecurity for small and medium businesses.

Nine, eight, seven, one.

Speaker:
Mike, appreciate you being here. How did you... you know, we met on LinkedIn. This is our first time talking to each other. Give me a little bit of your background. I know you're doing a lot of cybersecurity advising, virtual CISO work with clients. Kind of, how did you get to that point? I mean, you've got a pretty long career, with, like, a length of security certifications as long as I am tall. So how'd you get to that point?

Speaker:
It's funny because, in addition to my day job, I'm also a frequent instructor, a frequent trainer, and it feels like as soon as you earn that first couple of security and risk related credentials, you have to keep pursuing them just to maintain the ones you have, right? Because it's always in the pursuit of CPEs. And so I spent a couple of years accumulating credentials before I realized, hey, I could get CPEs by teaching them instead. So how about we just make life easier and do that? So anyway, yeah, I started out really in response to being in IT and thinking I knew what I needed to know about information security and risk management, and just finding out very abruptly that that wasn't the case, that I was pretty ignorant of some very real, very important concepts. And so, being in the SMB space, I sort of thought this is a grotesquely underserved market. I'd like to try to make some impact on that. And so even though I'd been consulting, IT consulting, for a couple of years on a freelance basis while having an executive position at a manufacturing firm, I was like, I'm just going to go into consulting full time. And I hasten to add that a consulting organization reached out to me and gave me the sweetheart pitch. They said, hey, how about we do all the marketing for you and bring the clients to you, and you just take care of the clients. And I thought, don't threaten me with a good time. Of course, let's do that. And so that's what I've been doing ever since. Right. So, again, just interspersed with teaching and training and, of course, the pursuit of various hobbies and passions that interest me. And, you know, just never really getting very far away from that information security. Yeah, exactly. I've been really passionate about data privacy of late, but I think a lot of us have. The overlap between security and data privacy is really strong now. So there's a huge and growing cohort of us in the information security space that have started to take notice of data privacy issues and have started to fight in that...

Speaker:
Yeah. I think you're seeing an uptick on that as well, as more companies are implementing some sort of AI into their operations, whether it's through some of the SaaS programs or them trying to build their own. You're seeing a lot of that chitter-chatter out there of, you know, the AI is going to suck up all my data, and the privacy of the data that's in there, how we're going to handle that. And then you got the counterpoint of, well, I'm going to build my own, but you can't have the security. The security is not going to be as good versus what a cloud provider will do. Are you having conversations like that with a lot of the small and medium businesses that are hearing the buzz term AI? I was at an event last night, as a matter of fact. It was a little cringy, but they're looking to actually be doing change management and try to put in some AI processes, and then having those security and privacy conversations with you.

Speaker:
Yes. Although I will say AI is very... we're right in the meat of the hype cycle with this round of what we're calling AI. I'm going to catch some heat for saying it exactly that way, but I'm going to leave it there in the air anyway. But for the vast majority of the SMB space specifically, AI is fascinating. AI is sexy. It's on the lips of every vendor, everybody who is coming to talk to SMBs. But the real pressure on SMBs is regulatory. So they keep hearing about GDPR, but that's over in the European Union, or CCPA, but that's in California. And so many of them are waking up to the idea that not only do you still probably have applicability with regard to GDPR and CCPA, because it's not really confined to the borders in either case, but there's a full 12 states now that have enacted similar privacy legislation, and there's far more than that already in committee. And so the SMB space is waking up to: what are the regulatory risks? What are the regulatory pressures for me? And what does it look like to try to be compliant if I have a customer (and every customer is gold to me), but if I have a customer that has a right to action to demand all the data that they have on them, do I have the operational mechanism to do that? Am I going to be able to process that request prudently, without facing the wrath of insert-regulatory-body-here, or losing customers? As well, I think that we've started to see a lot of these more embarrassing breaches, data breaches and compromises, getting into the mainstream media. You don't find it only on Wired and only on DarkReading.com. It's making it to CNN. It's making it to MSNBC. And so it's getting out into the general public space that this isn't a thing you can ignore anymore. And especially with SMB clients, they're sensitive to the idea that it's very possible that their first compromise is the one that leads to them closing their doors the next...

Speaker:
Well, you brought up something I'm curious about: how much education, or how surprised are you that we're still talking about people thinking in terms of geographic borders? I mean, versus going... I mean, I got a small... they're a high net worth family I deal with, in a very similar vein, but they're dealing, no kidding, with little onesie-twosie entrepreneurs. They do horse racing type... I'll say horse racing type stuff. I'm not allowed to say who they are. But you're dealing with somebody in Europe, you're dealing with somebody in South America, but these onesie-twosie things. So it's been a while since I've had somebody that was an example of thinking in the geographic boundary thing. Are you still running into it? I mean, to me, that's crazy.

Speaker:
From a regulatory enforcement perspective, yes. Right. Because they're still thinking in terms of... the vast majority of folks in the United States are still thinking in terms of local, regional, state government, federal, right, in that order, and then industry, right? If we're in the healthcare industry, we already know that HIPAA is going to be a consideration. If we're in the retail space, that we have to pay attention to PCI,

Speaker:
Yeah.

Speaker:
or at least know how to spell it. And so on, right? And so it really is a game of, as you say, educating folks to say, okay, yes, this regulation is bound by... it's enforced by this agency, which is subject to this jurisdiction, where that jurisdiction is in alignment with state borders or jurisdictional borders in your locale, right? But that's not always going to be the case. You can't always make that assumption. And for better or for worse, there is, and it's still an appreciable amount of, ignorance in industry about really what the thing means, right? What does PCI mean? What does HIPAA mean? What does GDPR mean? We know these terms. We know those acronyms well enough to be able to assign them to an industry or assign them to a scope of, you know, demographic or, again, jurisdiction, et cetera. Like, okay, well, how do I follow it? How do I not incur a fine or, again, a very ugly court case with regard to that regulation? And there's no push-button, get-educated out there for the vast majority of businesses that are large, let alone small and medium sized businesses.

And maybe that's a thread I want to pull on just a little bit here, is that it's a necessary gravitational pull upward in the service provider space. Here's what I mean by that. As service providers want to grow, they want to expand their foothold in industry. They want to be better. They want to be bigger. They want to be spoken about in bigger rooms, so to speak. They always try to start aiming for bigger fish. And so it takes them away from smaller fish. So you'll hear often in a service provider dialogue, inside baseball: we're only going to target organizations that are over X dollars MRR or ARR. Well, that takes them away from the SMBs. And so now what you've got is the SMBs are left with fewer options, where one of the options that's always on the table is what I call Bobs, right? Bob takes care of everything that has electricity coursing through it. He's the former roommate's brother-in-law of the CFO or something along that line. And unfortunately, Bob just doesn't have the bandwidth to take care of what those SMBs need. And so I don't have the right answer, I promise. I don't have a magic bullet, but I do wish that more competent, well-staffed, well-educated SMBs... I'm sorry, MSPs, would take a step backward and consider there's still a lot of good to be done, a lot of value to provide to the SMB space. I know it's not going to be tremendous revenue, but is that the only goal? Is that the only reason we're in operation? I'd like to...

Speaker:
To a degree, I understand what you're saying, because that's coming from that idealistic point of view. Don't get me wrong. I get it. I want to say that's idealistic and not necessary. And, you know, because my experience has always been the smaller client, that they do have the needs. Don't get me wrong. You know, I've dealt with the small legal firms, for instance, or your small doctor's offices.

Speaker:
Yeah. Oh yeah. They're the worst. I shouldn't say it. I'll say it.

Speaker:
But also they're the ones, when you're talking about your... the client that pays the least that sucks up most of your time and...

Speaker:
Yeah. The 80/20.

Speaker:
The 80/20 principle. I had been involved in one... well, I wasn't involved, because I said dump them or don't even waste your time on it. I mean, it was like a three-week conversation going back and forth over $50 a month for, like, a five-person firm. And I get it. This is where I don't know if there are any... I think you posted it, or somebody else had posted it on LinkedIn, about that productization of stuff. Yes, and I've got different... yeah, and I've got different thoughts on that, in a different... that works. Well, I think, from an educational standpoint, I don't know about implementation for sure, because of the lack of training and resources, but I'm sitting there looking at a company that had a ton of staff. Your overhead is X amount per hour. We legitimately can't take on... I can't have my staff run out and take on the three-person place that's going to pay me $100 a month or wants to get into a fight over $150 a month. Because I was in a kickoff meeting. There were eight of us in the kickoff meeting, just of our staff. We're talking, and I'm thinking this is a larger project, just the way that everybody was talking, and at the end of it I found out that this was a $200 or $250 a month client, and I looked around at how many of us were in this kickoff meeting. There were way other problems with this place, don't get me wrong. I'm glad to... and I went, we just burned up a year's revenue in this hour. And we haven't done anything yet. Don't even have any ink on paper.

Speaker:
Yeah.

Speaker:
No, and don't get me wrong. I've had that thing too, because you see somebody, you got your friend that asked for help. Man, I want to help you, but, you know, this is a time suck. So, again, I don't have the answer for that either. Again, there has to be... short of us, short of... but then you're talking about some sort of vendor-locked solution, or getting the vendors with some sort of turnkey, you know, secure enclave type of thing, something along that line. But I don't know. I think this is going to be something that's going to... it's been a struggle for, well, as long as I've been involved, and it's going to continue to be a struggle, particularly when you're starting to deal with trying to negotiate the pricing, and people don't understand the value of what you're bringing to the table. And you can articulate the value of what you're bringing to the table, which has always also been a problem in cybersecurity.

Speaker:
Yeah, I would say, again, no magic bullets for me, and I don't purport to having the right answers. Do you know what I mean? I always joke around. I say, you know, I thought I was wrong once, but it turned out that wasn't the case. And it's just a cute way of saying I've been wrong before. Right? So my hot take is, I liken it to attorneys, right? There are corporations that have an army of attorneys at their beck and call. And of course they're paying eight figures a year for that privilege, right? And then there's the Better Call Saul folks that service somebody who, like, I've never even said the word attorney out loud, but I need somebody like that right now. What is it going to cost me? Right? And then there's a retainer that's spun up and that person engages for that period of time. I don't find fault with an SMB reaching out to a consultant or a consulting organization on an "I know nothing about you, but I need your help right now" basis. Right. That sort of basis. But I think that we try to employ, we try to push bigger corporation tactics down to smaller organizations. Right. And it's not always the case. I mean, I've had clients that were two guys in a room over a garage, and yeah, shoestring budget. And we had a good dialogue. We had a good working relationship, but I saw them maybe four times a month, knowing in my head that I have to maximize what I'm gonna get out of those four hours in a month, right? And try to protect them and make sure that things are going okay. And it became a matter of, I can't be here full-time, so I'm deputizing you, my client. And we're gonna start having educational dialogues, mentorship dialogues. Here's what you need to know, here's what you need to understand in order to keep things going. And when I've approached the relationship in that way, one of two things happens. They either say, okay, I'll absorb everything that I can and call you in case of emergency. Or they look at me, squint, and say, how many more hours a month do I have to pay you for me not to have to understand any of this, right? Like, what does that look like? What's the vision of me not learning anything in this context? And either way, I feel better, right? I feel better about the risk management targets there. But to your point, when you have an organization that has tremendous payroll, because they've brought in the best talent, every meeting becomes a $3,500 meeting to talk about a client for which they are never going to pay back even that initial $3,500, then it just doesn't seem like it's worthwhile. And so, again, it's necessary. It's a gravitational pull upward, and I fully understand it, but I do feel like the SMB organizations are left in the lurch. And for better or for worse, they're the targets. I mean, they are. I always compare it to smash and grabs, right? We see movies, we see television shows where people go in and rob banks in the lobby. And that sort of thing doesn't happen as much anymore. But the smash and grabs at a convenience store, that happens quite often. And the difference is that at a bank, if you go to rob a bank, there's chances you could leave with hundreds of thousands of dollars. You go rob a convenience store, you might get $72 and 65 cents, but the defenses are far different. And it's easier to get in and get out. It's the same thing with cybersecurity where SMBs are concerned. They're targets because the attackers know that they can knock that thing over real quickly, get in, get out, not a big payout, but it doesn't need to...

Speaker:
And that's one of those things where, when you talk about trying to shove down those large corporate policies to the small, medium business market, how much do you think... because, well, let me start that over again. You've got all these frameworks that are scalable and that should be scalable, but then you've got a section of people like you and me that are going, well, you've got this compliance piece and you've got to check all these boxes because it's a compliance piece, but we've lost that ability, because you've had the same training that I've had: hey, we got to go identify what is the highest priority risk. Which one of those highest priority risks are going to have the major impact, and let's go tackle those first, before you're just kind of going down the checklist of the things that your counterpart that's 10x your size is going to have to do. Is that something that comes into your mind as you're evaluating these guys, that compliance versus scaling the framework down to them?

Speaker:
Yeah, 100%. And I'm biased. I worship at the altar of risk. And so I go into those conversations with those clients with the intent of saying, by the time we get to the end of this conversation, I want us to be acclimated on what risk is, and how I'm going to express to you a danger or something, a threat to your organization, in those terms, right? I'm going to come to you and I'm going to say, here's what's at stake. Here's what I think the impact is going to be if this particular thing happens to you. And here's how I think that you can mitigate that risk accordingly. I feel like that, instead of the alternative, which is: hey, I'm going to come to you with, like, NIST 800-53, and whether it takes us a month or it takes us the next 12 years, by hook or by crook, we will have implemented every one of the controls, control structures, in this framework. Are you ready? Let's go. That's heinous, right? As far as I'm concerned, especially if you're, again, an SMB owner, you've just hired your third employee ever. That's just not a good scene. So instead I treat everything as though this is a risk item, right? You're still using Symantec 2004 on your PCs. This is the risk associated with that, right? Let's start there. And hopefully, if we do all of the core stuff first, by the time we get to the other end of six months or whatever it is, now we're starting to pick on the bigger stuff, the more advanced topics. And one of my strategies over time has been to leverage CIS, which I affectionately refer to as the Fisher-Price security standard, right? Or the Little Tikes security standard. Not because I'm saying it's immature or childish, but because it's got, like, big tactile buttons, and it's a great place to start. It teaches people what a framework is, who've never experienced a framework before. So if I go into those clients, I say, all right, first one on the list is inventory. I will walk around the room right now. I will inventory everything. I'll throw it in a spreadsheet. Oh no, sacrilege. Inventory in a spreadsheet, right? Cause everybody else that's listening to me about this is like, I don't do inventory in a spreadsheet. What is this, like, 2002? Get the hell...

Speaker:
Do inventory. Start with...

Speaker:
Ah, there it is. You can't complain about it being in a spreadsheet if there's no inventory.

Speaker:
Yeah. I think there's a meme there somewhere.

Speaker:
Yes. Yeah. Right. Like, but to the client, then you can say, or, you know, I'll even make it more robust, right? Hey, Mr. or Mrs. Client, I'm going to buy a $200 roll of stickers and I'm going to wander around your space. I'm going to put those stickers on everything I can see that looks like an IT asset, IT or IS asset, and I'm gonna put those numbers into a spreadsheet, and all I'm gonna demand of you is that you have somebody on this staff do the same thing, or go around once a year and validate that they can lay eyes on the numbers that are in the spreadsheet. Congratulations. You've just unlocked asset inventory in a way that a lot of major corporations aren't doing correctly. Right. And it was 200 bucks in stickers, right? So it doesn't have to be a high-tech answer or an eight-figure tool from a company that isn't going to exist five quarters from now. It's not an easy thing, but it is a simple thing. And the best way to do it is just to...

Speaker:
It's one of those things that scares me when I start trolling the subreddit for cybersecurity or some of the compliance framework subreddits. We'll talk about one of them in a little bit. I'm holding off. Or even in LinkedIn, I give you the, you know... but I know you got to serve with... that's a whole... Yeah. Anyway. But the way that you see the guys that are so invested, that primarily have only ever worked for large organizations, and I'm looking at this going, who are you communicating to? Because that's been one of my things: when you're sitting there going, I want to start an awareness campaign. I want to start doing education. But when I see the way that they write, it's super technical. It's super, super in the weeds. In my mind, it's overly tactical, and it's going... but who's reading that going, oh, this is great? It's, one, probably nobody's reading it at the moment they start because it's just dry and boring, but it's a turnoff. It's not approachable. It's not that thing. Like you mentioned that Fisher-Price, the CIS controls. To be honest, any of the major breaches that I have read about over the last decade goes back to something dumb. It's just they have larger scale. That's literally it. It is because the bulk of the small medium businesses, they're not coding. Well, maybe now they are with AI helping them, but they're not building software applications. They're using commercial off-the-shelf stuff. So a lot of the controls don't apply. And I'm seeing the way that the other cyber professionals that are, again, maybe they're working for CISA, or maybe they're working for your Microsoft. Yeah, you got to be worried about that. 90 percent of organizations out there probably don't.

Speaker:
Right. Yeah.

Speaker:
And if, again, it should be a liberating perspective, looking at everything through the lens of risk, because the other side of looking through the lens of risk is that you can accept any risk. I'll say this to a client from jump street, right? I'm going to tell you that a thing is a risk. And I'm going to tell you how risky it is. I'm going to give you some notion of where I put it on a rank from zero to five, where five is holy poop and zero is I gave it oxygen and that was the extent of my obligation, right? You can tell me, if I tell you it's a five and it's guaranteed to happen eight times a day from now until the end of eternity, and you look me straight in the eye and say, all right, I'll deal with it when it happens. Okay, awesome, cool. It's gonna suck for you, but all right, that's your decision to make, right? And so I think that a lot of us have a tendency, and I am putting us in, I'm saying us, like I'm a...

Speaker:
You're getting the call if it happens.

Speaker:
We'll get wrapped...

Speaker:
Or...

Speaker:
Well, also that, but we tend to get emotionally invested in a thing, right? I had a client whose remote access methodology was GoToAssist. And for anybody who understands GoToAssist already, you know where I'm going with this. I had a problem with it because it's just a screen sharing application. And so if you're at home working, but somebody's at work, they see everything you're doing. And there's miles between you and them. You're not stopping them from actually taking over the mouse and the keyboard and doing whatever it is they want to do. And so I remember saying, like, I'm bringing a stop to this, that this is just not okay.

Speaker:

This is way beyond the pale from a risk perspective and I'm, I'm not cool with it.

Speaker:

And I knew as soon as I said it that way, right, you know how it is when you start

Speaker:

saying something and then the back of your mind, you're going, well, hold up.

Speaker:

Are you really going to put that out there?

Speaker:

Are you really going to say that that way?

Speaker:

Is that the, is that the the thing you want to say?

Speaker:

And as soon as it came out of my mouth I was immediately reminded of, you know,

Speaker:

by the client that it wasn't my choice to make, that they just weren't going to

Speaker:

invest in another solution because it just wasn't a high enough priority for them.

Speaker:

They didn't see the

Speaker:

you know, see that that was a big enough deal to invest the money

Speaker:

in, in overhauling that particular solution or adding another solution.

Speaker:

And so, you know, again, as, as practitioners, we have a tendency

Speaker:

to, to get emotionally involved.

Speaker:

Like I do, Oh man, that's, that's just, as far as I'm concerned, the only

Speaker:

emotional investment we should have as practitioners is when it's our neck on

Speaker:

the line, as we've learned, you know.

Speaker:

SEC versus SolarWinds, or actually more appropriately,

Speaker:

the SolarWinds versus the SEC.

Speaker:

If, if that's where you can, you can let emotion, you know, get involved,

Speaker:

but otherwise you lay out the risk, you say, this is what's at stake.

Speaker:

And if the client says, I don't care anymore, then, then that is what it is.

Speaker:

And so all of the things that have been, all of the risks that have

Speaker:

been accepted, I accept the risk of

Speaker:

enforcement of, you know, PCI.

Speaker:

Well, no, I wouldn't even lean on PCI.

Speaker:

Right.

Speaker:

So FTC Safeguards Rule was recently updated and there's a lot of organizations

Speaker:

that just woke up to the idea that they are a financial institution, but nobody

Speaker:

knows, actually this dovetails into CMMC really well too, nobody knows what

Speaker:

enforcement is going to look like yet.

Speaker:

So, so everybody is looking around at each other like, well, I'm going to wait

Speaker:

and see who gets popped first and see how bad it is before I start, you know,

Speaker:

falling over myself to get compliant.

Speaker:

So, okay, well, it's going to go one of two ways.

Speaker:

It's going to be easy or it's going to be really, really hard when that starts

Speaker:

So before we talk about CMMC, I do, I was curious, do you have any of, like,

Speaker:

your worst horror story or the most interesting story of interacting with

Speaker:

the client, you're like, oh my God, like that forehead slap type of thing.

Speaker:

And you're like, I can't believe this has been going on.

Speaker:

That kind of jumps out at you without having to, you know, of course,

Speaker:

without like disclosing who they were, but just a crazy circumstance.

Speaker:

Yeah, it's actually got a pretty fairly positive spin on it, though.

Speaker:

I had a client that this, and this was, this was 10 years ago now.

Speaker:

They got ransomware and I had been talking to them.

Speaker:

They had an SBS, they had a small business server.

Speaker:

Right.

Speaker:

And, and actually funny.

Speaker:

Oh, maybe this is more in line with what you're asking.

Speaker:

My first interaction with that particular client, I came in and

Speaker:

I got, I got the lay of the land.

Speaker:

I did the whole, what are your, what's, what's your business,

Speaker:

what's your goals over the next five quarters, so on and so forth.

Speaker:

Got the business profile squared away.

Speaker:

And then they take me to a back room where it's a white box under a desk and

Speaker:

that's the entirety of their existence.

Speaker:

And I thought, Oh, now we're already off on the wrong foot.

Speaker:

This is, this is not good, but I get signed into that SBS, that small business

Speaker:

server, and I pull up, you know, I pull up the task manager and the thing

Speaker:

had been up for 430 something days.

Speaker:

It's a Windows box.

Speaker:

You know what that means.

Speaker:

Updates had not been applied for 400 and something days.

Speaker:

And it's small business server, which is notoriously fragile.

Speaker:

And I was thinking to myself, I don't want to touch it.

Speaker:

Like it's, it, if I reboot this thing, there's a very high chance.

Speaker:

It's

Speaker:

take three or take two months to apply the updates.

Speaker:

One of the two.

Speaker:

Right.

Speaker:

Exactly.

Speaker:

Exactly.

Speaker:

Like I can't in good conscience restart this thing now, but I can't not either.

Speaker:

But so that same client called me up and said.

Speaker:

You know, we we think we've got ransomware.

Speaker:

Asked about the symptoms, what's going on?

Speaker:

What are you, what are you thinking you're seeing?

Speaker:

So on and so forth.

Speaker:

And, and, and they did, they had, they had ransomware and mercifully, I

Speaker:

had just overhauled backups recently.

Speaker:

And so we were able to restore pretty quickly.

Speaker:

And without paying the ransom or anything along that line, it wasn't,

Speaker:

the ransomware was just one of those spray and pray campaigns, not part

Speaker:

of a larger, you know concerted attack.

Speaker:

And so I was talking with the office manager.

Speaker:

The office manager was the one that had fallen victim and clicked the

Speaker:

link and unleashed the ransomware.

Speaker:

And so he's asking me, he's like, all right, I need you to

Speaker:

explain to me what happened.

Speaker:

And I explained ransomware.

Speaker:

I explained how it executes in the context of the user account that unleashed it.

Speaker:

And he's like, well, what, what could we do differently when, and if this

Speaker:

happens again, and so I went straight for the notion of least privilege,

Speaker:

I said, well, you know, again, it executes in the context of the

Speaker:

person who, you know, opened it up.

Speaker:

And so, you know, just imagine what that person has access to,

Speaker:

and then let's make sure that they only have access to what they need.

Speaker:

And I could see it on his face.

Speaker:

He's like.

Speaker:

I don't need a damn thing other than email and the ability to get

Speaker:

out of the out to the internet.

Speaker:

Shut me down, right?

Speaker:

I need access to nothing.

Speaker:

And that was music to my ears.

Speaker:

I was like, okay, do you want me to give you the same speech to

Speaker:

everybody else in your office?

Speaker:

Because I'm more than happy to do so.

Speaker:

Right.

Speaker:

And so that was the, It was painful, but it was a big win for again,

Speaker:

the idea of least privilege, not the archaic notion of we've had

Speaker:

the same nine employees since 1992.

Speaker:

They're all good people.

Speaker:

They're like family.

Speaker:

So we just have a P drive and an S drive and everybody has access to everything.

Speaker:

Like, well, that's.

Speaker:

Bite you eventually,

Speaker:

I'm trying to, so when you were saying that it triggered an additional memory

Speaker:

that I had encountered, but I've got, cause I use, I have three, somebody asked

Speaker:

me, well, there's primary two, but you gave me the third one because of that.

Speaker:

So I'll I'll tell you the third one real quick, came into a golf club golf their

Speaker:

office and walked in, they had had, somebody had walked out with a whole bunch

Speaker:

of clothing off the shelf, polo shirts, they'd like broken into the office.

Speaker:

And apparently one of the things that the owners like to do was monitor

Speaker:

their security cameras in real time.

Speaker:

They didn't have a recording

Speaker:

facility on there, they just need to make sure that they could record them.

Speaker:

So something had messed up, wasn't going through the firewall properly.

Speaker:

And I'm, I walk in immediately and I'm going, why are you even worried about if

Speaker:

they had stolen, you know, $500 worth of polo shirts off the rack and some food

Speaker:

items when that server that you've got over there, that's running your entire

Speaker:

business is you have a lock cabinet.

Speaker:

And it's sitting on top of it.

Speaker:

Like, you need to move it in there and lock the door because if they had

Speaker:

taken that You're out of business.

Speaker:

Your insurance is going to reimburse you the shirts

Speaker:

right,

Speaker:

Yeah.

Speaker:

And who cares in the long run?

Speaker:

And it was, and it was just one of those things of like, you could

Speaker:

see like a light bulb go off.

Speaker:

Oh yeah, you're right.

Speaker:

And it was just the thinking in the, in the moment.

Speaker:

Oh my God, somebody stole shirts.

Speaker:

But, but what if they had taken the server?

Speaker:

That is because you're talking, this is a rural location with inconsistent internet.

Speaker:

Most of the stuff had to be locally hosted in their particular environment.

Speaker:

And it's just that re rethinking that, that, that mindset.

Speaker:

right.

Speaker:

And I'm sure you've seen this too, where you, you have to, you introduce somebody

Speaker:

to the idea of same scenario, right?

Speaker:

You lose this server.

Speaker:

I've, I've said this to clients.

Speaker:

They say, well, there's not really anything there that

Speaker:

I'm worried about getting out.

Speaker:

And my rebuke to that is always, well, what happens when you

Speaker:

don't have access to it, right?

Speaker:

Nevermind unauthorized access.

Speaker:

Nevermind, you know, a random person in the general public gets it.

Speaker:

But what happens when you no longer have the ability to conduct business

Speaker:

because you don't have that data?

Speaker:

And then you see it just slowly dawn on them, like, oh, yeah,

Speaker:

that, that would be problematic.

Speaker:

That would sort of be a bummer.

Speaker:

Okay.

Speaker:

So.

Speaker:

In the locked cabinet, it goes right?

Speaker:

That's just crazy stuff.

Speaker:

I must, I'm going to pivot back.

Speaker:

I'm going to set this up, though, for anybody that's not familiar with this.

Speaker:

Federal government contractors under the last 3, 4, 5 years, whatever it's

Speaker:

been now, I've lost track even though I was in, in, in trying to be involved

Speaker:

in version 1, have been going to be subjected to a regulation called CMMC

Speaker:

for anybody that holds controlled unclassified information.

Speaker:

So, I noticed that you have gone through the process to become

Speaker:

an official risk practitioner.

Speaker:

I,

Speaker:

Yeah.

Speaker:

Yeah.

Speaker:

Registered practitioner.

Speaker:

oh yeah, sorry, registered practitioner.

Speaker:

See, I was in I was very heavily involved in the, probably 2019 through the early

Speaker:

part through until CMMC version one fell apart and with all the junk that was

Speaker:

going on with the board and just the junk.

Speaker:

What are your thoughts about it stands now as things are getting

Speaker:

into that final rulemaking period?

Speaker:

Has it been worth your effort going through that RP process?

Speaker:

Because I get hit up on that periodically.

Speaker:

And I've got, well, I'll let you go first and then I'll tell

Speaker:

you where my problems are at.

Speaker:

Sure.

Speaker:

Well, and I just want to say, I don't want to be flippant about this,

Speaker:

but it's like VHS versus Betamax.

Speaker:

This is how it's become right?

Speaker:

Because it's become CMMC versus NIST 800-171 and then subsequently 172.

Speaker:

Right?

Speaker:

And, and the fascinating thing to me is that when 171, I will say,

Speaker:

was under threat of being enforced, I had clients that would reach

Speaker:

out to me and say, well, oh my gosh, am I going to get audited?

Speaker:

No, you're not.

Speaker:

Well, my gosh, what am I going to do?

Speaker:

You're going to write an "I promise" letter, right?

Speaker:

That's what I, back in 2016 and 2017, I said.

Speaker:

Give me the list.

Speaker:

We're gonna put the word, or I shouldn't call it word, POAM,

Speaker:

plan of action and milestone.

Speaker:

And you're gonna go, I, again, I promised to do this by X, X, x, x,

Speaker:

Right.

Speaker:

Exactly.

Speaker:

And, and, you know, so when CMMC was announced, I think all of us felt like

Speaker:

that's the step in the right direction that actually gives this thing some teeth

Speaker:

and then dragged out, dragged out, you know, is this, is it going to be this way?

Speaker:

It's going to be that way.

Speaker:

Right.

Speaker:

The SMB space, ironically enough woke up and said, oh dear God, there's

Speaker:

no way anybody in this whole area can afford to become CMMC certified.

Speaker:

This is not, it's not a thing.

Speaker:

You want me to pay three assessors for every engagement to do the audit?

Speaker:

In addition to the, to the audit and in addition to the remediation

Speaker:

that's required, et cetera, et cetera.

Speaker:

And then it became CMMC reintroduced the self attestation and the

Speaker:

POAM and the "I promise" model.

Speaker:

And and so, but, but again, here comes 171 reborn or undead.

Speaker:

And 172 and so on and so forth.

Speaker:

And so again, it's, it's VHS versus Betamax.

Speaker:

And I don't, I don't know, I don't know that any of us, I don't know

Speaker:

how to say this again without sounding dismissive, but I don't

Speaker:

know that any of us care anymore.

Speaker:

Right.

Speaker:

Here, here's why I say that if, if it's just going to be another one of those,

Speaker:

you know I promise, or, or here's what I'm going to do, or good enough, or

Speaker:

this is, this is what this is, then it doesn't really move the needle

Speaker:

in, in any appreciable way compared to what we were doing before anyhow.

Speaker:

Right.

Speaker:

And so I, not that I'm advocating for, you know, the mom and pop shops

Speaker:

that are building a tiny little widget that goes into a larger component

Speaker:

that eventually ends up in, you know, in a toilet and in the Pentagon.

Speaker:

I'm not advocating, advocating for those shops to be closed down because

Speaker:

of the onerous, you know pressures from CMMC, but it's not them I'm

Speaker:

worried about anyway, it's the larger organizations that have just sort of.

Speaker:

You know, been able to negotiate their way into lax programs, lax control

Speaker:

frameworks, so on and so forth.

Speaker:

That's, that's my big philosophical pitch there.

Speaker:

To answer your question directly.

Speaker:

So I started getting involved in CMMC 2020, 2019 right about the time when

Speaker:

clients started asking about 171.

Speaker:

Right because they've had a deadline, but of course, the vast

Speaker:

majority of organizations blew it off until it was 3 weeks away.

Speaker:

Right?

Speaker:

And so I started getting involved in there and I was very excited about the

Speaker:

idea that I think we all sort of saw a

Speaker:

path for CMMC to be the standard, the de facto standard, not just for

Speaker:

organizations that are partnered with, you know, the DIBCAC, but also with

Speaker:

like across all industries, right.

Speaker:

That the CMMC was going to become the path of least resistance.

Speaker:

If I'm compliant with CMMC, I'm compliant with everything.

Speaker:

It's like, you know, the, the, the magical umbrella across

Speaker:

information security programs.

Speaker:

And so I got excited, got involved, got, you know.

Speaker:

Got the training well versed in all of the stuff and then it's, you know, sit around

Speaker:

and wait, like, are we going to do this?

Speaker:

Is this going to become a thing and working with service provider

Speaker:

organizations that their sales apparatuses and their, their marketing teams think

Speaker:

this is the greatest thing since sliced bread, we're going to, we're going to be

Speaker:

the experts, the gurus for those organizations that

Speaker:

need to be CMMC compliant.

Speaker:

I'm, I'm in the room, I'm in the back of the room trying to speak up and say,

Speaker:

well, but that means we have to be too.

Speaker:

Are you kidding me?

Speaker:

Like, is this, do you want to open up this box?

Speaker:

This is Pandora's box.

Speaker:

If you want to advise clients, if you want to audit clients even worse

Speaker:

against CMMC, well, that starts with us.

Speaker:

Are you, are you ready?

Speaker:

Like, you know, put on your big boy pants because it's, it's about to get real.

Speaker:

And so I, I got as far as the registered practitioner credential

Speaker:

before people started to wake up to what is this going to mean?

Speaker:

And said, stand, stand down.

Speaker:

Don't worry

Speaker:

So I like you.

Speaker:

Like I said, I was involved pretty, pretty early on.

Speaker:

I tried to get on the working groups multiple times when they, for that first

Speaker:

version of the boards, 'cause again.

Speaker:

I'm here in Virginia.

Speaker:

I'm in the heart of government contracting country, federal government contract.

Speaker:

I, I can spin around and spit in my neighborhood and 99 percent of them

Speaker:

probably work for one if they don't work for the federal government themselves.

Speaker:

So, you know, my concern, obviously, when it first spun up was

Speaker:

You saw everybody and their brother was a cyber security expert the

Speaker:

next day, because they saw this thing of how many ever, they roughly

Speaker:

estimated 300,000 companies.

Speaker:

They're all of a sudden going to be enforced with getting cyber security.

Speaker:

Ooh, licking your chops, licking your chops.

Speaker:

That's starting to spin back up again, by the way.

Speaker:

I'm seeing that spinning back up again.

Speaker:

And, and I legitimately thought, and I think a bunch of others did as

Speaker:

well, that they would have some sort of requirements, some sort of work

Speaker:

history, some sort of something that says, Hey, you've had to be in the field

Speaker:

for certain so many years, you've got to go and have certifications like CISSP.

Speaker:

To be honest with you, it's the only reason why I did CISSP.

Speaker:

I wanted to be done with certs.

Speaker:

I was at the age.

Speaker:

I'm like done.

Speaker:

And I said, well, this is going to be a thing.

Speaker:

I live here.

Speaker:

I spent six weeks to the CISSP.

Speaker:

And then to find out that you could go take a, an online

Speaker:

course for 10 or 12 hours.

Speaker:

Somebody sent me their notes because I know somebody that had a marketing thing.

Speaker:

Background, no cyber security and passed it and became an RP.

Speaker:

And I said, this is a joke.

Speaker:

So it was one of those things I said, I don't know where this is going.

Speaker:

I do know that they've taken away the POAM, the, you know, your, my promise

Speaker:

letter, so that my promise letter is not, that pieces went away, which I,

Speaker:

and I think, or if you do have it is you've got to finish it within six

Speaker:

months or 90 days or something like that.

Speaker:

Right.

Speaker:

It's good.

Speaker:

It's a, yeah, it's, it's some sort of compromise.

Speaker:

You don't get it indefinitely is, is what it boils down to, which

Speaker:

that makes probably a little bit more sense than anything that's.

Speaker:

You know, usually open ended but I told this to somebody else last night.

Speaker:

So a couple back in that 2019 2020 timeframe, I was on a conference call.

Speaker:

This was not a CMMC, whatever that board was called back then before

Speaker:

they're now the AB or whatever it is.

Speaker:

This was more like something related to SPRS scores and something else

Speaker:

the federal government already does.

Speaker:

And they talked about, you know, the, if you have this one, it

Speaker:

will translate over to CMMC.

Speaker:

But then you had at the time, this is something I want to ask you

Speaker:

because you work for an MSP, correct?

Speaker:

MSSP.

Speaker:

MSSP.

Speaker:

Yep.

Speaker:

at the time, and again, this is like 4 years ago, somebody asked about

Speaker:

MSPs and MSSPs for requirements of working with the clients.

Speaker:

And this is the first time.

Speaker:

I had the call on speakerphone.

Speaker:

I had stepped out of my office, but I had it up really loud.

Speaker:

And somebody said, you're most likely as it stands now going to have to

Speaker:

be at the same level as whatever the clients are you support and the audible

Speaker:

gasp will never I'll never forget that gasp that I heard because it

Speaker:

was an open phone call that I was on.

Speaker:

This wasn't a zoom call or something like that that I had dialed into.

Speaker:

It was open phone call.

Speaker:

Anybody could have jumped in and then that fell apart.

Speaker:

At that time period, and it's been, you know, went through with different things

Speaker:

that has been going through, that's popped back up in the last few weeks.

Speaker:

I was on the town.

Speaker:

I don't know if you were.

Speaker:

Were you on the town hall a week before last?

Speaker:

I gotta be honest, I stopped attending them.

Speaker:

last one was a, the last one had to deal with MSPs and MSSPs.

Speaker:

Yes.

Speaker:

Okay.

Speaker:

It's on the website, but essentially they were talking about this and now

Speaker:

there was a group of like, 7 or 8 MSPs that have bound together to form

Speaker:

their own lobbying group around this.

Speaker:

I think they're circling the wagons.

Speaker:

So, I didn't know if this is something with the clients that you guys have had,

Speaker:

knowing that that's probably coming down with defense contractors that you support.

Speaker:

Have you started taking measures yet?

Speaker:

For yourselves to see what, what tools, what applications, that type of thing that

Speaker:

you're going to go, ah, crap, we can't use this one, or we've got to build a secure

Speaker:

enclave for this handful of clients.

Speaker:

Is that something you guys are in discussion about?

Speaker:

Yeah, we, we've, we've been talking about it and, you know, it's always

Speaker:

a, a, like an evangelist tour, an evangelism tour with MSPs and

Speaker:

MSSPs because I, you know,

Speaker:

The marketing team wants to do it.

Speaker:

The sales team wants to do it.

Speaker:

You've already got client clients that are in scope, so on and so forth, but

Speaker:

then you have to bring in the reality of things like the enclave, things

Speaker:

like, Hey, you're still in your, your what, what do I want to call it?

Speaker:

The honeymoon phase of migrating to Microsoft 365

Speaker:

across the board and the luck.

Speaker:

You're going to need to move 365 tenants again.

Speaker:

Right?

Speaker:

Oh, and you've got a, an overseas apparatus.

Speaker:

We're going to have to talk about, we're going to have to talk about that.

Speaker:

That has implications as well.

Speaker:

Right.

Speaker:

And, and so it's, you know, trying to bring that reality to

Speaker:

the MSP and MSSP space and trying to sneak up on the idea of.

Speaker:

If you don't have the testicular fortitude to do this right, don't

Speaker:

do it, don't do it at all, right?

Speaker:

Don't bother your answer then to organizations that have

Speaker:

applicability in this, in this space is call somebody else, right?

Speaker:

I can't, I can't help you.

Speaker:

Right.

Speaker:

And so I, again, I don't want to be a defeatist.

Speaker:

I don't want to be the cat that has to answer to the person

Speaker:

who signs my paychecks to say, yeah, no, this is a non starter.

Speaker:

But again, this is, it's, there's a lot on the table if you do it wrong.

Speaker:

There's a lot at stake if you do this wrong.

Speaker:

And so it's having those dialogues, having those conversations.

Speaker:

I've been having that conversation a lot with MSPs and MSSPs since 2020.

Speaker:

And inevitably, it's a question of here's what it looks like.

Speaker:

And they want to negotiate.

Speaker:

Well, could we just, could we just, you know, Could we just

Speaker:

give it to this group of folks?

Speaker:

Do they, does it have to be a dedicated team?

Speaker:

Yeah.

Speaker:

Yeah.

Speaker:

Yeah, it does.

Speaker:

And the, the, the service providers that I've interfaced with that get it

Speaker:

better than others are the ones that have had CJIS applicability, right?

Speaker:

The criminal justice system, CJIS requirements are not dissimilar or

Speaker:

Okay.

Speaker:

Yeah.

Speaker:

ITAR.

Speaker:

have had ITAR or yeah, exactly.

Speaker:

And those, those cats get it.

Speaker:

Those cats hear the requirements and go, all right, fine.

Speaker:

You know, and they, and they've been, they've been through that hell.

Speaker:

Right.

Speaker:

But it went quiet for quite a while.

Speaker:

So I'll have to, you know, dip my toes back in that world.

Speaker:

If the, the conversation is coming back around, I've, I heard the last I'd heard

Speaker:

was that October was the earliest we were going to see anything resembling

Speaker:

enforcement,

Speaker:

acting like now, I think it's going to be next year.

Speaker:

Most likely because Congress has to have so many days.

Speaker:

To go on and with it being a major, you know, an election year, they

Speaker:

think that's probably going to interrupt the progress, the process

Speaker:

with that, regardless of it switches.

Speaker:

Is this it was like, does the current at that time?

Speaker:

Will the current Congress need to go approve?

Speaker:

What is going on?

Speaker:

So I think I think they are thinking it's going to be 1st quarter

Speaker:

of next year at the earliest.

Speaker:

There's been a couple.

Speaker:

So, you know, and let me shift gears away from the policy because besides

Speaker:

the fact that I, it was a little irritating to see everybody be a

Speaker:

cybersecurity expert and do all this stuff that they weren't the day before.

Speaker:

Probably couldn't spell it.

Speaker:

You know, I was always frustrated with the monopolistic nature of the

Speaker:

way it was set up with one nonprofit.

Speaker:

There was another one here in the area that predates the Cyber AB that had

Speaker:

volunteered to be involved in this process even before that, because they had a

Speaker:

large, big building up here right outside Quantico in the, in the vicinity and was

Speaker:

told no, because of that circle jerk that was going on that allowed some of that

Speaker:

stuff to take place back at that time.

Speaker:

And then all the fees that were wrapped up in it.

Speaker:

I mean, you got the, you got the RP.

Speaker:

Are you still paying the maintenance fee, even though.

Speaker:

Nothing has been happening.

Speaker:

yes, I'm, I'm still within my first renewal cycle, so I'm, haven't made

Speaker:

the decision ultimately as to, you know, am I going to proceed now?

Speaker:

Mercifully, I'm subsidized by my employer.

Speaker:

It's not coming out of my own pocket and I'm not out on my own as a

Speaker:

solopreneur and having to finance that against, you know, consulting

Speaker:

consulting work because I'll be candid.

Speaker:

If that was the case, I probably would have pulled the plug on it.

Speaker:

I probably wouldn't have pursued it if I'm candid.

Speaker:

Right.

Speaker:

So it'll be interesting to see what happens.

Speaker:

But I, but I also want to, I want to say this because I want

Speaker:

to, I want to give it oxygen.

Speaker:

Right.

Speaker:

That it's, it's similar in nature to a regulation I referenced

Speaker:

previously, the FTC Safeguards Rule.

Speaker:

Right.

Speaker:

You, you have almost everything you need in front of you

Speaker:

from a guidance perspective.

Speaker:

And I'm, and I'm talking to the clients, talking to the organizations

Speaker:

that are, that are sitting back waiting for a final answer on CMMC.

Speaker:

Let me know what I have to do to be compliant and I'll do it.

Speaker:

But while y'all are bickering back and forth, I'm just going to go back

Speaker:

to doing what I was doing all along.

Speaker:

problematic.

Speaker:

Like you've got 171, well documented, it's out there in the open.

Speaker:

Hell, you've got the CMMC standard itself, although it just looks a lot like 171.

Speaker:

Right?

Speaker:

Yeah,

Speaker:

Right, exactly.

Speaker:

They just give it different IDs.

Speaker:

It's the same requirements.

Speaker:

It's just ID numbers, you know.

Speaker:

The mapping exercise from 171 to CMMC takes you

Speaker:

I want to say, I want to say something about that real quick.

Speaker:

This is that part that I get frustrated, not just with CMMC going, how many

Speaker:

damn frameworks do we need to have?

Speaker:

Where there are, it's essentially the same policy, but it's this number here.

Speaker:

I used to have a chart.

Speaker:

I swear to God, I had this chart.

Speaker:

You could have mounted it up on the wall and it had all the

Speaker:

frameworks and it showed how, all right, password reset policy.

Speaker:

Okay, this one is, this one is, this one is across this thing was gigantic.

Speaker:

I cannot find it, but anyway, it's just, it's frustrating and I can see

Speaker:

where that's confusing to the lay person that wants to just do that initial

Speaker:

research that wants to sit there and it starts going and they're like, oh

Speaker:

my God, there's 45 of these things.

Speaker:

And anyway.

Speaker:

Heh heh heh heh

Speaker:

Yeah.

Speaker:

No.

Speaker:

And to your point, what I think frustrates a lot of teams and especially those teams

Speaker:

that are working with service providers is they go through the effort of, okay,

Speaker:

now I am in line with 800-53, or I'm in line with the NIST CSF and then somebody else

Speaker:

walks in the room, their organization or service provider, vendor, whoever it

Speaker:

is, somebody else walks in the room and goes, Hey, that's great and all, but

Speaker:

I'm gonna need you to get ISO compliant.

Speaker:

You know, by 2 p.m. today, and then it starts the mapping exercise of going, okay, all right.

Speaker:

Hold on.

Speaker:

What am I already good with in this other framework?

Speaker:

And how can I, you know, close the gaps accordingly as quickly as possible?

Speaker:

We've actually spent a lot of time myself and my team at the

Speaker:

behest of the organization.

Speaker:

Mapping from everything from the TSC through CMMC, 171, 53, CSF, all

Speaker:

the way down the line, right?

Speaker:

This requirement maps to this requirement, et cetera.

Speaker:

And then leveraged that to close gaps in our own policies and our

Speaker:

own controls frameworks to say, all right, now we are compliant.

Speaker:

We are demonstrably compliant with.

Speaker:

Everything, right?

Speaker:

But I can't tell you how much money, how much time, how much just

Speaker:

pure resources were just vaporized into that particular process.

Speaker:

And so if we were trying to pitch that to a client to say, Hey, here's what

Speaker:

we're going to do over the next year.

Speaker:

We'd be laughed out of the room and rightfully so, but in that effort,

Speaker:

one thing that stood out to me was I thought I was good with the vast

Speaker:

majority of frameworks, right?

Speaker:

You, you get enough exposure to a framework and the implementation

Speaker:

realities of a particular framework.

Speaker:

You think, you know, the framework well enough.

Speaker:

It isn't until you start comparing it to other frameworks where

Speaker:

you start realizing, Oh, I see there's a problem with that one.

Speaker:

And then you move to the next one.

Speaker:

You're like, well, I see a big hole in that one as well.

Speaker:

Right?

Speaker:

And you, you start realizing that there is no perfect framework and

Speaker:

putting my flag in the ground on this, it doesn't make it any better

Speaker:

overlaying them on top of each other.

Speaker:

It's not like a mesh that magically solves all problems.

Speaker:

Right?

Speaker:

And so.

Speaker:

Because there's still holes.

Speaker:

There's still things that are missing from all the frameworks

Speaker:

or it's cost prohibitive, resource prohibitive to try to, you know,

Speaker:

apply all of them to your org.

Speaker:

So yeah, it's, I fully understand.

Speaker:

I fully appreciate some of the heat that our industry gets from

Speaker:

outside of our industry, right?

Speaker:

Like, do you guys even know what you're doing?

Speaker:

No.

Speaker:

Why are you spending all this time fighting with each other?

Speaker:

Fighting with, you know, the bad guys don't have overlaying frameworks, right?

Speaker:

Like they don't, you know, the MITRE ATT&CK framework, that's cute.

Speaker:

They've got their own set of

Speaker:

Whatever wor Whatever works.

Speaker:

thing.

Speaker:

Exactly.

Speaker:

Exactly.

Speaker:

So and it's always going to be a game of they're going to try something.

Speaker:

It's going to succeed.

Speaker:

We're going to try to defend against it, but it's already happened.

Speaker:

So

Speaker:

It's

Speaker:

it's a, it's a

Speaker:

well, it's it's crazy.

Speaker:

I've only ever, you know, talking about that evolution, that cat and mouse

Speaker:

game because it's a cat and mouse game when you're talking about that one,

Speaker:

I want to use it that it was a zero day virus because I got to work with

Speaker:

Symantec engineers about 10 years ago we had it was a ransomware attack.

Speaker:

You got localized on just one computer, similar to what

Speaker:

you, your story was earlier.

Speaker:

And we were using an on prem SPS server with Microsoft exchange.

Speaker:

Yeah.

Speaker:

And we were using SemanticML for the antivirus and filtering.

Speaker:

This had gotten through, it was a Word document, Excel document,

Speaker:

some sort of Microsoft document.

Speaker:

And it was an infected Visual Basic script that was in there.

Speaker:

So, got a hold of the file, ran it through VirusTotal.

Speaker:

It comes back, oh, we've never seen this one before, zero.

Speaker:

Like, okay, that's kind of interesting.

Speaker:

Never had, I personally have never had that happen before.

Speaker:

A buddy of mine was there.

Speaker:

I shot him the file said, be careful with the file, but you run it through.

Speaker:

I forget which one he added.

Speaker:

He ran through virus total again as well.

Speaker:

Dude, it said like, it still says zero at that point.

Speaker:

It like didn't trigger that.

Speaker:

I had run it through.

Speaker:

I shoot it up to Symantec.

Speaker:

They actually bounced me all the way through up to their senior engineers.

Speaker:

They said, yep, we've not seen this before.

Speaker:

You got a zero day.

Speaker:

And it was just a morphing because somebody had taken a line of code.

Speaker:

And moved it down a couple spots.

Speaker:

It didn't let their threat detectors pick it up as it was scanning the file.

Speaker:

Now, imagine this happening at scale all the time, everywhere.

Speaker:

And that's what I try to explain to people with that.

Speaker:

But I do like to go around and say, I have seen a zero day and I got

Speaker:

to work with Symantec engineers for three days, five days, something

Speaker:

along that line to patch the hole.

Speaker:

And then we had two knowledge base articles that were attributed to us,

Speaker:

which I thought was kind of cool.

Speaker:

Right.

Speaker:

And not that I'm trying to instill fear in people or put the fear of

Speaker:

God of into folks about this, this sort of thing, but and we do, we

Speaker:

have more advanced detection tools.

Speaker:

We have heuristic tools and so on and so forth, right?

Speaker:

But could you imagine the, the, the comedy, the sheer comedy of.

Speaker:

In 2004, 2006, something along that line, somebody says, what do I do to

Speaker:

put out a virus that will, will evade detection, cut, paste, send, right?

Speaker:

Really?

Speaker:

Is it, was it that some, I remember, I remember being prior to going into

Speaker:

IT, I worked in architecture and, and we were, we had a open office, open

Speaker:

office layout, of course, architects and designers love that sort of layout.

Speaker:

This would have been 90.

Speaker:

98, 98, 99, something in that range.

Speaker:

The, I love you virus, right?

Speaker:

I remember again, I'm not an IT at that moment.

Speaker:

It's not my problem, not my responsibility.

Speaker:

And I remember hearing it just ping around the room and the guy

Speaker:

that was responsible for, for IT.

Speaker:

I mean, he finally just stood up, threw his, threw his stuff down.

Speaker:

He's like, everybody stop.

Speaker:

Just push back from your desk.

Speaker:

Don't touch.

Speaker:

Anything just, just stop, you know, and, and it just the

Speaker:

frustration in his voice is like,

Speaker:

Yeah.

Speaker:

I was going to say that was in 2000, 2001, I believe.

Speaker:

Wasn't it?

Speaker:

they can, it could be, it could be that I left architecture in 2002,

Speaker:

so it could be in that timeframe but we were still on Dell, Pentium,

Speaker:

No, I want to say we went, we had, you know, cause that

Speaker:

one had went around so much.

Speaker:

I remember being the same thing.

Speaker:

I'd worked at American Military University.

Speaker:

I was a senior network engineer because I think that was the worm

Speaker:

that went through everybody's contact list to immediately spread itself.

Speaker:

I've already caught.

Speaker:

You know, that type of thing.

Speaker:

And it was like, Whoa, unplug, you know, there was like legitimately, it was like

Speaker:

an unplugged situation instantaneously because it spread so rapidly.

Speaker:

Yeah.

Speaker:

Oh yeah.

Speaker:

Oh, you're going to give me PTSD on that one.

Speaker:

Yeah.

Speaker:

Appreciate it.

Speaker:

Well, coming up on time, we'll wrap up with, with maybe like your, the advice

Speaker:

you usually seem to give somebody.

Speaker:

The 1st time you've interacted with them, or maybe maybe using a final

Speaker:

advice, you're wrapping up an engagement for them to continue on a path to make

Speaker:

sure that they've, they've got that security mindset because that's something

Speaker:

that's, you know, we talk about that.

Speaker:

Cyber security is a team sport.

Speaker:

It's not just relegated to your I.T. staff.

Speaker:

This is legitimately everybody has to be aware because the lowest

Speaker:

person has access to too much stuff can cause a major problem.

Speaker:

So what what's kind of that advice?

Speaker:

Do you find yourself giving repeatedly that other people seem to accept?

Speaker:

To keep them in a kind of a secure mind frame,

Speaker:

Well, for me, it's always, you know, I've touched on it a couple of times.

Speaker:

I always go back to risk, right?

Speaker:

Risk, risk never reaches zero.

Speaker:

If anybody comes to you and says, I can make you secure, they're lying.

Speaker:

That's not a thing.

Speaker:

It's not a utopian society or a utopian destination where you get there and.

Speaker:

Ah, have a margarita, have a, you know, similar cocktail with an umbrella in it.

Speaker:

That's not, that's not the case.

Speaker:

It's a way of being.

Speaker:

It's, it's a, it's a hygiene.

Speaker:

It's a posture.

Speaker:

And unfortunately it's forever, right?

Speaker:

It's, it's, it's this, this ever vigilant.

Speaker:

You know, posture that we all have to be on, on high alert.

Speaker:

Right.

Speaker:

But I counter that by saying like, listen, I still sleep fine at night.

Speaker:

I hope you do too.

Speaker:

You know whatever happens is going to happen.

Speaker:

Either you see it coming and you've done enough to reduce the

Speaker:

risk or you haven't, and you have to deal with it when it happens.

Speaker:

I advise a lot of clients on, we're going to talk.

Speaker:

30 percent about preventing certain things from happening and 70 percent

Speaker:

how to deal with them when they do.

Speaker:

And I've had clients actually look at me and say like, that's not right.

Speaker:

We want, we want, we want it not to happen.

Speaker:

I'd love for it not to happen too, but

Speaker:

it's, it's going to happen.

Speaker:

So, you know, exactly.

Speaker:

How are you going to deal with it when it happens?

Speaker:

Right.

Speaker:

You, you, when you go to the mall, you park your car.

Speaker:

You lock the doors.

Speaker:

Maybe you stuff all your valuables in the glove box and lock the glove box.

Speaker:

Maybe you still have the club across the steering wheel, right?

Speaker:

You set the alarm when you walk away.

Speaker:

You still have insurance, don't you?

Speaker:

Right.

Speaker:

So, you know, it's just, it's, it's,

Speaker:

And if you're in, and if you're in San Francisco, they're still breaking

Speaker:

your windows and taking your shit.

Speaker:

Yeah, exactly.

Speaker:

No, it's San Francisco.

Speaker:

You just leave everything open so they don't break the car.

Speaker:

Mike, this is, this has been fun, man.

Speaker:

I think we could have kept going for a while on this.

Speaker:

I think we're like minded if anybody wants to reach out, what's

Speaker:

the best place for to contact.

Speaker:

Find me on LinkedIn.

About the Podcast

Titan of Tech
Tech Trends, Triumphs, and Trials: The Human Side of Tech
"Titan of Tech" is more than just a podcast; it's a journey through the evolving landscape of technology. Each episode is a window into the future, offering insights and perspectives that you won't find anywhere else. This is the place where curiosity meets innovation, and listeners become well-versed in the language of tomorrow’s technology.

Why Tune Into "Titan of Tech"?

Diverse Perspectives: We bring you voices from all corners of the tech world – from seasoned CEOs of leading tech companies to the unsung heroes and rising stars in the industry. Get a 360-degree view of the technological panorama.

Beyond the Buzzwords: We delve deeper than the trendy tech jargon. Understand what Cybersecurity, Quantum Computing, or Artificial Intelligence really mean for the world and for you.

Global Tech Scene: Technology knows no borders. We explore international tech developments, giving you a global perspective on innovation and its impact.
Accessible Content: Whether you're a tech guru or a novice, our content is tailored to be accessible and engaging. We break down complex concepts into understandable and relatable discussions.

Future Focused: From predictions about the next big tech breakthrough to exploring how technology will shape our society in the future, "Titan of Tech" keeps you ahead of the curve.

In "Titan of Tech," every episode is a blend of passion, knowledge, and a vision for the future. We're not just reporting on technology; we're part of the conversation that shapes it. Our engaging narratives and in-depth analyses make us the perfect companion for your daily commute, workout, or leisure time.

Discover the stories behind the innovations that are transforming our world. Join our community of curious minds and tech enthusiasts. Subscribe to "Titan of Tech" and be a part of the conversation that's shaping our digital destiny. Connect with us online at https://podcast.titanof.tech and follow the future, today!

Follow at:
https://linkedin.com/in/johnbarker78
https://x.com/johnbarker78
https://instagram.com/johnbarker78
https://titanof.tech (Virtual CIO Advisory Services)

About your host

John Barker

John Barker, MBA, CISSP, PMP, has worked as a Virtual CIO for the past 7 years. He has supported many executives in a wide range of industries. John's mission is to improve operational technology, identify technology value drivers, and improve cybersecurity defenses. John has led numerous cybersecurity evaluations using standard frameworks such as HIPAA and NIST cyber standards. John has been a regular featured columnist in Northern Virginia news outlets, with over 35 technology columns published in the region.

John started his technology career working on Unisys mainframes in a manufacturing setting. This evolved into the lead network engineer role for American Military University, the first online-exclusive accredited university in the United States. He has led a global multi-million-dollar Department of Defense technology program that supports over 500,000 users. John advises high-net-worth families (300M+) on all technology and cybersecurity matters.

John is active in his community. John served four years on the Culpeper County Broadband Planning Commission, whose purpose was to expand high-speed internet access in the rural community. He has served on the Board of Directors for chambers of commerce and as the chairperson of marketing and membership committees. John has been a regular at mock interviews and career days for local elementary and high schools. John has led technology entrepreneurial sessions for high school-age students, instructing them on the steps to create a mock technology product and a business plan, which they "pitch" to other business leaders in the community.

In 2023, John served on the Technology Advisory Committee for Stafford County Public Schools. He assisted in writing the first A.I. policy voted on and approved by a School Board in the State of Virginia.

John currently works with two different cybersecurity organizations. John is a member of ISC2. He wrote new questions and reviewed existing questions for the current version of the Certified Information Systems Security Professional (CISSP) exam, the gold-standard information security certification. John is part of the Cyber Security Forum Initiative (CSFI.US) Cyber reporting team. The team aligns national security threat scenarios to common and uncommon cyber frameworks. The team also has access to information that cannot be disclosed.

Press List – Author
Mind-blowing AI Tools are here to stay
Date: March 4, 2023
Link: https://fredericksburg.com/opinion/comment-mind-blowing-ai-tools-are-here-to-stay/article_b603e478-b7c4-11ed-a7b0-838023b605f9.html
Category: artificial intelligence

Artificial Intelligence (AI) has seen an unprecedented leap into the public consciousness, especially with the advent of tools like ChatGPT, showcasing the potential for machines to mimic human conversation with remarkable fluency. AI's history, dating back to 1956, is built on the premise that human intelligence can be emulated by machines, leading to developments in reasoning, learning, and perception.
This technology has quietly underpinned everyday tools, from recommendation algorithms on YouTube to autonomous driving, without widespread public awareness of its mechanisms. The discussion around AI now also encompasses ethical considerations, such as the potential for plagiarism in AI-generated content and the embedding of biases within algorithms. Despite these challenges, the integration of AI into daily life and work is inevitable, urging a collective effort to harness its potential responsibly and ethically. The narrative is clear: AI is no longer a futuristic concept but a present reality, transforming how we interact with technology, understand creativity, and approach the ethical dimensions of digital innovation.

Cybersecurity is a people problem
Date: Oct 15, 2023
Link: https://fredericksburg.com/opinion/column/comment-cybersecurity-is-a-people-problem/article_042531f0-6924-11ee-8b91-fffa2f546f8c.html
Category: Cybersecurity
Cybersecurity incidents often stem from human error rather than technological flaws. For example, a major breach at MGM Resorts was enabled by social engineering, exploiting inadequate employee verification processes. Similarly, the Equifax breach resulted from unpatched servers, highlighting a lack of attention to basic security practices. Other incidents, like a casino hack via an internet-connected thermometer, illustrate the risks of integrating insecure IoT devices into critical networks. These examples underscore the importance of robust security protocols, regular updates, and education to mitigate human-related vulnerabilities. Awareness and proactive measures can significantly reduce the risk of cyber attacks.

Think Twice before using TikTok
Date: May 28, 2023
Link: https://fredericksburg.com/opinion/comment-think-twice-before-using-tiktok/article_55e76904-f3fe-11ed-b8a0-4fc03a885c17.html
Category: Cybersecurity
TikTok faces increasing scrutiny for its data privacy practices, with concerns over potential data sharing with the Chinese government due to its parent company ByteDance's ties. The platform's massive user engagement has drawn legislative attention, resulting in app bans and hearings aimed at mitigating security risks. Users are encouraged to critically evaluate their TikTok usage, considering the privacy and psychological implications of their engagement with the app.

‘Brute Force’ cellphone attack secures conviction
Date: April 22, 2023
Link: https://fredericksburg.com/opinion/columns/comment-brute-force-cellphone-attack-secures-conviction/article_0d2b4d80-ddff-11ed-8cd7-3b730ec21d54.html
Category: cybersecurity, law enforcement
At the heart of Alex Murdaugh's trial for family murder charges was a crucial cell phone video that challenged his innocence. The U.S. Secret Service's expertise in unlocking the phone revealed evidence critical to the case, showcasing the power and potential privacy concerns of digital forensic technology. This situation underscores the importance of robust personal cybersecurity measures, such as multi-factor authentication and secure passwords, to protect against unauthorized access to sensitive information.

Technology education evolving in Fredericksburg Region
Date: July 1, 2023
Link: https://fredericksburg.com/opinion/column/comment-technology-education-evolving-in-fredericksburg-region/article_248daac4-16b0-11ee-b3af-1ffb021e4fb5.html
Category: technology education

The document discusses the evolution of technology education in the region, highlighting the shift from traditional vocational programs to modern Career and Technical Education (CTE) offerings. It showcases local initiatives to engage youth in technology through summer camps and hands-on learning experiences. Programs range from building drones and gaming PCs to video game development and entrepreneurship in technology. These efforts are aimed at equipping students with industry-level certifications, real-world experience, and fostering a passion for technology from a young age, challenging them to think critically and innovatively.

Cybersecurity and the Internet of Things
Date: November 30, 2020
Link: https://www.youtube.com/watch?v=9UgaxG574TI&t=227s
Category: cybersecurity, IoT
John Barker leads a panel through a discussion of the cybersecurity risks in everyday household items that now connect to the internet.

Creating a Culture of Security
Date: Jan 23, 2020
Link: https://www.insidenova.com/culpeper/data-dump-creating-a-culture-of-security/article_6fd2bbb8-3de8-11ea-991b-9f8d164e71d4.html
Category: cybersecurity

Creating a culture of security is essential in combating the increasing threat of cyberattacks, which affect organizations of all sizes. Implementing foundational cybersecurity measures like firewalls, strong passwords, and patch management is crucial. Leadership must prioritize and practice these measures to influence the organization's culture positively. Regular training adapts to evolving cyber threats, emphasizing social engineering awareness. A non-punitive environment encourages reporting mistakes, fostering trust and improvement. External audits validate cybersecurity practices, ensuring adherence to standards. Despite existing regulations in some sectors, many companies lack comprehensive cybersecurity measures. Upcoming regulations, like the Cybersecurity Maturity Model Certification, will enforce stricter compliance and auditing, potentially extending to wider markets influenced by cybersecurity insurance trends.

Ignorance is not an excuse anymore!
Date: November 21, 2019
Link: https://www.insidenova.com/culpeper/data-dump-ignorance-is-not-an-excuse-anymore/article_a5309ae6-0c92-11ea-a3cf-e716081495ce.html
Category: cybersecurity
In recent travels and networking, a concerning trend of improperly secured websites has been observed, highlighting a persistent issue with security certificates. Many businesses, from startups to established companies, neglect basic web security, often resulting in vulnerable websites. The misconception that security breaches are unlikely and the lack of knowledge about the importance of SSL certificates contribute to this problem. It's emphasized that securing a website is a fundamental task that should not be overlooked, as it verifies the site's authenticity and secures data transmission. The article suggests actively ensuring web designers or hosting providers implement SSL certificates and explores options for securing websites, including free services. Ignorance of web security is no longer acceptable, underscoring the necessity for all, including those without technical backgrounds, to prioritize online security.

Is Your Cloud Data Safe from Prying Eyes?
Date: July 5, 2018
Link: https://www.insidenova.com/culpeper/archive/data-dump-is-your-cloud-data-safe-from-prying-eyes/article_c728ffc4-f902-5674-89be-9b178ad12ee1.html
Category: cloud, security, privacy
The narrative explores the evolution and concerns surrounding cloud data security, focusing on encryption practices and the tension between user privacy and government access requests. It emphasizes the importance of encryption for data in transit and at rest, highlighting user control over encryption keys as critical for privacy. Major tech companies' struggle with government demands for data access is discussed, underscoring the ongoing battle for data privacy. The piece suggests that while cloud storage offers enhanced security and convenience compared to local storage, users should be aware of the potential for their data to be accessed by service providers or under legal compulsion.

Project Management Institute (PMI) Network Without Cringing (Really!) (Featured Guest)
Date: August 7, 2017
Link: https://www.pmi.org/learning/careers/network-without-cringing-really
Category: business, networking