Though 2020 has felt decades-long already, we still haven’t had to deal with the long-term effects of the pandemic.
But we will. The question is: Can your security?
- How the pandemic is impacting security
- The threats companies face now and in the future
- Finding opportunities in a post-COVID-19 world
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
Jeremy Sporn (00:25):
Hello and welcome to another episode of the virtual CISO Podcast. I’m your host for today, Jeremy Sporn. John Verry is taking some personal time, much deserved personal time. So I’ll kick this conversation off real quick with an introduction to our guest for today, Reg Harnish. Reg is a very experienced business leader, cyber security practitioner, and speaker who brings a very unique perspective on how businesses, especially security leaders in those businesses, can take advantage of this challenging COVID situation that we find ourselves in. It’s really cool stuff. I know you will all really enjoy his conversation with John.
John Verry (01:15):
Reg, good morning. Thanks for coming on.
Reg Harnish (01:17):
Morning. Thanks for having me.
John Verry (01:19):
So I always start simple. Tell us a little bit about who you are and what it is that you do.
Reg Harnish (01:25):
So Reg Harnish, I’ve been probably best known for my work in cybersecurity with GreyCastle Security, but really my professional background started earlier and I got involved in startups back in ’93 and worked for a very small company. It wasn’t my own. I really got a sense of what it was like to be involved in every part of the business. I was kind of bit by the startup bug. That was out in Santa Fe, New Mexico. I moved back to Albany, New York, where I’m from, and got involved with a software startup. I was employee seven there and over the fall. And then the subsequent five years, we ended up growing, competing with Oracle, and Bond, and JD Edwards.
Reg Harnish (02:08):
And we had some pretty desirable software. We ended up going through an IPO late ’99, early 2000, which was super exciting. I was running a lot of the technology there. I was also involved in deployment of software. I got to travel the world. And getting to witness and experience a rapidly growing company like that was super exciting for me and I was just hooked. So after the IPO, wanting a different challenge, I ended up moving to New York City and working with Kimbal Musk on a venture that looked a little bit like YouTube back in 2000, 2001. And once again, just got to work with some great people and in an exciting space. And it was an exciting time for us, even though it was really a difficult time for startups, 2000, 2001.
John Verry (02:57):
We started on September 1st, 2000. I know all too well. And if you were around New York City, right? 9/11 hit and there was no work to be found for nine months I’d say. We couldn’t have any.
Reg Harnish (03:09):
It was funny. After we exited that venture, I moved home and I said, “I’m going to take some time off and just golf and travel and visit my family, et cetera.” So I’m going to do that for three months. Three months turned into like six turned into nine because it was just really nothing going on.
John Verry (03:27):
Reg Harnish (03:28):
Yeah. So after that I ran into two guys who had started a company called Autotask and became the chief technology officer up there.
John Verry (03:38):
I think I’ve heard of Autotask.
Reg Harnish (03:38):
John Verry (03:40):
We were on Autotask at one point internally.
Reg Harnish (03:43):
Yeah. So I was there at the beginning, third largest individual shareholder for some time, was the CTO there for about six years. And the rest is history with Autotask, just recently went through a merger acquisition worth close to a billion dollars. So it was exciting. Again, this was a little bit different because you start to shift from spending all of your time learning how to build and grow a company to actually using some of the skills, and the experience, and the knowledge you’ve gained over the years. So I could feel my career starting to shift from one of just the learning and figuring out how to do this stuff to one of teaching and mentoring back then and again, just working with some great people who had been there and done that. I was just very fortunate to find these guys and it worked out really well.
Reg Harnish (04:33):
And then I left Autotask in about 2007. Was that right? 2007, 2008, did some not so meaningful work from 2008 to 2010. And then 2011, I started GreyCastle Security. The idea was born in 2010 over some grilled vegetables and hotdogs, but maybe it was the Italian sausage. So I started GreyCastle Security in early 2011, launched the business officially June 1st and it’s been a great run there. I ended up starting out as the chief security strategist because even though a lot of my professional background was in technology and starting and growing companies, I had fallen in love with cybersecurity in the early 2000s. At Autotask we had had very large prospects, a multibillion-dollar prospect, which is probably the biggest customer we had ever run into, and they wanted to buy a version of our software, but we had to pass a security audit.
Reg Harnish (05:40):
That was my first introduction to the 27000 series. And just fell in love with security in general, got my butt kicked of course, but we ended up landing that deal. It became a big and important milestone for the company and just for me, the rest of my career, just gravitated towards cybersecurity. So GreyCastle Security, really, I think our timing was good and our messaging was good and we did enough different. We weren’t focused on technology. Back in those days, managed security service providers who were managing firewalls and intrusion detection devices and things like that, that’s really what folks were looking at. And we focused exclusively on services and honestly, some of the harder things to do in cybersecurity, and made a name for ourselves. And we’ve been on the Inc. 5000 list four years in a row and continue to be one of the fastest growing professional services firms in cybersecurity. So that’s been an exciting run.
Reg Harnish (06:44):
To finish the story, my most recent venture, I have my own … I’ll call it advisory forum called Slingshot Cyber Ventures, where I’m advising a handful of young sort of growth stage cybersecurity companies. But I’m also the CEO and technically an MSSP, I guess, although I’m not fond of the term, a company called OrbitalFire. We’re focused exclusively on small businesses and how to change the cybersecurity thought process and functions because I feel like small businesses have largely been left behind by the industry.
John Verry (07:20):
So for anyone who kind of picked up on the fact that Reg Harnish mentioned GreyCastle a couple of times, if you know Pivot Point Security, you probably know GreyCastle Security. GreyCastle is a major competitor of Pivot Point. And you’re wondering like what the F is Reg Harnish doing on this podcast. Bottom line is Reg Harnish is one of the nicest and smartest people in the industry that I’ve ever met. I’m a big believer in … I call it [coopertition 00:07:43]. I like what he’s doing with Slingshot Cyber Ventures. I think it’s important. I agree with Reg that we need more good companies that understand what the SMB/SME space needs. So that’s why he’s on the podcast, despite the fact that yes, he is our competitor.
Reg Harnish (07:58):
Yeah. I’m not nice or smart.
John Verry (08:02):
I disagree on both, but that’s okay.
Reg Harnish (08:04):
But I totally agree on the coopertition and even at GreyCastle, we always took a different approach. We were students of our competitors and we watched the industry. We felt like, and I still personally continue to feel like, if you do a great job, you’re going to get the work. So it’s, yes, you need to understand your competitors from a positioning standpoint, but it doesn’t need to be a combative relationship.
John Verry (08:34):
I agree completely. There is so much work out there. You’re not going to put us out of business. We’re not going to … you put yourself out of business. Right? I mean, that’s the way I look at it.
Reg Harnish (08:40):
John Verry (08:41):
So yeah, before we get down to business, I always ask the question, what’s your drink of choice?
Reg Harnish (08:48):
My drink of choice, oh, by far is sweetened ice tea. It has been since I was a kid, yeah.
John Verry (08:53):
Reg Harnish (08:55):
Unfortunately, I use chemicals. But it’s funny, we didn’t have soda in my house growing up when I was a kid. We never had soda, but iced tea was seen to be in a full supply. So I had converted to iced tea long ago. Now I can’t even really drink soda. It gives me hiccups immediately.
John Verry (09:12):
Well, that’s probably a good thing because soda’s crap, although if you’re using artificial sweeteners, dude, you’ve got to stop that. Get a good green tea. There’s always a pitcher of green tea in our refrigerator, but it’s just native green tea. And if I really have a little bit of a hankering for something sweet, I’ll throw a little honey in there, especially Manuka honey from either New Zealand or Australia. It has a lot of good antimicrobial properties and things of that nature. I’m actually 83. I don’t realize that.
Reg Harnish (09:42):
Well, you don’t look a day over 80.
John Verry (09:46):
Thank you. I appreciate that. I will admit during the summer sneaking a little bit of honey bourbon into it as well.
Reg Harnish (09:52):
Yeah. So it’s funny, because I’m sure most of your folks are talking about some kind of alcohol, but I’ve almost never had … My first sip of alcohol when I was in my early 40s.
John Verry (10:03):
Get out of here.
Reg Harnish (10:04):
John Verry (10:06):
[inaudible 00:10:06] get through college.
Reg Harnish (10:07):
Yeah. And even now, I might have a frosty beverage if I’m on a beach somewhere, something beachy like a Mudslide or something like that. But really I don’t drink at all.
John Verry (10:21):
Different strokes for different folks, that’s what makes the world interesting, right? So the genesis of this conversation was you had done a presentation that I had seen that I thought was interesting. I believe the title was something like the post-pandemic security challenges and opportunities or something similar to that. So with your blessing, Reg, I’d like to ask you to re-up that in a more conversational style. So in that presentation you outlined four, what you referred to as new challenges. So why don’t we start talking about those four new challenges you talked about?
Reg Harnish (10:51):
Sure. Yeah. Well, I think a lot of these are not secrets, but I think the pandemic has both exacerbated existing issues and then created new issues that if you’re in the business of solving cybersecurity issues and trusting risks that you have to be aware of because when they talk about the new normal, it’s not just about people working from home, it’s about the way we execute and operate, and the way we calculate risks, the way we address risk. So I think there’s some things that are really important. The first is that budgetarily most companies are in a different position than they were in March, even if there’s been just a stalling on revenue or stalling on spending. The conversation around finance is very different today.
Reg Harnish (11:39):
So if you were on a cybersecurity team or you were a services provider, you probably had already felt like you weren’t given enough money to do the job that you needed to do. That just got worse and it’s going to stay worse. I think most experts believe that the economic fallout from the pandemic will far outlast the health concerns. We deal with the seasonal flu every year and no one’s wearing a mask because of measles. We get over that stuff. But the economics of this is going to be important. I think smart cybersecurity practitioners, whether you’re internal or external, are going to have to really think about how does your solution address either shortfalls in revenue? How does it address overall total cost of ownership?
Reg Harnish (12:28):
So my suggestion when folks ask me is to say, “Hey, look, go back. There’s lots of things out there.” You may have been driving a Ferrari, but today you’re going to start thinking about a Honda, however, both are vehicles. So how do you solve problems with less money? That’s going to be a real challenge for organizations, particularly in the industry where it’s very money focused, right? It’s very revenue focused. So I’m encouraging folks to start to think about how to change your messaging, change your product, and change your approach such that it’s actually either costless or it respects what we’re going to see in terms of financial fluctuation over the next 12, 24, 36 months, who knows how long the fallout for this will last.
John Verry (13:17):
Yeah. It’s interesting because I do think that we haven’t felt the fallout. I think that the government propped us up. I think we’re now just going to start to see people defaulting on mortgages and loans. I think we’re going to see a lot of those restaurants close and I think we’re going to feel this cascade through. So I agree with you, budget’s a huge issue. I think one way to do that and one way we’re doing it is we’re trying to figure out how to do more with less. So increasingly we’re trying to look through concepts of automation and even just the idea of, and I think this would be important for organizations, is how do I bring somebody on and get them up to speed faster? How do I have a world class onboarding program? How do I have a world class training program? How do I automate processes that are currently manual that can be automated so that way for the same investment I’m getting more done? I know that’s one of our internal initiatives right now, is doing everything we can to automate things.
Reg Harnish (14:10):
And honestly, sorry, in some cases it’s actually just about doing less.
John Verry (14:14):
Yes, I agree. I agree.
Reg Harnish (14:15):
It’s just about doing less because right now I think many organizations are in this foot race to bring in the latest, greatest technology, upgrade this, do that. But for me, if you look at the difference, there’s diminishing returns on your cybersecurity investments. So think about your risk tolerance and what’s acceptable in your organization, say, “Hey, listen, we’re just going to do less in cybersecurity now. And that’s so that the business can continue to support its mission and vision, which is survival right now. And it might just be a matter of doing less in cybersecurity for a bit.” I think that’s a perfectly sound strategy because cybersecurity, we’re not doing that to secure things. We’re doing it to support the vision and the mission of the business. And if the business can’t operate, then what have we done? What are we doing to contribute to that? So I think in some cases it’s just a matter of doing less.
John Verry (15:09):
Right. Well, it is, but it’s going to have to be a risk based approach to doing less, right?
Reg Harnish (15:12):
John Verry (15:12):
I mean, you got, A, our risk tolerance. If you’re going to do less, that probably means your risk tolerance has to go up. And really what it does is it says, where can we afford additional risk by cutting what we’re doing, right?
Reg Harnish (15:25):
John Verry (15:25):
Reg Harnish (15:25):
Or it may mean shifting investments. So if you’ve only got a set budget, you may say, “Hey, listen, even though we know that preventative controls and we’ve seen through all our analysis preventative controls may have this positive impact, we can’t afford that. So we’re going to shift more of our investment to our response capability and we’re going to roll the dice for six months because we’re doing less.”
John Verry (15:49):
Right. So the second thing you had expressed a concern about in one of the challenges was talent. So let’s talk about talent.
Reg Harnish (15:58):
Obviously, no secret that there’s a major gap between supply and demand in cybersecurity talent. And honestly, we’re not doing a great job of manufacturing folks who can start in a role and truly be effective quickly. So before the pandemic, we were in that situation. And now those folks, a lot of them, many of them who are IT folks to begin with, have been redeployed, working on VPNs or helping people print from home, setting up Zoom licenses, worrying about this virtual workforce. So you have fewer cycles available to you from your cybersecurity expertise.
Reg Harnish (16:39):
I also think in terms of the industry at large, there is increasing demand on cybersecurity from CISOs to firewall administrators. I think there’s increasing demand on those resources. So if you were struggling to find, attract, hire, and retain cybersecurity talent back in March, it’s only gotten worse for you because there’s greater demand. And those resources are redeployed or allocated to other tasks that may not be cybersecurity related, or you don’t have access to as many cycles as you did in March.
John Verry (17:17):
Yeah. I’ll bring up one other thing that I think is also going to exacerbate that shortage a little bit, and that is the ramp-up of the Cybersecurity Maturity Model Certification program within the defense industrial base. I mean, you’re going to see just an inordinate number of companies that are going to need a lot of attention. Right?
Reg Harnish (17:34):
John Verry (17:34):
And then that’s going to just draw down our demand. And then the second thing is we haven’t really felt, and I think one of the things that a lot of people have kind of put to the side during this pandemic is dealing with privacy in the California Consumer Privacy Act. But they’re not going to be able to put that to the side for that much longer. So you’re going to have an already insufficient workforce that now has two other priorities. So I agree with you. I think talent is going to be a problem. That’s a bad situation when your next issue was workload.
Reg Harnish (18:05):
John Verry (18:06):
So we don’t have budget and we’re having a problem finding people, all right, let’s talk about workload then.
Reg Harnish (18:12):
Yeah. So cybersecurity issues don’t just vanish if you ignore them. They tend to stack up. So we effectively stopped doing cybersecurity. Certainly, I can name many organizations who basically put a pause on their cybersecurity investments, or again, they had reallocated their cybersecurity talent to other more pressing issues. So in March we sort of turned off the spigot, but that’s the exact opposite. So the workload was already overwhelming in March. I don’t think any cybersecurity team out there felt like they were getting to everything that they needed to do.
John Verry (18:53):
No one was working 30 hours a week.
Reg Harnish (18:54):
No, no. Major backlog in March. And now your cybersecurity resources have been redeployed. But as you say, CMMC and a hundred other things, it hasn’t stopped, right? Your risks haven’t stopped, cyber criminals and our adversaries haven’t stopped. So since March, our production went down and the workload itself continued on that accelerating curve. So the gap between what we needed to do and what we have been able to do has widened severely since March. This work hasn’t gone anywhere. So now if you’re the CISO or you’re a small business owner, you’ve got to make some decisions on, okay, my priorities may have shifted a little bit … which is my fourth bullet.
John Verry (19:39):
Reg Harnish (19:39):
My priorities may have shifted a little bit and I have less money to spend and I have fewer cycles in terms of talent, how do I get through this workload now that has been stacking up since March and increasing? Whether it’s dealing with a new regulation, because you’re a defense contractor, or you’re a retailer, a bank, a university, it doesn’t really matter. I mean, we’re now faced with this mountain of work and where do we start? So priorities have never been a strong point for the industry. We all talk about risk assessment and how it helps prioritize and narrow your focus. But we’re not good at risk management today, in my opinion, so we’re faced with a brand new challenge in that area as well.
John Verry (20:26):
Got you. So now in your presentation you said, “Hey, these four newer challenges build on four previous challenges that we were already struggling with.”
Reg Harnish (20:36):
Yeah, that’s right.
John Verry (20:37):
So you mentioned, certainly we had a problem with the perimeter disappearing. It’s only gotten a lot worse. Talk about that.
Reg Harnish (20:47):
Yeah. So if we had talked or believed that the perimeter had vaporized prior to March, I mean, it’s essentially-
John Verry (20:56):
Reg Harnish (20:56):
It’s atmospheric now. So the idea that your data has become ambient, and that it’s literally everywhere, and it’s more difficult now than it was. It was already difficult to inventory, to classify, to monitor and track, and that just got way harder to do effectively. Obviously, much of it from the work from home situation that we’re in today. But organizations continue to generate data at increasingly alarming rates and the discipline around data management has really not gone anywhere. I don’t think we’ve gotten much better at inventorying and classifying and tracking our data than we were in March.
John Verry (21:45):
No, and it’s very interesting you say it that way because I actually think one of the interesting side effects of CCPA is going to be the fact that this idea of inventory and tracking and knowing how your processes act on data, and knowing where it’s being stored, which is a requirement for personal information, I think will become sort of more something we think about for all of our critical information. So I agree with you, that perimeter issue is bad. The other one, which I liked that you had was the noise is deafening. What noise is that?
Reg Harnish (22:13):
I think this is a self-induced issue. The cybersecurity industry, no doubt like many other gold rushes before it, has become one of tremendous opportunity, great wealth and riches. And sometimes it didn’t really matter if your solution actually worked. But if you look at what Gartner has recently published, 3,500 startups that they’re tracking, it’s very difficult for decision makers, CISOs, and others to make decisions or even figure out what solutions are available, and not just in technology, also in services as well. That market has become flooded with providers, manufacturers, vendors, and listen, snake oil, let’s face it. So it’s very difficult to deal with that when you have so much stimuli.
Reg Harnish (23:03):
If you go back to decision makers and CISOs and others who are faced with mounting issues caused by the pandemic now it’s even harder because the sheer volume of solutions or people trying to get your attention is increasing in ways … listen, I’m frustrated. I work in the industry and I consider myself in that body that has created this problem. But I think the industry is not doing buyers a lot of favors right now. It’s not clear what you do and what you don’t do. I can’t tell you how many organizations I’ve run into where their marketing is better than their product. So it creates issues for folks who truly want to commit to a cybersecurity program, and manage risk, and do the right things. It’s hard to even get started.
John Verry (23:54):
Yeah. I agree with you. I mean, the noise is deafening. Before those 3,500, I had heard a number like something like there were consistently 12,000 different information security products on the market at any point in time, which is nuts. And then I think the other problem that you run into, and I think you see this as well and you and I are both risk guys, right? We take a risk centric approach. People have a tendency to take a product centric approach to information security. When you ask them about their security strategy, they start to rattle off the products that they’re putting together.
Reg Harnish (24:21):
John Verry (24:22):
I think that kind of goes into your next point, where complexity is unmanageable, right? I’ve got all these overlapping products and I don’t fully implement any of them. And then I end up with the gaps in coverage or gaps between the products, which is where I think a lot of the challenges are. So I think that’s what you meant by your complexity is unmanageable on your next issue on the pre-COVID challenges.
Reg Harnish (24:42):
Yeah. I mean, the easiest way to explain this is try and put a number on the ROI on any of your cybersecurity technology stack. As you said, I mean, you hit on a lot of the, what I’ll say, common issues, which is these products are large, complex. They take a long time to deploy. They require lots of care and feeding, sometimes teams of folks are required to manage these deployments, the settings, configurations. And meanwhile, you’re just kind of sitting back there saying, “Well, what did I get out of this? Was it worth it to me?” So answering that question, which is really the fundamental question that should be answered in a cybersecurity program, which is, is it worth it? Because just to remind folks, there’s lots of organizations spending tens of millions of dollars in cybersecurity and still getting hit, or having problems, or failing in compliance. And then there’s organizations who have done absolutely nothing who have been lucky.
Reg Harnish (25:39):
So you got to talk about return on investment and complexity is a major barrier to that. I look at a lot of the leading products out there, particularly these massive platforms. Even if you’ve bought it, you’re probably only using 10%, you’re trying to bolt on product X with product Y and they don’t work very well together. And meanwhile, you just want to figure out a way to manage risk in a sort of post pandemic world. Complexity is really making that difficult.
John Verry (26:10):
Yeah. I think one of the issues there, and it gets interesting, and I think this is something you are trying to address with OrbitalFire and some of the other companies that you’re launching, is that if you’re in the SMB or SME, look, I think a best of breed approach makes sense if you’re big enough and you have enough resources. But I think you might be better off as a small company with a single throat to choke kind of approaches. I know that what you’re doing with OrbitalFire, I think that’s sort of the way that you’re looking at it as well.
Reg Harnish (26:40):
It is. Yeah. And I’ll talk about what I think is important for folks to consider going forward, but yet complexity is as many say the enemy of security. I don’t totally agree with that, but I do think it adds challenge and resistance to an effective risk mitigation or risk management program. It’s just complexity that generates friction and resilience in your progress and your forward motion.
John Verry (27:09):
Right. And your last pre-COVID challenge was something you labeled trust is fleeting.
Reg Harnish (27:16):
Yeah, this is my cynical view on the industry, which is it’s not just that there’s snake oil on the market, which we understand is the case. It’s not unique to cybersecurity, but I think there’ve been enough folks who have made investments, done hard work and still failed in whatever category you want to describe it in. So they’re starting to ask themselves, “How do I trust this vendor? How do I trust a salesperson?” Investors are asking themselves, “How do I trust my investments?” I think industry-wide, there’s a question mark on our approach and the way we’ve done this. Now, this is not all manufacturer and vendor issues. This is the folks who would rather take a blue pill than actually do pushups.
John Verry (28:08):
Are you saying there’s a blue pill I can take instead of going to the [crosstalk 00:28:13]?
Reg Harnish (28:14):
Listen dude, I’m 10 pounds overweight consistently, so if there was a blue pill, I’d know about it.
John Verry (28:20):
There is a blue pill, but that’s for a different reason, right?
Reg Harnish (28:25):
Yeah. Right. Okay. So you wanted white space, there it is.
John Verry (28:31):
Well, I think question mark on the industry, our approach, the solutions themselves, how we’re applying them, and what buyers are interested in doing, like how do we change the mindset? I think there’s been a real erosion of trust over the last five years or so.
Reg Harnish (28:47):
Yeah, I would agree.
John Verry (28:48):
So you’ve painted a pretty bad picture here with all these challenges, but I think there was some reason for a silver lining in your presentation where you think that these challenges have also created some opportunities. So why don’t we run through your thoughts on opportunities?
Reg Harnish (29:04):
Yeah. I really do. I’ll try and hit all these sort of together. I think there’s a significant opportunity for providers, vendors, manufacturers, as well as the folks who are responsible for actually managing risk in organizations to really hit the reset. This pandemic has globally, universally, and deeply caused organizations to rethink a lot of the things that they were doing. We should piggyback on that opportunity and say, “Hey listen, okay, we get it. We kind of messed some things up in the first 10 years.” Yeah. Trust is a problem, complexity, the perimeter, all of this stuff. We all admit to ourselves and talk about them in circles. And certainly, you and I have had many conversations, but I think if we don’t take this opportunity to hit reset, we’ve missed a real chance at starting over in some ways.
Reg Harnish (30:00):
So I think the opportunity is if you can do that now fairly, I don’t think anyone would be surprised if a CISO walked into a boardroom and said, “Hey, listen, here’s what we’ve been doing for the last five years. And let’s be honest, none of us had been real happy with it. The pandemic has given us new life. It’s given us a new way of thinking, and we’re going to go at this differently.” It’s going to be more centric on data. It’s going to be more supportive of the business vision and the mission. We’re going to figure out how to translate complex cybersecurity concepts into business language. We’re going to go back to the basics. We’re going to do some of the things that are proven and always work and demonstrate return.
Reg Harnish (30:42):
We’re going to figure out how to virtualize our workforce in a way that makes sense, because if you look at any of the frameworks, I mean, there’s thousands of controls. A couple of people can’t be masters of thousands of controls. So we’re going to figure out how to get experts working in every one of those areas without having to hire an encryption expert. Everyone needs an encryption expert, but you might only need them for four hours a month. So you got to figure out how to attract, and retain, and deploy, and allocate, and manage resources in a completely different way.
Reg Harnish (31:17):
And then for me, something that’s really near and dear to me is that if you believe in managing risk and the fundamentals there, an effective risk management program helps you ensure that you do the absolute minimum that you need to, to manage risk to an acceptable level. So for me, I’m encouraging everyone to go back and say, “Hey, listen, figure out what you can throw away, stop paying for, or you can turn off, or get rid of, or get back to not just the primitive basics in terms of your operations, but also scale back and think about the things that are really working.” Because if you are doing more than you need to, you just wasted the company’s money or you just wasted your customer’s money.
Reg Harnish (32:03):
So I think all of these things have really come together in a way it’s like, I’m hoping the light bulb goes off for a big part of the industry and say, “We didn’t like what we’ve just done. Everyone’s looking at us and there’s question marks and they don’t trust us. And there’s questionable return and our products are overly complex. We just didn’t do a great job communicating with the board.” You can get reset right now and do those things differently. And you have a great excuse to do that.
John Verry (32:30):
Right. So you probably lost a few people when you said do the absolute minimum. But that being said, isn’t that exactly what a good framework says, right?
John Verry (32:38):
Is that what ISO 27001 says, right? You and I both are ISO 27001 fans. Now, what it basically says is implement controls that are proportional to your particular contextual risk and your risk appetite. So it’s don’t do more. In fact, I would argue that when you aspire … and I always say this to people, right? So when someone will say to me like, “Hey … ” Let’s use password policy because I think anyone listening is familiar with what a password policy is. They’ll say, “Hey, can you give us a password policy? Because we’d like to do everything ISO 27002 says.” And I’ll say, “Wait a second. What are you doing now? How do we know that that’s not already effective?” “Yeah, I know, but I want to do everything that they say you should do.” “Why?”
John Verry (33:17):
I mean, if what you have is already effective, the only thing we’re going to do is by aspiring to do more that’s unnecessary. What we’ve done is increased the complexity, which increases the risk that we’re going to make a mistake on the stuff that was already working, or I’m going to run a risk that I’m going to get to my certification audit and I didn’t do two out of the 12 things that I said I was going to do, despite the fact that the eight out of the 12 were all I really needed anyway. And now I’ve got a nonconformity and now I have an issue in my environment that I didn’t have before. So I actually agree with you a thousand percent. I mean, it sounds like a funny thing to say, but I agree completely. So I also like what you said, “Develop a new skill, data management.” From your perspective, is that, that concept of information governance kind of coming to the front and center a little bit more and taking an information centric approach to information security?
Reg Harnish (34:04):
Yeah, I think the terminology, I think, changes depending on who you are or what industry you’re in, but for me, it comes down to something very simple, which is know your data, know what you have, know what’s important. So it’s criticality, it’s replacement value, understand the classification and what it’s worth to the business, and then focus your controls on the stuff that’s actually important. I think there’s a secondary skill, which is get rid of the stuff that isn’t producing a return for the business. So we’re all in, storage is cheap. I think we got into this mode where we were just collecting everything about our users, about the industry, about our competitors, about user behaviors. And if you’re not doing something with it, if that data isn’t fuel for an engine, meaning it’s not producing output, then it’s just a liability.
Reg Harnish (34:55):
So part of data management is also not just focusing on the stuff that’s classified as critical, or confidential, or sensitive, or important, but also figuring out a program or a process for jettisoning and cleaving off that stuff that is no longer important or not important enough. You could make the argument that every piece of data is important or could be used, but if it’s not important enough, figure out a way to get rid of it and reduce your cybersecurity footprint. It’s really important, but listen, I’ve worked with hundreds of enterprises, maybe thousands of enterprises, probably thousands, can’t name a single one that had an accurate inventory of its data assets along with the criticality, and the cardinality, and the replacement value and lots of other things.
Reg Harnish (35:46):
So it got ahead of us. Data expanded like other gases to fill the volume of its container and we didn’t do anything around the discipline to ensure that we’re doing smart things with data. We just collected everything and it’s gotten us in a problem. So I think we’ve got to be better stewards of data. I think we’ve got to be better experts in that area and really understand again, if you look at everything from ISO 27001, to NIST, to whoever, the first step in every one of these processes is inventory of data. And everyone just seems to skip that step. I think it’s going to be even more important going forward.
John Verry (36:27):
Yeah. So I think you can almost summarize a lot of what you’re saying in a weird way is know when to say no, which is a fundamental skill that all of us, I think, struggle with.
Reg Harnish (36:36):
Well, the way I help others understand it is personal fitness because there’s amazing, amazing parallels between your own personal fitness and your cybersecurity fitness. So ask yourself, is it worth going for a walk or maybe you run, or do you do pushups, to eat a salad, to get more sleep, drink more water? What’s it worth to you? So I told you earlier I’m 10 pounds overweight. I probably lied. I’m probably more like 12 pounds overweight because I’ve made decisions about my own personal fitness and personal health. I’ve asked myself the question that we don’t ask in cybersecurity, which is, is it worth it? Is what I’m doing worth it and have I reached my goal? Is it worth it?
Reg Harnish (37:23):
For me, I have a four-year-old daughter, so I am now insanely motivated to extend my lifespan and to maintain a level of fitness where I can walk through Disney World or whatever, throw a baseball. So what I would call my risk tolerance has changed significantly, so my program has changed significantly. But we’ve got to ask ourselves, is it worth it? I think if you relate or correlate your cybersecurity program to your own personal fitness and personal health program, it makes it much easier for you to understand and to make good decisions. So yeah, you’re absolutely right.
John Verry (38:02):
Yeah. It’s funny, I actually use the personal fitness thing quite a bit as well. I always like to talk about the idea of someone coming in and establishing your program for you being a problem, because much the same way, if you were going through a personal fitness program, you’d want it to reflect who you are and what you do. You don’t want somebody to come in and tell you, you eat nothing but kale salads and you’re playing tennis every day when you have a kale sensitivity and you’ve got a torn rotator cuff. I think that’s what we do sometimes and maybe that’s why trust is fleeting. We bring in these people from the outside and we let them tell us what to do without making sure that it’s the right thing for us specifically to do, much the same way, if you look at us as a personal trainer, which I like that analogy, you need to work with your personal trainer and you need to make sure that the program is personalized to your organization. We call that context or scope. Right?
John Verry (38:52):
Yeah. So good stuff. So I loved your presentation. I think we did a pretty good job of covering it. Anything else you wanted to add before we wrap here?
Reg Harnish (39:00):
Well, I’ll just mention one other thing. I think COVID has given us a whole new context, so to speak, for framing these conversations around risk. Because if you just go through your day, you’ll drive past people who are in their cars by themselves, completely isolated and still wearing a mask.
John Verry (39:21):
Yeah. Why do they do that?
Reg Harnish (39:22):
… which, okay. And then there’s people walking through a crowded beach with nothing. So they’ve each made personal decisions about what it was worth to them. So if we extend this personal fitness and personal health concept and analogy out to stuff that’s very top of mind today with meaning, well, what have we done about the pandemic? It makes it very topical. So you can have those conversations in a completely relevant and recent set of vocabulary. I just think that’s, again, just another opportunity that we have here in the pandemic.
John Verry (39:58):
Yeah. I would agree completely. So like you said, you’ve worked with, as I’ve been fortunate enough too, probably thousands of different organizations over the years. So I’m going to ask you a fun question. So give me a fictional character or real person that you would think would make either an amazing or horrible CISO and why?
Reg Harnish (40:16):
Amazing or horrible CISO. I’m going to strike out on this, but I’ll throw one out there, but it’s going to date me also. Do you remember Droopy Dog?
Reg Harnish (40:29):
He was very sleepy.
John Verry (40:32):
Just so you know, someone used another, in the last podcast I did. It was Natasha and Boris. Do you remember from Rocky and Bullwinkle?
John Verry (40:41):
Now, it’s Droopy Dog. Okay, go ahead [crosstalk 00:40:43].
Reg Harnish (40:43):
Droopy Dog is somehow … he was slow. He didn’t have much energy. He was droopy, but I think that positioned him to do things in a more calculated way. And the results were always positive for him despite his seeming shortcomings. I think he ended up pretty well. I think CISOs could be a little more droopy.
John Verry (41:11):
That’s interesting. So that’s the tortoise and the hare concept. And sometimes that more deliberate, more measured approach, I actually agree with you on that. I do think that, and you can always tell, anyone who comes into an organization and the first thing they start doing is rearranging the organization or buying product, to me, is the hare. And it just shows me that they don’t know what the hell they’re doing. The guy that comes in and says, “Look, it’s going to take me 90 days to figure out what’s going on here and then we can start to put together a plan.” That’s the guy that you want. So I agree with you. I like Droopy Dog.
John Verry (41:44):
So one last question for you before we say goodbye. So you’re a guy that works in this industry every day, all day and you talk with people everyday, all day. Any other suggestions for topics for the podcast that somebody might want to listen to?
Reg Harnish (41:55):
Oh God, there’s so many. I think digging into a few of these, what I’ll call, accessibility issues in cybersecurity would be interesting. Meaning how do we take solutions, whether they’re services or a technology stack, and figure out how to right-size them, build them so that you’re using 100% of the product all the time, that there’s immediate measurable ROI, and that they are affordable to the organizations who are buying them. I think if you follow deal flow or look at what investors are doing in cyber right now, there’s a whole cottage industry around accessibility, which is not looking at the best of breed, but looking at the good enough of breed and figuring out how to make those successful. I think there’s a lot of meat there that we didn’t get enough time to cover today, and there’s a lot of products. I think folks who are sort of on that bandwagon right now, I think it’s going to have some legs.
John Verry (42:55):
Yeah, no, I agree with you. And I do think like the folks like, what you’re trying to do with OrbitalFire, I mean, this idea of coming to somebody with a simple, comprehensive solution so that they’re not sitting there trying to navigate through 16,000 products and put together the right set, I think your approach is a super solid one. So I think you guys are going to enjoy a lot of success and I wish you nothing but the best of success. All right, cool. So thank you.
John Verry (43:20):
How can folks contact with you if they want to reach out?
Reg Harnish (43:24):
Sure. So slingshotcyberventures.com or orbitalfire.com are really the two places where I’m spending my time. But really I’m at OrbitalFire most of the day, full-time at this point. I’m super excited about it. I think we have a huge opportunity, particularly because there’s, I think, 22 million prospects out there for us right now. And in a lot of ways we have very few competitors only because what I’ve seen, just being a guy who’s grown businesses, most businesses have to start to move upstream, right? Their overhead increases, their margin erodes, so they’re looking at bigger and bigger deals. So again, just naturally there’s this sort of progression or momentum towards moving upstream to medium enterprise, to large enterprise, to Fortune 10,000, whatever. We are solely and exclusively focused on small business, which I’m super excited about. So that’s where I’m spending most of my time these days. If you follow me on social media, that’d be great.
Reg Harnish (44:29):
I talk a little bit about some of the other companies that I’m helping advise. One I’m particularly excited about is called CYRISMA. It kind of ticks a lot of the check boxes for me, accessibility, affordability, it’s basic. It really focuses on the controls that every organization needs to do. It doesn’t matter if you’re pursuing security, or compliance, or privacy and it’s data centric. And then there’s other examples as well.
John Verry (44:52):
Good stuff. And the 22 million, I’m assuming that’s the number of small business. What’s that number?
Reg Harnish (44:58):
Yeah, 22 million, small businesses registered in the United States.
John Verry (45:02):
And what’s that definition when you say a small business?
Reg Harnish (45:04):
That’s a problem. Don’t ask me hard questions, John.
John Verry (45:09):
Yeah. But if you had to venture a guess, is that 22 million under a thousand people, 22 million under 500 people?
Reg Harnish (45:17):
The government probably has a definition on this, but my guess is that these are truly like small businesses, like fewer than a hundred employees, maybe fewer than 50 employees, something like that.
John Verry (45:26):
Wow. That small. Interesting. Yeah, that’s a massive marketplace. The funny thing too, is that, and I don’t know if you experienced this, I’m always amazed, you’ll go and you work with small businesses. By the way, as you know, our client base is 90% SMB. That’s where we live every day and that’s where we actually enjoy working. And I’m always amazed. You go into these smaller companies, they have this perception that they’re at less risk because they’re a smaller company. It’s like, “No, you don’t understand. I’m not a target.” And you probably see the same thing. I’m always like, “Look, you may be a target or maybe not a target, but you might have a competitor that wants to know what you’re doing. You might have someone you pissed off as an employee, someone pissed off as a customer. So you may be a target.” But whether you’re a target or not, it doesn’t matter, a large percentage of the attacks are opportunistic anyway. Right?
Reg Harnish (46:11):
Right [crosstalk 00:46:12].
John Verry (46:11):
A guy sets up a scanner looking for … there’s a new Joomla, WordPress flaw. He sets up a scanner and he’s scanning the internet. He stumbles upon your infrastructure. So yeah, I mean, it doesn’t matter if you’re a two person company or a 50 person company, you have the same risk as everybody else and you’ve got to have a good information security posture, or it’s going to cost you at some point.
Reg Harnish (46:31):
Yeah, probably. Yeah.
John Verry (46:33):
Cool. Well, listen, Reg. Awesome job. Thanks for coming on, always [crosstalk 00:46:40].
Reg Harnish (46:39):
Thanks for having me. This has been great. I appreciate it. Good to see you as always.
You’ve been listening to the Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at firstname.lastname@example.org. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.