Evan is down in Mexico and took Ryan Cloutier (Head of SecurityStudio) and John Harmon (President at FRSecure) down with him. The two replace Brad this week, and together, the three break down cyber attacks in 2021 and more happenings in the security industry. Give this episode a listen and send questions, comments, and feedback to unsecurity@protonmail.com.
Protect Your Organization from Cybersecurity Threats
SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
Podcast Transcription:
[00:00:22] Evan Francen: All right. Welcome Unsecurity podcast listeners. This is episode 139 and the date is Tuesday, July 13, 2021. Joining me here, we’re on site in miss molloy to Mexico and I’ve got my good buddy and president of FRSecure, John Harmon, here. Say hi, John.
[00:00:42] John Harmon: Hi John
[00:00:43] Evan Francen: Yeah, I got that. And then my other buddy who runs the other company, SecurityStudio, Ryan’s also here. Right.
[00:00:52] Ryan Cloutier: Good to be here in Mexico.
[00:00:53] Evan Francen: Yeah. So I figured, we’re not, Brad’s not with us because Mexican bandwidth is always kind of funky.
[00:01:02] John Harmon: Yeah.
[00:01:03] Evan Francen: So I figured we’d do the podcast here locally. Amongst the three of us, share some thoughts about security things. You guys have both been on the show before, but it’s been a while since you’ve been here. So we talk about what’s currently going on in your world and what we’re seeing and see where the, I guess, the conversation takes us. Sound good? All right. So desert with you, John, you’re president of FRSecure busiest health great years so far. First half of the year is, you know, behind us now, we’re ahead of pace. Things are going well. What are you feeling?
[00:01:36] John Harmon: Feeling good? You know, it was all the covid stuff, you know, this time last year we had no idea what’s going to happen or what was going on. It seems like everybody woke up after Labor Day and decided like, okay. And there was no pandemic. We need security stuff. And it’s been kind of bananas since then, which is great. Unfortunately a lot of that activity has been, you know, forensics and incident response, which we’re very happy to do but rather be preventative work. You know, like it’s, it breaks my heart a little bit whenever you get that “Hey, I’ve been ransomwared and I don’t know what to do” call. You know, it’s just uh, right in the fields. You know, you just, your heart goes out to them, but it’s nice to be in a position to help anyway.
[00:02:14] Evan Francen: That’s cool. But it was happy that, you know, you do say, I think year over year we’ve had more incident response work this year than in years past. However, the, I didn’t notice that the number one thing that we’ve sold in the first half of the year has been risk assessment, is that
[00:02:32] John Harmon: Right? Yes, that’s still correct. Which is fantastic. Right? FRSecure is kind of known in the industry for security risk has been quantitative risk analysis, which you developed and now SecurityStudio is perfecting and, you know, getting it out there and everything, and then virtual CISO continues to be, you know, having the data, having the assessment is great, right? Which can just point out problems with these people look right. So the ability to kind of project plan out what does your security look like over the next few years and that’s sticking around and open it through that still very popular thing. Yeah, that’s
[00:03:06] Evan Francen: cool. That’s very cool. So speaking of, you mentioned SecurityStudio, I got Ryan here, the not officially named president, but we call you president of SecurityStudio, I think it’s just formalities. Right? So you’re leading, pretty much leading that organization now, which is really cool. I love the way you stepped up over the last year build off. Well, John just said, I mean, how are you seeing the business first half of the year? Success, not success? Yeah, I would say, you
[00:03:33] Ryan Cloutier: know, first half of the year was, was a little bumpier just because the markets that we serve are the underserved markets, they were dealing with the pandemic. So you’ve got state, local government, you’ve got K-12 schools, they had so much to address during the pandemic that unfortunately a lot of the security work that they needed to do got put on the back burner. But as we came out of the pandemic, you know, we saw a huge surge in a need and a demand for it. One of the things that we’re hearing a lot right now is around vendor risk management and uh the need for more organizations to provide virtual thunderous match because they just, they can’t keep up. A lot of these organizations that we serve are, are smaller, uh, you know, they’re stretched really thin. So we’re working on some innovative solutions within the tool set to make that easier. This year we’re gonna be diving in deeper with our partners and helping them to stand up and structure programs, and probably the thing I’m most proud of and excited to talk about this year that we’re working on, a matter of fact, we’ll have our official kickoff for it at the end of the month. SecurityStudio has partnered with an organization called the accent A B A X M T, I believe. Okay. Uh, and what they do is they help underserved communities get employment. And so we’re partnering together to create a new workforce of risk assessors in the rural areas of Wisconsin where there’s a huge demand from the companies there, manufacturers, a lot of large manufacturers, but there’s a very small talent pool. So we’ll be working very closely with them to create new entrepreneurship opportunities and to actually create a formal training program where we can partner with them to create new certified risk assessors. So that’s really exciting.
[00:05:29] Evan Francen: That’s super cool. So, you know, information security has always been known as being a cost center, right? Kind of one of those necessary evils. And we’ve always professed that if you do security right, it can actually be, you can make money, you can set yourself apart in the marketplace, a market differentiator, you can find areas of opportunity because complexity being the enemy of security, then the opposite would be simplicity. Right? So if I take a 20 step process and make it into a three step process, not only do I make more money or profit, you know, but I also make myself more secure. But on the other, a whole twist on this too, and we do it at FRSecure, does the mentor program, right? There’s opportunity for you to create a career, for you to make money yourself personally. It’s cool. Now SecurityStudio is doing the same thing. Kind of a different men to write, reaching out to people in these rural communities and giving them opportunities to have careers in information security. That’s cool.
[00:06:32] John Harmon: Yeah, that’s pretty, I mean I think back, you know, when we first started doing and, you know, like formalizing the risk assessment and back then it took somebody with 10, 15, 20 years experience, like 100 hours to do an assessment like this. And it was very, very costly. And even still today, if it’s important to you to have like a rank level security expert do the assessment, still very expensive. Oh, but the tool has kind of outpaced the need for that kind of expertise. So you don’t have to be a virtual CISO, you don’t have to be some high powered security professional to get a worthwhile risk assessment. So that’s awesome. We could create this niche in the industry of risk assessor and still have all that good data that you would get from a security professional. Just the software automates it. Right? So we can start moving the money from measuring the problem to actually fixing things, right? It’s amazing that so often there
[00:07:25] Ryan Cloutier: Yeah, that really is the goal. The goal is to help people to be able to focus their budget On the solutions on actually solving the problems and putting in the necessary security controls. Uh and the reality is is uh you know, we have 6.5 million businesses right now going completely unserved because there is a limited resource pool, even if you have the money, good luck getting on anyone schedule right now. So being able to create more opportunities to get more folks doing this work. Um and the cool thing is a lot of people already possess the skills that they would need, You know, just to be able to converse eight, I tell people all the time, if you’re a business analyst, project manager, uh you know, it really any kind of communications type wall where you’re interacting with people and having conversations, you’re 80% of the way to being a risk assessor.
[00:08:20] Evan Francen: Yeah, and I love one of the things that I think when our minds sort of melded together, uh it was this information security as a life skill, right? And people need to really embrace that, right? We did the S2Me to try to get people at home, right? Nobody is responsible for information here at home more than you, meaning the head of the household, right? You make the rules, you determine what’s appropriate, what’s not appropriate. You’re the one who secures that router or doesn’t secure that router, you know? So there’s, and as we continue to go down this path, right? Where things get more and more and more electronic and more digital, that becomes more and more important, right? And so trying to not leave people just kind of dangling uh and saying, oh yeah, I guess it is kind of the security guy’s problem. No, it’s
[00:09:05] Ryan Cloutier: not. I hear all the time, and I don’t know about you guys, but all the time when I’m talking to, you know, your average small business owner or even just people on the street, what they say to me is, you guys need to make this simple. Okay, I don’t have time to learn all these things. I don’t want to learn all these things. I don’t want 50 steps to secure my home router. I want one. I want simplicity. Make it work easier for me. I know I need it. I know I want it. I know I’m supposed to be doing it, but there’s nowhere in my life today that I can fit in an extra five hours to be a security pro. So I think we’re going to continue at SecurityStudio to focus on how can we further simplify, how can we make this as turnkey of a solution as possible to really accelerate folks to doing the right things, being able to secure. But most importantly, getting them focused back on the businesses that they run instead of being in a state of fear about ransomware coming later this afternoon or tomorrow. We want to get them focused back on doing good work.
[00:10:14] Evan Francen: Yeah. And these are life skills, right? It doesn’t even have to be at home. I mean it works, it’s at home as well, and we’re down here in Mexico and just prior to us starting this podcast recording, John, you were giving a talk to some high school students about security things. How did that
[00:10:33] John Harmon: go? You know, it went really well. It was a favor for a friend of mine, was like, hey, there’s this thing that, you know, we talk to a bunch of high school kids about security or privacy or whatever. So they focused in on financial apps, like banking apps or PayPal or Cash App or, you know, whatever that is, and it was super cool. So you can kind of run through the content like, here’s some good resources, and then get questions. That’s my favorite part, the answers. Really awesome questions from the students. Just to, you know, normalize this a little bit, if I can slander my own people a bit, I think technologists and security technologists in general like to keep a little veil and make you think that only we can do what we do because we’re so smart, you know what I mean? It’s part of something that’s broken in our industry, until we, like, bring that down and be transparent. Used to be like the name of the game is you can’t be 100% secure, so just don’t be low hanging fruit, you know what I mean? Be transparent, like help simplify this a little bit, make it a little more attainable, because you put these like huge bars out there that are really high, like you must be at this level, otherwise you’re just wasting your time. People aren’t even going to attempt it. So it’s fun. And the kids, young like that, is always good too, you know, thinking, here the questions they’re asking, it’s like better than some of the security folks.
[00:11:50] Evan Francen: I love that man, one of the best socks paper gave us a bunch of sixth graders. Alright, my daughter’s going to ask questions like, wow, I love that perspective. And that goes back to, I mean we’ve preached this before to that, you know, I’m a big proponents, all three of us here about diversity, right? And I know that in the last few years that words kind of been stolen to mean something maybe a little different than what I’ve always thought it to me. To me, I love the different perspectives, right? If somebody with a different background, skin color and that stuff doesn’t matter. To me, it’s the background, it’s a different view of the world that you bring to the table. That’s so important. When you talk about those high schoolers, I mean they’re bringing this viewing like, wow, that’s a good question because if you’re going to connect with them, you have to take the time to do this, right? That’s really, really cool. You mentioned nothing about us using this vernacular. These words, I think that they make me feel really good. I feel super smart when I use some big ass word. You’re looking at me like, wow, you must be smart. That’s bullshit because I’m not connecting, you have to understand the words I’m using just this last week. I think it was maybe the real weekend, it was somebody used the word hacker and they take offense. This is somebody who is a, a hacker, right? And he was sort of taking offense at other people. Maybe don’t have as many years of experience in his industry calling themselves hackers. So I replied on, there I go. If you’ve ever used duct tape before, you know, hacker. Yeah, I mean it’s a you don’t, computer is not required, right. The ingenuity, looking at things from a different perspective, creativity, some skill to use something in a way that maybe it wasn’t originally designed, you know, for that, to me is a hacker, right? So we’re all hackers, some level,
[00:13:39] Ryan Cloutier: Absolutely, I completely agree with that. You know, one of the things that I did this week virtually is uh, the GenCyber camp run by Alexandria College back in Minnesota,
[00:13:54] Evan Francen: the technical school.
[00:13:55] Ryan Cloutier: Yeah, they did the kick off and I was on a plane on the way here to Mexico, so I had reported it. But one of the things that I tell those young aspiring security professionals, two things, when they say, you know, what, what other skills do I need besides, you know, learning how to actually pen test or do networks and things like that, and it’s communication slash psychology. Uh, and the other one is, know that you work for the business. You don’t work for anybody, you don’t work for security, you work for the business. And if you have that mindset when you enter this industry, there is no limit to where you can go because that is the rare skill set in our industry. To the point John made earlier, that you made, you know, for me security people always seem to want to be smart and right at the expense of getting the right things done, at the expense of building that relationship that will allow for culture to develop, which actually leads to behavior change. And so, you know, if I have one gripe to pick about our industry, one thing that I think is really broken in this industry, it’s that wanting to be smart, right? To your point about the guy that you were interacting with online, you know, you lost an opportunity there to build favor, to build rapport, to just have the ability to sway them to a different way,
[00:15:18] Evan Francen: right, and get off your pedestal, right? Being a hacker doesn’t mean that you can, there are some people who are very, very, very creative, who are super duper smart, that can’t even use a computer, right? And I would rather be locked in a room trying to get out of prison with that person than some of these computer people, right? Because they’re creative, they think differently, they’re smart, they see how things fit together. I think puzzle makers are great hackers because they see how pieces fit together, one piece goes to this piece and they all fit together. So I was kind of upset because you take this elitist attitude like, how dare you call yourself a hacker when I’ve got 20 years experience and I can take down this server right now. You totally missed the point of what hackers
[00:16:06] Ryan Cloutier: well, and can you get out of the puzzle room, right? Yeah, you
[00:16:10] Evan Francen: can you wipe your ass, you
[00:16:13] John Harmon: want to be right or do you want to be correct?
[00:16:15] Ryan Cloutier: Yeah, exactly.
[00:16:16] Evan Francen: Well you’re right because we’ve it’s kind of been weaved in this whole conversation to about information security is a life skill and it’s a safety issue, right? More than it’s ever been and it continues to go more and more than that way where I might have the most elitist hacker skills ever. I can’t protect the person at home, was about ready to have their child either preyed upon or you know, their privacy is gone or house burns down. I can’t help that. Right? So we have to get these other people to join us, you know, kind of this big mission.
[00:16:51] Ryan Cloutier: Well, and I think, to tie off on that, it’s, it’s a societal problem and we have to approach it as a society. Today we’re not, it’s a societal problem that we’re approaching as this niche where only this group of security people can, can solve this. And I think that leads to the average person kind of throwing their hands in the air and saying, well, I can’t do anything about it, so why try? And honestly, the only way we’re going to get ahead of this is by approaching it as a life skill, as a foundational life skill. Like looking both ways before you cross the street, washing your hands, wipe your backside, right? These things that we teach our youth, especially if we’re gonna put an iPad in the hand of a four year old, we need to understand the impact of that. We need to understand
[00:17:39] Evan Francen: that. And at what point do we, what point do we just give up on the person that’s just not going to listen and they’re going to cross the street without looking both ways anyway and they’re gonna get killed? Yeah, I mean I started to ask, I started to ask myself that question. Like I told you, it’s not 10 times. I can’t waste any more time here. I need to move on to people that will listen, that will embrace, that will protect themselves. Sorry, this one’s gone. Because you talked about it too, John, about some of the ransomware stuff, you know, or some of the incidents that we respond to. We have had to sit across the table from presidents, CEOs of companies and tell them essentially the company is not going to survive. You just got hit by a semi truck because you didn’t look both
[00:18:20] John Harmon: ways. Yeah, that’s uh, you know, it’s never satisfying. You know, if, you know, there have been times when we met with people, you know, and it’s pretty easy to get people, you know, companies, to talk with you about security, right? Everybody has a question. It was a little curious, right, separating the intellectually curious from the economically serious attitude over things. Like, are you actually going to do anything about this? Are you going to take my recommendations? Are we just BS-ing about security here? Like I’m happy either way. You know, but you should do something, right? You should be getting a theft. You should have a plan, should be working that plan, just, you know, making those, those simple kind of fundamental incremental changes. But, you know, you tell me to pound sand and, you know, I’ll call you if I ever need to, and then that call comes, it’s, your business is going to die because you didn’t make these fundamental incremental changes. There is no “told you so,” like you can’t, right, but it is an urge, but it’s, it’s so unfortunate and it was so easy to prevent most times. Most of the time when we see these things, it’s not the 1% of hackers that you just, you can’t stop. It’s not those guys, thank God, right? It’s, it’s somebody messed up, somebody clicked on emails, it was an oversight. It was just something knucklehead. It was, you know, RDP open on the internet, right? It’s just stuff that, it’s best practice. It’s fundamental. It’s easy, but you just didn’t have her iron ball, but I think it can cost you everything.
[00:19:50] Evan Francen: Yeah, I think a lot of times people maybe get overwhelmed when you look at all the security things, and we noticed this, I think CIS noticed this, I’m happy to see that implementation groups, we went with level one, level two, level three, not all that unlike, you know, their implementation groups, because we also have to meet people where they’re at, right? You talk about critical infrastructure, one of the, and it just keeps pounding in my brain, you know, the Oldsmar attack, right? Because that one was so well publicized. There’s lots of them, by the way, if you Google, you know, water treatment facilities that have fallen victim to ransomware, you’ll find more than Oldsmar. But the reason why that one sticks out is it’s critical infrastructure, and what we did with critical infrastructure is we created this, cool, the NIST CSF, we made it voluntary, which was one problem. And the second problem is you can’t give a water treatment facility manager, somebody who makes the water pumps work, make sure the water gets to your house, you can’t give them a NIST CSF and say do this. Right,
[00:20:51] Ryan Cloutier: right. Yeah. And I do see a ray of hope, you know, one of the things that I’ve seen just in the last couple of months that, that really gives me hope is our counterparts in the insurance industry waking up to the fact that the model that they’ve had for the last few years of providing these large ransomware coverage, you know, offerings with very minimal expectations of doing the foundations and fundamentals with, you know, a questionnaire that has seven questions on it. What I’m now hearing from clients that we interact with is that, that one pager is now 15 pages and they’re, you know, chancellor underrate. Uh
[00:21:35] Evan Francen: but the one thing, one biggest complaint we would get about our risk assessments from, from cyber insurance underwriters was it’s too long, and I was like, well, seven questions, I mean, come on, that’s too short. Can we find a middle ground? And it’s good to see now that, you know, they’re kind of waking up. But it’s also frustrating because we told you when were people, you know, I don’t know. Listen, well,
[00:22:02] Ryan Cloutier: I’ll give you a personal story from my childhood. I was told not to run by the pool repeatedly. I was told this over and over and it wasn’t until I drove a tooth through my lip that I learned. And so I do think we are going to have a little bit of that. You’re going to have to hit the wall to wake up to this. But I’m hopeful. So I heard, uh, from one of our mutual friends that Lloyd’s of London is no longer issuing very high value policies. They just won’t do it. Uh, and you know, that’s going to have a trickle down effect. And I honestly think when the business goes to renew and they see a 40-60% increase in their premium or an outrage which use will recover them, I think that’s the hitting the wall moment for these businesses. I think that’s when you’re going to see them start to wake up. Okay, wait a
[00:22:53] Evan Francen: saying from a vendor risk management perspective too, I know many organizations that won’t do business with another organization if you don’t have a cyber insurance policy, thinking that that is
[00:23:02] John Harmon: due diligence,
[00:23:03] Evan Francen: they have insurance or not. There’s so many different ways to, you know, I think, provide adequate security to the people you serve beyond just having cyber insurance. That’s a little frustrating. But back to the point tuba, um, you can’t save everybody, you know what I mean? And we’re Christian, three Christian guys, you know, it reminds me of when Jesus said, you know, shake the dust off your feet and, you know, continue down the path, and I’m starting to see myself do that more, not because I’m frustrated, but because we have so many people, I think, to help that I can’t keep spinning my wheels here. I’m sorry, when it hurts, when that tooth does go through your lip, I’ll be here to help, I’ll come running with a towel to try to help you
[00:23:50] John Harmon: out. You know, it’s that 80/20, right? It’s that 10% on either side, because you have the 10%, they’re just like, it’s right, they’re not going to come along until it hurts enough. And you’re just like, those are, those people are frustrating, but on the other end you have some companies that are overdoing it, right, and they’re, they’re eating up our time. You know, and, you know, security experts’ time, because it shows well, because it looks good, like they have their act together, they have their own security team, they have everything that you would possibly want, they’re very, very unlikely to have any meaningful event affect their, the flow of their business. But they’re like over investing in security. And so we just sit around and twiddle our thumbs and do the same things over and over because it makes the board feel good or whatever it is. Like those people also drive me crazy a little bit. It’s like, hey, you guys got this, like you should be maybe spending your money somewhere else here in a different way. Now can we, you know, move on. And there’s that middle 80% that’s on the spectrum somewhere that we can get, you know, really move the needle on.
[00:24:50] Evan Francen: It’s like that guy, that guy, you know, you go over this house. We probably will have a friend like this. And There’s like 18 locks on the door. There’s camera surveillance everywhere, alarm systems inside the house. Everything. I mean they’re like over secured everything. It’s like, hey bro, you live in Konia. You know, there’s no crime right here, right? Right? You’re trying to protect
[00:25:12] John Harmon: against, you know, he wants your help. He wants you to come over and help him help you dig like a laser trip wire around the house. It’s like
[00:25:18] Evan Francen: no dude, come help,
[00:25:19] John Harmon: come help them unlock. I think so.
[00:25:22] Ryan Cloutier: Well, that’s the same guy that usually has the 40 ft single pane bay window. All right? So for all that. And yet you still have, you know, easy to bypass piece of glass. And then we talk about this all the time when you’re managing risk. What’s your next most unacceptable risk? Right? What is that? You know, you can chase, you can chase down every little thing. I deal with, you know what, I’m working with schools. I will run a vulnerability assessment. It will come back with 12,014,000 findings. Well, that’s not 14,000 unique vulnerabilities. It’s two vulnerabilities across the entire environment, and, you know, so, but helping them, because they don’t know if they see a number, a count, and it causes panic. And so you’ve got to sit them down, the number, hold on, really, only talking about two here. It’s just everywhere. Let’s push that patch out. And it still surprises me how few organizations today are doing adequate patch management. All right. You know, we won’t go too deep into that press.
[00:26:26] Evan Francen: That’s not something new right now. It’s not, everybody should know that now. So then on things like that I’m starting, I’m starting to sort of just shake the dust off my feet. The guy got the next thing that I need to work. You already know this, right? If you just choose not to do it, that’s your problem. Not only that, but we put it into context for you too, right? We did, we do assessments. Step one, step two, step three. Right? So, you know, where it’s on the spectrum of things, because it doesn’t, it doesn’t make any sense for me to do patch management if I have no asset management. Doesn’t make sense to do any asset management if I don’t have roles and responsibilities figured out. Right? So back it up to, where do I start this thing, start shoring those things up and then you get to patch management, and it’s just the way you do business, right, it’s work. And I think a lot of things, you know, in 2021, now we grew up hard working folk too, right? I mean you grew up in Montana, you know, Texas and Montana, working hard, you grew up following your dad all over the place, handyman, everything. And, and I grew up a 20, you know, son of a 20 year Marine, we all had kind of work beaten into us, so I don’t mind work, but I wonder how much people we talk to are like, yeah, that looks like work, where’s the easy button, can I buy something to fix it?
[00:27:45] Ryan Cloutier: I think that’s part of it. I also think there’s still that fundamental disconnect. We don’t treat this, we don’t treat information security or IT like we do the rest of our physical world. If I go into a manufacturing facility and I ask them about maintenance, they can tell me in exhaustive detail about this equipment, between this bearing, when it’s going to fail, the maintenance schedule they have to prevent that, the downtime they planned for their production line, all these things. And then I ask them about maintenance on their IT systems and they just blankly stare back, well
[00:28:22] Evan Francen: and to their kind of, to uh, it changes so damn fast. Right. That big machine that you, you’ve had it in your plant now for 20 some odd years. You know, I’m like a second or third or fourth generation of mechanics maintaining that machine. And in IT you’re like, yeah, things were populated I think 14 times and we’ve installed eight other applications that basically do the same thing that that one does, but just in a different way, because the guy over in marketing likes his way and then the guy over there in legal likes his way and the CEO, he wants his own applications that do the same. I mean it’s just like, what the hell, when do you stop the chaos and say no, no, no, no more applications until we figure out what the hell we have
[00:29:02] Ryan Cloutier: for this
[00:29:05] Evan Francen: insatiable demand for more. It’s nuts because it does come crashing down how many times we’ve done john in an incident response where like I didn’t even know it had that system or I thought we were protected because we bought something like it wasn’t protecting the thing. You thought you had all the time.
[00:29:24] John Harmon: These uh setups that like on paper are impressive. You got a tool for this tool that a tool that double checks in case this one doesn’t work and all this other stuff. But they forgot to point all that at their assets, like you missed the first step, Like that’s the only works if it’s looking at everything and you’re going to have a look at everything because you’re not doing that, somebody sold you a bill of goods, saying that this would do it for you and it just doesn’t, you know, again, it’s always the fundamentals.
[00:29:51] Evan Francen: Yeah. And then from a vendor management perspective, I just did the State of New Jersey’s, you know, one where they asked us a bunch of questions and they actually, that was a good assessment. We’re not, I think I like the way they went about that, but um, a lot of times, you know, our customers, or where we’re the vendor, will ask us if we have these certain technologies, but doesn’t really ask enough about how we’re using them, whether we’re using them appropriately. And so it almost makes risk more than not having a tool in the first place, because now I’ve got a false sense of security, I’m not checking for, you know, cracks in the foundation anymore, because I feel like it’s hidden by like multiple layers of paint now, you know, until it comes crashing down. And I was going to write something and I know this is nowhere near the right time to leave, from a political correctness perspective I’ll get my ass handed to me. Yeah, well, because I was going to write about the, you know, the building that fell down in Florida, right? You talk about the difference between physical and digital, logically, they’re the same damn thing. It’s just the form that they take, right? So I have this building that we can all touch and see and whatever. And the foundation went to crap. It wasn’t maintained appropriately. Maybe not appropriately, but it was multiple layers of paint. They continued to sell new condos there. I mean, it was pretty well occupied and the foundation failed, it came crashing down. The same thing happens from a logical perspective, right? Where you build all these things, you put all these things, more stuff, more stuff, more stuff on the outside. It looks like a beautiful piece of art, right? But under, underneath it, it’s all rotted. It’s coming down. It’s going to hurt. Uh, on the physical side, people died, you know, 100 ish. Hundreds of people, you know, that which is really breaks my heart, because the same thing is going to happen on the digital side, because we’ve become more and more and more dependent on the digital stuff to keep us alive.
[00:31:50] Ryan Cloutier: Yeah. Uh and we see that in all industries, you know, there, I’m working with some folks who are working on a project for an H and C. C. Because they’re trying to get this executive order, you know, they’re trying to honor the executive order, The fighting went out and they need to separate the OT from IT. This hasn’t been done before, the way that it needs to be done. And so, you know in those systems we’re talking about, you know the folks that are helping to snap it, hope it right now. We’re talking about research laboratories being unable to conduct research if something happens. There is a physical impact. We’re seeing it in our critical infrastructure. Um you know, we’re uh huh. It’s just it’s spiraling. You know, the medical stuff fascinates me, the amount we have surgery robots out, you know where the doctor is remote hands. You know, you’re getting surgery done at your local hospital and the surgeon is 3000 miles away controlling that robot through an internet connection. Well, what happens on that dark day when somebody decides to hijack that signal? And unfortunately they’re not thinking about that. They’re not, when they’re building this technology? It seems to me that it’s happy path only and they’re not thinking about the destructive use cases. We talked about this the other night on another podcast that we do about software development practices, how we need to take a really hard look at the security components and do secure by design at the onset of the idea, not trying to hot patch on some security control after we build something that’s insecure.
[00:33:27] Evan Francen: You’ve got so much wisdom that we shared over the years. I mean, we said that something that’s insecure at the core will always be insecure, period. So if you started an application, if you started an application and you didn’t start following good secure coding practices almost from the get go, you’re just piling more crap on top of crap on top of crap and it may look like lipstick on a pig, but it’s still a pig. We saw this happen for those of us who were around when 24 was a thing. The reason why you had to completely redesign everything, the kernel and everything, from 24 to the next version, and you do this on multiple next versions, is because the core of the kernel was written insecurely. You could never secure it. That’s why you always had to patch, it always had service packs. You remember those days well. And so if we could go back to writing securely from the very beginning, good coding practices. Now the problem is that slows things down. We have a sensational lust for more and more and more new features, new features. We’ve adopted new security, we’ve adopted new technology way faster than our ability to secure it. We are so far behind the current right now. That’s why Biden’s, when you look at Biden’s executive order, it looks like holy crap. You want me to do all this stuff. Yeah, that’s just kind of the beginning. Right? You’re so far behind right now. I mean it’s almost start
[00:34:47] Ryan Cloutier: over well and I think of it as getting to the start line, something I say a lot when I’m helping, especially the schools, navigate this. The goal of what we’re about to do isn’t to get you scared. It’s to get you to the start line so that we can begin to secure, there’s just, there’s so much free work uh, in those environments, you know, they don’t know the networks, they don’t know the assets, news, you know, there’s just all this stuff, it’s on the internet, it’s like, okay, you got to go back
[00:35:16] Evan Francen: to square one. Building comes crashing down, you can’t patch the building, right? You have to start, you have to wipe it clean and start over again and that’s what you need to do. And so many of these technical environments that I’ve seen, from network to network infrastructure. Just that where the network was designed right, well, you’ve got segmentation. Well, great. And that’s really good from a performance perspective, probably because you know, limiting my layer 2 traffic, but from an isolation perspective, which is the secure way everything’s built, you can’t do it because you’ve got, you’ve got applications all over the place, servers all over the place, clients all over the place. You and then you start to kind of go down this path, these are moving things into their appropriate little buckets, but you still can’t lock it down and then you start talking about zero trust stuff, forget about it. If you want to do zero trust you should have done that from day one, now you’re just retrofitting a whole bunch of crap and if you look at the zero trust architecture stuff which is funny, as funny, sad, it’s sad. It’s not funny. But look at, you look at sts guidance on zero trust, you know architect architecture, you have to add like four or five serious components into the ark, into the architecture, into the infrastructure to even get close to it. And from a guy like me, I’m looking at it. Okay, so I have more complexity to fight the thing that I don’t understand already. Seriously, if I was doing zero trust in almost any organization, I would start from scratch, well you have to clean the brand new environment, move things over as you go.
[00:36:51] Ryan Cloutier: Yeah, absolutely on that. And you and I have talked about this, zero trust is a great buzz term but you can’t actually communicate
[00:36:59] Evan Francen: zero. There’s that guy, is that due to a Flasher who thinks he actually invented this. I’m like you invented the name, you did not invent any of these concepts, like ask some of the Unix guys that were. Yeah. Uh so anyway, uh FRSecure, the theme, what would you say like the first six months of the year are come now, we’re moving on to the next six months. If there was a theme that you could think of to summarize what the first half of the year looked like, is there something that comes to mind, a word or a phrase?
[00:37:38] John Harmon: If I have to sum it up simply, I guess it would just be focused, right? We have a really good team and they’re, they’re doing their jobs, everybody’s performing at a very high level, expected outcomes are coming true. You know, it’s all of that. Um, I think, you know, everything is going pretty well, the second half of the year is going to be just as bananas, we’re on this ridiculous growth curve and these commitments that we’ve made on that. But it’s all kind of born from, you know, I hope I’m wrong about this, but we’re not finding a lot of help out there. You know what I mean? Like there’s pockets in places where organizations are partnering and they’re doing things. But from our mission perspective, when we learned this when we were on the road show, not a lot of FRSecures out there. There’s a lot of private companies that also consult. There’s a lot of compliance companies that also do some good things. But you know, a group of security professionals that are testing the way we test, pen test the way we test, the assessments the way that we do them, the incident response the way that we do it. That is 100% solely focused on actually fixing the problem and not appearing to is way too rare, when you find them. It’s like brother, I’ve been looking for you and you know, but it’s, we’re just kind of like all right. I guess we’ll just get to the point where we’re credible enough and big enough, successful enough where people want to emulate, right? And that’s, that’s kind of been our focus and it begins and ends with, in my opinion, our security team, which you started and that has really grown and now the leaders that are coming out of that, you know, Megan and Brad, Oscar is a once in a lifetime kind of guy and his team, american Tyler now, you know who we started. You know, he’s the one who, you know, couldn’t, who ran a vulnerability scan at the hospital, right? And took it down way back in the day and now he’s, you know, he’s grown and learned so much and all the stuff that he’s doing with our party now. I mean like this is it’s a special, special experience. Very happy to be a part of it. What’s
[00:39:39] Evan Francen: really cool man. And you lied at the teeth. I can’t believe how well the whole company’s led, you know it, but it goes back to that foundation too, right? I mean, you remember the early days, you were employee, when it was 466, no one in my opinion, whatever. Yeah. No, but you look at all the struggles we went through trying to build this foundation, right? To build this. This is how we’re going to do things. We’re not going to compromise. We’re not going to compromise. Just like I wouldn’t compromise the foundation of a building, if you’re going to compromise anywhere, why the hell would you compromise on that? But you were there alongside me, alongside Kevin, alongside numerous other people, some are still here, some have come and gone, to lay this foundation and to see where you guys take it. It’s, it’s crazy to watch.
[00:40:33] John Harmon: Well, in a couple of circle, we’re talking about perspective, right? We added that to our core values this year, was like, we value perspective, right? So I’m writing now kind of uh, you know, as we get bigger, because it was a short time ago, years ago, I knew everybody, all right. Everybody knew who I was. Everybody knew who you were. We all, we all got together all the time. We knew each other’s families. Now, I mean, there’s people that have started months ago I’ve never met in the flesh and you know, like they’re just, we don’t have the credibility with those team members and, and rightly so, you know, I’m agree that I should just get credibility as leader because of my title, right? You gotta, but I said, I got to write some of the stuff down. What do our core values mean? What, what, what are our principles? You know what I mean? And the thing that I’m adding, you know, right off the bat is like, hey, here’s our principles, like product agnostic, like meet people where they’re at, like, we take care of our own. We’re always learning, like these are, are things, right? But I start off with what I consider the possibility that we’re wrong about all of it, right? Have a healthy skepticism that there is a better way, right? Like some, like what, we don’t have the monopoly on the truth. We’re doing what we think is best. We feel like it’s coming from a good place. But how many times have we done that? It only blew up on us. We’re wrong. So consider the possibility that even with all of the collection of experts we have, all the great minds, all the great horrors, that we’re just not doing it right? Yeah. You know, it’s like, just have that in your mind, there might be a better way, so never stop looking for that. Never stop listening for other perspectives and looking at that. Because how many times have you known something for sure? And it just wasn’t. So it was a Mark Twain quote somewhere. It’s like, it’s not what you don’t know that hurts you. It’s what you’re sure of that isn’t so. We’re going to be very painful lessons to learn
[00:42:24] Evan Francen: even in that man that you’re an exceptional leader and I’m not just blowing smoke. I mean, it’s true and I, there are two things I like about, but I want to beat them together. One is, uh, we’ve always said truth. Uh, trust, credibility and you need to like us, right? That’s how we get new customers. Trust is fairly easy. We struggle with that at SecurityStudio because people just don’t know us. Yeah. They think we’re full of crap honestly. And I even put that out there, like when I talk to people, like I know you think I’m full of shit, but you can look at what we’ve done. I mean, truly this isn’t, this is not
[00:42:59] John Harmon: no, it’s not
[00:43:00] Evan Francen: theoretical, right? The credibility piece, I think that does come with size and you know, uh, hearing more about us, right? We’re coming out of our own little market now, not little, our own market in Minneapolis, in Minnesota, even though we have customers across the globe, we’re starting to branch out and be physically in all their locations, which I think is super cool. But the one thing I think that, and I think that’s really unique about FRSecure is most security companies are led by security people, meaning people that started in information security and grow a business. Right. The thing that makes you, I think, just so damn cool is you didn’t start in security, but you are now. I totally, I would trust you with my, I would trust you as a CISO in a heartbeat because I understand where you come from and how you do things logically and all that stuff. But a lot of the security companies you look at out there, you know, like Mandiant, Kevin Mandia, getting security guy, look at another company that I really admire, is TrustedSec, you know, uh it’s a security guy, relates that right all over the place. So I think it’s uh that’s pretty exceptional. One of the things I was thinking about, lot of ransomware, 20, half of the year in the industry, certainly our own IRT. Uh we talked about zero trust, I think SecurityStudio, FRSecure’s working on solutions on all those fronts. Uh now we’re going to be in Nashville.
[00:44:39] John Harmon: Yes, come to me about that. So Hacks and Hops, which is an event series that we have done for a few years, obviously paused for 2020, is kind of now back on the menu, right? So this is a format, we’re extending the format, it used to be kind of a half a day. We have a panel, you know, come to a cool spot. We do the U.S. Bank Stadium, you know, in Minneapolis. Well now that we’re deliberately focusing on some expansion markets, we’re going to do them in those markets, right? Because in Minneapolis it feels more like a customer appreciation kind of event. Always get new people there. But it’s like, yeah, you see a lot of familiar faces, like what we want to run the people through a track, like an all day long track. Like a real value and get their perspectives and panels and have you speaking and Oscar and Chris and you and like we want this collection of ideas, we’re just like, hey, this is a rally, like let’s go do it. But you know, we have a couple of years and we enjoy each other. You get access to security experts, we’ll do it in a cool place, that we’re doing it at the Titans stadium, hopes we’re doing it. I think like the happy hour kind of closing, that is on the field of the stadium. Yeah, more fans like Garth Brooks concert out there or something. But yeah, it’s super fun. So Alex is gonna kill me and I don’t know the exact date. I suppose I can find it here on a Thursday
[00:45:59] Evan Francen: frsecure.com and find it. Yeah,
[00:46:02] John Harmon: sign up for, we’re expecting between 700 and 900 people to show up, which is, I know people
[00:46:10] Evan Francen: uh, from the school shit so, and other things that I do, you know my rabbit or squirrel chasing mind, we have people coming from Florida, uh, New York I think, I mean there’s people coming from all over the country to go to that, which is really cool. I’m excited to meet some of those people.
[00:46:27] John Harmon: Yeah, we’ve, you know, our sales team and our marketing team have been very open, right? It’s like we’re not just focusing on Minnesota and the five state area around it anymore. That’s always going to be our home base, but you can’t throw a rock in those markets and not hit anything FRSecure, and everybody knows who we are. You know, we’ve been around forever, but you know, we’re targeting, we called the bluegrass region, so Kentucky, Tennessee, Indiana, Ohio, you know that kind of market, because that’s Oscar, a lot of his team, you know, are there. So it made sense. And then of all places Montana, which kind of, I call my home state, where my family still lives, and Idaho and eastern Washington and Wyoming, you know, that kind of area has exploded. You know, and it’s great and we told those people, we’ll start to meet with them. Like, hey, if you can help us, you know, like be a good reference for us, if we do good work, you know, whatever, like we’ll put an office here, we’ll start hiring people, it will be a part of the community and it’s fun to see that coming true. It’s going to come with an event like, you know, Hacks and Hops and all that stuff, you’re gonna start seeing that, that happening in a lot of different markets and all
[00:47:34] Evan Francen: that because not only is it cool to spread the truth, because this is really, I mean where our heart comes from is helping people, we understand that information security is not about information or security as much as it’s about helping people, you’ve talked, you know, Ryan, you were talking about the working with accent and all that really cool stuff and stuff SecurityStudio does, FRSecure with the CISSP mentor program with, you know, the product agnostic is, you know, sticking with the values. Uh, it just continues to show forth, plus those are all really good Harley riding areas, just saying
[00:48:11] John Harmon: lots
[00:48:12] Evan Francen: of beer so I can do some here. I think, I think it’ll
[00:48:15] John Harmon: be fun. You’re going to think that a couple of successful times
[00:48:18] Evan Francen: using
[00:48:19] John Harmon: successful in that context. Yeah.
[00:48:21] Evan Francen: So Ryan, on the SecurityStudio side, uh first half of the year, I think, was because that’s where I spent a lot of my time, John and his team are killing it at FRSecure. If anything, I try to stay out of it so I don’t screw it up, you know what I mean? So like, all right, you guys just keep doing that thing. But on SecurityStudio, first half of the year was really cool. I learned a lot of things about us, about our markets, about what we’re doing, where we’re going, you know, it reminds me of a lot of the things we did at SecurityStudio, I’m sorry, at FRSecure with the foundation laying base, right? We’re not, there’s certain things we’re just not going to compromise on. It’s harder. It hurts more. Yeah, but I’m going to be a better person, I think we’ll be a better company for it. So first half the year, same thing, your sort of theme summary of the first half year and what do you think the second half of the year for
[00:49:16] Ryan Cloutier: SecurityStudio. So first half of the year, I would say, uh foundations, right? Making sure the foundations that we’re setting are solid, strong, that, that we have our fundamentals as a business, as a product, really solid. So that as we begin to build this more and more, you know, we’ve got that good groundwork laid. So that’s, that’s the first half year really is a lot of foundations work. Second half of the year is expansion. You know, we, we are very blessed, uh anyone that gets exposed to the tool, you know, the tool itself, that’s, that’s one of the nice things because it is so simplified, because it is so easy to use. We don’t have to be a security expert because the security expert lives inside the tool, that, that knowledge, that seven
[00:50:07] John Harmon: half of the expertise.
[00:50:08] Ryan Cloutier: Exactly, right. And we’re continuing to do so as we add more frameworks, as we look at new ways to innovate to reduce the amount of time it takes. I can’t reveal too much, but we have a couple of really awesome things we’re doing that will increase vendor accountability. That will help that single source of truth, the truth. So, you know, because we hear all the time. Right? Nobody likes doing a risk assessment. I’ll just be very honest. Right? I do. But I have a hard job, my job I have is convincing people to do this thing that nobody’s jumping out of bed doing, risk assessment. Yeah, right. What we want to do is, and what we’re going to focus on for the remainder of this year is continuing to be able to accelerate them through the assessment, to mitigation, remediation. We want to get them to mitigation, remediation as fast as possible with a nice clean and easy to consume task list, right, let’s get them to doing the work and getting that going. And then the other thing that we’ll focus on in the second half of the year is enriching our partner network and enriching our partner relationships and ensuring that our partners are fully equipped to be able to serve their customers and to create new revenue opportunities for them as well. So as we start to do some innovative things in the vendor risk management space, there’s going to be a lot of opportunity to provide virtual vendor risk management, which we’re hearing a lot of demand for. It’s a growing thing. People just don’t wanna, you know, they just don’t want to do it. Right. So being able to do that for them and I think, you know, probably toward the latter end of the year, we’ll start looking at the consumer as well.
[00:51:54] Evan Francen: I think that’s
[00:51:55] Ryan Cloutier: a that’s a big part of
[00:51:56] John Harmon: what we want
[00:51:57] Ryan Cloutier: to do it. It’s taking us to me to that next level. It’s, and like with all things that we do, we want to simplify. So we want to simplify the processes, simplify the tool and really again accelerate people through that, that assessment process as easily as possible. So we’ve got some really cool things we’re looking at from an automation perspective. We’ve got some interesting tooling that we’re in the process of developing right now that’s going to, you know, increase the accountability of the organizations to their information security practices as well as accountability back to those third party vendors, which I think, my gut instinct tells me, will be the hot area of focus by the end of this year from a government perspective but also from a business to business perspective as we see more and more managed service providers getting attacked. I think the conversation is going to shift to what’s in that contract and how are you protecting me? Can you prove that you’re doing what you’re doing? And that’s where I think SecurityStudio is going to shine, is we’re going to be able to help those organizations, even if they don’t have an I. T. T., to be able to hold those vendors accountable, to be able to show scientifically exactly what’s going on. You know, and just objective versus subjective approach I think is going to pay off in spades.
[00:53:20] Evan Francen: Yeah, I had a good discussion with my guarantee this useful for New Jersey about that. They do an assessment, like a lot of people have done assessments, and scale, you know, 1-5, right, on every question, which is good. I think it’s going to get those opinions. And I think you could do that. If you, let’s say if you wanted an objective result, quantitative results, you have to do that and like any 20 different perspectives. You know what I mean? In order to get that to give you the truth. Right. I think the two falls. Okay. But anyway, you mentioned one thing that I think is really important and we’ll wrap this thing up, the uh huh. Nobody likes to do risk assessments, right? But here’s the deal. Everybody likes to drive the damn car. Nobody likes to do the tune ups and oil changes and, you know, that’s our job as security people. Right? Right. Is to do the tune ups, to do or make sure they’re being done appropriately. Right? And then you can drive the damn car. Thankfully, you don’t have to do risk assessments every single day. We will get there because we do have risk assessments that will dynamically change over time. But yeah, that, that, you know, stick in the ground once a year, once every couple of years, risk assessment. It’s just maintenance, man. I mean, everybody’s going to do it and look at it that way. Uh, awesome discussion you guys. It’s cool that we’re sitting here in Puerto Vallarta. That’s the way, right. Next call this place from here. You call Puerto Vallarta. Uh, that’s cool to be here. The people here are amazing. I’m looking forward to a couple of years from now when, when I move down here, and between now and then we’re going to be down here a lot and we’re gonna invite people down here a lot and it’s for no other reason than to give thanks that they trusted us. They look at us as credible. That’s why I’m here. Right, I didn’t, I didn’t get here any other way than the map, so that’s cool. Uh so we’re gonna go check out the beach, do some stuff, we’re gonna go scuba diving on Thursday. We’re gonna try not, I already had my first ticket, for people that are listening, it costs, it costs me 100 bucks to get out of it and there’s no record of it anywhere. So you figure out, is that a fine, is that a bribe? It’s up to you. I’m just saying there’s no record, cash. Um but wrap up, where do we find us on social media. Ryan, where do we find you on social media?
[00:55:40] Ryan Cloutier: If you want to interact and ask questions you can find me on LinkedIn or you can find me on Twitter @cloutiersec.
[00:55:50] Evan Francen: Awesome, and we’ll be doing the show Thursday night too from here, Shinsho, we will. John, where do people find you if they want to get in touch with you? What’s the best way to like, hey, I heard you on the shit show, I’m sorry, Unsecurity podcast, and I like this one thing to say, where would they go to find you?
[00:56:05] John Harmon: Uh always, you can always go to the FRSecure website, my information is there, and feel free to reach out. Very responsive on email. So I always do that, and then LinkedIn is pretty good. I’m on a couple other platforms. Those are the two that I kind of keep up with.
[00:56:18] Evan Francen: All right, awesome, and I think people know how to find me, and if you don’t, I probably don’t want you to, so we’re good. Have a good one guys.