Cybersecurity Events and Recaps

Unsecurity Podcast

Brad and Evan are joined by FRSecure President John Harmon. They discuss the upcoming holiday break, recap cybersecurity events for the SecurityStudio Roadshow so far, and talk about the latest news in the industry.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:21] Brad Nigh: Welcome back. This is episode 59 of the Unsecurity podcast. I’m your host this week, Brad Nigh. Today is December 23rd and joining me is my co-host, Evan Francen. Good morning, Evan.

[00:00:30] Evan Francen: Good morning, Brad. How are you?

[00:00:32] Brad Nigh: Good. So, full transparency. We have a guest in studio so we’re using a different setup and it feels really weird not to have the headphones on.

[00:00:42] Evan Francen: We took a selfie. Have you can introduce our guest? Yes, he’s just sitting there not

[00:00:47] Brad Nigh: doing anything. So in-studio guest is FRSecure and SecurityStudio President John Harmon. Good morning, John.

[00:00:52] John Harmon: Good morning. It is.

[00:00:55] Evan Francen: Yeah, not sure it’s well, yeah.

[00:00:57] John Harmon: So I was told I needed to do with this whole mic situation. I’m not a lot of mumble or say things under my breath because it will catch everything. Right. No mumbling.

[00:01:05] Brad Nigh: No, no mumbling. All right. So before we dive in, we like to have a check-in. John, how are you? How was your week? What do you expect this

[00:01:13] John Harmon: week? It was really good. I’m a big fan of this time of year. The Christmas season, you know, and my house is decorated and everybody’s happy and we’ve been driving ourselves crazy and all the shopping now with some family coming in yesterday. So that’s really exciting. It’s always a good reason to clean the house if nothing else. I’m doing great. Good.

[00:01:32] Evan Francen: Your wife? Your wife sister? Yeah,

[00:01:35] John Harmon: she’s my brother in law. Yeah. They came in last night.

[00:01:38] Evan Francen: Your brother in law’s here too. Were you expecting that? Yes.

[00:01:41] Brad Nigh: Okay.

[00:01:43] John Harmon: Well and they know it, they know each other because we introduced them. So he’s a good friend of mine from way back. We used to work together and everything. So great to see him. That’s

[00:01:53] Brad Nigh: cool. Very good. But you, Evan, how you been?

[00:01:56] Evan Francen: I’ve been. Well, uh, what did I do? We had the ECMECC thing last week. That was really nice.

[00:02:03] John Harmon: A

[00:02:04] Evan Francen: lot of school people there. It was their security summit, their second annual security summit. That was

[00:02:10] John Harmon: pretty fun. Was the East Central Minnesota education consortium, cable construction something. There’s always the season,

[00:02:19] Brad Nigh: their expression.

[00:02:21] Evan Francen: It’s like six letters. Yeah. Uh, then, um, kids came over on Saturday. We celebrated Christmas. Opened up gifts. I made Busty the snowman. You saw, I showed you a picture of Busty. Everybody should be combusted in the snow.

[00:02:37] John Harmon: I like, I like how you’re, you know, there’s so many snowmen out there and you, you took it to a different place. You made it uh, you know, you made some gender equality having right there, front garden and I commend you for that.

[00:02:50] Evan Francen: Hey. No discrimination here, Not for this guy. How about you brad? How was your

[00:02:55] Brad Nigh: week? Good. Got a lot done, kind of, you know, trying to wind down and get everything done so we can take it easy and give people a chance to recharge over the holidays and hit the ground running in January.

[00:03:09] Evan Francen: Yeah. Do you have a busy week, you guys? No.

[00:03:13] John Harmon: Uh, from a work perspective. Yeah, I got tons of stuff to do. We’re from, uh, lovely and long-suffering Mrs. Harmon and I are heading to Montana on Wednesday to see my family. So we’ll be there for a week. Be nice. It will be good to be somewhere else while I’m doing all this work to just unwind and get to see everybody and catching up on a bunch of stuff.

[00:03:34] Brad Nigh: It’s funny. He said, do you have a lot of Miami? That is No, because I don’t have a ton of meetings like, no, I actually get to like Focus on one thing for more than 20 minutes at a time.

[00:03:47] John Harmon: There’s that whole back burger thing gets pulled right to the front border burger when you don’t have me your calendar all all day every day. But

[00:03:53] Brad Nigh: I’m excited to work on that stuff. That’s not really work at that point. That’s the fun stuff. Yeah. So All right. Well, uh, so kind of ending the year. You guys finish up the road show a couple of weeks ago now too. Well, last week was your first week back. So that would be fun to

[00:04:11] Evan Francen: my account is the roadshow?

[00:04:13] John Harmon: Yeah. So we’re still still evangelizing the mission, Right? Yeah,

[00:04:17] Evan Francen: I gotta write something then. All

[00:04:18] Brad Nigh: right. All right, so now you’re officially

[00:04:20] John Harmon: Yeah, no barbecue though. That was kind of a we did a copious amounts of beef jerky though, is there? Oh my

[00:04:26] Evan Francen: God, my birthday last week. So everybody but me and bought me, meat, my kids bought me meat and then we celebrate Christmas on Saturday. Got more meat. The guy, our banker or personal banker at FRSecure slash SecurityStudio. He must have come in while we’re at ECMECC. He brought me meat, everybody brought me meat. I got so much damn meat. And so when you eat so much meat, you know the, because it’s all cured with salt and everything. I’ve been drinking like gallons of water. I’m sorry, about what? No barbecue. Is there even any barbecue up in Bram?

[00:05:09] John Harmon: Oh, I don’t know. There’s gonna be some up there. We just didn’t look hard enough. We were kind of just

[00:05:14] Brad Nigh: such a ham for Christmas

[00:05:16] John Harmon: just stopping the soul. Really so good. I’ve never done that just seems like very intimidating.

[00:05:21] Brad Nigh: You know, you’ll never eat him any other

[00:05:24] John Harmon: way. I love smoked ham. I just want myself, but it’s

[00:05:27] Brad Nigh: not so easy

[00:05:28] Evan Francen: what they

[00:05:29] Brad Nigh: I’m doing it for Christmas at home, but I might be convinced next week to three smoker one Christmas is doing for everyone who comes in. All right,

[00:05:39] Evan Francen: So you probably don’t want me to publish your address?

[00:05:42] Brad Nigh: You’re welcome to. Have you heard it?

[00:05:48] Evan Francen: You see the shirt that his wife got?

[00:05:50] John Harmon: Yeah, did you guys got

[00:05:52] Evan Francen: matching shirts now, people can’t see it online, but

[00:05:56] John Harmon: yeah, it’s pretty sweet. That’s what I do. I grow a beard and I know things, yeah, takes it right down to the core, the fundamentals

[00:06:04] Evan Francen: beards and knowing things.

[00:06:06] John Harmon: We all have beards, the governing dynamics. Should

[00:06:08] Evan Francen: we make that a rule that if you want to be a guest on the show, you have to have a beard?

[00:06:12] John Harmon: I don’t know if, I don’t know if they would like that very much. She wants to come on the show again, she

[00:06:16] Evan Francen: Can take one on.

[00:06:17] Brad Nigh: Could we

[00:06:19] John Harmon: have a Santa beard now,

[00:06:20] Brad Nigh: Santa suit anybody, Santa beard? You don’t have your own. We will provide a beard for you. Oh man. All right. So, you know, since you guys are done, figure kind of a fun way to, you know, almost wrap up the year is, uh, asking some questions about the roadshow. So didn’t put all the questions in the notes because you said you have to have some

[00:06:45] John Harmon: fun, what’s the fun of that? Right?

[00:06:47] Evan Francen: Some surprise questions.

[00:06:48] Brad Nigh: So what color underwear, you

[00:06:50] John Harmon: know, before you get started boxer briefs?

[00:06:53] Brad Nigh: Yeah, first, first question. Always boxers. First question, I’m gonna throw you guys off, question that everybody wants to know is, was the roadshow really just an extensive ploy to get you to travel around the country trying different barbecue? Okay. Thank

[00:07:11] John Harmon: you. There’s no other way you can, you can get a tax write off for barbecues. It

[00:07:16] Evan Francen: was expensive.

[00:07:17] Brad Nigh: Yeah. Yeah. So everyone wondering, yeah, that’s, that’s the answer.

[00:07:23] Evan Francen: What we end up doing, like 28 barbecue joints,

[00:07:26] John Harmon: barbecue joints over 10 weeks. Yeah,

[00:07:31] Evan Francen: it’s a lot of barbecue. It was a lot of barbecue, but it was, there were some really good stuff there.

[00:07:36] John Harmon: So, you know, being back in town now last Monday. So we, we got back from Dallas where we had, um, Pecan Lodge again on, on Friday, Friday before last. And then on Monday I came back, had lunch with, uh, Chad from our team and guess where we went.

[00:07:56] Evan Francen: I found large. I wish okay

[00:07:59] John Harmon: with the bigger rooms with the barbecue again. So I asked me if I’m sick of barbecue. I have very much not. Yeah.

[00:08:05] Evan Francen: Yeah. So we had a reason for actual, an actual reason for going on the road show.

[00:08:10] Brad Nigh: Yeah. So what was the actual reason?

[00:08:14] Evan Francen: Well, for me and you probably, you might have a different answer. So I don’t know if we, you know, we’re explicit and wrote it down or anything, but it was for me it was to get out on the road to preach this unity message around information, security around, getting people to speak the same language to work together. Um, so for me it was preaching and learning I learned a ton of things from a ton of different people from all over the country. That’s what it was for me about

[00:08:43] John Harmon: you. Yeah, I think from a from a pure business standpoint, I think, you know, we have a scene amount of brain power in this building at any given time and we have these ideas and we started the software company and and we know that there’s a use case for it, We know there’s there there, you know, but we have to get other people’s input, right? That was part of making the tool free. That was a part of getting it out there in the community, trying to build this whole thing. And it was really interesting for me to go out while you were preaching and hear all the questions and talk to everybody and whether it was a one on one meeting or at the presentations themselves, it was like, are we crazy, are we taking crazy pills or is this like really what we think it can be? And we learned right away very early on that, yes, this is exactly what we thought it could be and it’s more we’re getting all this feedback and all this wonderful direction from the community that we’ve built so far and I’m excited to see it grow even further, but we can’t do that alone. So we got a lot of uh believers on the way to that are helping us out and everything. I think that was as much the point as um, you know, just spreading the message is getting validation that our message is welcome and that it’s actually gonna do some good.

[00:09:51] Evan Francen: It went so fast. I mean, you think of, you know, it started in October in, uh, Harrisburg, Pennsylvania, talking to BSides and it just seems, that seems like it was like yesterday. Remember we took a selfie in front of the state capitol. It’s like, you know, made a lot of good memories too. That was fun.

[00:10:14] John Harmon: Yeah. We never got sick of each other. Really. I mean, it was another concern. Maybe it was, you know, can never be together this long with this lunch and we we

[00:10:24] Brad Nigh: had a great time. That’s where all the barbecue comes in, right? You have to have that common,

[00:10:29] John Harmon: makes us docile and impressionable, full and barbecue

[00:10:33] Evan Francen: here. I’m still not, you know, I mean, what security is for people who don’t know, I mean, what SecurityStudio does and what we have is a, a platform that we created that really focuses on the fundamentals of information security. So what’s a fundamental risk assessment? You know, I think people pursue, you can always find flaws in everything, right? So if you’re looking for the perfect risk assessment, keep looking, you’ll, you’ll never find it. That doesn’t exist. What it is is it’s a nice, solid, fundamental risk assessment that we started at FRSecure and we’ve done thousands of times, right? Customers like it, we like it. So it was taking this tool, bringing it out on the road, getting other people to look at it, use it, give us input, um, and all that kind of stuff.

[00:11:26] Brad Nigh: So that’s a good kind of segue here. So when you were out on the road, you know, who did you meet? What were the, what was the audience? Was it technical? Was it C-level? Was it compliance?

[00:11:38] John Harmon: Well, I think we, we intentionally went to a lot of ISSA chapter meetings, BSides, ISACA, (ISC)². You know, we went to our people, we went to the security community, you know, knowing that we would get probably the richest feedback from them and they would understand some of the fundamental kind of undercurrents of what we’re doing. But along the way you meet people from every walk of life. My, honestly my favorite thing that has come out of this, and you guys are really focusing on this with the podcast in 2020, is all the people in our industry that are in transition, that are looking to maybe break into the industry. They’re trying to figure out what their place is and, and where they should go and kind of getting experience of networking and all that kind of stuff. So I’m excited to see you guys do some of those interviews and work with some of these people because that was something like the aha, another mission along with the mission. Like we can be connectors in that way. That was really cool.

[00:12:35] Evan Francen: Yeah. Yeah. Most of the people, I think most of the people were security people, but like John said, along the way is one of the things I would ask every time I preached, and I think, what did I give them, like 30 talks, something like that. Over the course of something like, I mean there’s just a ton of talking. Um, and I’m an introvert. So every time I talked it just got, just got exhausted. You know, I wanted to go back to the hotel and go to bed. But the, uh, I always started that, you know, somewhere in the talk, I always ask, you know, how many of you are security people and then watch how many people raise their hands and I’d say 70-ish percent of people were probably security people. Yeah, we went, we went there because we wanted their feedback. We wanted validation that this is actually a legit thing, a legit tool.

[00:13:31] Brad Nigh: So what was the, maybe the one piece of feedback that that really stuck out to you anything like it could be a theme that you heard or one person said something that you’re just like, whoa!

[00:13:46] John Harmon: For me and understanding to that I’m not coming from the same place. You guys are like, I’m not a security expert. I didn’t come up. I’m, you know, I’m more of the business end of things. But hearing the feedback and seeing this undercurrent of everybody’s looking for perfection. Speaking

[00:14:02] Evan Francen: of everybody after all that meat. Yeah, yeah. Business end, business end, sorry, constantly my bad. No,

[00:14:11] John Harmon: but seeing the, you know, you said this is a fundamental risk assessment and everybody’s wrapped around the actual, trying to find something with no flaws and one of the principal, you know, philosophies is something insecure at its core will always be insecure and you’re not getting the fundamentals correctly. So why are you wrapped around the axle trying to get these, you know, higher thought, higher level, you know, functions of security implemented when you don’t have the basics, policy and governance, you haven’t decided who’s even responsible for information security. And here we are talking about AI and Blockchain and we have to use this methodology or that. It’s like, yeah, even people who have been in this business for tens of years sometimes are way off base and that was a big shock to me. I thought that would be a tougher row to hoe with the business people that I was meeting and they got it right away. They were like, well of course you gotta start with the basics, and it was the super advanced professionals that had these aha moments like, well I thought you guys might have been here already with the basics, but you’re not. Yeah, it was cool to kind of bring that back home.

[00:15:16] Brad Nigh: It was fun

[00:15:17] John Harmon: watching it work.

[00:15:18] Brad Nigh: It is surprising the number of companies and individuals that go, well, we need to have this maturity assessment and writer and you don’t even know what you have. Why are you worried about? So yeah,

[00:15:34] Evan Francen: wanted to see you. It’s interesting how many people, everybody, almost everybody is out in the audience nodding their heads right from the biggest groups to the smallest groups. Everybody agrees. Everybody agrees. Yeah. This is what information security is. Yes. We’ve all taken it for granted. Um, in terms of just the definition of information security And yes, you know, we need to focus on the fundamentals and yes, we need to do risk assessments. And yes, 90% of organizations aren’t doing risk assessments. Yes, yes, Yes. But then you don’t see them do anything. Right, right. You know, so I think nobody likes to do risk assessments, but maybe you can, maybe it’s a frame of mind because you can’t build a security program without one. And it’s it’s just funny how everybody agrees. Sometimes I just want to wring their neck. You know what I mean? It’s like you understand what I’m saying and you get it, then do it. You’re getting paid $80, $90,000 a year to run security at your organization and you’re not doing the fundamentals.

[00:16:42] John Harmon: Yeah, it was amazing to those same. People are not in their heads like, oh, you have the basics right? Raw. This is, this is awesome. Hey Evan, what do you think about this latest Blockchain solution of this company came out with that does all that stuff. And you know, it’s just like, well, do you know how many points you have in your network, we’ll know what we’re thinking about Blockchain, so way

[00:17:03] Evan Francen: i

[00:17:03] Brad Nigh: it does have machine learning way, thank

[00:17:07] John Harmon: God all would be lost without that. That was the frustrating

[00:17:10] Evan Francen: part, you know, I think if you go into these things with expectations of like that’s why, you know, we kind of both went into it, I think john and I with kind of an open mind, you know, we wanted to, we did have set goals, we wanted to get 30 partner leads because we do want a partner to write this is meant to be a community effort. So getting people involved, working with our tool, it’s not even a sale really because what ends up happening is it’s a revenue generator. If you’re an information security consulting company and you’re doing assessments in any variety of different ways. This is a way to do an assessment cheaper with better quality, faster, higher margin, I mean, it’s just like it’s a revenue generator

[00:17:57] Brad Nigh: for one and it gives you a roadmap for an action plan of what they need to do and then you can say,

[00:18:05] Evan Francen: oh yeah, which feeds right into the whole managed services agreement and it was, you know, people that have come before us have really done this. I think a disservice because you can tell people something is free. And I think there’s some kind of catch to it, right? Or you know, I’m looking, we’re looking for partners and then people think, well, what are you trying to sell me? It’s like, I’m not trying to sell you anything right? I want you to yes, there’s a fee, but it’s not, it’s a revenue generator, right? It’s just people are like very skeptical and people have been burned a lot. So that was kind

[00:18:42] John Harmon: of set when they’re used to the alternative method. Like this isn’t theoretical, we know it works, right? Thousands of these are in the ecosystem and we built an entire services company off of this. We know it works, we know there’s margin in it, right? And we could have kept it, kept it to ourselves and scaled and hired every assessor and pillaged everybody we possibly could and went national and kept it all private and proprietary. And instead we’re giving it away. We’re saying like, just help us cover our costs and you take this margin, you build this practice, you figure out how to connect the dots. We don’t know everything, come partner with us. And still they kind of get that outside of the, I like, yeah, but what’s the catch, like this can’t be possibly this good. It’s like we’re just driven by different things, I think. And sometimes you get those reactions and it’s, uh, not to call anybody out. It’s like a reflection of how they operate. You know what I mean? It’s just like, I wouldn’t do this. That, that would be a bad business decision, right? I wouldn’t give my margin away to somebody else. I would build this and take full advantage of it. So why are you doing that? I was like, well, hey, don’t put your stuff, don’t put that evil on me, Ricky Bobby. Like we’re just trying to do the right thing here.

[00:19:46] Brad Nigh: You know? Well, I mean, how many small to mid-sized businesses are there in the U.S.? 3.5 for

[00:19:52] Evan Francen: 20 – 1003.1 million.

[00:19:54] Brad Nigh: So I mean there’s no way we could do all of them. Right. That’s the other thing that people don’t get

[00:20:03] Evan Francen: Watson hunting, you see in our industry is, you know, nobody disputes the number. I’m surprised how many times people didn’t ask for some citation. In terms of like when I give them numbers like where’d you get those numbers? Because truly I just sort of estimated that 90% of that 3.1 million isn’t doing risk assessments based on I don’t know, 25 years of experience. You know, working with those types of companies until let’s just say that that’s true. We’re all fighting like the security consulting companies were all fighting for tripping over each other bashing each other for 10% of the market. Whereas if we can, maybe, maybe if we join together, we could go out and get the other 90% that’s just sitting there like.

[00:20:53] Brad Nigh: you know, not aware.

[00:20:54] Evan Francen: Yeah, just like frustrates me. So I’m hoping we made some progress in that. I mean we’ll see

[00:21:02] John Harmon: Live. It’s a really good conversations with those than that 90% as well for one reason or another, have kind of come across my desk and you know, maybe there’s a near miss or some kind of problem with potential incident or you know, they heard it in a conference or whatever and somehow snake their way to to my phone and they’re like, hey what do we do? You know what what would your suggestion be like you do a fundamental baseline security risk assessment, figure out where you’re at and then you can figure out where you’re going. You know, they’re like, well how do we get started on that? It was like there any resources for this because we’re all in fighting all the time. There’s nobody out reaching out to that community.

[00:21:39] Brad Nigh: Yeah, I mean, and, and coming, you know, still relatively newer to the consulting side, right? There wasn’t anything even three years ago. Get the NIST CSF, but it doesn’t really give you a good way to assess it, right? Are you doing this? You can go through it, but it’s not. So okay, now what, what’s my action off of this. So yeah, there’s just not a lot out there.

[00:22:06] Evan Francen: Well, it was funny, you were on the phone on Friday when we were talking to Mike. Ah, mhm. May come and work as a channel partner manager for us. And he’s been in our industry for quite a while and seen a lot of things. And he’s, as we were talking, he was like, yeah, there’s just, there’s no competition for you, being the way we do our risk assessments, the way we make it available for everybody, the way we partner, the way we, we’re trying to get that 90%. I don’t really care about the 10%. They’re already doing risk assessments, right? They’re probably getting somewhat, some security correct.

[00:22:44] Brad Nigh: And you know, they get these other ones I think I’ve heard is we’ve gone against big national companies and our assessment comes in like half maybe 2/3 of the cost. And well, why aren’t you charging more? And the answer is easy. If I charge you all the money that you have to tell you what’s wrong, Are you going to fix anything? Like we know we know what our margins are. We know where we need to be. Why are we going to overcharge? It doesn’t advance the mission? And they’re like, you can hear their brain explode on the other side is they’re trying to process.

[00:23:18] John Harmon: So like anti capitalist. But you said it’s a great, you know, mantra. It’s like if you if you if money is the point, you’ll never make the mission, but if you make the mission the point that will make the money.

[00:23:30] Brad Nigh: Yeah. Well, and then they require their analysts to fly first class because it was all the stuff I’m like, well, just send a short of analyst, if it’s a long flight, Alright. We’ll

[00:23:42] Evan Francen: say what, a shorter,

[00:23:43] Brad Nigh: shorter, a long flight. It’s no big deal. I just sent a short person. I’m not going to charge you for first class for an assessment really.

[00:23:51] John Harmon: Yeah, it’s the, well, and, and in the age of, you know, like there’s a lot of consolidation, you know, happening in our industry right now. And I get asked a lot to like, well, who are your competitors? You know, what’s your biggest competition? Like as FRSecure anyway, as a consulting company. And, uh, you know, in my time here, seven years, I’ve seen three of our, like, most direct competitors that I’ve seen here, at least in our five-state area locally. They’re not even in the market anymore. Right? So what is my biggest competition? Inaction. Doing nothing.

[00:24:22] Brad Nigh: Well. And that’s what happened, right. They quit moving forward. They had what they had and they were happy, but that was the end of

[00:24:28] John Harmon: it. It’s people who are looking at this giant thing that they know they’re supposed to be doing something with and saying it’s either too costly or too complicated. They do nothing. Yeah.

[00:24:38] Evan Francen: Right. Yeah. Yeah. It’s funny, even companies that do, I was talking to one company on the roadshow and they were, they do risk assessments. And so I said, well then you should have a good, tell me the state of your security program. He’s like, what do you mean? Like, what’s the state of it? Like, because it’s relative, right? He’s like, wow. You know, I have a state, like okay, I can tell you how I think you should do it, right? You should, you need to have some scoring. You need to have something in place where you can say our security program is, you know, if you use the CMMI it’s a three

[00:25:14] Brad Nigh: five, have something,

[00:25:16] Evan Francen: right? If you use, you know, the SecurityStudio’s, you know, S2Org, you know, or 622, you know, something. But that’s, that’s how you can communicate your state. So then you automatically know sort of where you’re at and people got it. But, you know, I don’t think people like to do work. People like to do risk assessments.

[00:25:37] John Harmon: Well it’s not sexy

[00:25:38] Brad Nigh: but I think also there’s a misconception of risk assessment versus an audit. Right? So I think a lot of people here that no

[00:25:46] John Harmon: cringe

[00:25:47] Brad Nigh: audit, I’m gonna have to but that’s not what it is.

[00:25:52] Evan Francen: We’ve been audits, right? I mean, there’s different kinds of audits. When I was a CISO, there were some audits I hated and there were some audits I was actually looking forward to. Usually the ones that were internal, internally driven. I could use, you know, to identify things to make my program better. Right? If it’s an external audit where it’s just, you know, to find the gotchas

[00:26:11] Brad Nigh: and Yeah. But I think that’s what a lot of people still. Yeah. And I still hear that a lot too of well the last time that we have a time out this is not not it. This is an assessment to help you identify strengths and weaknesses. Understand where should you be focusing what how

[00:26:29] Evan Francen: many people like how many people actually want to know the truth. A lot of people don’t want to know the truth. So we’ve heard that on the road show to like yeah I don’t want to know because I don’t have to do something that’s like that’s not that’s kind of a stupid logic. Really. Right? That’s gross. Yeah.

[00:26:48] Brad Nigh: The only thing I can think tell

[00:26:50] Evan Francen: your customers that right.

[00:26:53] Brad Nigh: Only means that I could think of not wanting to do it from. But I’m also

[00:26:58] Evan Francen: imagine telling customers that sorry we don’t want to know how poorly we’re protecting your information because I’m gonna have to do something. But truly it’s their information that

[00:27:08] Brad Nigh: it was not Equifax’s defense. No. Oh sorry they

[00:27:13] Evan Francen: missed a match. I can I can cut them some slack.

[00:27:17] Brad Nigh: That was, that was a joke. We’re gonna stir it up now. Now the only thing I can think of is, is how frustrating, and you know it is, to say to the business, hey, these are the issues, and then getting no support. So maybe that’s the next piece is how do we provide better actionable business decisions out of that result? Right. I think the scoring really helps with that in terms of making it easy for a business to understand, hey, your risk was 450, credit scores of 450, where you at, we got to do something.

[00:27:54] John Harmon: Yeah. We’re so data-poor in our industry though. I mean, when we get to the point where you can actually do, like, quantitative risk analysis, like your score is this, therefore your monetary exposure is that, you know, that, that’s kind of the holy grail for, for our life from a business standpoint. But, you know, at the end of the day too, just because you don’t understand something doesn’t mean you shouldn’t care about it, right? So just, you know, I think there’s work to do on both ends. I think boards and executive teams have been very cavalier about this and very, they’ve had the wrong expectations. They’re not understanding this and they’re, you know, excuse generally as well, I just don’t understand computers. I’m not a computer guy. It’s like, watch a YouTube video. You know what I mean? Get up to speed a little bit and then I’ll tell your IT and security people to, like, take, uh, a few notes on how to, like, communicate up a little bit. We need to meet in the middle on this. So much

[00:28:48] Evan Francen: of it is lip service. Right. I mean, if you ask any executive, any board, hey, security important to you, would any of them tell, you know? Yeah. Look at reactions. What

[00:29:00] Brad Nigh: have you done?

[00:29:00] Evan Francen: It’s the state of

[00:29:02] Brad Nigh: your security report

[00:29:03] Evan Francen: is responsible. You know, those basic fundamental things are missing. So you’ll say it, but then it’s not backed up by action. I mean, I’m trying to figure out what the legitimate excuses for the 90% of organizations that aren’t doing risk assessments. Do they think that there’s a better way or there is a way to build a security program without one.

[00:29:25] Brad Nigh: I don’t know. They just assume it won’t happen to me. That’s the biggest one. I think we are such a

[00:29:32] John Harmon: false. I think there are times that it tends to a false sense of security. They assume that somebody somewhere has it covered.

[00:29:38] Brad Nigh: We spent X amount on blinky lights. Were you

[00:29:42] John Harmon: or we’re all in the cloud, or I work with a managed service provider, or have insurance, or, you know, whatever it is. It’s just a, you know, there’s not enough depth of understanding, I don’t think. Yeah.

[00:29:53] Brad Nigh: Okay. Right. Um, next question, anyone in particular you met that really just stood out to you?

[00:30:02] Evan Francen: Mm hmm, a lot. On the bad side, there was the guy from Sacramento. Remember him? Yeah, I’ll tell you about

[00:30:11] Brad Nigh: that. Yes. Well,

[00:30:14] Evan Francen: for the listeners, I was giving a talk in Sacramento. Uh huh. Yeah, there was this guy who just had to add something every time. You always have to add something, right, you know, to your talk, to something you were saying. And then it got to the point where I think it just really started to frustrate me, and I was probably 20 minutes behind. Yeah. In timing, you know, and so he said, can I, can I just add something? And I’m like, what? Are you the smartest person in the room? And then the room went quiet. So awkward. That was awesome. I totally don’t do it again. But yeah,

[00:30:52] Brad Nigh: it just kind of shut the heckler down a little bit.

[00:30:56] John Harmon: Yeah, it was just, it was, that was weird. That was a weird day. It

[00:30:59] Evan Francen: was an egotist and academic.

[00:31:02] Brad Nigh: Uh, yeah, there’s people that, yeah, exactly, that feel like they’re the smartest in the room and have to let you know. They are the worst.

[00:31:09] John Harmon: Yeah, I think on the other side, John Ross from Dallas, that was, you know, just a guy that we met at the thing and took an interest in what we’re doing. That was at the ISC2 event. We revisited him last Friday, brought a bunch of people to lunch, and he just kind of helped us, you know, network and interface and get some feedback and everything. The Dallas crew in general. I mean JP down there, Maria biotech three times three. Yeah, they were very welcoming. They were great. We did that event with Michael Schindler and that group there, um, did the ISC2 event that we just did, another one, smaller one, but we did the, you know, similar kind of thing, and yeah, it was all really good. Uh, yeah, there’s a lot of good people. Some of them are just like, I mean frankly, the people behind the counter at the barbecue restaurant that you just talk to and you get to know and find out it’s a family-owned restaurant and grandpa started it, dad’s still around and the son’s working the, you know, the pit now. And there’s some, there was some cool stuff there, but what stands out to me, maybe because we’ve been there a bunch, people get invited back, but the Dallas crew

[00:32:19] Brad Nigh: but

[00:32:20] John Harmon: also that’s where I was born, so like any excuse to go back

[00:32:23] Brad Nigh: that helps, man. I grew up, I grew up outside D.C., so I have a natural hatred of Dallas.

[00:32:32] John Harmon: But next weekend we might be a bad little, Redskins playing the Cowboys next year. Next week.

[00:32:38] Evan Francen: Yeah, Cowboys are seven and eight.

[00:32:43] Brad Nigh: Yeah

[00:32:44] John Harmon: and still in position to win the

[00:32:45] Brad Nigh: division. Can yeah I could win the division

[00:32:49] John Harmon: at 50 at

[00:32:51] Brad Nigh: yeah not a great year for the alright but

[00:32:55] Evan Francen: the first person I met was Charles Gide.

[00:33:01] John Harmon: Oh yeah, Business Information, that’s a great company, York, Pennsylvania. Yeah, if you’re in the central PA area, that’s a good, good company to look up, if you’re one of those 90% that are not sure what to do or whatever, they have a good thing going there. The whole BSides event was really cool as well. We met some good folks.

[00:33:19] Evan Francen: 10 Bechtel, remember he was on our podcast, he gave the keynote at BSides in Harrisburg, that’s where we met him, and I think he, I actually double-checked with him, but I think he landed, I got

[00:33:32] Brad Nigh: himself a job now, you know

[00:33:33] Evan Francen: something about that, because he’s, you know, he’s such a pioneer, you know, to see him without work was kind of heartbreaking. Uh, in Arizona, Rachel Hartley. It was crude, bet security was fun to meet her. Um, every place there was somebody. Quintin out in San Diego, who I was there and you were, you were, I think on the west coast, that east coast

[00:33:58] John Harmon: that day was in Virginia that

[00:34:01] Evan Francen: day. That was really cool. The HSBC folks.

[00:34:05] John Harmon: Oh yeah, those guys are great.

[00:34:08] Evan Francen: Every place, low octane folks. I mean the locked-in people down in Kansas City, there was a great meeting. Uh, every single week, that was the best part of the entire thing. It was just getting to meet people at every event. You can’t possibly maintain friendships with that many people, you know? So that part kinda sucks. But yeah, lots of

[00:34:32] Brad Nigh: cool people still have that that kind of relationship though. And

[00:34:36] Evan Francen: Quinton was the most unusual. You have to ask, meaning unusual, like unique. Just a really cool cat. Uh, and Oscar esque. Oscar, Oscar makes our director of technical services, because I put those two in touch. And Oscar called me when we were in Kansas City on our way down to Q39 barbecue. And Oscar is like, what’s with this Quinton guy? What do you mean? He goes, this guy’s hilarious, I love him.

[00:35:03] Brad Nigh: But

[00:35:05] Evan Francen: yeah, Quinton

[00:35:06] Brad Nigh: is cool. Uh, so is, did, how many of us, 30? Is that what you said?

[00:35:13] John Harmon: 30 talks, 30 events. We got 61 potential partners that we’re continuing to work with and figuring out, you know, how it fits and all that kind of stuff. And then 28 barbecue restaurants in 10 weeks. We had Thanksgiving in the middle there. So it was really nine weeks over a 10-week period.

[00:35:33] Brad Nigh: So what was one event that stood out to you the most, either good or bad?

[00:35:40] John Harmon: Good event? I think the I. C. I. event in Dallas, which was, it was very different, and we didn’t speak at that one. We were just, it was like a speed dating kind of thing. So I got like serious people in the room that, you know, had buying power, were there to evaluate technologies that were specific to their business needs, and you know, got, uh, what, 15 or so, you know, companies, vendors of some kind, and then the attendees moved from table to table and you got kind of a five-minute, you know, what’s happening. And it was really cool because it was obvious everybody there had some kind of, like, technology, you know, they were slinging, and all we did was, like, just sit and BS with people until they asked us what we did. We’re like, oh yeah, we’re here for business, right? Yeah, so we do a security assessment software

[00:36:26] Evan Francen: and how many times were we told, twice I think in that event, that we were the only people that actually asked them what they did. You know, I mean, everybody was there to tell, to tell what I have to sell or what I can do for you rather than just asking and listening

[00:36:43] Brad Nigh: to what makes us better versus what are you looking for. I really like, I really

[00:36:49] Evan Francen: like the Network Center event because it was me, you, and we brought Justin and Steve with us. That was fun, except we really pissed you off on the

[00:36:59] John Harmon: wheel. Dude, it was some, man, you know, it’s Fargo, North Dakota, it’s 20 below outside, the wind’s blowing sideways, and we have all this equipment to, like, load up. So I pulled the car over thinking, like, oh yeah, everybody will just load it up real quick. I don’t know, he is smoking and talking to somebody from Network Center. I end up loading up everything and then I go back in to, like, grab something. I come out and I’m informed that I get to drive home too. They’re in the car already

[00:37:25] Evan Francen: like, see that’s open, is the

[00:37:26] John Harmon: driver’s seat. I’m like, oh yeah, I’m driving, how cool. I just loaded the car and I’m driving. Yeah, we’ll do that.

[00:37:31] Evan Francen: That was, that was a tough week though, because as soon as we got back, like I was, we gave the talk in Fargo at Network Center and that was really well attended. They put on a great event every year. Uh, it’s that Envision conference up there, um, on the main stage, and we just, really cool, everything was cool. And then, um, and that’s where Zoe, I ran into Zoey, so it was also on the podcast. So some of the people that we met on the road show have been on the podcast, probably two or three of them. But the next morning I had to get like a 5, 6 o’clock a.m. flight to Rochester, New York the next day. So that’s why I didn’t drive. A mess. Excuse somebody use for now. But that was a great event. I really liked that one, and then I liked any place where it was warm,

[00:38:26] Brad Nigh: so the Phoenixes and West, Orange County,

[00:38:30] John Harmon: San Diego, you know what, Phoenix, I spoke at that ISSA event earlier this year and then you spoke. This, uh, Ricky, his name is Ricky Martin. No, I’m not kidding. And he’s the coolest guy. He’s awesome. He organizes all the speakers and a lot of the vendors, everything for that chapter. Events very well attended. The people are fantastic. We’ve made some good relationships there. Leanne from the FRSecure team was down there visiting family and, like, on her personal time came to the event and hung out with us. So that was a good one for me.

[00:39:03] Evan Francen: Okay. We didn’t go anywhere in Florida. I’ll be at BSides in Huntsville, Alabama. That’s not till, I mean the road show’s kind of officially done, this chapter anyway.

[00:39:15] John Harmon: Yeah, we’ll probably go more, I mean we’re, you know, still formulating and everything. We got this kind of 60 body of, like, 60 partners that we’re working with and figuring out, you know, what to do. So there’s a lot of just kind of at-the-office work to do, you know, for a while. But I think starting in February we have a couple of events, but most notably is RSA, and that’s big, but I think somewhere in between is where we’ll kind of end up. There’s a lot of good industry events, there’s a lot of good kind of regional events, there’s ones that we can go to and, you know, speak to a wider audience, and we have the message crafted and have some fans out there. It’ll be easier.

[00:39:51] Evan Francen: Yeah. School stuff and government, local government stuff. I think it’ll be fun

[00:39:55] John Harmon: to, oh, MNCCC, Minnesota County Computer Consortium. We have like 22 or, I think by the end of the second week, 27 Minnesota counties had signed up for an account and started doing this, that’s an assessment. That was the most successful from an end user adoption perspective, like a single event in that short of time. Wow, that was in there. Great group. They’re fantastic. We love working with them.

[00:40:18] Evan Francen: That was fun. That was a good one too. And that was the Cybersecurity Summit too in St. Paul. I don’t know, there were so many damn events and they were all really, really good. The only one that wasn’t good was that Sacramento one because we had a jerk

[00:40:30] Brad Nigh: ball. Yeah. You know, if you think about it, 30 events and you had one that was, you know, kind of ruined by someone, that’s pretty good.

[00:40:41] Evan Francen: But I didn’t really, really, nitty, there was just kind of like, I felt dirty.

[00:40:45] John Harmon: It’s dude

[00:40:46] Evan Francen: and I feel like a jerk because I called him out,

[00:40:49] Brad Nigh: you know, do what you gotta do. Um, the last thing I wanted to really talk through is, what is, you kind of mentioned it a little bit, John, but what’s the one thing you learned that really surprised you out of

[00:41:03] John Harmon: all of this? Yeah. Other than, um, it wasn’t like I, I lost faith in our industry or anything, but that whole, like, oh wow, yeah, we’re really wrapped around the axle. It’s weird stuff right now. I think, um, a big surprise to me going out there is sometimes you go to these events, and I’ve been to some of them, they’re like more networking opportunities, you know, and they happen in every walk of life and people are there to be seen, you know what I mean? It’s kind of a, right, not these events. Everybody is there to learn something, everybody is there to really collaborate and find something that they didn’t know before. Everybody’s listening intently. Everybody’s taking notes. Like the security community as a whole are very diligent in their need to consume. And I was very impressed and very surprised by that. I thought there would be a little more politics along the way and, you know, just people that were there to just kind of be seen. There weren’t. That’s a dedicated group. You almost have to be. I mean, we all know you have to be half crazy to be in this business in the first place. So I was surprised, pleasantly surprised by that.

[00:42:15] Brad Nigh: Yeah, I think you see a lot of it where everybody is facing very similar challenges from the business perspective, and so you get a lot of collaboration and, how are you doing this? Because I’m not having any luck, and

[00:42:28] John Harmon: it was good validation that, you know, the right people are involved. Do we need to get on the same page, start speaking the same language? Yes. Do we need to work on the fundamentals a little better? Yes. Do we need to be better communicators? Yes. But the fiber of the people that we met is absolutely there. That gives me hope that this is actually doable.

[00:42:47] Evan Francen: Yeah. You know what surprised me is that there weren’t more vendors at the events, because vendors, you know, they sponsor it because that’s how they make their money, but they weren’t there. None of them. I mean, very few. And so I think what it shows is vendors respond to these things because it gets their name there. But it shows to me, I guess I was surprised that they didn’t participate more. You know, they’re paying sponsorships but they’re not participating in the community. That’s interesting. You know what I mean? Because, I don’t know, it’s like, I want your money but I don’t want to be

[00:43:26] John Harmon: and actually only contribute anything other than a check.

[00:43:28] Evan Francen: Right? So that, that surprised me, because, you know, I have vendors sponsoring all of these things, ISC2, you know, ISACA, ISSA, you know, BSides, they’re sponsoring all these events. Yes. I was surprised how often they didn’t participate in the event.

[00:43:51] John Harmon: Well, many times too, you know, you kind of go like, hey, you’re not allowed to sell anything, keep the sales pitch out of it, blah, blah, blah. You don’t ever think that, well, sometimes that scares people away, but there’s never, like, a counterpoint or another question. You know, they’re not saying, like, okay, well then how do I do it? How have you been successful in the past? You know, rather than just getting, like, if you have any questions about whatever, we’re back in the, in the back over here. It’s like, what’s your mission? Like, like, get, get beyond the product that you sell and tell me how I can jump on your cause, you know. These people are very, very attuned to that. So, you know, there was even a, um, change in mindset, I think, that the security vendor and product community needs to have in their ability to contribute, and if they can’t, that’s another problem, right?

[00:44:36] Brad Nigh: Yeah. I think it goes back to what you got, feedback from that Dallas event where you guys are the only ones who asked what they did, and that’s been my experience too at any of those events coming up. It’s always, here’s what we can do for you, here’s what we can do for you, but I don’t care if it’s a fit or not. That doesn’t, then how does that fit with what we’re doing? It doesn’t help. And so, yeah, you get told you can’t sales pitch and, I don’t know what to do. They don’t want to send an engineer because they’ve got

[00:45:10] John Harmon: work to do. Yeah, that’s one thing I’m very proud of our, our FRSecure sales team about, is that our questions and our engagements always start with, well, just tell me what’s going on, like, what are we doing here? Why, why are we even talking? You know, and getting to that point where, you know, and you said it a thousand times, we don’t sell things to people that they don’t need. You know, so we, we know something other people don’t, and it’s, like, it’s a moral obligation to be of service, to be of help. And even our sales team understands that, which is great. That comes from the top. You set that tone early on, but I don’t know that a lot of other sales professionals have that, right? They’re just slinging things, and that’s a, that’s a crappy existence, I know from experience, but this community in particular will not abide that. We’ve got to take a different approach.

[00:46:05] Evan Francen: That’s one reason, that’s what, now that you mention that, that’s one of the things I really appreciate about talking with Mike, you know, a potential new salesperson. Excuse me. He didn’t seem like that at all, slinging. He seems like a guy that genuinely cares and wants to help

[00:46:19] John Harmon: people. You understand, it’s like, it’s, you know, securitystudio.com, not .org, right? I mean, you got to sell things, you have to make money, you have to pay people well, you know, it does cost money to make the mission, but it’s not worth selling your soul. Right? Right.

[00:46:36] Brad Nigh: Yeah, awesome. Great discussion. Thank you, John, Evan. Yeah, now it’s time for some news. So there was a ton, actually, of news, some news, news. So there were a bunch of stories.

[00:46:52] John Harmon: I love these stories, man, it was great. I love these together. I read

[00:46:55] Brad Nigh: them well, and I pulled like four out that I was like, because there was one about a logic bomb from a Siemens employee, that former employee left a logic bomb, and it was like too much. Uh, first one is Krebs on Security, Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up, and, uh, you know, kind of not surprising but kind of sucky. You knew that was going to happen at some point. But yeah, they’re saying now that the Maze, uh, ransomware, if they don’t pay up, they’re gonna start releasing the data they’ve exfiltrated, and I mean, this could be pretty devastating to companies, especially if you’ve got regulatory requirements and, you know, HIPAA fines or whatever coming your way. And I can tell you from experience, most of the time when we’re doing an IR, we can’t tell the company if there was exfiltration or not, because we don’t have logs, we don’t have anything to look at to tell you that. The fundamentals. Yeah, no. Uh, but yeah, it’s a, I can’t, I don’t know. We can tell you based on the ransomware, whatever we found, that it’s very, it’s possible that it can do it. But I can’t tell you one way or the other. Right now, they’re sitting there going, what do we do?

[00:48:19] John Harmon: I am obviously not endorsing this practice in any way, shape or form. I’m going to qualify it by saying that I’m not encouraging anybody to do this. I’m not saying it’s a good thing, but I am a silver lining guy. So if there’s one thing that comes out of this, it’s if we can all just accept that when we have ransomware and these things happen, that if we don’t declare it, if we don’t take ownership and say, here’s what happened and here’s how, maybe if you’re in the same situation, you can prevent it, here’s the level of importance you should put on it, that there are going to be consequences. Um, if this ends up being, you know, the strike point for actually getting some of this data publicly available, this will probably be one of the most significant events in our industry. Yeah,

[00:49:06] Brad Nigh: on. And hopefully maybe it starts getting people being more proactive and not putting their head in the sand going, huh, well, it can’t, it won’t happen to us. Yeah, it’s going to be

[00:49:19] Evan Francen: well, and in this case, if you pay the data is out anyway,

[00:49:25] Brad Nigh: you got no guarantees.

[00:49:27] Evan Francen: They can just keep asking for more and more and more and more, because they still have your data. And what also is going to happen, from a regulatory perspective and from a reporting perspective, is if you get hit with ransomware, it’s a reportable breach, you know? So, yeah, it changes kind of everything around ransomware.

[00:49:46] John Harmon: Yeah. And it also debunks it all. There’s a lot of attitude from the business community right now of like, okay, so we got a breach. So what, like breach fatigue, you know what I mean? Well, now there’s real consequences, now that you can’t hide from it. Now you really understand the fallout. And you also are tipped off to the fact that these aren’t just idiot criminals half the world away. They’re smart, they’re business people. They’re figuring out a way to force your hand. It’s just tactics, right? So gear up.

[00:50:19] Brad Nigh: Yeah. It’s gonna be uh, it’s gonna be a wild ride.

[00:50:24] Evan Francen: Yeah. On the, yeah, it’s interesting. Yes. We rebuild all these networks. You have to rebuild all these networks with whitelists. Yeah. You know, egress and ingress, primarily egress, if you wanna stop the exfiltration. I mean, you’re talking like

[00:50:40] Brad Nigh: this is a massive undertaking. Some

[00:50:42] Evan Francen: serious work. Yeah. But

[00:50:45] Brad Nigh: uh All right. Just

[00:50:48] Evan Francen: delete all your data. Now, how

[00:50:51] Brad Nigh: can I eliminate risk? Shut down. Yeah. Uh, next one, off of Threatpost: 267 million Facebook users’ phone numbers exposed online. So that’s it. You know, shocking. Just be aware that a lot of phishing and spam and SMS phishing attacks now

[00:51:11] Evan Francen: we like our chords, a lot of vishing,

[00:51:13] Brad Nigh: vishing and smishing and phishing

[00:51:17] Evan Francen: the voice phishing.

[00:51:19] Brad Nigh: Um, yes, possible. They said it was potentially stolen from Facebook’s developer API before they restricted access to that information. Who knows? But

[00:51:34] John Harmon: you know what this reminded me of when I read this this morning. Uh, you know what I got in the mail this past weekend? A phone book. I’ve never been more offended in my life. These things still exist? Quit wasting paper. Like, what are we doing here? Phone book

[00:51:50] Evan Francen: pages work pretty good for starting your fire.

[00:51:54] Brad Nigh: Yeah.

[00:51:54] John Harmon: Yeah, like, you know, people are like, oh my God, my phone number’s out there. Like, it was always out there. Like, this is like the tweet. It was like somebody said, uh, um, hey, if you use facial recognition software, the government has your face, LOL. It’s like, well, what do you hear about driver’s licenses,

[00:52:12] Evan Francen: passports, by

[00:52:14] Brad Nigh: God. Yeah, the big one. But that is, it does give the ties to that username. So if there is any non-anonymity. I don’t know. Well, that’s

[00:52:25] Evan Francen: the crazy thing too, is we get freaked out about the things that are just, like, stupid to get freaked out about. But then the things that we should get freaked out about, you’re ignorant. Just, you know,

[00:52:37] John Harmon: it’s like, it’s newsworthy. But this isn’t going to get my blood pressure up at all.

[00:52:40] Brad Nigh: So the fact that Facebook, right? Yeah. Facebook, they don’t care about your privacy. Should have been real good, freaking Zuckerberg, secure. Yeah. Making all that money, stowed ians, right. All right, this next one is pretty big. Infosecurity Magazine: Wawa stores plagued by malware since March. We don’t have, we

[00:53:03] Evan Francen: can’t get over, I kept, kept laughing. Was it, was 3:00 in the

[00:53:09] Brad Nigh: morning, wow. No, they’re like a convenience or gas station kind of in the, yeah, mini, the mid-Atlantic area. But yeah, they discovered malware on the payment processing servers on December 10, contained by December 12, which is pretty good. Unfortunately, they can show that it started after March 4. So, uh, they said by April 22, malware is thought to have spread to most of their stores. So it was out there for eight months undetected on their payment processing. So, I’m gonna guess, uh, that’s not gonna be a fun PCI, uh, experience the next time they go through that. Don’t

[00:54:02] John Harmon: call me. Well, and from experience, like just seeing how these things have been done too. I would, I would bet any amount of money that these guys are PCI compliant, doing air quotes, PCI compliant. They have a ROC. It’s been certified and done like clockwork for years and years, and whoever does that ROC is about to get a ton more business because of this, and consulting hours and redoing everything and all that kind of stuff. Maybe it’s another firm or whatever,

[00:54:33] Brad Nigh: it’ll be someone else, because we’ve worked with others that have had a breach and were compliant, and they were not allowed to use that firm, and that firm is now under, basically every single ROC they put in is under extra

[00:54:48] John Harmon: scrutiny. I’m sure Trustwave, all of their ROCs are under investigation, and they could care less what you

[00:54:52] Brad Nigh: write. Another

[00:54:55] John Harmon: example

[00:54:55] Evan Francen: of being a client for

[00:54:57] John Harmon: the Council. Another example of being compliant doesn’t have anything to do with security,

[00:55:02] Brad Nigh: correct? Yeah. Having seen that, some of the compliant ROCs and sample sizes, and it’s like, how do you justify that? That’s

[00:55:15] Evan Francen: well, yeah, I mean risk

[00:55:17] Brad Nigh: checking things.

[00:55:18] Evan Francen: You know, normally I don’t get, I don’t get upset with organizations who have breaches, right? Unless it’s, like, clearly negligent. So I don’t know the details of how this happened, but the fact that it was able to sit on critical, so this would be a critical server, right? So critical server, you typically have, you typically have, you know, better controls, right? Enhanced controls, file integrity monitoring, uh, you know, DLP, you have something on it, process monitoring, whatever. So application whitelisting, on and on. You can put on the server, and the fact that this was sitting there for nine

[00:55:58] Brad Nigh: months. We still see it where people are like, well, we don’t have endpoint on the servers because it impacts performance.

[00:56:04] Evan Francen: Which is so, this isn’t, this is, what is wrong with you? It isn’t 2003 anymore.

[00:56:09] Brad Nigh: No. Where do you think attackers are going to target? Where your sensitive information is. So not on endpoints.

[00:56:16] Evan Francen: So the fact that they didn’t detect it, you know, for that long is definitely troubling. But then they must have some, must have had some sort of incident response plan, because if they found it on the 10th and it was contained on the 12th.

[00:56:29] Brad Nigh: That’s, that’s a pretty good place. That’s a pretty good containment time. Especially for as widespread as it seems to have been. It was 800 plus stores and it was on all of them. So

[00:56:40] Evan Francen: to prevent, detect, correct, you know, missing on the detect piece

[00:56:45] Brad Nigh: maybe. Yeah, but all right. Whatever. Next, Wawa. The next one. That’s good. Like subs, anyway. Uh, next one is just kind of fun. Uh, just shows that people still suck at passwords, off of Naked Security, sophos.com. Hello 123456, my old friend, I’ve come to talk with you again. The one thing I did like, so I linked to the story and then also to the actual report of the top 50. The one thing I did like on this is the author did take the sites and services to task a little bit, websites, to task for why are you still allowing these to even be valid passwords? Put something in place that validates against the worst 1,000, worst 10,000, whatever it is, and don’t let people use them. So I did like, I like that approach on this,

[00:57:43] Evan Francen: but you know that that’ll make it inconvenient and then people,

[00:57:47] John Harmon: someone has to work around,

[00:57:48] Evan Francen: people won’t sign up for your, no, your whiz-bang new thing if you make it too difficult for people.

[00:57:55] John Harmon: So there was a train of thought that I had about this, and it was somebody else’s idea that said, when do we start, Charmer, who was on the road show. So he said, when we start making credentials, like, how do we, when do we start classifying them as classified information? Right? Like, if you are writing your password and keeping it anywhere, assume that you’re writing down a child’s name and a health diagnosis down there. It’s that sensitive. You would never stick that in public. You would never leave somebody’s personnel file on an open desk. That’s a no-no, that is the law, and people are sticking their passwords, using 123456. They’re not taking this seriously. How do we start bringing the hammer down on people who are doing

[00:58:41] Evan Francen: using their team analogy, that’s like everybody being named Mike Johnson, you know, I mean, it’s like everybody keeps using the same passwords, and we’ve been teaching, you know, passphrases and how to do it.

[00:58:57] Brad Nigh: Well, when people hear that, especially non-security people, they’re like, well, what do we do? Passphrases, here, do this? And it’s like, that’s really, that’s, that works

[00:59:07] John Harmon: one. And here’s the, here’s the thing though, right? We can bring the hammer down, and that’s usually how it goes, or we can try to, you know, usurp this with technical controls and that kind of thing. But I don’t think that there’s enough. We’re good. We’re getting to the point now, we’re pretty good. Everybody’s going through the training as a group. What if we sit down with people, like we have associated with our benefits, like a financial advisor that will come and sit here all day. You can make an appointment, a half-hour appointment with him or her, and sit down like, hey, here’s what my bank account looks like, here’s what I have, what would you do here? And they will, they will advise you. Why don’t we have that for security? Why don’t we, as a part of offerings, just go sit down, what I want to be like, here’s how you set up LastPass. Let’s look at how your Facebook settings are. Let’s look at what your browser settings are doing, let’s look at if your software is updated on here, find your phone, whatever it is. Like, give, give people that personal attention until they can grasp these basic, basic things, or maybe even take an interest in some other things. But isn’t it always the fundamental things, the basic things they can take advantage of? People have crappy passwords, they don’t lock their computers, they don’t have passwords, they don’t have their computers patched, they don’t have their phones up to date. They have, you know, all of that stuff.

[01:00:19] Evan Francen: I think two reasons why one is too costly to be able to give

[01:00:23] Brad Nigh: People one on 1.

[01:00:24] Evan Francen: And the second reason is people wouldn’t show up. I think you try to tell people you try to help people protect themselves and they still ignore you.

[01:00:33] Brad Nigh: Yeah, I think that’s not going to pay. I think

[01:00:35] John Harmon: if you, I think if we just made it like, hey, as a part of a virtual CSO engagement we’re going to come in one day a quarter and take half hour appointments for an eight hour day, and just anybody who wants to come sit down with us, sit down with us and let’s do

[01:00:48] Evan Francen: it. It’s gonna be expensive.

[01:00:50] John Harmon: Yeah, people don’t wanna. We pay for it through our benefits for a financial advisor

[01:00:55] Evan Francen: and I never want to see him. How long did he sit there by himself? Probably a long time. People are like

[01:01:03] John Harmon: But he had something to sell us too, he wants us to use his advisory services, right? Anyway. There’s some trying to give people the benefit of the doubt a little bit, like maybe they just are reluctant to speak up in public. Maybe we’re using words like passphrase and 90% of people are like, oh yeah, that’s really cool. And they’re like, right over my head, I don’t

[01:01:20] Evan Francen: I think what happens here is you start to marry, you know, I posted something last week where I said that you can’t separate information security, privacy and safety, right, they’re all together. The way the world works today they’re all integrated with each other. And so I think as people start to realize that more, I mean, I think it’s gonna get worse before it’s gonna get better. Well, I think part of it, you start tying in one of the things confessed to me with getting money. Like if I want to get a loan, which is the S2Me score, or you integrate that with your credit report, right? And I

[01:01:54] Brad Nigh: think it works too. That’s the way we do it, is how we’ve been doing it where we’re including, that’s S2Me, that personal risk assessment we’ve come to companies for their employees, because people are embarrassed. They don’t wanna do it. But if you can do it a little bit more anonymously, maybe that’s where they start getting questions. You start seeing some activity and now

[01:02:14] John Harmon: I’m saying that there are legitimately people out there, because I know them, they’re in my family, that if you told them like, hey, your bank password, that’s only until you change your password, they would have no idea where to begin. They don’t know how to go into settings. They don’t know how to reset a password. They don’t know how to change anything that I wouldn’t want to change it to. It’s just that basic of a thing that we all know how to do 10 times over and have LastPass, like. My

[01:02:37] Evan Francen: own wife doesn’t have to do some of those things, and then every time she asks me, I’m like, I don’t want to help you. But you know. Yeah, all

[01:02:51] Brad Nigh: right. Last one, also off of Naked Security from Sophos, and this goes back to something Evan mentioned, that at some point this will start costing lives. So Twitter trolls are now attacking epileptics with seizure-inducing images. This did happen in 2016 to journalist Kurt Eichenwald, where he was sent a seizure-inducing GIF via Twitter. Well, now what we’re seeing three years later is, during National Epilepsy Awareness Month, an army of trolls carried out assaults, taking over the Epilepsy Foundation Twitter handle and hashtags to attack anybody who’s following, and they were sending out pictures with those hashtags that had flashing or strobing lights, targeting people with epilepsy, which I mean, I just don’t understand

[01:03:42] Evan Francen: that’s another example of what we just talked about, where you can’t separate information security, privacy and safety, right? I mean, you can use computers now to affect people’s, I mean, you have been for a while, but now it’s gonna become so widespread where, yeah, it’s gonna get crazier than this, man. I don’t

[01:04:01] Brad Nigh: know. I don’t know. And what’s what I’ve struggled with. What? Why? What’s the point?

[01:04:08] John Harmon: I don’t know something. Yeah. That’s one of the things, like the only sensible answer to a question of why is because they’re insane. Well, yeah, there’s something not right in people’s heads that they would actually do that. So this makes me so angry I can’t even begin. This is just so, it’s a poc spirited. There’s nothing redeeming about this at all, or

[01:04:27] Evan Francen: there’s a POC behind it. I mean, don’t put anything past criminals and the way they can use things to get what they want. I mean, I don’t know. I mean, I don’t know the answer, but I think, excuse me, I think there’s more to it than just this eventually.

[01:04:45] Brad Nigh: Yeah. Uh, we’ll see. Anyway. All right. It pisses me off too. Yeah, that wouldn’t bother me. My. All right. That’s it. Episode 59 is a wrap. John, thank you again for joining us. Although I said that’s the first time I’ve been here. So

[01:05:02] John Harmon: you guys are very welcome, and thank you for having me. It’s always a pleasure. I think it’s my third time, really. Can we maybe do the afternoon one of these times though, do

[01:05:12] Brad Nigh: you?

[01:05:14] John Harmon: It’s kind of early in the morning. A little sharper

[01:05:18] Evan Francen: what

[01:05:20] Brad Nigh: we’ve done a couple on a Friday afternoon and it’s going to be fair.

[01:05:26] John Harmon: Evan’s been here long enough. It’s basically afternoon for him. Just a regular workday.

[01:05:30] Brad Nigh: Thank you to our listeners. Keep the questions and feedback coming. Send things to us by email at If you’re the social type, socialize with us on Twitter. I’m @BradNigh, Evan is @EvanFrancen. John, how do you want people to interact with you?

[01:05:48] John Harmon: I’m on Twitter @HarmonJohn, so my last name first and my first name last, and then you can always find me on LinkedIn and all that kind of stuff. Unfortunately, Facebook and Instagram are off limits for me.

[01:06:00] Brad Nigh: So smart. All right. Thank you. Lastly, be sure to follow @StudioSecurity and @FRSecure on Twitter for more goodies, and that’s it. Talk to you all again next week. Mhm.