Learn about how many of the top organizations in the world are missing the memo when it comes to cybersecurity roles, and listen to how GDPR almost ruined Christmas.
[00:00:22] Brad Nigh: We are back, December 30th, 2018, episode of the UNSECURITY podcast. So I’m Brad Nigh, with me again is Evan Francen. How are you, Evan?
[00:00:36] Evan Francen: I’m doing well man the last show of the year.
[00:00:39] Brad Nigh: Big show, we got to have some fun at predictions from last year and predictions for next year and
[00:00:47] Evan Francen: I sort of suck at predictions,
[00:00:50] Brad Nigh: you know, I’ll be honest. So you know, that’s one of the things that we’re gonna be reviewing, your predictions from what, December, January. I get it pretty well.
[00:01:00] Evan Francen: Yeah, I suppose, you know, it’s always a crapshoot. You never know.
[00:01:05] Brad Nigh: It’s kind of a go big or go home. Right?
[00:01:08] Evan Francen: Yeah. Tomorrow is Christmas or New Year’s Eve. You got any big plans?
[00:01:15] Brad Nigh: Um, I will be working but I’ll be in the office normal. But actually we went in yesterday looked at a puppy and they came today for the home visit. So we’re hoping that they will be bringing by a new puppy tomorrow.
[00:01:33] Evan Francen: Mm, start 2019 with another family member.
[00:01:36] Brad Nigh: Yeah. The 11 month old puppy that where the kids are tired of him chewing on them so we’re getting another puppy so he can be distracted.
[00:01:48] Evan Francen: You can chew on each other.
[00:01:49] Brad Nigh: Yes.
[00:01:51] Evan Francen: Cool. How was your Christmas?
[00:01:53] Brad Nigh: It’s good. It’s good that the nice Caps Stanley Cup banner, that’s hanging in the office just to rub it in to everyone at the office.
[00:02:01] Evan Francen: Yeah, we’re stuck with the Minnesota Wild, finally won a game again.
[00:02:08] Brad Nigh: Oh yeah, I can, I can relate and understand how it is. How about yours?
[00:02:15] Evan Francen: Yeah, it was a really good Christmas. Uh you know, we downsized uh in a smaller, cuter kind of home and we had 11, you know, I have five kids, so we had tons of people in my house and they just left Saturday, this last, you know, yesterday, uh so it’s nice to have my home back. I was, it was cool because you know, all the Christmas presents I got this year were stuff I’ll actually use, you know, I don’t like clutter. So yeah, I’m happy about that.
[00:02:50] Brad Nigh: That’s good. Yeah, I got some like upgrades on some old tools that we’re missing, like a bunch of wrenches and some some stuff like that and then some good stuff for the, for the office and stuff, so it was, I’m with you that it’s more useful that way.
[00:03:07] Evan Francen: Yeah, I mean I don’t need anything, you know, I don’t want more stuff that I have to take care of or more stuff I have to look at every day, I mean just this, this was the first Christmas where I really felt like the whole family just valued family as opposed to things, you know, so that was really, really cool.
[00:03:24] Brad Nigh: That’s
[00:03:24] Evan Francen: good, yeah. Mhm man it’s a store for us today,
[00:03:30] Brad Nigh: you know, I think the one thing I wanted to talk about it made me before we really go into the stories is the and when I was looking at like the predictions from last year and coming up this year, the one thing I want to talk about was what was the most surprising trend around information security that you saw this in this past year, Like that you just were looking back was just like, huh did not see that coming.
[00:03:55] Evan Francen: Mm. It’s a good, it’s a great question. Uh I guess I’m a little disappointed. Um I know it’s not a trend, you know, I think a lot of the things we see today are the same things we saw 20, 25 years ago and some of that stuff I think we’ll talk about later. Um I’m sort of surprised that there wasn’t more, like there’s still not a national data breach notification or privacy law here in the United States and I still, you know, I think that’s surprising that another calendar year goes by where we’re still sort of like half in, half out, you know? Right. But I don’t think anything really surprised me. You saw a lot of ransomware attacks this year, we saw a lot of uh you know people just kind of struggling with the basics of of information security. Um Yeah, I don’t think too much really surprised me. How about you?
[00:04:55] Brad Nigh: Yeah, it was more double ongoing trend of of the how these breaches are happening. It’s just people clicking on emails, they shouldn’t just missing patches because they didn’t realize what their assets were, where things were. So I as much news as bit the odds, there’s been the last three or four years, I would have expected that to start to get better and it just doesn’t seem like it is right.
[00:05:26] Evan Francen: I think one surprising trend actually not, I think about a little bit more because as we’ve taken SecurityStudio, you know, with VENDEFENSE and uh you know, now we have a, the other side of our business, it’s separate from FRSecure where you and I spend, I think most of our time. Yeah. Uh now that we have a product, um I think one of the things that’s sort of surprising is how much money is being invested into the security industry without any uh fundamental profit or anything, you know, like, you know, like VENDEFENSE uh is a new product. It’s, you know, we’ve got, last week was a great week, you know, short week and we signed up, you know, I think five new customers. So it’s going really well. But as we’re looking at some of the competition, I mean you look at like um Prevalent and other players in this, in this market, they’ve raised tens and in some cases hundreds of millions of dollars and they’ve got $345 million in revenue. It’s like, what the hell? So there, I guess I’m really surprised at how much money is being just, just dumped into the, into, into the security market without any. I mean, so speculative right now because who’s gonna emerge as the winner? It’s uh that’s kind of crazy, I think,
[00:06:53] Brad Nigh: yeah, I guess it’s still so new. Nobody really knows what, who’s the winners winners are going to be. So it’s just, yeah, speculation
[00:07:03] Evan Francen: Inside I think is for $660 million, $600 million or something right now. And you know, I think if maybe $15, $20 million in profit, maybe our revenue, I don’t know, I don’t know what the numbers actually are, but I mean the multiple is like 20, 30 times revenue is what these companies are being valued at, wow. So from a SecurityStudio perspective, we’re not taking investment, we don’t want to be speculative. We really want to be more sort of homegrown and fundamental. So, um, you know, we’re not really playing that game.
[00:07:46] Brad Nigh: I think that’s good though, right? Because then you’re not answering to investors, it’s, we can do this the right way, right, Not worry about that outside pressure to just yeah, do it the way they think it should be done to make, make them their profit back.
[00:08:03] Evan Francen: Can you hear the snowmobiles outside my window. I just had like five snowmobiles go by a lot of sunny, loud as hell and I don’t know if you could hear it.
[00:08:13] Brad Nigh: No, no it was funny. We had uh we I had a couple of neighbors, they were out with their like ATVs and snowmobiles with slides behind him dragging the kids around earlier today. So it’s fun to watch and I need to get one of those.
[00:08:28] Evan Francen: Oh yeah. And by the way, the money, the money thing, I cover that in chapter eight. I guess I’m surprised at how pervasive it is. You know, chapter eight of the book that’ll be out next week. It’s a money grab and yeah, I guess you’re seeing that play out. I just didn’t realize it was so bad, or good, depending on which website of the
[00:08:53] Brad Nigh: uh Yeah I guess. Yeah. There’s a lot of money out there. A lot of money to be made. Yeah. Billions, wow. It’s crazy. So you mentioned the book so it’s gonna be out next week. Well you know published. Okay.
[00:09:12] Evan Francen: Yeah. So the book right now is, is at the printer um just run uh this time of year. Um I mean you just can’t keep wanting it to come and come and uh January. I’m told by the, we’re told by the printer before January 9th. So. Mhm. I’ll be, I’ll be, I’ll be gone during that time. So um I guess everybody else will be able to see it before I actually do.
[00:09:41] Brad Nigh: I
[00:09:45] Evan Francen: know right? It’s like hell. Tyler man timing sucks.
[00:09:50] Brad Nigh: Yeah. Well he’s just gonna have to cancel vacation.
[00:09:53] Evan Francen: Well not really a vacation, right? It’s starting the next book. It’s true. And then you and I, we talked about maybe You and I tag teaming on a book, second half of the year this year. I think this is going to be a really, really exciting year. 2019 is going to be a lot of fun.
[00:10:10] Brad Nigh: Yeah, I think you mentioned that second book and I was thinking about it, you know, that I could, I could help out with that. So
[00:10:18] Evan Francen: I’m so happy that you, that you asked.
[00:10:22] Brad Nigh: It’ll be fun. It’ll be good experience.
[00:10:25] Evan Francen: Yeah, well that will be the third book in to less than two years. Uh, you know, it’s kind of aggressive, but you know, I’m not going to live forever.
[00:10:34] Brad Nigh: Just a machine. We’ll see, Oh, you can tell, we’re a little bit punchy here at the end of the Q4 and holidays.
[00:10:45] Evan Francen: It’s been a great year. Very excited.
[00:10:48] Brad Nigh: Yeah. Anything else you’re excited about around with, you know, office or anything?
[00:10:57] Evan Francen: Yeah, I think uh, the budget, you guys put together, you know, promoting John Harmon as president of FRSecure. Uh, and then the budget and just the management of, you know, you and the rest of the team there. That’s super exciting. So that’s cool. I kind of knew about that a week or two ago. This week, um, on Friday, the president of SecurityStudio, which is, you know, James Williams, and his team put together a marketing plan. And so Friday, we had a three hour meeting about this plan, you know, and I don’t understand marketing, you know, and I realized that most CEOs don’t, so I don’t feel bad about that, but I’m frustrated that like, you know, it’s a mystery to me. So I’m like, what the hell are they doing? I don’t get it. You spend lots and lots of money on it. Well, they give this plan and it’s awesome. So I’m really, really excited about the SecurityStudio side of the business as well this year. I think SecurityStudio, for a, essentially a startup, is going to be profitable this year. So then you have, we have two profitable companies with really, really bright futures. So that, that solidified for me last week. Um, so I’m just, I’m pumped, man.
[00:12:24] Brad Nigh: Yeah, that’s helping them out with a lot of the projections and figuring out all that stuff. So it was fun. I like getting dirty into the spreadsheets.
[00:12:35] Evan Francen: We’ve talked about that and they didn’t go pie in the sky, you know, type things. I mean, they put legitimate, I think not easily, but will be attained goals for that. Yeah. And then we had some time together last week too, that was fun. I did, we did the map, the mapping of FISASCORE to, um, uh, you know, a bunch of other. Yeah. Yeah, that was cool.
[00:13:01] Brad Nigh: We’ve both been working on some, some stuff around vendor risk management and I was looking at, we both put together, you know, times about, okay, each of these tasks as a vendor risk manager, how long would it take per vendor? And we can’t. It’s interesting because we both had slightly different approaches to kind of what some of those tasks would be, but at the end I think when you compare where they’re at, we were within, you know, 15, 20 minutes of each other. So that’s like, oh they
[00:13:34] Evan Francen: better. I was working on the VENDEFENSE ROI calculator. And you were working on VENDEFENSE as how it fits into the VRM business for FRSecure. So you have to estimate the number of hours it takes to do these things. And obviously I do too with the ROI calculator and we were able to compare those. It’s cool.
[00:13:54] Brad Nigh: Yeah it was pretty good. So
[00:13:57] Evan Francen: yeah that’s all exciting stuff man.
[00:13:59] Brad Nigh: There’s, oh, I was gonna, I had something I was going to bring up and Jose and talk about, shoot, I don’t know, I’ll remember at some point and talk about it next week. But yeah, next year is gonna be good. I think uh we’re gonna have to start looking for people because I’m looking at, at our current levels and uh
[00:14:27] Evan Francen: our staffing
[00:14:28] Brad Nigh: for staffing and how many, how many people are, how many, you know, vCISO engagements each analyst has. A good problem to have is to go, huh? We may have to speed up our hiring. We’ve got too many people asking for help.
[00:14:44] Evan Francen: That is, that is exciting. And I think to date we’ve, we’ve had a really good success in attracting good, really, really good talent. Um What, do you remember when we started 2018? So a year ago, do you remember how many employees there
[00:15:02] Brad Nigh: were? Isn’t it around? I was like what 40, something like that.
[00:15:08] Evan Francen: Yeah I think you’re probably right. And then I think what are we at now,
[00:15:12] Brad Nigh: 70 75.
[00:15:15] Evan Francen: Yeah I think next year will probably be 120 maybe
[00:15:22] Brad Nigh: if it wouldn’t would not surprise me.
[00:15:25] Evan Francen: It’s really cool.
[00:15:27] Brad Nigh: Yeah I mean yeah keep talking about it but you know August of 2016 it was 24 employees, 25 employees something like that. So
[00:15:39] Evan Francen: yeah, yeah, when we’ve grown the right way, you know, we haven’t, we haven’t fumbled too much. I mean everybody fumbles a little bit but um yeah, it’s uh it’s really neat to be, to be a part of it. Well
[00:15:54] Brad Nigh: that’s what, that’s part of what’s the fun is, nobody there is above admitting they made a mistake and changing it and being open to suggestions or, you know, corrections if it is justified, right? There’s no pigheadedness of no, we’re doing it this way because we’ve done it this way and we’re going to continue doing it this way,
[00:16:17] Evan Francen: know that better. Never happened.
[00:16:19] Brad Nigh: No. And the people that say the people that are that way don’t last.
[00:16:24] Evan Francen: Right? Right. Well, I sent an email on Friday to our executive leadership team, asking them what they would like to see out of me, you know, as their CEO for 2019, you know what? Give me 5-10 things that you really like to see me do this year so that, you know, I can enable you. Then I got, I’m just trying to get responses back, but that will essentially be my job description for this year.
[00:16:53] Brad Nigh: That would be good. Yeah, we’ll see what you actually have a job description, just like whatever comes up.
[00:17:02] Evan Francen: Well, I’ve, okay, so I googled, you know, what does the CEO do, give me, you know, what’s a job description for a CEO. And, and I looked at job description after job description, looking for some trend, looking for something that’s similar between them and there isn’t really a standard. No, it’s different across different organizations.
[00:17:24] Brad Nigh: I think you probably look more at skill set versus, you know, actual job descriptions that there is so much just experience and dealing with people and just as kind of higher skills.
[00:17:41] Evan Francen: Yeah. As as our company ups its game. I also need to up mine, you know. Yeah,
[00:17:50] Brad Nigh: it’ll be
[00:17:51] Evan Francen: good. Oh yeah, I have zero concerns, Like truly zero. I don’t have any.
[00:18:00] Brad Nigh: Yeah, I think my biggest concern is, can, can we keep hiring fast enough? Yeah, we can. Oh man, right. All right. So I guess we can die then we got a bunch to cover today. Yeah, we’ll go in first story. I wanted to go through. I thought it was kind of just humorous more than anything, but it was off of texture.
[00:18:25] Evan Francen: You your, I
[00:18:29] Brad Nigh: do have my green shirt. I’m not wearing it today. But uh, it was titled, off of detector, how the GDPR nearly ruined Christmas and uh, you know, you hear that title and quiet. What happened was a small town named Roth in Germany has a long standing tradition where children write down their Christmas wishes and they would then place the monetary in the market and then the city council would get together, they collect them and read the wishes and try to get the children what they wanted. Okay, just kind of a fun, wholesome tradition. And now with GDPR they can’t do that because it now collects names and other identifying information, which is, you can’t do. So they were saying no, we can’t do it anymore. And uh finally they came back and uh got a disclaimer from a local radio station, put together the solution and the wish list had a standard format with a disclaimer on it. So those unintended consequences out of some of the laws that get placed there with good intentions.
[00:19:44] Evan Francen: Well, that’s the thing, I mean, you take a law that wasn’t intended, you know, I don’t think, to ruin Christmas, no, necessarily even intended to be applied in this way that, you know, I mean, this is the interpretation part, right? Right? You have GDPR. And that was one of the problems that’s been a problem all year long with GDPR and even before that was how is this going to be interpreted? How is it going to be applied and without any precedent? You know, people do stuff like this? Yeah, and then you have kids who honestly, I don’t think they give a crap about GDPR, they want Christmas, right? They want, and so the kids are losing their innocence because of things like this, you know, when you have to tell your child, I’m sorry, we’re not going to do this thing that I’ve been, you know, that it’s a long standing tradition that their parents probably did it. Maybe even their grandparents did it and it’s, and we’re not going to do it this year guys because, you know, we don’t want to be in violation of GDPR.
[00:20:51] Brad Nigh: right, but and I think the town, I mean without any any guidance, I think, you know, they have to do that, right, they can’t just collect it and then get sued. Yeah, I don’t know,
[00:21:07] Evan Francen: I’m, I’m more of a risk taker. Out, just what is wrong with it? You know what I mean? Don’t disappoint the kids. And if, if uh, you know, they want to, they want to smack down on us, you know, it’s a first violation, you know?
[00:21:25] Brad Nigh: Yeah. And I said, you know, if there’s probably some lawyers out there that would have helped.
[00:21:31] Evan Francen: Oh, there’s always lawyers, no shortage of that.
[00:21:34] Brad Nigh: So anyway, I thought I was just kind of funny about The title with that one. So anyway, did you read some
[00:21:42] Evan Francen: of the comments
[00:21:43] Brad Nigh: to? Yeah, some of them were pretty insightful. A lot of them were just flaming wars. Mhm.
[00:21:54] Evan Francen: But yeah, GDPR,
[00:21:59] Brad Nigh: Yeah. I like the one that said there was one that was, it was saying you don’t think that the government already has the records. How is this any difference? That’s a good point.
[00:22:11] Evan Francen: Yeah, absolutely.
[00:22:13] Brad Nigh: Hopefully we get some more clarification or hear about what exactly the expectations are.
[00:22:21] Evan Francen: Well, this is the challenge with compliance though. You always have the letter of the law versus the intent of the law and, you know, trying to apply it. Um, you know, at the end of the day, what are we trying to do? We’re trying to manage risk. Well, right. We’re trying to manage. So I get the kids’ information. I need to be a good steward of that information. The problem is, so many people don’t know what it is to be a good steward of that. Right. And so you have idiots who, sorry? I’m getting, I’m kidding, getting hot, but people who don’t treat other people’s things well and then everybody else has to suffer for it.
[00:22:58] Brad Nigh: Right? Yeah. I mean it’s like we have speed limits, right? One person ruins it for everyone. Mhm. Totally true. It was not my intention to get you all riled up today. But man, that was pretty quick.
[00:23:14] Evan Francen: I don’t like seeing kids suffer because we were bad at our jobs.
[00:23:19] Brad Nigh: Yeah. Yeah. Yeah. The compliance part of it and you have to do these things, but it doesn’t really say what is good or not. You have to interpret it. Right.
[00:23:32] Evan Francen: Well anyway.
[00:23:34] Brad Nigh: All right, moving on. Uh Next one was off of Krebs on Security. Chief security concern for executive teams, that’s the title of that one and came out a couple, two weeks ago or so. They reviewed the websites for the global top 100 companies by market value and found just 5% of the top 100 firms listed a chief security officer or chief information security officer on their website and only a little more than a third listed as CEO and executive leadership. So I think, excuse me, um you know, this is really kind of cementing what we’ve seen in a lot of the struggles that, that are out there uh in companies, you know, your CSO doesn’t have, they’re not at the top level, they’re reporting up and they’re buried under layers and it doesn’t, it’s not efficient, you know, you’ve got filters going all the way up and they can’t do their job. You know, they have the example in there about Equifax where, you know, it got split where the CSO was under the chief legal officer because there had been a prior personality conflict between the CSO and the CIO. And but when they got new people in, they didn’t resolve it and now they’re trying to do work and they’re not talking and yeah, it was interesting to see those numbers the way they are, but it didn’t really surprise me.
[00:25:10] Evan Francen: Well, it’s really frustrating. I mean this is another one of those things where, you know, we’ve been screaming this for 20, 25 years that if you really want security to be uh taken seriously, you need to have it reporting to the top. And it’s disappointing to see that. And I don’t know where, Krebs admits it too in his article that it’s not really clear where CSOs are, you know, just because they’re not listed. True. Um you know, five, but 5% of the top 100 firms list the chief information security officer or chief security officer. And you know, it’s, that’s frustrating because everybody claims, you know, yeah, it’s a top priority, you know, customer privacy, customer security, it’s top priority and yet in practice that’s not true because I think even, even if they’re not listed, I think in most cases, you know, CSOs, or if there is a CSO or CISO, it’s reporting up to the CIO. So we’re still treating this like it’s an IT issue.
[00:26:24] Brad Nigh: That’s what this issue. Yeah. There’s that conflict of interest immediately right there when you go that way. Right? Because yeah.
[00:26:35] Evan Francen: And so you, I mean, what, something is going to have to give at some point, you know, whether this might be a compliance thing. I mean, this might be something where, all right, you know, right man. Change compliance somewhere, issue a new law that says you have to have a CSO reporting to the top. I mean, I don’t know.
[00:26:56] Brad Nigh: Yeah. Well, I will say the one good thing out of it, um towards the bottom of the article, but they cite a survey released by Accenture and that one had 1,400 C-suite executives in it. And it’s saying that now two thirds of companies have uh the chief executive or board of directors having direct oversight of cybersecurity. So it seems like maybe the smaller, mid size.
[00:27:28] Evan Francen: It’s a survey how many of them are going to claims they don’t. Yeah. I mean I mean if you ask, you know, think of our own clients if you ask them, hey do you have oversight of cybersecurity, Direct oversight of cyber security. I mean they’d all say yes, wouldn’t they? Most no they don’t.
[00:27:50] Brad Nigh: I don’t know. I think, you know, it’s uh, this is in there, 38% of companies bring the CSO into all discussions at the beginning stage of considering new business opportunities. So I mean, you know, 62% don’t. So that doesn’t surprise me. So there may be some truth to that.
[00:28:12] Evan Francen: Yeah, I don’t I think you’re an optimist.
[00:28:15] Brad Nigh: Hopefully I’m looking for any any glimmer of hope
[00:28:20] Evan Francen: here. No, no, no. I mean there’s hope, I mean it’s probably better than it used to be, but we still have so far to go. Most CEOs are really clueless about information security, they’re making significant decisions, I think, without, what about risk?
[00:28:38] Brad Nigh: I think that, that’s the, that’s kind of the rub on that one. It just says that the uh CEO and board of directors have oversight of cybersecurity, doesn’t say anything about them actually having somebody in that role that knows what they’re doing. They’re just saying now it is at least being looked at at the highest levels,
[00:28:57] Evan Francen: right, and a lot of times it’s being reported through, I mean, look at reporting structure. So uh the CSO who reports to the CEO, uh usually it’s the CIO and the CSO might report to the CIO. And you see how that, I mean that’s, that’s a problem.
[00:29:17] Brad Nigh: Well then right, without seeing that full report, you know, I’ll be honest.
[00:29:23] Evan Francen: So the CEO is getting oversight. But what is the message he’s getting or she’s getting? It’s the one from the CIO or CTO and not the message, not the direct message from the CSO. So I mean, I saw the same thing. I’ve seen it so many times. Even, even, you know, at a company that I’m working with right now, the CSO did report to the board, which was awesome. But then they kind of screwed up, I think, and lost their political capital. And now they report two layers down. They report, they report to like the CIO, maybe.
[00:30:03] Brad Nigh: Yeah.
[00:30:04] Evan Francen: Because I think, I think one of the things we don’t want is the board or the CEO getting a watered down version of what, what really is happening.
[00:30:12] Brad Nigh: Oh, I agree. It should be directly from, you know, the CSO’s mouth and, and they have to be able to work without fear of, hey, if I tell them something they don’t want to hear, I’m gonna get fired and dull replacing. You need to have some, something in place there for that. I think that’s why I like doing the consulting thing. It’s like you said, I can go in and tell the truth and, you know, you have to deliver it the right way. But if they don’t want to hear it and they fire us, I’ll just go work with someone else.
[00:30:47] Evan Francen: Right. I sleep well knowing that I told the truth.
[00:30:50] Brad Nigh: Right? Yeah. I don’t have to try and make it fit a narrative. It’s hey here’s here’s what it is
[00:30:58] Evan Francen: because I mean how many we have maybe, I don’t know. We have so many customers and how many board presentations have we actually done?
[00:31:08] Brad Nigh: Um
[00:31:11] Evan Francen: And as a percentage
[00:31:14] Brad Nigh: Good Lord single digits. Right.
[00:31:17] Evan Francen: And so we’re creating, you know, it just, did just say, you know, even in our assessments we do uh I think really top notch assessments and we have an executive summary report that people seem to like really well, yet it still doesn’t get reported to the board. And I wonder because oftentimes when we’re doing our work we’re doing our work for CIOs. Mhm. A lot of times, a lot of, yeah. So I think a lot of times the CIO was like, all right, thanks for the report. And we were like, you know, would, would you like us to put together a board presentation? Oh no, no, I got it. I got it.
[00:31:52] Brad Nigh: Mhm.
[00:31:54] Evan Francen: Well okay. What what are you going to say? I mean it’s not my place right because at the end of the day it’s your job, it’s your company but yeah but that’s that water down thing. Yeah they go out there, the board doesn’t see it.
[00:32:10] Brad Nigh: Yeah, that’s, I agree. That’s one area we definitely struggle with is even, you know, we make sure we make it very clear, hey, I’m happy to do this. We’ve got, we do this all the time, you know, talking to executive levels. Let us explain it, it’s probably gonna be a lot easier for us to answer their questions about what methodology or what we were looking for. What does this result mean? Than somebody interpreting it based on, you know, free of the, we’re just reading through the report, right? They don’t want it.
[00:32:50] Evan Francen: Right. Well, the things that dominate the C-suite are revenue generating type of roles. And I think the CSOs, I think we haven’t done ourselves much of a favor in our industry uh because we haven’t quantified, well, we haven’t managed risk well, we haven’t, you know, we’re viewed as a cost center. You know, you just keep dumping more and more money into information security. What value do I get?
[00:33:17] Brad Nigh: Well, I think that’s why I like the way we report it and it is, it is measurable over time because now that, hey, we spent X number of man hours, we spent this much on technology, we spent this much on, you know, policy, procedure, whatever it is. Our score went from a 425 to a 515. Now I can actually put a dollar amount to that increase and then show how much that decreased risk. And it gives that, here’s what we did, here is what we spent, I don’t know, $5,000 per percentage point or whatever it is, but you can at least get them to see and understand it. I think that they, that dollar amount approach, they tend to get more. Mhm.
[00:34:08] Evan Francen: Yeah, I agree. Yeah, I agree. And I call this, in this uh, call this empty promises. I think it’s where I cover this a lot too in the book. It’s just, and the empty promises. Everybody says, every, every executive says that they take information security very seriously. The top priority. Yet you see it actually applied in their businesses. You wonder, if it was such a top priority then why aren’t you getting the story directly from the horse’s mouth? Why does it have to report through?
[00:34:37] Brad Nigh: Mhm. I think that goes to they don’t know, they don’t know any better. They think they’re doing the right thing maybe. But it’s not
[00:34:45] Evan Francen: there’s definitely a conflict there. There’s a conflict between the CSO and a CIO which is healthy if it’s managed well. If it’s indirect, you know, like a filter, it’s not helpful.
[00:34:58] Brad Nigh: Yeah. It’s
[00:35:01] Evan Francen: a good, a great article, man. And I think a great thing, we could talk about this for a long time.
[00:35:07] Brad Nigh: I think the best thing that I got out of it is people are actually starting to talk about it though, right? Krebs is a pretty big name. So we’re starting to see, to some extent, you’re having some stuff around it. So maybe it starts getting some traction now.
[00:35:22] Evan Francen: Mhm. You are an optimist.
[00:35:24] Brad Nigh: I try.
[00:35:26] Evan Francen: That’s one of the things I love about you.
[00:35:29] Brad Nigh: So next one, this one is going to be fun for me. I was excited. I was trying to figure out, putting together all the things and I was like, oh, hold on, we’re gonna look at Evan’s 2018 predictions and see how he did. So now we’ll get to see uh, see where you’re at. So your first prediction was around GDPR and it being a really big deal. Yeah, and these are all out on our website on frsecure.com under the blog section there. So if you want to really read through them and, and nitpick, you can. But uh I think you’re, it’s pretty, pretty accurate on that. Um You know, you said the tone for enforcement, early and often, and organizations to be penalized for noncompliance. So you’ve seen that and there are some pretty big numbers that were thrown around for fines. Obviously they’re still fighting them. But I’ll give you a green check mark for prediction number one.
[00:36:26] Evan Francen: Yeah that one was you start off your predictions with as much as as much of the sure thing as As possible. So we knew going into 2000 18 the GDP are even though the enforcement began on May 25 ah we saw it in our own business to how people were really kind of confused and ramping up. But the one thing that I think people are still confused with is how it’s actually going to be interpreted and we have to wait for some of those things to happen.
[00:37:00] Brad Nigh: Yeah I was getting that said a lot earlier in the year. I think my approach at the time is hey look let’s read through it. We’re ultimately a deal if it comes down to, do you know what you have, do you know where it is and if somebody asks for it, can you provided to them and are you protecting it at the end of the day? That’s all it’s about. So you know like well what about it’s going to be a couple of years before there’s anything finalized as my guess because it’s going to take a while to go through the courts and you know all that stuff. So
[00:37:34] Evan Francen: but in the meantime if you if you do the fundamentals of information pretty well you’ll be in a really great position for G. D. P. R.
[00:37:42] Brad Nigh: Yeah just data asset management. Do you do you even know what you’re collecting? Do you know where it all lives
[00:37:50] Evan Francen: exactly what and that doesn’t just help you for G. D. P. R. That’s a security fundamental foundational thing.
[00:37:56] Brad Nigh: Yeah. Yeah I read through the lawn, you know I only kind of blacked out a couple of times from the reading law. But ultimately guys it’s pretty much about those fundamentals. It’s not that difficult if you do it right. So unfortunately I think there’s a lot of uh back my uh reverse engineering or whatever you want to say to fix those things that weren’t done. Right?
[00:38:28] Evan Francen: Yeah. All right. So my second prediction was ransomware attacks continue being more sophisticated.
[00:38:37] Brad Nigh: Mhm. That was true. That was true. We definitely saw a lot of that in the ransomware that we dealt with in incident response this last year. So
[00:38:47] Evan Francen: yeah, that’s a crappy trend.
[00:38:50] Brad Nigh: I was in that cell in two checkboxes, hey, At worst, or what made you do? 10, and
[00:38:59] Evan Francen: all
[00:39:02] Brad Nigh: Right. Uh, number three was IoT attacks will get nasty. So mostly DDoS related. I think that that's been the ongoing trend on that, is just DDoS. They're using them as botnets. I haven't seen anything else yet.
[00:39:19] Evan Francen: Mhm. I didn't see a lot of, I mean, I expected, I think, more high-profile IoT stuff this year and, uh, you know, there wasn't much, you
[00:39:32] Brad Nigh: know, I think, well, but if you think about it, I think the biggest thing is, from an attacker's perspective, it's more valuable to have them as a botnet for DDoS than for anything else yet. The value is not there, they're not seeing a return. So why spend the money or the effort doing it if there's no return on it. Yeah. Yeah, true. I think it will happen as more things go online, but I'll give you a half check. Yes, the dash, no, not negative. Just a dash. All right. No red X. Cool. All right. Because it was number four,
[00:40:15] Evan Francen: Oh yeah, four: more financial fraud attacks through partners. Yeah, this was written not long after I had just responded to an, an incident response where, uh, unfortunately the attacker got away with more than $800,000 from a company. It was kind of a sad story, but, um, I expected more of those attacks because, when I did the incident response, I was like, man, it was just so easy for the attacker to do this. Uh, so I just thought, well, you know, I know how attackers work, we're gonna see a significant increase in that this year. Yeah.
[00:40:58] Brad Nigh: Oh yeah, I mean, we've seen a couple calls come in and, yeah, we've gotten asked, can we get our, what are the odds we're going to get our money back? No, no, no. Just the bank, you're pretty well out of luck. A day, maybe two.
[00:41:18] Evan Francen: Yeah. Yeah. So that was, I mean, I think, yeah, we've seen, I mean the last couple of incident responses that I've been involved with, uh, have targeted specifically accounts payable. So clearly, um, motivated by financial, uh, fraud. So I think, I think I got that one right.
[00:41:43] Brad Nigh: Absolutely, it’s a check plus
[00:41:47] Evan Francen: It might outdo the dash then. So
[00:41:50] Brad Nigh: It evens it out. Cool. All right, so number five was lack of qualified security expertise, problems get worse, outsourcing of security services will grow. You definitely got that one nailed.
[00:42:03] Evan Francen: Yeah, and some of these too, I'm like, now I don't know if, when I wrote this back at the end of 2017, I don't know if it was as much "duh" as it is now. But now, you know, I read it and I'm like, oh yeah, I
[00:42:17] Brad Nigh: mean, right. Yeah, and yeah, we have quadrupled the number of our vCISO engagements from January to where we're at right now. Yeah. I mean, that's crazy growth.
[00:42:35] Evan Francen: Well, so I said in the article that I was expecting growth to continue beyond our 40% projections, so we went way over that too.
[00:42:46] Brad Nigh: I like to set the bar low. Right?
[00:42:49] Evan Francen: I just you know trying to be reasonable and
[00:42:52] Brad Nigh: it could cripple it. What are you gonna do this year? Uh A load. Right. Yeah I got that one. All right okay.
[00:43:04] Evan Francen: Cryptocurrency chaos was number six. Price volatility and regulation. I expected to see more regulation, but I didn't.
[00:43:11] Brad Nigh: No, they hit, spreading rumors about it. But so I did look, because I was just like, all right, I'm gonna call him out on this if he was wrong. But, so, December 17th it was at $19,783, and then dropped to $13,000 in December. February 5th it was at $6,200. So it dropped dramatically, and now the last one I found was from November 24th, it was at $3,778. So just a fraction of where it was at a year ago. Bitcoin. Yeah, the value of Bitcoin.
[00:43:51] Evan Francen: So Bitcoin went from $19,000 in December 2017 to like $3,600.
[00:43:57] Brad Nigh: Yeah, went from almost $20,000 to under $4,000.
[00:44:01] Evan Francen: It's crazy how many different, uh, cryptocurrencies there are. I mean, that was more than, I mean, the last I saw there was like 2,000.
[00:44:12] Brad Nigh: I can't keep track. One of the other things is, yeah, there was a bunch of stories about some of those, uh, I don't even know what they call them, the, the exchanges, where they would just be like, oh, sorry, we lost everything, and close up and go away, and then what actually happened to them? Right.
[00:44:32] Evan Francen: So yeah, I still don't, you know, I haven't had the time or the energy really to dump a lot of research into cryptocurrency, other than, you know, reading news stories here and there. Uh, yeah, some of it is still, you know, to be honest, it's still sort of a mystery to me. I'm not playing in that market. I don't have enough chaos as it is.
[00:44:55] Brad Nigh: Right. Yeah, I had one friend that I know about that, you know, started really early in it and was able to cash out early, the early half of '17. Not when it was at its high, but still got out at a really good time, man. It would have been nice, but yeah. Um, all right. So number seven, cyber insurance, and the market will explode. So the expectation was, what, estimates accounted for 19% of cyber insurance? You think it's going to be 34-38%. We definitely get asked about it a lot more.
[00:45:41] Evan Francen: Yeah. I haven't done research, you know, since this article to see, you know, what the market is now. Yeah. But yeah, it's becoming almost commonplace, and the underwriting process, it doesn't really underwrite on risk. It's just underwriting on... Yeah. I mean, I think that the cyber insurance market, the insurance market, is trying to grab market share, so they're pricing it aggressively and just signing people up. I don't think they have any true understanding of what the risks are. Yeah.
[00:46:16] Brad Nigh: Yeah. So, funny about this. The foster, who adopted the puppy, the foster, um, people had to come and do the home visit and all that because we have the other dog and they have to make sure, anyway, she asked about what you were just talking about. That's what they did. And I told her and she's like, oh, I'm in insurance, I'm in insurance and I know our cyber risk division has just exploded and they're struggling to figure out how do we actually do anything, and, well, we'll be in touch. But it was interesting to hear from the insurance side of it that they're just getting asked all the time and getting requests all the time, and they don't know how to properly underwrite this stuff yet.
[00:47:03] Evan Francen: No. Yeah. And it's just sign them up. I mean, that's what I'm saying. It's just sign them up, sign them up, sign them up. Pricing still seems like it's kind of all over the board. They're underwriting based on, you know, one-page applications, maybe 5-10 questions. I mean,
[00:47:22] Brad Nigh: Yeah, one of: have you had a risk assessment performed? That's it. What did it cover? What did it look at? Can we see the results? Have you done one? Yes. Perfect.
[00:47:34] Evan Francen: Yeah. So I don't know. It will be interesting to see how that market starts to sort of solidify, because we're starting to see now losses just in our own incident responses. I mean, one that we did just not that long ago, that breach, it was a ransomware attack and it cost the company probably a quarter million dollars, maybe $300,000, and submitting that to insurance. And I think insurance is going to cover it. So you'd have to, you'd have to collect $103,000 a month in premiums, yeah, to pay for that.
[00:48:12] Brad Nigh: I think you'll start to see, I think in '19 you'll see a lot more around formalizing that as these breaches start really hitting them in the wallet.
[00:48:25] Evan Francen: But I did okay on that one.
[00:48:27] Brad Nigh: Oh, I'll give you, I'll give you a check. Yes, just on anecdotal evidence there.
[00:48:35] Evan Francen: Yeah, we'd have to do research too. Too bad.
[00:48:37] Brad Nigh: That’s hard.
[00:48:39] Evan Francen: Oh who’s got
[00:48:40] Brad Nigh: right.
[00:48:43] Evan Francen: All right, so eight was attacks on U.S. government and critical infrastructure. I expected more. Mhm, mm. There may have been more, but I don't know.
[00:48:54] Brad Nigh: We haven't heard about any. No, no.
[00:48:58] Evan Francen: Uh huh. So I think maybe
[00:49:00] Brad Nigh: Yeah, maybe a dash, because you know what's happening, we just haven't heard about
[00:49:04] Evan Francen: it. Exactly. Something, and something in your gut is telling you it's happening, you just don't know. Yeah, right. So nine, I'm glad, I'm very happy to hear. Uh, so my ninth prediction was a breach will occur in the world that will result in loss of life. Mhm. Um, and again, it's possible, you know, because now you have medical devices, you know, IoT everywhere, cars that are driving themselves. I mean, there may have been a loss of life, or an indirect one, but thankfully, you know, there's nothing. Yeah.
[00:49:39] Brad Nigh: I couldn't find anything. So that's a, that's a check with, like, wiping the brow.
[00:49:45] Evan Francen: When I put my last, yeah, sentence in that prediction, it was, I don't like this prediction at all. I hope I'm wrong. So I hope, I hope so, because, you know, loss of life is
[00:49:57] Brad Nigh: yeah. And the last one was new law protecting U.S. citizen identities fails. That would be an X, we missed on that one, but, you know, overall that's passing. Take it. Yeah.
[00:50:11] Evan Francen: I wonder when we're going to get off our butts in the United States and pass a good one. Not like GDPR, but a good law.
[00:50:23] Brad Nigh: Yeah. Well, I mean, we started to work on one and then it was, it was like a, it was a mess. Mhm. So
[00:50:34] Evan Francen: My bonus prediction was the book will be completed and published this year. I'm nine days, I'm going to be nine days late.
[00:50:41] Brad Nigh: Man, that's a tough one to end on, a big red X on that one. You completed it. We'll blame the publisher, the printer there.
[00:50:50] Evan Francen: Yeah there you go. That’s it.
[00:50:53] Brad Nigh: I have no idea.
[00:50:56] Evan Francen: Well, that was fun, man. I appreciate that, to go back and revisit and just see, you know.
[00:51:02] Brad Nigh: Yeah. Yeah, I think you did pretty well, a pretty good job. I wouldn't have wanted to do it.
[00:51:09] Evan Francen: Well I mean now you’re gonna do it again don’t I?
[00:51:12] Brad Nigh: I'm gonna, yes, you have to. I mean, I hate doing those things, those are hard. So which leads me to the next one, which is the 2019 predictions.
[00:51:25] Evan Francen: Yeah you got some good sources here.
[00:51:27] Brad Nigh: So I have articles from Threatpost, CSO Online and TechRepublic. The TechRepublic one is more about data breach predictions. The other two are just cybersecurity predictions, and, you know, reading through it, it was kind of interesting. They had a lot of sort of similar, but then contradictory at the same time. So, you know, Threatpost, just quickly running through: Spectre-like attacks, sophisticated IoT attacks, ransomware is back, operational technology and IT converge, faster patching, saying the patch time goes from 90 days to 30 days or less, which made me laugh because companies struggle to patch in the 90-day window. Right? Yeah, for sure. Insecure biometrics, supply chain attacks, which we're seeing, privacy legislation, GDPR impact, and then more around Apache Struts and all the vulnerabilities there. Overall, I thought Threatpost's predictions were pretty good.
[00:52:28] Evan Francen: Yeah. Yeah, I think, uh, yeah, I agree. Predictions are risky, you know, who knows? I mean, yeah, it's like nobody's got a crystal ball, but sometimes, you know, like my predictions, you know, I kept them sort of safe. I mean, there wasn't anything crazy. No. And the CSO Online ones, the ones that you have from CSO Online, uh, nine cybersecurity predictions for 2019, all look pretty safe.
[00:53:00] Brad Nigh: Yeah, the one that I didn't like on that one was their last one: more organizations are going to require master's degrees in cybersecurity for CISOs. We already have a huge shortage of qualified people, and now you're gonna make it even harder to get
[00:53:16] Evan Francen: right. And that's just stupid too, right? Yeah. I mean, we've seen, I've seen so many security people with master's degrees, they don't know squat. Yeah. You know, there's three things that make a good security person: the intangibles, education and experience, and that education is just one component. We have a whole crop of CISOs and really, really good, experienced information security people who are either retiring or just leaving, uh, the industry. And if we don't capture some of their wisdom and some of their knowledge, uh, master's degrees, whatever, requiring a master's degree for information security is not going to, it's going to fail, because like you said, we already have 300,000 open positions today. What, and who's going to spend $60,000 to get a master's degree to deal with the headaches that we deal with every day? I mean, it's not gonna happen.
[00:54:19] Brad Nigh: No, I think you'll see, because there was a while, even in just IT, where it's like, oh, you have to have your bachelor's degree to do just these entry-level type jobs. And then they realized, oh, wait a minute, you know, you look at the Steve Jobs and the, uh, Bill Gates and all them, that they didn't even finish college. It's like, you don't have to have that to be good in this role.
[00:54:47] Evan Francen: Now there's so many different ways to get educated, right? There's books, there's seminars, there are classes, there are certifications, there are mentor programs. I mean, there's all types of ways there. And there are college degree programs too. College degree programs might be one path, right? I don't want to knock anybody who takes that path, but it's not the only path. And we can't be exclusive about the only path we're going to take if we're gonna solve this problem we have. Right? So yeah, I don't like that one.
[00:55:21] Brad Nigh: Yeah, that was the only one on there. I thought overall, though, it was pretty good.
[00:55:24] Evan Francen: I didn't like the first one that much either, where they claim ransomware is going to taper off but still wreak havoc. Attackers are still making tons and tons of money with ransomware. I don't think that's going anywhere this year.
[00:55:37] Brad Nigh: I think, yeah, I think what he was saying, I think they're looking at more targeted versus just, you know, wide-ranging ones, but I don't think it was, well,
[00:55:50] Evan Francen: uh, well phrased. You can still go buy a ransomware kit.
[00:55:55] Brad Nigh: Yeah.
[00:55:56] Evan Francen: Yeah, I understand. It would be cool to see. So we should grade these, we should take these and then grade them next year, and then I don't make any predictions. I'll just stay totally safe and just say,
[00:56:11] Brad Nigh: well now we can, we can make some new predictions and then grade you against them.
[00:56:17] Evan Francen: Yeah, I'll just, I'll just predict that I'm going to be a year older. If I live another year, I'll win that one.
[00:56:26] Brad Nigh: Yeah, it sounds pretty safe.
[00:56:29] Evan Francen: I agree. So next week, next week, uh, I'll be doing, I'll be leading this show from Cancun.
[00:56:39] Brad Nigh: That will be much better than me doing it from Minnesota.
[00:56:44] Evan Francen: I don't know, man, I'll be, might be more distracted.
[00:56:48] Brad Nigh: you’ll be warmer. That’s for sure.
[00:56:51] Evan Francen: Yeah, I'll be doing it in shorts, probably no shoes. But I will be starting the second book, which I'm really, really excited to do, because those, and I think that's what I'll do for the next show, is talk about the motivation and the inspiration for this next book, which is really the people that I'm going to be with, uh, next week. That will be a lot of fun.
[00:57:13] Brad Nigh: Yeah, that'll be, uh, be interesting.
[00:57:17] Evan Francen: Yeah I like those guys a lot.
[00:57:19] Brad Nigh: You can, you can convince one of them to come on.
[00:57:23] Evan Francen: Oh, not a bad idea. That could get sideways quick, but, well, you
[00:57:30] Brad Nigh: know, I mean, have you not listened to our own, uh, podcast? So far it hasn't been an issue.
[00:57:37] Evan Francen: We haven't missed a week yet, though. We have eight consecutive weeks. I owe most of it to you, my friend, uh
[00:57:44] Brad Nigh: to you as well.
[00:57:46] Evan Francen: One of our sales people, um, said he arranged for a guest, and it's a guest who had a big breach. So we'll keep that anonymous. But I might have something, uh, not next week but in the future.
[00:58:09] Brad Nigh: Interesting. I hadn't heard that. That'll be really interesting to hear the other side of it from their, you know, from their, their, uh huh, take.
[00:58:19] Evan Francen: Yeah, exactly. Talk them, walk them through the emotions and, you know, the stress and all that stuff. That might be fun. Good show, Brad.
[00:58:28] Brad Nigh: That’s just fine.