In this insightful episode of Modern Cyber, Jeremy chats with Richard Hollis, Founder and CEO of Risk Crew. They explore the cybersecurity industry's persistent challenges, including the "circle of failure" in strategies, product design, and consumer expectations. Richard shares thought-provoking perspectives on risk management, consumer advocacy, and the critical importance of securing sensitive personal data. The episode offers a candid critique of current practices and a call for stronger accountability, innovation, and collaboration in cybersecurity.
About Richard Hollis:
Richard Hollis is the Founder and CEO of Risk Crew, a London-based consultancy specializing in cybersecurity risk management, ethical hacking, and user awareness training. With over 30 years of experience, Richard is a recognized expert in designing and testing secure IT systems. He is a passionate advocate for privacy rights and simplifying cybersecurity solutions. Known for his candid critiques and pragmatic approaches, Richard aims to drive meaningful change in how organizations protect sensitive information.
Risk Crew Website - https://www.riskcrew.com
Circle of Failure White Paper - https://www.riskcrew.com/resources-2/cybersecurity-circle-of-failure/
Alright. Welcome back to another episode of the Modern Cyber Podcast. As usual, I am your host, Jeremy. And I think we've got a really fun conversation in line for you today. Just based on what we were chatting about in kind of the preshow warm up here, I I'm delighted to be joined today by somebody who has a little bit of a controversial view as to how to think about things, but it is a view that I think has a ton of merit to it, and we will get into that in many other things in today's I'm delighted to be joined today by Richard Hollis, and Richard is the founder and chief executive of Risk Crew.
Risk Crew is a unique London based consultancy specializing in cybersecurity risk management, ethical hacking, and user awareness training. Richard is a seasoned cybersecurity expert and ardent privacy rights advocate. We're gonna talk about privacy as well in today's episode. Richard possesses over 30 years of hands on skills and experience in designing, implementing, and testing the security integrity of business information technology systems. That is a mouthful, but just bear in mind, the point there is protecting these systems and the data that is inside of them.
Richard lives and breathes cybersecurity and understands how to simplify it and make it relevant. Richard, thank you so much for taking the time to join us today on Modern Cyber. Jeremy, thank you. Let me start by saying a big fan of the podcast. I I love it.
Very pragmatic, straightforward, and it's one of the very few I recommend to colleagues in the industry. And, now I can recommend it and say, hey. I've been on it. So this is it works. It's a it's a win win for me.
But thank you. Good to be here. Either choose to recommend or not recommend your own episode. Unleash that. This goes.
Yeah. Yeah. Exactly. Exactly. But, Richard, I'm I'm super curious just to kind of start off there.
One of the things in the intro there, you know, seasoned expert, 30 years of hands on. Talk to us a little bit about your journey, you know, some of the experiences that have kinda brought you to where you are today, and then, you know, kind of what led to the founding of Risk Crew. Well, Risk Crew was founded maybe 20 years ago. I'm an old guy as you can see. And I've been in the industry before when the industry before there was an industry.
I've you know? Okay. I was, working at the state department securing Wang Computers in the in the nineties. I mean, you know, before that. Yeah.
Then we we understood as computer security, then I went to information security, and then it went any anyway. So I've I've I've been along for the ride is is how I put it. And I think, what you've gotten me is a is a a certain perspective where it's always been about process. It's not been about product. It's been about risk management.
For me Yeah. Cybersecurity is an oxymoron. No such thing. Never was a secure computer, never will be. The and cybersecurity means risk management no matter what you call it.
Yep. So I'm one of those guys who who saw the world of of of cybersecurity as the information that we process store transmit, how we're gonna protect that whether it's in transit or in in storage. And I've and and I've always taken a big picture, but above all, a very pragmatic, what am I getting back for this expenditure? Yeah. So I believe in things like ROI.
I believe in things like key performance indicators. How do I measure I'm more safe, you know, today than I was yesterday? Yeah. What am I gonna do tomorrow to be more safe than today? That's the that's my approach.
And I got that from a a combination of, I I've been in security prior into things like operational security for buildings and architects, and I'm a guy who sees vulnerabilities. I'm a paranoid schizophrenic who was, you know, spent a lot of time on the streets when I was a kid and could, you know, spot a vulnerable car or a bike that could be stolen, you know, but I knew very, very early on. I can't I can't do time, so I'll end up in and I didn't wanna carry a gun for law enforcement. So I found myself in what is clearly a security, you know, associated with I have I've I've found to develop an eye for spotting vulnerabilities that could be exploited. Carried that into computers.
Been doing that ever since. So And was the journey straight from the state department to risk crew, or were there some stops in between? No. I took a stop in, I I well, I spent I think we were talking beforehand. I spent about, geez, 15 15, 20 years in DC Yep.
Working in government and and the overseas installation, sensitive installation, security for that in CommSec. And then I took a gig, and I came over to Europe, Geez 25 years ago for Philips as their what is not what would have been a CISO position and left that to start what is now Risk Crew, delivering, you know, process, risk management ideas and and pen testing, red team testing, things like that. But, big picture process solutions, you know, from a small boutique consultancy. Awesome. Did you spend some time in Eindhoven along the way?
I did. I did. Yeah. Yeah. Yeah.
Which is, you know, that that yeah. Philips was, at the time, it was their cell phones, which was really sexy, at, 2,000, 2001. And, yeah, it was a it was a it was a fun gig, and at the time cell phones and and Philips were the, you know, the new technology. So Yeah. Yeah.
We automatically got into things like CommSec Security and and, yeah, left that to start to come to London. So the business is located in London and been here ever since. Awesome. Awesome. I think Eindhoven is one of those places that's a little bit off the radar for a lot of people, but it's one of these, like, true brain trust centers of a ton of technical capability, a ton of talent.
You know, I spent some of the early nineties in Finland during the early years of Nokia, and, and then we we actually saw from the Finnish side, and I'm a Finnish citizen, but we saw from the Finnish side this huge recruitment effort to pull people across the, in this case, the Baltic, but across the Baltic to Sweden and some of the early staffing of Ericsson coming off of that. You just saw these little, like, centers of excellence popping up in this new what was at the time the very early early cellular, technology field. So, a huge fan of of some of these kind of off the radar places where you actually find these great clusters of talent and a lot of domain knowledge and whatnot. I wanna take, a second to kind of go into something that you shared with me prior to the call and that's your white paper on, I guess, you call it the circle of failure. Walk us through just, I guess, what what led you to start that and then, you know, some of the high level thinking around it, and then we'll we'll dive into some of the finer points.
About a year ago, I started to, as I said, I'm getting I'm getting old. And Yeah. Yeah. I started wondering, am I getting cranky, or why am I just so dissatisfied with my industry? I think I'm you know, I I've come to an age where I look back and said, what have I done with my profession for the last 30, 35 years?
And clearly, I had to struggle to look for any evidence of success in if my job if the job of the cybersecurity industry is to, prevent, breaches to systems and loss of sensitive data, I don't see I I I I still anyway, at the time when I wrote this, I didn't see any success. I didn't see any evidence that we're doing a good job. And I and, you know, it started with, you know, the World Economic Forum listing, you know, 3 out of 10 of their top ten threats to companies associated with cyber and breaches and the data losses. You know, everywhere you look, every every day I woke up, I read another breach that was just mind numbingly huge. And and I just think alright.
So I I literally started to say, what what is wrong? How can how did we do so poorly in the last 20 years? If if the industry is 20, 25 years old now, the first virus was identified in what? 84 if you wanna go back that far, but Oh, wow. I I I I don't know.
I I I started to look at the the the arc, our story arc. Where do we start and how far we come? Where are our wins? And and because our losses faces every single day. And I and and Jeremy, it was really disappointing.
It was really Yeah. Yeah. In fact, it was more than that. I started to think, what have I done with my profession? What have I did I waste my time?
Did I make a difference? Did I move the needle? You know, and it's like pushing that boulder uphill. But the next morning, you get up, and the boulder's back where it started, and you gotta start this started again. And so I felt like for as far as long as I've been doing this, we haven't come very far.
And my message is things I've been telling my clients and and, you know, as professional in the advice I've been giving really hasn't changed. I mean, really hasn't changed much from social engineering to phishing. I mean, all this stuff is the same. We just just we're just not making any headway. Anyway, so I came up with this thing and I started to look at all these, you know, at the 5 elements, you know, whether it's product vendors or managed security service providers or or or businesses Yeah.
And buyers and consumers and looked at all the elements that make up our our industry. And I thought, no. I don't think we're really designed to to be successful. There's not, and I just to get really quickly, the what I call the circle of failures, we don't we don't sit down and define a strategy for our businesses or our personal lives about how much a risk appetite. I have very few, companies I know when I talk to them, I said, what's your risk appetite for loss?
And they say, well, we just bought a firewall. I said, that's not what I'm asking. 0 risk. You know? Exactly.
Or 0. That's it. I don't wanna lose it. That's what it but we failed to define a a strategy to made to to reach 0 risk. That's it.
Yeah. And then, of course, fund, you know, fund it, and implement it. And and and so what we tend to do, Jeremy, is implement, in my view, product for strategy because we don't define our strategy. Guys like me, we went off to our, you know, to the Himalayas to learn the secret of the code and it was you know, there were 3 attack vectors, people, process, and technology. Okay.
You know, we can and and and with those three attack surfaces of the, you know, vectors to our to our systems, our our information, through our people, through our process, through our technology, we don't come up with a strategy where we equally address all three of those vectors. And what do we do? We all tend to buy a product to just and implement product instead of a strategy. So we use technology to kind of band aid over the other areas. That's it.
Because we were told we were told secure Internet equals a firewall. Then they go, oh, we don't know. We were sold the, you know, from firewall marketing vendors who said secure Yeah. Yeah. Internet equals firewall.
Then we all jeez. Wait a minute. Then then we got viruses. Well, then you need antivirus solution. Well, then you need this.
Then you need that. And it was always every year we had a new product because that was facing a threat from the year before and the year before year before that. Anyway, but we've all we've consistently neglected our people and our process and year after year, we spend more and more money and breaches rise and rise. And that's an adverse relationship to guys like me who think, wait a minute, why don't we spend more and reduce and the natural reaction should be to reduce the number of breaches. But I've been doing this for 30 years and every single year, there's more breaches than the year the year before.
And every customer I have, every year spends more on cybersecurity than they did on the year before. And there's no relationship. Yeah. And, I mean, to that question, I mean, I just one of the things that kind of comes to my mind. If we go back to the Sisyphus analogy that you gave at the beginning, right, of pushing the boulder up the hill.
Right? Part of it as you were saying, and I was like, well, but the problem well, part of the problem, not all of the problem by any means, but part of the problem is that the hill changes every couple of years. Sure. And the hill changes without actually talking to Sisyphus who is responsible for pushing the boulder up the hill. Right?
Yes. The business decides we're going to adopt new technologies. We're going to move to cloud. We're going to adopt AI. Whatever the the thing of the moment is Sure.
Is the new technology to kind of Absolutely. Innovation. And so, like, nobody talks to Sisyphus about what this new hill is going to look like or how steep it is to be to push the boulder up the hill or by the way whether the size of the boulder is going to get larger or smaller and and all of those things. So, like, there's some part of it that I think, you know, the natural technological change always is going to pose challenges. I couldn't agree more, Jeremy.
The only constant in my profession has been change. Threats change, vulnerabilities change, businesses change, technology change. Every year, change, change, change, change, and it we always are playing catch up. Okay? And and but it's funny that here's here's my point is our industry is not geared for that changing ever changing landscape.
Okay? Our products, for instance, by and large, the bulk of the products out there are for problems we had last year or the year before and even before that. They don't keep step with the threat actors. Their capability, their versatility. Every year, there's a new threat.
There's, oh, there's a new oh, we didn't see that coming. Really? Because Yeah. And this is what I think my industry has failed. My industry has failed in that leadership to keep threat, to keep pace with the changing threats, vulnerabilities, technology.
Security, I don't know, Jeremy, but my in my profession, security technology first, security second. It's a bolt on. Oh, wait. Yep. It was a bolt on to the Internet.
Was a bolt on to Wi Fi, was a bolt on to cloud. It was security technology for security second. Alright. So why can't we after 3 or 4 technology changes, shifts like Wi Fi and cloud, we can't come up to speed and say, hey, maybe this AI thing, you know, which has already got away from us, maybe we should have talked about secure by design there. Yeah.
No. We don't. No. We totally don't. And I mean, just exactly to your point, I I, had a conversation on exactly this topic a little while ago, and I was kinda telling somebody that I knew that I've lived through kind of 3 3 waves of this over my career cycle from back from when I was a practitioner up until now when I've been more on the kind of product vendor side for the last, 8 to 10 years or so.
And those changes were, you know, really honestly the initial adoption of desktop computing and the rise of the first wave of the Internet and a lot of the things that you talked about with, let's say, early firewalls and keeping bad actors out of your network, that's security. Oh, keeping viruses off your desktop, that's security. Right? I lived through that phase, and I went through my share of the Melissa virus incidents and some other things, and I had a really nasty FTP breach at one point that we can get into time permitting, and then the cloud and now AI. And, you know, I I would argue there's kind of another one right kind of halfway between cloud and AI, and that's APIs and and kind of the transformation of architectures from, like, we build it all in house to now we're integrating all these 3rd party systems via API to perform critical business functions.
But in every step along the way, exactly the thing that you said that it is technology first security second, I've seen that in every single every single cycle that's come up. And I do understand it from the standpoint that, hey, we're in a competitive market, whatever company slash business we are. And if we don't get our thing out to market first, our competitors will. I understand the logic and the motivation around it. And I think the truth of the matter is that there aren't that many businesses that have really, let's say, like, suffered for taking this approach of technology for security second.
If you look at the order of the fines or you look at, let's say, the lack of real regulatory shutdown of a business for not complying with compliance standards or regulatory requirements, I just don't think those things have much teeth in them. And so I would I would almost put to you that, like, the consequences aren't that bad of going technology for security second. The market does not reward security. It never has, never never does. And you see that in web applications.
Look at the OWASP top 10. 70% of it is the same as it was 10 years ago. You know, we're still continually pumping out web applications full of the same vulnerabilities for cross sites for injection. Script. Yeah.
It's this this is what I'm saying. Why could you know, we're not past that. We should be on another top 10 and another top 10 and another top 10 and have fixed 30 you know, the last 3 years fixed fixed 30 major critical vulnerabilities in our application, but we don't. We don't do that because just like you said, Jeremy, the market doesn't reward. It rewards speed.
It speed to market and, of course, you know, sexy little trinkets. But at the end of the day, it also rewards apps that pull data and give data back to. So it has backdoors and has a function functionality of data, egress. Alright? We know whether it's a whether it's an app for your phone or an app for your web, you know, so that's it's built in, and we rush to market, and it we don't incentivize security.
I can't we're still preaching about security by design. And and that's that's where I'm at is I'm looking at that, and what I call the circle of failure is that we're not defining a strategy. We're neglecting people and process, and so we put all our eggs in the technology basket. And our products are our cybersecurity products by and large have let us down because they've been reactive rather than proactive. They they're step behind the threats when in my mind, they their job should be to be a step ahead of the threats and selling us things for next year's threat to keep to keep us out of harm's way.
I don't see that. Yeah. Sorry. Go ahead. No.
I'm just I don't see that even on the basic level that you look at the breaches from major product vendors who've had 0 day vulnerabilities. I'm sorry. What's a 0 day vulnerability? It's an unknown unknown. Jeremy, can can you explain to a grumpy old man how a product vendor would have an unknown anything in something that they sell me to protect my systems?
And just because of what you said, there's open libraries and their source code from other 3 and they don't know what they're selling us. And then, you know, what we're finding, Jeremy, you you correct me if I'm wrong. I've I'm seeing cybersecurity products as the attack vector of choice by our threat actors because they're trusted to us. You you you know, you you look at the major and and because we trust these these huge firewall vendors who have zero day vulnerabilities, and I can't get my head on that. It'd be like hiring a builder to build you a house, and then you go in the house and find an extra room.
And the builder, I don't know how that got in there. What did you put in the house? You saw me. I I don't get it. So this this Yeah.
So we have we have I think we need to acknowledge we have problems with our our products, and it's what happens. And I think the proof is that we have year after year, we have more and more and more breaches. What do we do? We buy more and more product and we go around that circle of failure again. And there's there's there's quality missing from our industry.
Alright? And we are not learning our mistakes, correcting these things, like secure by design. I cannot believe there are security vendors who are not practicing secure by design and that there are zero day vulnerabilities with cyber security products. For me, I'm thinking, that's that's talking the talk and not walking the walk. And I'm disappointed in my industry, and that's what you see in this white paper.
It's it's complaints of where's the quality? Why aren't we demanding more? You know, and I I look. I think the software industry as a whole has a quality problem and maybe the cybersecurity industry in particular, and I'm I wanna come back to that question in a second, but there's something else that you said that I wanna dig on for a second that I'm I'm kind of curious, and I've had this experience working with customers and I was recently having a conversation with a a company that does consulting high level strategic consulting with, c level executives from kind of very large global enterprises. And one of the things we're talking about relative to cybersecurity was, you know, why are they struggling with this kind of new wave of technology, security platforms.
So take cloud security, take AI security, take whatever. And one of the things that we kind of figured out in talking it out over a little while was that part of the problem from the customer side in that scenario is that, they have these annual budget cycles. And so they don't buy a product to fix a problem until they've already had that problem for a little while. Why? Because they need some kind of justification for the funding for the initiative.
And so they'll they'll, you know, here we sit in 2024, so they'll be like, oh, well, what kind of things have we struggled with today? Well, okay. Well, we struggled with I don't know. Let's just say cloud as an example. We struggled with cloud this year.
So let's create budget or let's request budget for 2025 to then, like, buy a cloud security solution. And then they get to 2025 and they go through the selection process. And because they're a large enterprise, that takes them the better part of 6 9 months. And so they get towards the end of 2025 before they even buy a solution, and then they're really implementing it in 2026. Meanwhile, in 2026, I don't know, the price of GPUs has come down so dramatically that they've decided to move back on prem for all their AI workloads, and this cloud security thing is no longer relevant for them.
Or who knows, you know, like, the nature of AI systems at the time is so different that the cloud security solution they bought is no longer appropriate. And I think these kind of like 2 year cycles that you see within the enterprise means that you're always buying a a solution for a problem that you first observed 2 years ago. Yep. And I I I think there's some aspect of that that I think is is also a challenge, but there's one other part of it that's really struck with me, which is that you you mentioned kind of let's say like success criteria. And I've had this experience in working with a number of enterprises where, success criteria is designed for the proof of concept phase.
It's like, oh, we're gonna buy a cloud security solution. What are our test cases for this cloud security solution? It's like, well, we're gonna, I don't know, we're gonna sample 10 accounts and we're gonna look for, like, bad security group rules and misconfigurations and over provisioned IAM across these 10 accounts. And that's gonna be the success criteria for picking which tool we buy. But then nobody thinks about what's the success criteria 1 year down the road.
Yes. What what kind of positive return should we be getting from this product after 1 year of, like, implementation live within our environment? And I don't mean to put the point the finger at customers, but I just think that like, a lot of organizations are stuck in these cycles where this is the behavior that they exhibit. I I'm curious, like, do either of those things resonate with you in your experience? They do.
Absolutely, Jeremy. I'm I'm nodding my head this whole time saying, you know, you're you're absolutely right. You know, a CSO's got a budget, this next year budget. So he's gonna put budgets against what his current problem is. And by the time he gets the money purchases, you know, beta is the solution, rolls it out, trains the people on it.
You know, that was last year's problem. And there's always a new there's a new threat. I I absolutely as buyers, I think that's a buyer ignorance. You know? You're you're you're you're putting nuts away for, you know, when you know nuts aren't gonna be enough.
You need to so I I I think that's a certain educational, you know, awareness where the leadership could be it could be fixed with vendors taking the leadership and say, I know, you know, I know what you're looking at now, but coming down the pike, this is gonna be a big threat. You know? Yeah. Whether it's ransomware or anything else. Look at we're always surprised by some sort of, hey.
Didn't see that coming. I'm sorry. What is ransomware? It's malware. Do you know anybody who's not used doesn't use 2 to 10 different types of and hasn't been using it for the past decade.
It must have been on. Yeah. We got a malware problem. Yeah. Yeah.
So one of the things you said there, though, really sticks with me, which is around vendors taking the lead on helping customers understand success criteria. I mean, after all, if a vendor is designing a solution to a particular problem, they should know what that problem is, and they should know, you know, kind of what benefits a customer could reasonably expect to get out of their platform. Right? Absolutely, Jeremy. This is what I this is what I advise my customers to do, especially things like managed security services where you're looking at a SIEM or, you know, for an incident notification.
What is an incident? You know, kind of the definition of shit here should be defined by the customer and made real by the vendor who's selling that. And and and that's that's that's a big gap in in managed security services that that I don't see. The vendor's definition of, of a incident matches the buyer's definition, the customer's definition of what they they need to see on their network. But, yes, that's that's exactly it.
And then and then base the ROIs on that. But more or less, what I see is and and and you're right. It's it's a disconnect between buyer and seller that the buyer doesn't really know what they want until they see it. Right. Right.
And then they and it's deployed on their network, you know, and they they suddenly they have to work through all these false positives to understand what it's actually capable of picking up. Yeah. But the environment in general is from from me, I look at the managed service, vendor issues, and I think, well, they're they're selling a process. It's not a product. It's their process.
It's it's we'll identify this activity down your network. But one of the one of the first things I see is, well, what about software as a service? What about Salesforce or GitHub or what could and what business doesn't have an asset in software as a service these days? But, you know, so a managed, you know, a security, alert provider who's not covering where your information assets are for me is just it's useless. It's, you know, it's not applicable technology.
It's like a you know, there there it is. It's a smoke detector that constantly goes beep beep beep beep beep, you know, and you don't know if it's weak batteries. But the onus is on your team, your your SOC team, to get up, go check. Is this a battery? Is it a is it a false is it positive, false positive?
That that whole idea we're talking about, you know, this concept of false positive. And I don't know. The last time I looked, which is about a year ago, the industry was accepting 4 out of 6, 4 dot 10 alerts. That's 40% alerts of false positives. Normal.
Yeah. And that's after 2 years. That's about that's after getting all the kinks out. You know, and when you initially, implement it, it's up to 60, 70% false positives. Then there's a lot of tweaking and get it right and get it homing, you know, get that carburetor.
So it is picking up. But at best, it picks up, you know, 60 60% are real alerts. 40% are still false positives. And to me, that that's all that's an overwhelming frustration with anybody sitting behind a SOC who's gotta get off and go check it out. And when you're wrong, Jeremy, this is my, you know, my grumpy old man coming back up.
When you're wrong 6 out of 10 times, maybe, just maybe, you're not ready for market. Your your tool isn't fit for purpose. And so what happens is what happens is what all my customers that, you know, they stop they stop investigating. They've got all these uninvestigated these logs full of uninvestigated activity. Why?
Because, you know, 4 out of 4 out of 10 times, it's a false positive. Yeah. And so that's where my focus is, you know, on this smoke detector where we need somebody to put out the fire, you know, to to to break the analogy. I'm sick of smoke detectors. This might be a breach.
This might be something. This might be something. The house is on fire here. We the breaches alone demonstrate we are not capable of of of of that kind of service being effective. But but picking up on that point, I mean, 2 things.
Number 1 is I think 4 out of 10 is actually low by some of the estimates I've seen. I think I've seen estimates of much higher. Yeah. But but the second one that I I kind of, you know, getting your grumpy old man kind of had on around this, you know, what do you say to the situation where there's this adage right that like defenders have to be right a 100% of the time, attackers only have to be right once. Right?
And so I think it breeds this line of thinking that is we want every alert to fire because we don't know which one is going to be a false positive versus the one that's a true positive. And so I see kind of a hesitancy amongst a lot of customer organizations to suppress alerts and to kind of, you know, default ignore things that don't rise to a certain threshold. And so so I I've seen customers where they're like, yeah, we over employ on our security operations and we know that a lot of our people are spending more than 35 hours a week chasing down false positives. But for us, the ROI on the one true is so high or let's say the negative sides are so potentially consequential that we have to operate this way. So is this a buyer's problem or a seller's problem?
If you take this down to a personal level, if you went out and bought a burglar alarm for your house Yeah. Okay, and you and your partner had to get out of bed at 3 o'clock in the morning to see yeah. Is this a real break-in? Is this a you know, was this a false alarm? You know, back and forth and back and forth.
So maybe maybe that burglar alarm concept just isn't good enough, and you need a better product. So because you bought it to identify a breach or, you know, a potential there's somebody else in the house. You bought the burglar system to protect your family and you while you're asleep at a very vulnerable sensitive time. So if something just kept going beep beep beep, I tell you, you do you would do what any other consumer would do. You don't rip it out and throw it out the window and call the vendor and say, what the hell?
I want my money back. But we don't do that in our industry. And because then we could get closer to what is the problem. Is it fit for purpose or is it not fit for purpose? Or if because if you live in a house where there's people up all the time, you know, your house is active 24 hours a day.
Maybe you don't mind. Oh, could somebody go check that thing and see if the back door because the back door alarm is buzzing and see if that's left open. And there's people up around, but if you're if you go to bed at 10 and wanna sleep until 7 o'clock the next morning, and you get tired very quickly, you come into work the next day realizing you got an event log full of incredibly suspicious activity, and you've got 2 people to check it out. And that's their whole day right there. Yeah.
Yeah. No. I think your point is well made. I wonder if I can for a second. Let's take the other side of this conversation because I think, you know, I don't disagree with anything that you've said and I actually think that you're spot on that it's actually incumbent on us as vendors in this space, a, to do a better job, whether that is in the secure by design aspect of our own products or in terms of being much more conscientious about, like, what the actual customer experience of this product is going to be.
I mean, just, you know, just from a usability perspective, one of the things that we do and we've taken a lot of pushback from customers on this over the years is when customers adopt our API security solution, there are 0 alerts turned on by default, 0. Customers have to explicitly opt in to every alert that they want turned on. We give them kind of, you know, a default starter pack of different types of malicious activities and behaviors that they can detect, but then we also give them all these tuning options and they have to kind of explicitly turn them on. And one last thing we do is we do a little on screen preview. So whatever configuration options you've just selected, it's going to show you your last 14 days of data and how many alerts would have been generated based on the the selection criteria that you just used.
And so we've tried to be pretty conscientious about that. I know not every vendor works that way, and I also know that there are customers who have come to us and been, like, why do I have to go through the the process of opting into all your alerts? They should just be on for these types of attacks. But putting that aside for a second, I think your points are very, very well made. I'm curious though when you work with customers and I know you do work with customers who I I know you're not anti product as as far as like as far as your white paper may may come off that way at the beginning of it.
But how do you talk to customers about, let's say, changing the way they think about product selection and then about, let's say, product implementation and then vendor relationships going forward to get better outcomes? The example you brought up, Jeremy, is is the best example where you as a as a provider are are are having the customer opt in and the customer decide how much risk they're willing to accept and not, you know, putting everything on a default setting and set this up, you know and and the inferences in the transaction that you're they're buying something that's going to secure their system and and check a box. But so I I absolutely feel that this is a buyer's problem. Where I end up on this is this is my fault. You know, I tell you, I've come to the end of my career, and I think this is my fault.
I I have complaints about leadership from the industry, and from businesses, from from from uneducated buyers and from from from sellers who don't don't take a leadership position and educate their buyers. Well, okay. But at the end of the day, I think this is a consumer issue. I don't think we're asking for more. I think we're getting the products that we deserve in in one hand.
Because if that's the approach that you take, sell me a firewall, which you think that firewall is gonna come without management, without configuration and patches and updates and, you know, and and rules and all this work that comes along with buying a firewall. And we don't. We we wanna buy something, plug it in, and that's it. We're we'll move on to the next thing and, you know, get me some better cookies at this next meeting. So I've I'm my my rant, that white paper is all to get people excited about a consumer, engaging, doing due diligence, you know, just, with a vendor.
Do you use the product? Does it work for you? Where's its strength? Where's its weaknesses? And a certain transparency, we don't we don't ask for liability in our accountability if it doesn't need it.
We we buy it. It's bright and shiny. We plug it in. You know, 2 years later, the person who knew it moved on to another job. We don't know what it is.
It becomes shelfware. We've we've discussed this on many, many other podcasts like, you know, like this. We know the problem, but no one's taking the leadership to fix this. We need better buyers. And what I'm advocating is, you and I, we go out and buy a flat screen TV. We take it home.
It doesn't work. You take it back. You take it back. You ask for your money back. But we we we go out and buy a firewall.
We take it home. We get traffic through a port that is not supposed to have traffic through that port. We don't ask the vendor for our money back, much less engage in a dialogue of why is this traffic still getting through into my systems when I bought this firewall to prohibit this. We don't. We don't.
We go out and start looking at other firewalls, but we have the you know, I've got a brother. I won't eat dinner with him because he'll order a glass of Coca-Cola, and he'll come to the table and he'll have too much ice and he'll send it back. And then it'll come back and it's got too little, and he sends it back. I mean, he's such a a finicky consumer on every other aspect. He demands quality in every other aspect of every other purchase that he buys.
But we, as consumers in the cybersecurity industry, I think we're getting the products that that are not fit for purpose because we're not asking for more. I think if we just started asking for more, just like the conversation you brought up, this why is this coming to me on a default? Why don't I have to opt in rather than, you know Yeah. It just just, you know, that to me makes all the difference in the world. That's a completely different approach between a buyer and the seller.
Now you set the settings, and, you know, my product will work on these settings, but you need to determine what's gonna what's the right settings for your business. And they've got to put some skin in the game like a consumer would. Yeah. It's the same as, you know, a guy my age looks at Ralph Nader in the States, you know Yep. Yep.
Who without Ralph Nader, we wouldn't have seatbelts in our car. Right. When I was a kid growing up, you know, they could not get Detroit to put a little canvas seat belt with a buckle on there for a couple bucks, and and we were having accidents at 20 miles an hour. People are going through the windshield. You do not get in the car these days, you know, without, you know, safety, you know, airbags and and antilock brakes and shatterproof glass and, you know, harnesses and my god.
It'd be but that all came from, you know, getting Detroit to recognize maybe we we can sell cars with, you know, that people don't die in as a as a as a value add, you know. Yeah. And I think that's what we finally, the consumers said, there's enough enough people flying through windshields at 20 miles an hour. And clearly, the analogy here works because you look at the breach statistics and you think, well, how much do we have to lose to prove that, you know, we're we're all taking a beating here? We need Yeah.
This is where legislation usually steps in, like the airline industry or the safety, the fire and life safety. It's the same thing. We can't, you know, protecting our offices from fires and protecting our systems from breaches. Well, along those lines, I mean, there was a point in your in your white paper that kind of, like, caught my eye, and I didn't know how to think about it at the time. And granted, I I read it kinda quickly, but it was exactly along the line of regulatory oversight.
And I think the the headline that you used, if I remember right, was that basically the regulatory response is kind of is a response to the failure of our industry to protect data to start with. And and, you know, I I kind of understand what you're saying. It's like, hey, you know, GDPR is there because we've had so many privacy breaches. Right? And and we've had so much misuse of data, and so we've had so many records breached and exposed and lost and so on.
But by the same token, along the lines of thinking about seat belts, you know, a regulator had to step in and mandate that for automobiles and we're all the better for it. So, like, how do you see that balance between, like, you know, we could have done better, we didn't, cats out, you know, cat's out of the bag. I don't think we're we as an industry are going to get to a point where we're actually, like, completely protecting records because as we've discussed, the technology will keep changing. Yep. Right?
But maybe the regulatory oversight has a place for us. Like, how do you think about that balance? I think, what came to me in my lifetime first was Ralph Nader first, regulation second. Safety regulation second. He screamed to Congress.
He got he there was a consumer when I was a kid. You know, I I learned to drive in a in in a car with I had no seat belt. You know? And then and then and then regulation came out to mandate the use of those of that seat belt. But, you know, they to get a car out, you you you get it with a bucket seat and the seat belt's pushed down into the bucket.
You don't see it. You get, you know, out of sight, out of mind. But what what there had to be was a a a effort to educate the consumer, the buyers of cars, that you need these seat belts and to protect your family. You need these seat belts or your children can, you know, go through the windshield at 20 miles an hour. And then getting people, you know, just like with electroshock, you gotta train them.
You get pulled over, you're not wearing a seat belt. Hey. That's against the law. You know, the law came after the awareness that, you know, that that we had to start putting safety features in cars. And then we had to start telling people, no.
You have to use them. You cannot drive down the street without without you put other people in danger if you don't have a seat belt on. That's the progression. So getting back to the, you know, the analogy of cybersecurity, I don't see that. I I see regulation as a sign that we have failed.
When a government has to step in and start telling you how to protect personal sensitive data, maybe that's because businesses and and we as consumers have failed to get upset that all these people are losing our medical records and our tax records and our Social Security numbers. And what where's the consumer? We don't seem to care Yeah. Until we get our credit reports and somebody else has stolen our identity. And then, oh, jeez.
And then you your your credit card may or may not reimburse you, but, you know, you're chasing a bad credit record. But that kind of consumer sensitivity, you know, when I tell you, when, you know, PCI for me was the first was the the first indicator. When legislation regulation comes on to tell you how to protect your systems, that's clearly because you're not doing it yourself. Yeah. I mean, this is such a great point.
I think, like, especially this aspect of if I think about all the breaches that my own data has been involved in, the response every single time is identity monitoring services. Identity monitoring services. There's no financial penalty to the organizations involved and in fact, they're like I don't I can't think of a single other thing that has ever happened in response. And to your point, like, we as consumers are not demanding change, and that's on the consumer side. On the B2B side, I I do think that there is an aspect where to as you say, customers should be demanding more from their vendors, and I totally get that.
We're we're running short on time. We've only got about a minute and a half to kind of wrap up here. I apologize to our audience. We may have to have Richard back on to kind of consider the conversation because there's one thing in their ISPs and their failure in this whole equation that we didn't even get into today that I'm actually also passionate about and I've had I have a lot of thoughts on. But, Richard, I guess, you know, just 2 things.
First, any quick closing thoughts for today's conversation? And second, for people who wanna learn more about either Risk Crew, some of the work that you do, find this white paper, what are the best resources for and the best place for them to go check out? Well, thanks for that, Jeremy. So it's riskcrew.com. The paper's on there.
You can find it on the on the landing page where you'll find the paper. And it's a it's a 20 page white paper. But if you would, I'd like to, you know it's not all doom and gloom. In the paper, I I I I I end the paper with things that you and I can do to affect change in our industry if you if you buy the, the premises in in the paper. But I I do wanna we've been talking about vendors.
And I I do wanna say one last thing is, for me, one of the biggest failures is the businesses. Okay? I I mentioned, you know, not calculating ROI, not establishing KPIs for the things they buy. But at the end of the day, I I, I'm shocked. I'm really shocked of how we don't understand.
This is not a game. This is not, protecting ones and zeros. This is this is about protecting data about people's lives. And and and I see that in businesses. They see it as their client's data.
You know, they don't understand that there's there's people's grandmothers and grandfathers and children and, you know, it's somebody else's medical records. And still, look, we have this cognitive cognitive dissonance, you know, in thinking it's ones and zeros. It's a database, and it's not. I I I think we have completely sidestepped in our industry, because, you know, it's virtual data and we don't understand that that those ones and zeros are are some of the health records, or medical records, or credit records, or, you know, or the religious beliefs, or that this is very sensitive data that we're losing, and we just don't seem to take that very seriously at all, you know, until it touches you, until it happens to you. And then or your wife or kids or grandmother, God forbid.
But, you know, we are just getting farther and farther away from the real meaning of this data is data about people's lives. I don't care how innocuous. I don't care if it's where they buy their air conditioner or what blood type they are, or if they're HIV positive, or if they're Christian or Muslim or or, you know, what's their sexual preference. We just just we don't understand how sensitive this data can be. And and that, for me, is the biggest failure in my circle of failure is how businesses seem to have sidestepped this, and that's somebody else's data.
And I'll take the fine. You know, I'll take the fine for DPA noncompliance, GDPR. And and that that on a personal level has really disappointed me in in in and I I anyway, that sounds kinda negative, but I do feel that we we have this disconnect. Yeah. Because it's not our data at the end of the day.
But I think taking it as a call to action to anybody in our audience who is listening to this right now, whether it's you as a consumer and kind of demanding better protection for your data from the organizations that you interact with or if you're in the vendor community, put some thought into how you can do better both in the secure by design nature of your own products. But then, really in particular, one thing that really hit home with me is what is the result that your customers are getting? What are the tangible benefits? What is the risk reduction that your customers are getting from the use of your product over time? And what is the role that you and your organization can play in helping them get there?
That in particular hit home for me from this conversation today, Richard. And from the white paper, we will have a link to Risk Crew on our website from the show notes of today's conversation. Richard, thank you so much for taking the time to join us today on Modern Cyber. I've really enjoyed the conversation. Same here, Jeremy.
Thanks for having me. It's a pleasure. Awesome. We'll talk to you next time. Bye bye.