Craig Goodwin is the Co-Founder and Chief Platform and Strategy Officer at Cyvatar, a technology-enabled cybersecurity as a service (CSaaS) provider.

He has over 15 years of experience leading security across both the public and private sectors, building holistic security functions that combine the range of security disciplines under a single effective function.

We talk about the method of delivering Cybersecurity-as-a-Service, the reason it’s more critical than ever, and also the approach of building leave-behind process and platforms to deliver the best customer experience. 

Check out Cyvatar.ai here: https://cyvatar.ai

Transcript powered by Happy Scribe

Welcome, everybody. It's Wednesday. Or at least it is if you're catching this when it comes out fresh, because this is the DiscoPosse podcast, your weekly leading technology startup podcast, and you're about to get exposed to a fantastic conversation with Craig Goodwin of Cyvatar.ai. Now, Craig is really fantastic. He's co-founder, and he's somebody I really enjoyed because, as a chief platform and chief strategy officer, he has this beautiful mix of having lived the life of doing the things around security and now brings that to how to deliver these as a platform, as true cybersecurity as a service.

Really great stuff. His methods, approach, just a very enjoyable discussion as well. Somebody I would love to spend a bunch of time chatting with. And speaking of spending a bunch of time chatting, I've got to tell you that the reason I get to spend a lot of time chatting with these amazing people is because of the amazing folks that actually make this podcast happen and support it. So I want to implore you to please do me a favor. Number one, go check it out, because everything you need for your data protection needs you can get from our good friends at Veeam Software.

I'm a longtime friend and fan, and they are really cool in that they're supporting the podcast and making sure that, as they look to bring their own message to the market, I'm pretty pleased that I've been able to be a part of that, featuring some of the great folks at Veeam as well. So go to vee.am/DiscoPosse. They just came off of AWS re:Invent. They've got a really cool campaign. It's a comic book download, so really cool. So go there. It's actually the landing page. If you go to vee.am/DiscoPosse, you can get your very own AWS superhero comic book.

Please do that. Very cool. I absolutely recommend it. And also, of course, speaking of protecting, the one thing you want to make sure of is not just protecting your data wherever it is, but protecting it in flight: protecting your network, protecting your identity. You can do this by using ExpressVPN. I'm a longtime user of ExpressVPN because I travel a bunch, and as part of it, I want to make sure that I've got consistency of experience and safety while I'm traveling around and using other WiFi and other networks.

So please do try that. Go to tryexpressvpn.com/DiscoPosse. It really is just that easy. Oh, that's right. I also have a coffee company. I hope that you enjoy it. I do. And if you want to go check it out, it's diabolicalcoffee.com. Not much more to say about that. Really, really good coffee. Go check it out.

Hi. My name is Craig Goodwin. I’m the co-founder of Cyvatar, and you’re listening to the DiscoPosse podcast.

So thank you, Craig, for joining. I'm definitely in excited mode about what we have a chance to talk about, because when I saw Cyvatar come up on the list... you're actually on my companies-to-watch list. And it's a rare treat when we can dive into, I'll say, it's funny, it's like this burgeoning area around cybersecurity and offering it as a service and injecting ourselves earlier in the development and operational workflow. It's new to the world, which is terrifying because it shouldn't be. But this is why the opportunity is huge.

So I think the best thing we can do for folks that are new to you, Craig, is if you want to give a quick bio, and then we'll talk about Cyvatar and the challenges that you're solving.

Absolutely. Pleasure to be here, Eric. And thanks for adding Cyvatar to that list. I'm sure it's a long one given what you do, but I'm privileged to be a part of that. Sure. My name is Craig Goodwin. My background: I've been on the end-user side of cybersecurity for about 18 years. Before that, I was in the intelligence services with the UK government and fell out of that when chief security officer was just becoming a thing, really. And then I spent 18 years building, operating, running large-scale cybersecurity businesses as an end user.

So companies like Monster Worldwide, Ferguson plc, CDK Global, which is a big automotive tech firm out in Chicago, and then Fujitsu, before finally co-founding Cyvatar with my co-founder, Corey White, who is based in Orange County in California. He's also got a long history in cybersecurity, but from the other side of the house. So he's been building and running cybersecurity vendors for 25 years, and I come from the end-user side. So the first pitch of Cyvatar is always that we've got both ends of the spectrum.

We've been there and done it from an end-user perspective and also a vendor's perspective. So we know what's broken and we know what we need to fix to deliver better outcomes for customers and businesses globally.

I think this is really why I loved your sort of mix in the founding team. A fundamental problem that we have in so many startups is that we attack it purely from the intellectual, like this is sort of the scientific method, and we come at things, and there are points when you have to have a very opinionated resolution to things. It's often how we succeed: you can't just sort of do incremental change. You have to come in and say, this is the way that it's going to work.

We have to remap some of the processes. But because you've come from the experiential side, the buying side... I used to do the customer deal as well for a couple of decades, and it allows me to approach technology in a way that I know well. In a pure intellectual approach, fantastic. But will this actually get adopted and used in the way that we would hope? Really, the thing that I want to focus on, Craig, is this idea that you've seen it in flight. You've seen it in play.

You've actually implemented solutions, and you know that it's much more a human problem sometimes than a technology problem, especially in the area of security and cybersecurity. So how did that two-sided approach influence your choice to start the company?

Yeah. When I met Corey a couple of years ago, at the kind of founding of Cyvatar, I was in that place where... the industry is going crazy right now, particularly from the VC point of view. There are, I don't know, it changes every day, four and a half thousand plus products out there or something crazy. So I was having a lot of VC friends, a lot of founder friends say to me, you should found a business. You should do something now that you'll be able to get the funding.

You should take that knowledge that you've got as an end user and create something. And I'd been thinking about it for 6, 12, 18 months, but I wanted to find the right, and it sounds like a bit of a cliché, right? But I wanted to find the right thing, the thing that actually solves the problem as an end user. I'd fought with it for 18 years, and the kind of problems that I found were that I bought pretty much every product that existed. You could say the Noah's Ark of cybersecurity, but two of everything.

And that was true. You'd go out and you'd convince yourself as a CSO that your number one objective was to convince the executive team or the board to give you more budget, and you'd do that. And I did that really well. And then with that budget, I'd go and buy some more products, but still wouldn't get to secure. I still wouldn't get to the actual outcome that I wanted as a chief security officer. No matter how many products I bought, I still found that I needed large internal teams or my own platforms that I built myself internally to actually do the hard part.

And the hard part was actually the fixing. Actually getting to the outcome of secure. And I found that 90% of the products on the market would point out my problems for me, but simply add to that list of things I had to do. Add to the problems that I had to fix, and not actually fix or solve any of those problems. When me and Corey met, he told me about his idea for Cyvatar and an as-a-service solution, and I said, well, look, I've done that internally, three or four times over.

I've built the platform that we need to build to allow that to be successful. I've been on the end-user side consuming that. So let's join forces. Let's bring those two components together. He's been running services businesses for 18 to 25 years, so he knew that one-off services just didn't cut it anymore. I've been running the end-user side and knew that products didn't do it. So those things combined just led to what Cyvatar has ultimately become, which is the ability to pull, to your point, people, process, and technology all together into easy-to-consume subscriptions that mean you're getting to an actual outcome rather than just finding more and more problems.

Well, I remember, the thing was ADT Security or something. It was like a physical home security company that had a great set of commercials. And it was the whole thing of, there's monitoring, and then there's us, right? And this whole thing of, like, a bank is getting robbed, and someone just looks at the guard and says, "Aren't you going to do something?" And he says, "Hey, he's robbing the bank." This is monitoring. Obviously the first layer is always discovery, doing that monitoring, that observability, which is sort of the new catchphrase in the industry.

But then from that point, being able to action on it is the gap, rather than just basically saying, hey, there's something going on, and now it's your fault. You're just handing it off to an operator or developer. And this is a complex ecosystem in the organization. The CSO doesn't have effective control over IT in the same way, because they generally report up, like, directly to the CEO. They report up, if anything, possibly adjacent to a CIO, possibly through legal and procurement, more so than just operational IT.

And there’s really a lot of stuff that falls under that bucket. So while they could say, there’s my aspiration to achieve a secure workplace, a secure environment, this now has to cross into seven different divisions of IT and many, many other things.

Yeah, 100%. And I could talk about that for days. I think, to unpick that a little bit, you're absolutely right. I think the trend, and it's going to continue to be a trend, is decentralization of the security function. I used to joke, or half joke, as I was building security functions, that my ultimate goal should be to not need a budget as a chief security officer, right? Because I shouldn't need to protect the organization. It should be so ingrained into everything we do as a business, to your point, the different departments, that actually they understand it.

And I'd build such a strong culture of security that they pay for it out of their own budget. Craig doesn't need a separate security budget. I've tried to do that at the businesses that I've been at, which is to put the power in the hands of the developers, for example, right? Where they have the tools, the power to be secure by design as they build their products, as opposed to what doesn't work, which is Craig's team coming along and acting like the police, right?

Which is a definite cliché in the industry. But it's hurt us for many, many years, that kind of outsider type approach to security. And then the other thing you touched on, which is just incredibly important and a lot of people forget, is the politics associated with it. Like, how do you drive behavioral change? That first day shouldn't be about looking at technology. It should be about going to buy a Starbucks card so you can take all the executives that you've got to influence out for coffee and build those relationships. Right?

Because that is 100% the most important thing. And one of the things that we've done with Cyvatar is enable that. The platform that we're building, or the platform that we've built, really enables that decentralization. It enables those workflows to be created across organizational bounds and puts the power in the hands of the people that actually need to fix it, as opposed to just firing a load of vulnerabilities and alerts at the security team and expecting them to do the hard work in chasing up and getting things fixed and influencing people.

It becomes the challenge. I was at an organization, and this was in the 90s through the 2000s, and the CSO didn't exist. That function wasn't there. It was at least rare in sort of the Canadian world particularly; we're such a friendly bunch, we didn't need one. Right. And all of a sudden, we see a CSO show up. And this is right around the time that Sarbanes-Oxley also was implemented. So you had, first of all, a functional change in the organization, in that they were separating out this role of information security officer, and also everybody that had the CXO title was signing their name on a contract that put them personally liable for the outcomes of their organization.

And it really changed things. So immediately, the first thing that happened, as we do with security organizations, is they hired a bunch of VPs of security, and then they hired a bunch of directors, which are basically sort of their very high-titled interns. And they began crafting policy, crafting policy. Quick, we must craft policies. And it was almost like a Monty Python-esque level of, quick, a proclamation. And they would come and they would post it on the board, and they would email it out and send it. And immediately you'd say, "Well, we can't do this."

And they're like, oh, no worries, then file for an exception. And then they built a system to file for exceptions. And they had created this sort of process spaghetti. And I was torn, right? Because with what's going on, I recognize what you needed to do is, we need to actually look as an organization: how are we going to attack this problem? How do we recognize the problem within a medium... this is like putting a government into a functional organization, where they don't see the outcome, they don't see the negative side effects.

They just simply have to come in and say, policy, checkbox. And then as it made it further on in the organization, we would just find ways to get through the audit safely. And that was the first phase. But then from there, like, we've seen it in action. We've seen real... No one wants their company name to show up in the news. And it's like when somebody has their name show up in the news and the word "embattled" is in front of it; there are certain things you never want to have.

And I've got good friends who are at SolarWinds, and that was a tough one to watch them go through, where the reputation attached to being exposed to a vulnerability carries for a long time and has a real commercial effect on them, just as an example, right?

That was one thing where they're in the news. So at first it was like, in 2009, it was probably happening all over the place, but it wasn't in the news. Now there's a really significant risk that it's prevalent, that this is active in the industry, like DarkSide did it. They created ransomware as a service. This is fantastic. But how do we attack the problem and make sure that we don't end up in the news? But most importantly, that we aren't vulnerable. That's the real thing. Obviously, the news is bad, but let's actually fix the problem.

So if there's ransomware as a service, then what do we do to counteract that?

Yeah. And I think you hit the nail on the head, and we could talk for hours about the compliance versus security debate. But I think, actually, in a number of cases, compliance has damaged what we would call real security. Because if you think about, you mentioned the top-down approach. One of the things that all those compliance standards first say is, go and get the board approval, like, get your executive buy-in, all that stuff, which makes it that very policy-focused, like, top-down approach where we create mandates and then we try and force it into the organization. And actually, back to that decentralization conversation.

The most effective way I build security is from the ground up. That doesn't mean negating the executive buy-in, and you need the budget. You need people to understand what your objectives are, but being very clear with your sponsorship, your leadership, about what is the objective. Do we actually want to be secure, or are we just ticking a box for compliance purposes? If your answer is we actually want to be secure, that's a very different journey than creating a ton of policies. And that's one of the fundamental principles when we started Cyvatar, was that there's a ton of really quick and easy ways to go and get SOC 2 compliance, for example, or, like I say, 27001 compliance, and we'll help with the operational aspects of that.

But what the majority of the small to medium-sized businesses and other companies that we're serving want is to be actually protected from ransomware, is to be actually secure. And to your point, like SolarWinds, prevent their name from being in the media because they've lost data or been hacked or been interrupted or whatever it might be. They actually want to be secure, and that then differentiates them from their competitors because they're more secure. So what we've done with Cyvatar is build real security in, and security that actually gets you secure, which is a big step change from a policy, creating something and telling everyone that they've got to do it.

This is real world. How do I prevent that from actually happening? Moving to that prevention, moving to that remediation, is the key step that the majority of vendors in the market just don't appreciate or don't help customers to achieve right now.

When it comes to differentiation, it's funny, I'll lead in. I'm not going to compare you to anybody. I'm going to compare you against the industry at large, in that you've chosen to price by human rather than by object. And this is interesting because quite often when we think about security services, developer services, all of these services, they're effectively marked per application, per object, per cloud target, per whatever. There's always some technical target. So let's talk about that, Craig. The idea that you're basically working at the human layer with technology, and thus you price, I'll say, differently than most folks would expect.

Yeah. 100%. And that's another indication of, number one, kind of that really customer-centric approach, making the experience for the customer a lot more streamlined. One of the things me and Corey are constantly looking at is the industry, taking our experience and changing the way that things should be done and making it simpler when we thought about the customer consuming it. For anyone that's ever commissioned a penetration test, for example, that horrible booklet of, like, 20 pages you get from the provider... it used to take me, even with a security team, four weeks to fill in the technical data, to have to gather this technical data, to even get the scoping document back for a penetration test. Right?

And that just can't be the way it is. So what we wanted to do is, number one, make it customer-centric, number two, make it really easy to consume. So therefore, what we do is we use the number of employees in the organization as an indicative factor for the size and scale of the organization itself. Right. And that then allows us to build those subscriptions, build those solutions based on the size of the business and scale it effectively. For example, we've got customers who have 500.

They're in the entertainment industry. They have 500 employees that never touch a computer, for example. Right? And we'll work with our customers to figure out how that subscription works and how best to address it and make it more palatable for that customer themselves. We have other customers where some of their employees have got three or four different laptops. And in the old model, that means four or five different licenses, right? We want to deliver security, true security, for the customer. So we've built all that complexity in.

And we just say, let's base it on headcount. Let's base it on the headcount of the organization. As you grow, we grow, and we'll partner with you to deliver security, whatever that means for the size and scale of your organization.

When it comes to the mapping to importance of the business, it really is a human tally, right? Because the scale of the workforce is effectively a marker of the network effect of risk, because the more people you have, like you said, they're specific. Some employees, they've got seven devices hanging off them. They're much more active, they're field workers, so they may be sort of more exposed than others. But then back-office folks, they log into the computer only to get their morning email. And then the rest of the stuff they're doing is scanning paper into systems.

It actually makes complete sense. And you start to think like, ‘Why hasn’t someone done this before?’

That's my favorite thing. Like, my head gets a little bit bigger, because I love it when we sit down with customers. And hopefully that's an indicator of a good idea, because we sit down with a ton of customers and customers go, doesn't that exist already? And it's like, actually, no, no one's done it like this before. No one's done it the way that we're doing it now. The reason that we built what we built is because the business model exists elsewhere: the likes of Netflix in the B2C space, the likes of TriNet and others within the B2B space for HR.

Why would you not have that model for security? And that's what we've built with Cyvatar. We always use the example of, why would I bother building an HR function at this point in our evolution? I wouldn't. I'll go and outsource it to TriNet because they're better at it. It makes sense. It works for the scale of business and how we operate. I don't want to be an HR professional, just like a lot of these businesses don't want to be security professionals, right? They want someone who can do it for them and actually get to the outcome of secure.

So that’s why we built the business model that we did for sure.

When you looked at, obviously, the first thing we have is team, the three T's, right? Team, TAM, technology, as they call it. Right? You've got your co-founder. You have to address the technology side; you both come at it from each angle and see if you've got a good sense of where in the technology stack you'll be able to attack a problem. When assigning TAM, this is really about choosing your first market. What is the ideal customer that you wanted to begin with? Because it literally could be anywhere from SMB up to global enterprise.

There's a lot of potential. And if you're a VC, of course, there are like trillions of TAMs. They want this Gartner-esque type of up-and-to-the-right quadrants everywhere. They want to see a lot of that stuff. But you, as a founder, you have to be pragmatic about your first market.

Yeah, 100%. And you're right. There's a ton of opportunity in terms of even larger enterprise organizations. I'll talk about that in a second. But if you think about the absolute target market, it's those greenfield organizations that haven't built a security function yet. And what that normally means is probably 500 employees or less in the technology space, where the ROI, the return on investment, associated with the model that we've created is, quite frankly, a no-brainer. When you talk to customers and you spell out what it takes to build a security program these days, with the cost of talent, with the complexity of tools, with just everything that's out there.

And back to that original point about the CTO, and the startup really wants to be focused on making their products great, not doing the cybersecurity stuff. You come in and you take that pain away. And the model, from a greenfield perspective, just makes absolute perfect sense. And even a lot of our customers have got a single contributor, the first CSO hired, like you mentioned before, or the first security person hired into the organization. Even then, what they're not going to be able to do on day one is justify another ten resources.

And that's relatively lucky, right? So to have a solution that enables them to be successful and deliver those outcomes as well in a cost-effective way, that's the number one target. Right. And also, to your point, from the vendor perspective, it's just a massively underserved market. We talk to a lot of our partners who say, anyone under two and a half thousand employees, our VCs are telling us not to touch, because the economics don't make sense when you get to a certain scale. And we throw the term democratization around.

But it's true. We're taking these best-of-breed technologies that perhaps wouldn't be accessible to that smaller end of the market and making them accessible, making them consumable, because you don't need those internal resources or expertise to get them in and operational quickly, which is what we're able to do.

Yeah. It's kind of funny. Like, I'm in the tech space and I meet with large organizations all the time, and most North American banks have more developers than the vendors they buy from. So it's really difficult to go in there and sort of say, all right, we're going to do a ground-up development of this service approach, because they're just like, well, we're going to use you for six months, and then we're going to take a team and make them shadow you and then build the thing you do.

So it's actually often a dangerous thing, especially for a startup, to go in with a great fundamental challenge solver, because they're just going to go in. Tech companies are the same way. Right? Large social networks are famous for this one, right? Where they'll buy a company, buy a product for a year and then not renew. And you're like, some people on the sales teams are like, I don't understand, why didn't they renew? Because they are filled with amazing technologists. And they just watched what you did for a year. That's all they needed; they needed to be close enough.

I think one of the real differentiators that we’ve got is that we started as a platform player. Right?

So we're not a product-led company. We are a true platform. And you see it, we all see it. There are many businesses out there that claim to be platform-based organizations. The problem that you've got, particularly with the larger businesses, is they're tied to their own products as well. So if you've got a shitty antivirus product and then you go and build a platform, well, guess what, which antivirus product is going to be the one you use in that platform? Right? And that's the problem. What we've started from is a very blank canvas; we've started from a point where we're building the platform first.

And therefore, if you want to integrate with us, we will be picking the best-of-breed technologies. We'll have a selection. We've got three or four different partners in each of our solution areas, and our member services team is constantly assessing what's the best out there, what's going to get the best value for our customers, what's the best solution. And the customers are subscribing to a flexible subscription, which means if one day AV number one is the best one on the market, we'll install that. If the next day AV number two completely outdoes them and gets to a better state of prevention than number one, we'll change it out for them.

And that’s all part of that subscription. So it’s focused on the subscription outcome as opposed to the particular product or technology that you’re driving.

Yeah. One of my favorite platform stories. And like, I'm in product marketing, I know, it's always like, you're not a tool, you're a platform. It seems like better marketing. But Dave McJannet, who's the CEO of HashiCorp... I described it to him and I said, it's great because you've effectively got all these layers and it ultimately makes a platform. And he goes, well, we describe it as, if you squint hard enough, it's a platform. But it really is a separated set of tools that integrate very easily.

And it was funny that even he was unwilling to use the word platform for fear that it would have this connotation of something that is easy, it'll be automatic, you have to buy one thing, and then you have to buy the other four things. Their goal was ultimately interoperability, which is, again, why I wanted to pick on this point with you, Craig, by being able to know that you're looking for the best of capabilities, the best of breed. And you are handling the integration and the interchange.

It means that I don't, as a customer, have to get locked into going to antivirus A and looking for the best deal, because, effectively, they're going to tell me why I need them, and then they're going to suddenly become the one that wants everybody else to integrate with them. I want to have a platform approach where I can think of it as a framework that I fit things into. And then it gives me the comfort that I can negotiate with those vendors now, because before, especially with an antivirus vendor, it's the easiest thing in the world.

We have 3,000 endpoints. How exactly do you think you're going to change that over? It's one step away from, it would be a real shame if something were to happen to your car now, wouldn't it? Like, that's almost a Mafia-esque type of way. But I've worked in organizations where, like, I actually had 22,000 endpoints, and yeah, we got it done because we threw humans at it. But it was a huge expense. It was a huge lift. It was a huge risk. So if I can offload that risk and that assessment of the right current set of platforms to you, that's a huge win in my eyes, of why I would say Cyvatar is, like, all right, this is a true platform play.

Yeah. And you've got two things, I think. Number one, you're absolutely right. A lot of those businesses, like I said before, four and a half thousand products out there, like, what startup wants to come wade through all of that?

The periodic table of things.

All Eric's product marketing. Who wants to go wade through that to find the one problem, sorry, the one tool that's actually going to fix your problem, right? No one can. No one does. Right? So, yeah, that's number one. My own member services team are experts in the field, have been doing it for 100-plus years, whatever the combined number is, and they will pick the best of breed, right? Agnostically, and build them into the partner framework, build them into the platform. And like I say, we're not afraid, right?

When partners aren’t performing or it’s not the best tool anymore, we have the capability and the wherewithal to change that out. Because we’re so customer focused, we want it to be about the customer and delivering the right outcome for the customer. The other big deal here, I think, is really important. We went on this evolution, I think you mentioned it earlier, in security from technology, and then we’re definitely focusing on the people right now. But the process bit for me is probably even more important than the people, right?

Because you can have the best cybersecurity experts in the world. You can have the best tools in the world. If you haven’t got the process that makes those things successful, you’re still ultimately going to fail. And what we’ve built with the platform that we call the operating system for cybersecurity is the process of security. We’ve got a proprietary methodology that we call ICARM, which is installation, configuration, assessment, remediation and maintenance. So you go all the way from installation of the tools to maintaining a full security program.

But essentially all it means is the process of security. Like, how do you get from a point where you have nothing or a very immature security function to the point where you’ve got something that’s functional, operational, and you’re maintaining the organization in a clean, maintained state? And the tools can be interchangeable. The people can be interchangeable. But that process remains constant. And that’s what we built in the platform. And that’s why I think we are so successful in such a short space of time in terms of getting those outcomes for our customers.

We’ve got that experience, we’ve got that knowledge. We built those processes into the fabric of what we do. And that’s why we’re driving this speed and easiness of security that just amazes people to the point where they don’t believe us sometimes, to the point where people go, how do you do that? And it’s because you’re taking that fundamental approach and you’re building the processes right.

And I don’t want to talk about people leaving the platform, but the subscription model opens the door to a sense of freedom in that they’re not locked in to you, which is a strong thing, right? It’s sort of illegal, and functional lock-in is difficult, and people don’t want to take on a new thing because there’s sort of a risk there. What’s the thing that, what they say to you, okay, Craig, I like what you’re doing, but let’s just say for whatever reason we have to change gears in six months, and I stop my subscription.

What does that mean for my organization?

Yeah. So we built ‘cancel anytime’ into all of our solutions, just like any other subscription, but I don’t like using it so much. But back to the Netflix example. For as long as you’re getting value out of Netflix, you’ll continue to pay your subscription. And me and Corey, and the whole of Cyvatar, are not afraid of that model. We truly believe that with those process components, with the people components, with the way that we’re driving value for our customers, it challenges us to continuously drive value across that lifecycle and that lifetime value of that customer.

And we’re not afraid of that challenge, right? We haven’t had anyone cancel yet, and I’m hoping we’re not going to in the future because we are driving that consistent value. We all know my favorite quote ever. I don’t know who said it, so I might just claim it as my own. Security is a condition to be managed. It’s not a problem to be fixed. And that is absolutely true. It’s not a one-off engagement. This is about growing with the customer, partnering with the customer, and being that continuous source of security for the business.

So the short answer is, Eric, as long as we continue to deliver value and the customers see value from it, we’re not scared of it, but we’ve built in ‘cancel anytime’ so that customers, if they really don’t see the value, can make that break.

And I love this idea that you talk about something to be continuously managed. This is not like a juice cleanse to suddenly make you healthy. Security is something you just sort of throw a tool at it, and then by magic, it’s fixed. It really and truly is an operation, because even if the choice is right today, it’s not to say that that particular product or some process that you’ve got won’t be suddenly vulnerable just because of a change in the ecosystem or change in process in a month or two months or six months.

So that’s why it does need to be the subscription, and the service model really makes sense to me, because this is something that I want to make sure is maintained. And we think about maintenance as SNS on a contract, right? Like, oh, I can phone 1-800. I’ve got a problem with something. But that’s really not what maintenance is about. Maintenance is about maintaining the health of the ecosystem, right?

Yeah. I love the hygiene and health analogies. I think they’re really helpful when you’re thinking about cyber hygiene and cybersecurity. It’s that continuous process. Corey always gives the example of, I don’t know whether this is true or not, but always gives the example of doing the dishes, right? Doing the washing up, you leave it for three or four days and you’ve got a massive pile and it’s a hell of a workload to get through. Whereas if you do little bits on a daily basis, and you could do the same analogy a million times over, whether it’s automotive maintenance or whatever it might be, doing those little things and keeping up with it means that actually over time you’re continuously maintaining that state of hygiene.

You’re continuously maintaining that in a clean state, which makes your job much easier over time, means it doesn’t cost you as much. Another good example we talk about is always the developers building code. And if you wait until a vulnerability or whatever is out in the wild, it costs you 50, 60X the cost that it would be to fix it while it’s in the development lifecycle. The same is true for general security across the board. Fix it while it’s happening, build it in, make it maintenance. Again, back to process.

Make the process continuous, and you’re in that position where you’re getting much more value out of your security program. Pen test is another great example of that. How many organizations just do a one-off pen test every year? How many times have I done a one-off pen test, and the next year they come back, the year after, and say, why is it the same as it was last year? Yeah, of course it is. And that pen test somehow makes you secure. But no one does anything about it. It shouldn’t be one-off, it should be continuous.

And in our threat and vulnerability management program, that’s what we’ve done. Yes, you get a pen test every year, but also you’re continuously scanned all year round, because you might do your pen test on the coming Monday. But who’s to say six months before that you didn’t have a vulnerability that’s been hanging around for the last six months? So, yeah, I can’t say enough about the ability to be continuous in that program. And that’s what subscription brings.

This is the funny thing, right? Like you said, compliance and security, while seeming to go in the same. There’s an ampersand between them, like it’s attached to most people’s resume in that way. But they truly are separate functions, because compliance is the annual or the quarterly checkbox to make sure that you’ve passed a test. Security is an ongoing operational process to make sure that that’s happening. You said pen test is one that’s interesting, because as we develop more active testing, it teaches us to make antifragile systems as well, much more than defensive.

But truly, I’m going to build a system so that it can withstand continuous penetration testing. Actually, at this one place I was at, we used a product and they would do, like, regular scans. So every night, it would go and scan all this stuff and it would wipe out half of our homegrown applications, because it would just basically batter them like a denial of service. And then you’d have to restart all these services. And I was like, they said, well, can you stop scanning the system?

I’m like, no, can we start developing to be prepared for it? Like, it was funny that integrating the tooling changed the practice of development.

Yeah, one of the things that I always liked. And I was talking to someone about it the other day. I used to just talk about, security is another facet of quality, right? Developers, a lot of development organizations understand the concept of quality. They’re constantly scanning the code for quality. They want to create quality products and quality code. But security is somehow some kind of outlier from that. And one of the tips I always gave to CSOs as they were going into large product-based or application-based organizations was borrow from what’s already there.

Like take the quality scoring mechanisms and just add security in as a facet of that, because they’re building quality code. They wouldn’t, for the life of them, send out bad quality code. So security is just another facet of that. You can’t build a quality application or product if it’s not also secure. So borrow from that language of the existing business instead of trying to be a special snowflake on the side.

Yeah. Now let’s talk about the Forbes Technology Council. So this is a rare opportunity to be invited in to be a part of this. You’re involved, which it’s a testament to, obviously, your history and your skills and your involvement in affecting the industry, not just purely from your product perspective. What do you feel is a real strong opportunity with something like what the Forbes Technology Council is able to do?

Well, like you said, the name Forbes is one of those things you grow up with, I think, isn’t it? You go through school and you think about Forbes and who do I want to talk to and what’s the goals for me? So, yes, incredibly privileged. I think it’s a great group of people. There’s a great online platform where we share ideas. And to your point, Cyvatar has always been for me, about fundamentally changing the way the industry operates, not just about creating a product, not just about solving a spot problem.

Like a lot of the current solutions do. It’s about fundamentally changing the way we consume. So I think both ways, number one, giving to the Forbes Technology Council, sharing my 18 years worth of CSO experience with other members, helping them to understand how you build security programs, how you do security effectively, what you should be focusing your investment on, but then backwards as well. We get a ton of feedback from those council members about what they want to see, because ultimately, one of the things that we built with Cyvatar is we wanted it to be a business tool as much as a technical security tool, right?

Our audience in startups, particularly, is CFOs sometimes, it’s CEOs, it’s cofounders, who are not necessarily the most technically savvy people. They want a business outcome, not a technical outcome. So taking feedback, and you see a lot of security vendors will take feedback from the technical security communities, which is great and valid. And we do that as well. But also, there’s a massive advantage to taking feedback from senior technology leaders, senior business people who can say, you know what, Craig? I don’t want to see a cross-site scripting vulnerability in an application.

Quite frankly, I couldn’t care less. Tell me how and when it’s going to be fixed. Tell me what it really means to my business. Tell me how much it’s going to cost me to sort it out. Tell me how I can solve it in the future. Those kinds of things, those ROI, business-based conversations, are what we want to solve as a business. And therefore, hearing that feedback, having the opportunity to share that with Forbes Technology Council senior technology leaders, really benefits Cyvatar and really benefits the way we’re building the platform and the business.

So, yeah, it’s a fantastic opportunity. And I’m proud to be a part of it.

When you’re a certified CSO, which is quite often, the CSO, sadly, is a role that they’re like, it’s like the CIO, which at one point when I was in first getting into tech, CIO used to stand for career is over, right? It was just somebody from the business unit. They were just like, you’re the CIO now. And they’ve served their two years to ride off into the sunset as they headed to retirement. Now it’s an active function and then CSO sort of fell into the same thing, like somebody has to be a CSO.

You, you’re the CSO, right? Make sure no one picks up USB sticks and pushes them into their laptops. And there was a sudden, you’ve heard a wide-eyed thing of, like, how do I be an effective CSO? And it’s because it’s a burgeoning role. Certification is something that I think had been vastly missed. So what is the path to certification, and what are ways that professionals can look at working towards that?

Yeah. Well, I think that particular qualification is interesting. I think more widely the question around kind of experience as a CSO, to your point being thrust into a role where you’re told to stop USBs being put in computers, for example, I think ultimately comes back to it. And a lot of the responsibility falls on the individual. I did a talk a number of years ago about challenging CSOs as to whether they really are CSOs or not. And what does it really mean to be a CSO? And quite frankly, I don’t have the answer.

I don’t think anyone does. The answer no one likes is it depends. But what that means is when you start that job, you need to fundamentally understand why the role was created and what the executive and the business expects you to do and make sure that’s compatible with what your skill set is. And that’s what needs to happen more in the industry. It’s the same with, I always say, ton of CSOs will join a role and won’t have had a budget conversation for the first twelve months.

They just plow on, on the understanding they’re going to be allowed unlimited products and tools, right? Getting those things upfront, what is my role? Back to our conversation about compliance versus security. All right, you’re hiring me as a CSO, but does that mean you just want us to get SOC 2 compliance? If it does, and you’re happy to take that, you approach that in a very different way than a role that says, actually, I want you to be the technical know-how, I want you to work with the development teams to embed security into the development lifecycle.

Or I want you to be the strategic leader that is the figurehead for security across our business and drive sales cycles by being better at cybersecurity. All those roles are roles of the CSO, but in different organizations of different maturities and different expectations, and you’re ultimately setting yourself up for failure. If you don’t have that conversation up front with the executive team, with the business. It’s a long way of saying it depends. But as long as you’re clear up front what your role actually means, that’s the only way you’re going to be successful.

Yeah. And I think that’s the ideal thing. Even like the CISSP, if you look at the foundations that it tests, it’s a very wide range. And it’s everything from physical security to low-level programming understanding, all the way up to much more highly technical cloud and networking. It shows you what it takes to really be a security leader in an organization, or CSO. It is much more than just one aspect of it. And quite often it’s counter to what we’d expect if we make things more difficult.

If we make things technically challenging, that’s not always securing the environment. It could influence poor practices, because if you make everything super complex, people are just going to write it down. They’re going to write down their passwords. They’re going to do things that will then move against the policy setting, and it becomes, you’re effectively working against yourself by coming with this top-down, you-will-not-pass approach.

Well, the advice I’ve always given to anyone kind of early in their career or moving through their career that wants to ultimately become CSO in the end, is wider rather than deeper. It’s becoming more and more a business role. It’s becoming more and more about strategic leadership, about business leadership. There’s been a trend in many large organizations where CSOs aren’t coming from technical backgrounds anymore. You’ve seen people come from the risk function or the project management function or the program management function into CSO roles. And for me personally, I think that’s a really positive thing, bringing people in with that wider business experience.

That wider kind of programmatic experience and strategic leadership, I think, is really important, because you get that separated, agnostic view. Like, boys and their toys tend to get excited about security technology and AI and all that kind of stuff, whereas someone that takes a business-centric approach says, what’s most important for the business, what is it we’re trying to protect, what is my job here? Like, all of those things contribute to being much more successful than diving in and going, oh, I need to buy this product.

So I think that’s really important. Back to CISSP, it’s incredibly wise. I think it’s a great certification to have, out of all the ones that exist, to get you that kind of width in terms of understanding when you’re ready to do that. But I think as your career progresses, you want to know a little about a lot of different things. I’m no technical expert. I have technical people who do that for me. You can’t do everything. And it’s about having a little of a lot, I think, as you grow up as a CSO.

In the world of tech especially, community is incredibly important, and the ability for people to find a peer group. We’ve talked about the Forbes Tech Council, which primarily is aimed at the C-suite. There’s a lot of folks that are there that they can really look at the leadership level. There’s others that go further down in New York. But then you’ve got the bottom up, sort of the SANS and even the BSides and those types of conference opportunities. What, if you’re saying, as a Cyvatar founder, what’s your community of practice that you feel is effective in helping your team both empower as well as to stay close to what’s really going on out in the world?

Yeah. I think it massively differs depending on the team. Right. So for me and Corey as co-founders, it’s entrepreneurial organizations. It’s learning from other founders, people that have been there and done it. And actually, one of the things that I’m really passionate about is not in cybersecurity. I’ve got some great friends who are founders in cybersecurity, which is fantastic. But you’ll see from the way that we’ve built the business, we haven’t learned from cyber, we’ve learned from other business models, and we brought that into the immature space that is cybersecurity.

So therefore, when we’re learning from other businesses, subscription-based businesses like ourselves or SaaS businesses or whatever. So me and Corey have been very conscious to take those learnings from other areas. And the other thing to remember is we read a lot of books. We listen to a lot of audiobooks, get ideas from those things, but don’t prescribe to one single thing. There’s millions of different ideas from different theories and different books that all come together to create a strong business model. So I would say, for me and Corey, that’s important.

But then, obviously, like our member services team, they’re heavily embedded in the ethical world of security. It’s their job to know what the best products are on behalf of our customers. So they’re absolutely interacting in the Black Hats of the world, the cybersecurity conferences of the world, where they can have their ear to the ground so that ultimately our customers don’t need to do that themselves. And we’re taking that burden away from them. And then we encourage everyone. One of the things that we have all done in the business is go through a course called Scaling Up, which is a methodology for building businesses.

And we’ve been really open with the whole team from the beginning. It would be easy just to have me and Corey do that because we’re building the business. But actually, we wanted everyone to understand that methodology. The Rockefeller methodology for building a business. We wanted everyone to know what that meant, how it operated, so that as we grow, we can be completely transparent with the whole team. And everyone understands that they play a part in it. Everyone understands that they’re a part of the growth of the business. We do KPI stand up calls every day where everyone sees what the business is doing.

Are we failing in certain areas? How do we change that? And we have those open conversations with the team where everyone shares the learning and we build the business together. And me and Corey think that that visibility is incredibly key. So to your point, there’s definitely external communities, but there’s also internal communities where we bring all of that together and we grow as one team.

And I think this is also a testament to your approach in that when I choose a vendor, why we say the three T’s begins with team, I have to depend that the company that I’m buying from has viability, and it’s really difficult, right? If you’re like, they look around and know that, I’ve got twelve series A technology companies that look exciting, and you know that they are close enough in their messaging, and in the end, in four years or six years, there will be three series D companies. But I have to lay that bet.

And your approach is beautiful, right? It’s differentiated because this means that trust that you will grow with me as an organization, as a customer versus like, yeah, we got a widget problem, I get to solve your widget problem. That’s fantastic. There are pure specific problems to solve, but being consultative and not just looking at like, all right, I’m just looking to get the CRC and get bought by Accenture like, whatever the thing is, not that that couldn’t happen, but you’re looking at growth. You’re looking at building a foundation on which you can grow with customers.

And again, like I said, the weird thing is I called on the pricing and the subscription model early because it’s such a rare treat that, you know, that the sense of freedom gives you the ability to be free to adopt. It’s such a funny thing, but it’s a welcome change, especially in the world right now, where we have to be able to adapt. We don’t know what four months from now is going to look like, and just that sense that you could buy as you need grow in a consultative approach, learn from experts who are, their economy of scale is knowledge scale.

I can’t possibly, with an 800-person organization or 4000-person organization, trust that I can hire 25 people that I’m going to send to conferences every week and make sure they’re on top of things and that they’re doing their bloody job. That’s why I love the approach.

100%. And I think that’s why it’s so important for us. If you look at me and Corey, you look at many VC funded businesses, ostensibly, you have a very technical founding team. You have a team that is focused on product building the widget, whatever it is. And that is what the team is really highly focused on. They’re very good at doing that. And then you get a ton of sales people who go out and push that with you and push that product, right? Our business is fundamentally built on the experience of the customer, where we add value is in that people and process space, it’s not necessarily what we’ve got some solid technology in the platform.

It’s not product led, and therefore it’s really important to us that the customer and the customer’s experience is at the heart of everything that we do. And that means that we approach it slightly differently. That means that all of our team members are highly skilled in what they do, highly skilled in making the customer experience incredible. And second to none, not necessarily highly experienced in selling a widget. Right?

Which is not what we’ve built the business to do. And to your point about cancel anytime, if we fail, we fail as a business. If the customers aren’t seeing the value and the fundamental value proposition that we deliver, so that’s where our heart is at. That’s where we focus. The business is all about that experience.

Yeah, because there’s nothing worse when you buy a product and you just look concerned. It’s always the matrix is the same and look like I said, I’m in product marketing. I know the dance we do. You’re going to have a three column thing and most people will land in the middle. You want to edge them towards the far right. You want to put them in the enterprise plus, or we call it platinum or unobtainium. We call it some exciting new thing, and it’s always like basic bronze, iron, cobalt, whatever. We try and make it like no one buys that thing.

But the fact that you’ve got a freemium entry point all the way up through effectively scaling on consultative additions to what you’re doing. You’re using a human-based counter on the engagement level. Like I said, it’s a refreshing change. And I was excited by the approach, and I’ll be excited to have you on when we announce your series D as well. So mark your calendars, kids. You’ve got a lot of really good stuff coming ahead, I’m sure.

Yeah, we’re super excited as well. Thanks for having me on, Eric. Yeah, I think you mentioned it there. We want to take that consultative approach. We’re not afraid to say customers, don’t buy this. It’s too advanced for you right now. Don’t go buy APT protection against AI threats when you’ve got, you haven’t done your basics of building a threat and vulnerability management program yet. You don’t know what assets you’ve got. So we take customers through that journey. We don’t sell them something they don’t need, and we really help them to build a program that’s strong enough for where they are in their maturity in their growth phase.

But then, from a Cyvatar perspective, we’re growing super quick. Really excited to be on this journey. I say to the whole team, we want to enjoy the ride as much as the destination, if not more. So we’re having a great time doing it. Team is incredible. Customers are incredible. And yeah, looking forward to updating you on series B, C, and D, hopefully.

Definitely a lot of good stuff. And as far as the building approach, too, this is something we can actually, I’d love to have you back on, and we can dive into the founding team relationship of a technical founder and a nontechnical, is always such a, it sounds almost like a pejorative, but in that you’re not purely technical as a founder. It’s such an interesting mix and finding that match, it’s kind of hilarious. I’m sure when we look back on it, it’s always like chapter one of every book where you’re like, here is Craig.

And then he was sitting in a coffee shop in San Francisco.

It was a pub in San Francisco instead. I’ll say it super fast. The story of Cyvatar, the founding story, is an incredible one, because there were so many factors that might not have led to it happening. I lost my father a month before RSA in San Francisco. I nearly didn’t go. I was very tired at the end of a long week, and I nearly didn’t grab a beer with Corey. All those things just capitulated. And I eventually did. And the rest is history. Corey would say it was the universe.

I’m English, so I’d say it was luck, but whichever one it was worked out in the end, and like I say, the rest is history. But yeah, there’s a good story for a book there one day.

Yeah. And it’s hilarious that when you look back on it, you realize how many of those opportune moments that really, truly like I said, it’s luck of occurrence and somebody else as well. I literally just went into an Apple event and I happened to be sitting next to somebody. And next thing, they were backing my start up that I had never thought I was going to build four months later. It’s like just by the happenstance of sitting in a seat, never know what can occur. But it’s much more than the luck of the moments.

It’s the gumption and the choice of the team to put the time and work into it. So it’s pretty amazing to see it come together. Good stuff. So, Craig, if people want to reach out to you and get connected, what’s the best way to do that?

I love the social media. I’m all over it, Eric. So hit me up on LinkedIn. I’m on Twitter or obviously Cyvatar.ai for Cyvatar stuff, but I’m pretty easy to find online, so feel free to reach out.

Excellent. Well, thank you very much, Craig. It’s been a real pleasure. And there you go, folks. The links will be down in the show notes and such. And yeah, this was great. And sure enough, just like I said, history always tells you that if I say I’m going to have technical problems, we had technical problems. But we got through it. And this was a really great conversation. Thank you very much.



Scott N. Schober is the President and CEO of Berkeley Varitronics Systems (BVS), a forty-year-old New Jersey-based privately held company and leading provider of advanced, world-class wireless test and security solutions.

Schober also invented BVS’s cell phone detection tools, used to enforce a “no cell phone policy” in prisons and secure government facilities. Scott is a highly sought-after subject expert on the topic of cybersecurity.

Scott shares the story of his own recovery from identity theft, techniques we can all use to protect ourselves, and the challenges faced by everyday people amid a growing increase in cyberwarfare and cybersecurity attacks.

Check out Scott’s book: Hacked Again

Visit Scott’s website at https://scottschober.com 

Thank you for the great lessons in this episode, Scott!

Transcript powered by Happy Scribe

Hello, and good morning, good evening, good afternoon wherever you are.

This is Eric Wright, the host of the DiscoPosse Podcast. You’re in for a really great episode. We talk about cybersecurity, online security, personal security, ransomware, and much more with Scott Schober. Scott is an author. He’s also the founder of Berkeley Varitronics Systems. He’s a well adored voice in the InfoSec and cybersecurity world. He’s been featured all over the place. So it was a real honor to share time with Scott, and it’s a lot of great lessons in here. You hear about his own journey through challenges in having his identity stolen and how he recovered from that.

And he shares a lot of the practices that will allow you to do that really compelling story. Plus, he’s just a very good speaker, definitely somebody who I would love to see on a stage somewhere in his presentation mode. And of course, speaking of ransomware, how do you stop ransomware?

Easy. You use our friends over at Veeam Software in order to make sure that you’re protected for everything across data protection, including ransomware protection, because ransomware is about making sure you protect your assets, whether they’re in the Cloud, whether they’re Cloud-Native, whether they’re On Premises, you are vulnerable. Unless, of course, you use the good practices and the great software at the fine folks at Veeam. So go to vee.am/DiscoPosse, and you can get hooked up with that. And if you want to stop ransomware as well, make sure you try and ease up the in-flight traffic that you do and that’s protecting yourself using things like VPNs.

I’m a user of ExpressVPN. I highly recommend it because it allows me to ensure that wherever I go, my traffic is protected in flight. It’s part of an overall practice, so easy to try. Head on over to tryexpressvpn.com/DiscoPosse and that’s the easiest way to get set up and you get a little bit of a bonus. You get a free month, you get some neat things. Do that head on over to tryexpressvpn.com/DiscoPosse.

And of course, one last thing. If you want to be able to stay up late to be able to fight your ransomware and think about better security practices, then do it by drinking fantastic, devilishly good coffee, like diabolical coffee. So head to diabolicalcoffee.com and you can get set up there.

All right. Anyways, let’s go back to the show. This is Scott Schober. He’s really cool. I enjoyed this. And this is the DiscoPosse Podcast.

Hi, I’m Scott Schober, President and CEO of Berkeley Varitronics, cybersecurity expert and also author. And looking forward to a great conversation with the DiscoPosse Podcast.

Scott, thank you very much for joining today. This is especially enjoyable as I’ve spent a lot more time now in the security and cybersecurity community. Been diving back in, and naturally your name pops up and your content tends to pop up just because you’ve got, number one, you’re a very prolific voice in the community and in the industry, and it’s just super high quality. So you are CEO of an organization. You’ve actually got your own company. You’re an author. So we’ll talk about Berkeley Varitronics. We’ll talk about your book, and this is one that I definitely will recommend.

We’ll make sure we have links as well for folks that want to hear about Hacked Again. And more than anything, you’re just such a great, respectful voice in the community. So thanks for joining. If you don’t mind for folks that are new to you, give a quick little intro and a bio, and then we’ll jump into the challenges that we all face right now.

Yeah, absolutely. I have the honor of running a small company. We’re a wireless security firm. We’re in business 49 years. I’m actually next generation. It was founded by my father. And over the years, we’ve kind of changed what we do as a company. But we’ve always had the unique challenge where people come to us with complex problems and we try to provide a simple solution. Oftentimes it’s tied in with wireless. And that really blossomed for us. In about the mid 1980s, we developed the first wireless test tools, and these were receivers, transmitters and propagation software so you could actually plot out and look what the cellular coverage was and have an idea where in the world to put cell towers.

A lot of the offshoots of that in the 90s and the 2000s were understanding how cell phones work and providing more advanced tools and the offshoots of all that were a lot of security problems and solutions. And a lot of the solutions we came up with was because we understand how bad guys think and the vulnerabilities that are inherent in mobile phones. And hence we launched a bunch of different security tools and products and provide services and expertise and knowledge base. And in the process of doing all of this, the education of it, especially in the past ten years, I found out I had a target on my back, and these were the cyber criminals going after me to basically silence me.

That’s really kind of the genesis of my story, Hacked Again. That was my first book, what happened when I got victimized and targeted by these cyber criminals. And a lot of it is really the mistakes that I made. And it’s kind of embarrassing because here you are as a CEO, running a cybersecurity company to help with physical security and cybersecurity. And here we are, we’re a victim. We’re getting repeated DDoS attacks, Twitter hack, debit card, credit card. We had $65,000 stolen out of our checking account, became a federal investigation.

So I kind of detail all of my misfortunes and all the things that I’ve learned from the community, and I try to share and give that back so others don’t go down the same path that I’ve gone down and hopefully can learn from some of my mistakes. And in the process of that, it obviously gets a lot of attention in the world of cybersecurity, on the speaking circuit from books. So I launched two other books. As a result of that, I focus a lot in the world of media, TV and radio, and blogging to share and provide tips that people can use to stay safe, whether it be just from a consumer side, a small business Fortune 500 company, but really trying to harness my knowledge base to fight back against cyber criminals.

And that’s kind of become my mission.

Well, if anything, in fact, I’d find that those who’ve been on the other side of it effectively a victim of this situation are the ones that I would most likely have a greater trust in because you’ve actually genuinely experienced it. You’ve understood the recovery process, you’ve really seen the exploit in action. The challenge we often find is you end up with a lot of pundits and experts, right? And I use it as someone who gets asked all the time to do things as an influencer or as whatever.

And I’m like, I can speak about a lot of things, but I can’t speak with truth and conviction about everything. I can read about a thing and then speak about it versus you have lived experience. You have skin in the game in actually going through this. And so I find that just the credibility is so much stronger also that you’re willing to share in the challenges you faced, because that’s also another problem everybody kind of wants to say, oh, I would never. Countless financial advisors who are bordering on bankruptcy, countless bankers who haven’t paid their taxes in nine years.

There are all these people who do a job and yet have sort of fundamental issues in their own handling of the very same thing that they are supposed to be experts in. It’s an odd world in that way that sometimes the voices are the loudest, but not necessarily the most ideal that you would have.

Yeah, I think you make a great point. And I always joke around with my wife, and there’s kind of an old adage, you always say that the electrician’s house always has electrical problems and things like that, and there is some truth to it, and it can be embarrassing. And I’m the first guilty of it, especially when I look back and was targeted and hacked. But as I talk to other cybersecurity practitioners and some of these guys, I learn a ton of things about. But yet I see they themselves are lax in cybersecurity often, and they’ll send me a password by email and say, Well, I trust you. It’s okay.

And I’m like, no, stop, please don’t text or email that or they’re not using multifactor authentication or whatever it is. So we, as a community in cybersecurity sometimes are not setting the best example for others. And I’m hoping that we can over time, break that trend. And most of the things that I tend to talk about are not items that are big spends are super complex and technical. And I think that’s kind of a misunderstanding industry people hear cybersecurity. And at least years ago, when I first started talking about it, people would look at your deer in the headlights.

What in the world is this guy talking about? Acronyms and this word and that word. Now it’s become a little bit more mainstay. And people understand if they hear ransomware, they hear phishing attack, they hear multifactor authentication. It resonates with them. They get it. Maybe they don’t practice it or utilize best practices, but they get the sense of those terms because every day you turn the news on, we hear about these things. Cyber attack, ransomware attack. It happened with phishing, it happened these credentials were lost.

So it’s become kind of the norm. And hence the reason why I wrote my second book, cybersecurity Is Everybody’s Business. I kind of had to pivot from understanding from a technical standpoint. Here’s what it is with a CEO wireless security company compromised. But now when I talk about cybersecurity, it does affect my grandmother. It affects my kids, my family, my business colleagues. It affects everybody, and we have to do something about it, or we will be victimized. And hopefully that resonates through some of the pages there and the stories and things that I share because I think it is important for each person to take control of their own security, just like you want to secure your home, secure your car.

You want to have some type of strong cybersecurity stance just so you can fight back and not be victimized because the cyber criminals are winning. That’s the part that bothers me so much, despite the effort of what I’m trying to do and a lot of other great people out there men and women, countless hours trying to fight back and defend people and define good security practices and make things simple. In a sense, I feel like we’re losing. And it’s not just on the personal level, but even as a global level.

Look at what’s happening in the United States with countless ransomware attacks, especially that seems to be an area that now the government is stepping up, which is good. You’ve got the Biden administration now talking to tech companies, and these are the guys that really are embedding security into their products, especially the IoT type of products and mobile phones and things like that. Hopefully this will start to make a difference and resonate through the community or through the United States and get us all safer. And that’s important.

The interesting thing is sort of the adage of we have to be right all the time, and the intruder only has to be right once. We are basically holding up a shield and hoping it doesn’t fail. And at best, it’s a shield that we borrowed. We cannot be experts. They, this proverbial sort of The Royal They. This is all they want to succeed at is just trying and trying and trying until a small way of breaching that armor, it’s a small data breach. And we have this real unfortunate problem that I agree with you.

I love that the government is moving towards at least raising it because it has an incredible impact that they’re there. The downside is often the first step will be to somehow legislate it away. And that is very much not the way. And in fact, sometimes can hobble real true technology organizations and companies and groups that, like many of us are doing, is trying to fight, trying to create ways in which to hold off these breaches, hold off these attacks. And we get sometimes hamstrung by the very same legislation that is designed to protect the rest of the greater good that it’s like, oh, now you’re on the wrong side of some code by law violation or something or another, right?

Yeah. There is truth to that. And I think to some degree that adage, it is pointed and it makes sense. And then I often also think about the counter. And if we look at cybersecurity and I have to say nothing is 100% secure. I think that, I always put that out on the table. So when people are unrealistic, it kind of balances it out. However, when you look at the government and some of their failures or misgivings of the past endless breaches that have happened from pretty much every agency throughout the government, it doesn’t mean going forward.

It will be constant failure, because if they start implementing these best practices and you’ve got private and public working together, communicating, sharing vulnerabilities, sharing weaknesses, then you can start actually blocking them, stopping them and working together. So there’s kind of that silver lining I look at when that communication is there the sharing of information. It doesn’t matter that we don’t have to get it right every single time. But when we do is start implementing best practices and don’t just throw our hands up because I hear that all the time.

When I present at these security trade shows often, a lot of times I’ll interact with the audience and I’ll hear a little bit sense of why bother. I don’t have anything that’s that valuable to steal. They’re going to get it anyway. The government can’t secure it. No company can keep my information secure.

So why bother?

And that’s not a good way to approach cybersecurity, but rather, if each person takes some personal responsibility, do what they can. And it starts at the simplest level. Sometimes it doesn’t mean you have to go out and spend a ton of money, but creating a strong password. This is something I’ve talked past ten years until my eyes are blue. And yet people look at you and say, yeah, very important yet then you question them or quiz them. Well, how many characters is your password? Six characters.

Well, why is it six? I can’t remember more than six or eight characters. And is it a common name? Well, yeah.

Do you use it across multiple logins? Well, yeah, because that way it’s easier to remember. So right away, they start to break down their security. And these are things that we control. So if you don’t reuse the same password across multiple websites, that just takes you to another level, because guess what? More than 50% of all people still reuse the same password across multiple websites. But when we start looking at odds and these security breaches, we wonder, why does it keep happening? Because of us. People are the problem.

Human weakness, and we’re complacent. We’re lax in cybersecurity. I always ask people and challenge them and say, do you use multifactor authentication? And most people say, oh, yeah. Do you use Gmail? Well, yeah. Do you use multifactor authentication there? Well, no, I have nothing private there to share. And I’m like, well, yes, you do, because before you know it, you’re sending a password, a Social Security number, bank account information. At some point you will. Do you think that that email is truly encrypted, private, and Google never reads any of the content of it?

Well, they do. Because you’re paying nothing for it, when you pay nothing for it, what are you doing? You’re trading your privacy. So they’re not going to write Scott Schober bank account number. However, that metadata, data about me will make that correlation. And that’s where it’s really powerful. And we have to realize these companies are selling us as the product, and we have to use caution. So when we do use multifactor authentication, encryption, are cautious about what we share through our email, which is the most common way.

It’ll give us a much better cybersecurity posture.

Yeah, a lot of people sort of take that approach that, well, I used to fax this stuff, and it literally sits on someone’s desk on the other side. But you knew whose desk it was, right. Even if you didn’t know, at least you knew it went to a physical building, and they had a responsibility to shred it. Gmail. Not only did they not shred it, but they’re using it to design other things. They can sell to you via selling your information and meta-information. As you said, they’re not taking the content of your email and directly giving it away.

But they’re developing metadata about you as a persona to then sell to subscribers, vendors, et cetera. And there’s a reason why you get amazingly targeted advertisements. When you go to a website you’re like, oh, that’s funny. I was just looking up something about Subway sandwiches and also I’m getting ad for Subway, or I’m getting ad for Jersey Mike’s because they are buying competitive positioning against advertisement. And you’re like, how did they know so much? Well, you said or wrote it somewhere. Most likely or did a quick Google search.

We literally call it a Google search, right? Like at that point, you know, it by trade name.

And it’s true in so many other ways to your point. We’re so accustomed to what we call it a Google search. And I use Google. It’s great search engine. However, I also used DuckDuckGo. And there I can do searches. Not as good as Google. Honestly, they’re not as good, but they’re pretty good, but it gives a level of anonymity and privacy because again, they’re bouncing around the IP address. It’s encrypted and probably more important, they’re not selling my information, and hence other companies pushing ads toward me.

It really does is it allows me to control my digital footprint. I talk about that often each of us has a digital footprint. The more we put out on social media. The reason for social media. So we can be social. Talk about the trip we went on, share pictures of the kids or whatever else the case may be. But sometimes we’re too social on social media, and we’re giving little tells about our private lives that people can put together a picture of us and perform identity theft, hacking into computers.

All of those things are combination of things socially engineered, where they pick up a phone and garnish a little bit of information from the Secretary, maybe someone in our house innocently, slipped something. And next thing you know, they use all that to get into a computer network. That’s how a lot of these big breaches happen. Third party access, weak passwords, socially engineered phishing attacks. There’s lots of different ways. All the culmination of all of those together are effective means until they can get into that network, and then the game starts and they can really start accumulating stolen personal information and use it to their advantage.

And of course, that all ends up on the marketplace, the dark web, the underbelly of the internet, where they can sell these things and they can do it effectively, make money, stay anonymous and grow the criminal empire.

You can tell when you’re sitting next to a security person, when you hear them, and they ask the question, like, what’s your mother’s maiden name? Metal four underscore underscore star, even the security questions. This is one of the challenges I often tell people. I’m like, you want a basic way to transpose the real thing. You don’t want to always use your actual mother’s maiden name. You want to have a key phrase that you may use and maybe add an identifier to the particular service. There’s different ways you can approach it.

Scott, maybe if you want to talk about ways that we can protect ourselves, especially around those challenge phrases, because they feel it’s secure automatically, but they can still be pretty lax about it.

Yeah. And I think that unfortunately, the concept of security challenge questions when it initially came out was really good. The negative side is probably the specific questions are not unique enough to us to make it a true authenticator or another level of security, because really, security is achieved in layers, and that’s really the intent of it. I always use the analogy. We secure our homes. We don’t just have a simple doorknob lock that we turn, we have a deadbolt, we have an alarm, we have camera, we have those fake stickers that the place is patrol, so on and so forth to do what, to deter the thief, to move to the next house where the window is half open and they’re going to go rob that house.

Same thing in cybersecurity. We want to have these levels of security. So when a security challenge question comes up, what high school did you attend? Anybody can do a simple Google search and see. Scott Schober attended Edison High School, and that’s probably the answer he would use. I actually claim that it would be safer to use password 1234 as my high school that I attended, as opposed to the actual high school I attended. I know that sounds counterintuitive, but guess what? Somebody trying to hack into my account would not put password 1234 in there.

They’d be trying all the different high schools if they looked. Oh, he grew up in Edison. He probably went to Edison High or this high school or this high school, and they would guess it. Case in point, similar to this, a couple of years ago, I was presenting at a, this was a government security conference down in the Virginia area, and I had a keynote there. And also Kevin Mitnick, the world’s most famous hacker had a keynote. He actually invited me up on stage and he wanted to perform identity theft on somebody.

So he picked me out of this crowd of 400, 500 people. I was a little embarrassed and a little nervous going up on stage thinking, oh, gosh, what’s he going to do here? So I just said, Kevin, please go easy on me. I’ve read his books. I certainly follow him. He’s a great guy. He’s done some amazing things, good and bad, but in any event. To start off, he simply looked at my badge and said, Scott Schober, got on his computer, entered it in, pulled up information. He said a couple of simple questions, because you just got to answer yes or no, Scott.

Do you live at this residence? Yes.

Do you have another house here? Yes. Are you this old?

Yes.

Is that your mother’s maiden name? Yes. Now I’m getting scared and he goes, okay, the final thing, I got to get your Social Security number pulled it up. Is that your Social Security number? I said, yes, that cost me one dollar. I got nervous. I said, oh, gosh. And then he goes the final piece to perform identity theft on Scott Schober, his date of birth and he goes, does a search and pulls up a screen. All said about 20 or so different entries for different dates of birth.

He goes, is that your date of birth? I said, no. Is your date of birth on the screen at all? I said yes. And one instance is correct, I’m not telling you what it is. And he kind of laughed. And he says, “You’re ruining my routine here.” I said one trick that I’ve always done is, every site that I sign up for, I use a different date of birth, so I get different reminders throughout the year, Congratulations or happy birthday, on all these different dates.

But that is used actually as something that I can control, and it helps keep me secure. So if somebody was going to do identity theft or say, take credit out in my name, they call the issuing bank, there’s a stolen credit card, this and that. And at some point the bank says, what is your date of birth? And the cyber criminal responds with the wrong date. Guess what? Conversation over phone hangs up. Security is in my control, and not all of us can do that. So simple things we can do that will help keep our cybersecurity posture much, much more secure.

Now, obviously, I have my credit frozen. I recommend that for everybody. Do it with the three major credit monitoring agencies. They talk between one another. Is it a pain? Yes.

And there’s always that trade off between security and convenience. If it’s not convenient, it’s probably more secure. And that’s what I do in all my cases when creating a password, when freezing credit or dethawing credit. Making cybersecurity decisions. I balance that. How secure is it versus how convenient it is? And I always try to err on the side of security. And that seems to help to keep me secure for the most of the time. However, that being said, as I mentioned, Eric, nothing is 100% secure. Despite my best efforts, I’m constantly targeted.

I have been hacked. I still receive repeated attacks. It’s just I got to keep up in my game and doing a better job to fight back. And we all do.

This is the challenge we face. As you said, it’s an opportunity crime like bicycle theft is purely about convenience of the availability of a crime. It is very rarely do they want to go out of their way to break into your garage to steal your bicycle. What they want to do is they wait by a place where a lot of students go for lunch. They are likely to forget their lock. They ride up, they lean it against the wall, they walk into the restaurant, they come back out three minutes later, no bicycle.

Especially even if it’s on the dark web. All this stuff like you said, they have to do it in bulk. It’s a systemized approach to the hack. So if your mother’s maiden name is password123. Even though, like I said, it sounds insecure, it’s not, because no one’s mother’s maiden name would be password123. So it will fail on a systemized hack. And unless they really want you in particular very badly, and they’re individualizing the attack, which. Let’s talk about that.

Scott, especially once you’ve been breached. Unfortunately, you go on a short list that often also gets shared, that hey, we have one. And they can show how you were exploited and then ultimately, at that point, then they begin to go a bit deeper. So talk about your own experiences there.

Yeah, a fair amount of security. The way I implement it, I call it security by obscurity, making it a little bit more challenging. In other words, I don’t do things that the normal person does. And again, I can’t recommend this for everybody, but I often will put it out there so people can just reflect upon it and think about it and make the personal choices that work for them to help them stay more secure in the world of this crazy cybersecurity. So since I’ve had my debit card compromising reissued a million times, I don’t use a debit card.

It’s inconvenient. It’s a pain, but I try to find that balance. I don’t have an Amazon account, but if I want to buy something for Amazon, I have other people that have an Amazon account that I will just pay them cash, reimburse them. So I do some things, too. I call it staying off the grid a little bit to keep it a little bit more secure. And I try to mix up my digital footprint, as we were mentioning before, using multiple search engines. I’d like to put in random things that have absolutely nothing to do with my interest or my desire every once in a while to throw curves out there.

And why? Because I always like to keep myself in check. And when you see a crazy ad pop up on your smartphone because you did a search on Google last week for a kayak. Now you’re getting pitched with kayak ads. You make that connection and say, yes, it’s still happening. So I even do things. And this is maybe the next level. I balance it on paranoia, maybe a little bit, just because of the things I went through. Yes, I shred documents. Maybe to a fault. I use a micro cross cut shredder that’s going to obliterate a 2000+ piece as the same as NSA groups will use to really make sure it’s impossible to take this confetti and put it back together.

I use when transporting files via computer to another computer. If I’m using it on a USB stick, I’ll actually use an encrypted stick. They’re cheap, they’re effective. They can have one that holds three terabytes. Works between Mac and PC. You don’t have to put a driver on there. You have a unique code that only you know, you enter it to lock and unlock the stick.

AES 256-bit encryption is on there. Somebody else tries it if I drop or the stick is stolen, it does a mission impossible and erases it. You can implement things like that. That’s about $60 for a base stick with enough memory on it to hold lots of documents. I’m controlling my cybersecurity. Do I use anti malware virus scanners, anti key loggers? Yes, I do. In reality, they only stop about 10% to 15% of the threats coming in because the threats continually evolve and there’s zero day threats. You can’t stop everything.

I patch all my software as quick as I can. iOS. I’m careful not to use a lot of different sites that I surf. I have different computers for different things, especially because I go out on the tour and go on the dark web. I’ll use a VPN to make sure my information is encrypted. Traffic is bounced around, so law enforcement doesn’t knock on my door and lock me up. Not that I’m doing anything bad. I do it more for research a lot of times finding stolen credit cards, identity and things like that.

I’ve even worked with several different media outlets. When we find that information, we’ll actually work together and report that to the authorities, number one and to the individuals that were compromised so they can take some solace that there is something they can do about it. And that’s important. Another tip I recommend a lot of people don’t do this that I think is very important. The dark web, I’ve mentioned that a few times. That’s where all this information, stolen credit cards, debit cards, bank account, passwords. That all ends up on the dark web in volumes that cyber criminals are selling.

They’re using cryptocurrency Bitcoin digital money, basically, so they can remain anonymous. And the dark web things are encrypted. The IP traffic is bounced around, so you don’t know where the criminals working from and the sites are not indexed. So it’s really hard to find the criminals. So when you think about those types of things, we have to be aware of it. And what I do is every month I scan my email addresses. I have about four email accounts that I primarily use. I send them to a company. It’s called Cyberlytics.

I am on the board of advisers there. They got a great product and they have an engine that basically crawls and is in the dark web looking. So if it sees my email account and it’s correlated to any of these breaches, it will alert me. And why is it so important? When you know right away that your email, your possible personal login, credentials to a particular site, say LinkedIn is compromised and you see the date of that breach, how many were affected and that you’re part of it.

Guess what? I go on to LinkedIn and I change my password and I think that’s more effective approaches being proactive as opposed to what many people have recommended. Change your password every three months. Statistically, actually, when you change your password every three months, it doesn’t actually make you any stronger. From a cybersecurity perspective, I argue and counter and say, actually, it creates a situation where it actually may be worse. It gives another opportunity where somebody could intercept that password where it’s being stored. You have to write it down, record it, put it in a password manager.

Again, another opportunity for somebody to hack in there, be it the conduit wireless, through the Internet, email reception part of a breach. Who knows? So just because you’re changing your password more frequently doesn’t make it more secure, but rather make a really long, strong password. Both characters or more will take a long time to compromise. And if it’s so obscure, you can’t remember it. My rule of thumb is that’s a good password. I write it down a physical black book. And again, layers of security as I was talking about Eric, lock the book in a safe, in a locked office, in a locked building with an alarm with cameras, layers of security.

Unlikely my little black book is going to be compromised. I also use keychain passwords for less secure accounts, but I need convenience when I’m traveling and then also, I’ll use a password manager. I personally use Dashlane. Great product. Good balance between security and convenience. It’s not too hard, it’s affordable, but it’s secure one password to remember your information. Your password list is encrypted, and hopefully it does never get compromised and someone can hack it and get your master password. So don’t ever write that down on a sticky note or leave that lying around because that’s the golden key to basically everything you own.

So you got to again balance and manage your security. And I always say, separate your really strong passwords, bank accounts, stock portfolios for US government login sites that’s kept near and dear to me, where I control that. Other ones that are more common and useful when I travel to speak or different events and things, they’re on a password manager. So again, I can control it. And I’m controlling the device that it’s on, and that device is secured and encrypted and backed up, which is very important.

So again, we need to unfortunately, spend a lot of time keeping our stuff secure.

There’s small things even to, like you said, the master password. Quite often. The issue we have is that somebody says, hey, I’m trying to protect my passwords. I’m going to use a master password that I definitely won’t forget, which is ultimately one of their actual passwords, which is probably floating about the dark web. And my suggestion to folks is often take a complex pass phrase. And like you said, don’t write it down, don’t put it in a spot, but put it in three spots or even two spots.

And you can even email part of it to yourself. And then in another area, get the other half. I used to do this in an organization that I was at. We had the top level root password for active directory as an example. I would have three different people create the password. I would create the first six characters. The next person would create the next six. Then the third person would create their six. We would each put our six characters into an envelope and then do this for three instances and then put them in different locations.

One goes to Iron Mountain, one goes to the opposing office, and one goes in a secured file cabinet. And when I first implemented this practice, people are like, this is a little crazy. I’m like, no, you can at any point in time. If I leave, you can recover a password. And if I leave, I don’t have the password. It’s ideal. So none of us have the complete understanding of the way to get in. Yet we all know how in a pinch we could collectively come together and get it effectively.

It’s like turning the two keys at the identical time in order to unlock the nuclear codes and such. But I had a greater responsibility to that corporation. But then I took those practices, and I kind of use that for my own. I’m a fan of Dashlane myself and the other one as well, and I won’t mention the name but people can click on the links below if they watch the YouTube. One of the supporters of the podcast is a VPN. I won’t say just because I don’t want to be like, Scott Schober supports this. Well, like, no.

So lots of VPN products are out there and people say like, well, I don’t look up things on the Internet that people, I wouldn’t be comfortable with people seeing him like, that’s not the point. It’s other things that go in transit with it, it’s other man in the middle attacks for just simple password. Simple.

You log in the email wherever you go, you go to Starbucks. So I have it on my phone and I have it on my laptop. And like you said, it seems like a hurdle. But once you do it two, three times, you just know. On my phone, it’s always on. As soon as it initiates the network, it’s automatically on the background. So I don’t have to be as concerned. Like you said, I love this layered approach. And in practice, when we do it, I think that starts to allay the fears.

Like I said, the same way that people know what ransomware is. If you, three years ago said, ransomware is a thing, people will be like, they just look at you strangely.

You’re going to take my child. Wait a minute.

Exactly. I’ve seen that Liam Neeson thing. Is that what you’re talking? That Liam Neeson movie? I searched about 17 Liam Neeson movies. But if we introduce these practices, it’s actually not terribly complex to do. And then it becomes part of your, you think harder about the next time you write a password somewhere. You think maybe I should be thinking about how I manage this and it becomes pervasive to other secure things. Like you said emailing. How many times do you do this right? They sent, a bank sends you a DocuSign, and then. Well, not a bank.

But somebody could send you a DocuSign to sign a job form, and then they ask you to email back your PDF unencrypted with your Social Security on it. Like, why did you make me DocuSign the thing?

Wait a second.

That’s supposed to be secured and marked and protected. But yet then you asked me for an incredibly powerful piece of information about my life over unencrypted email.

Yeah, and that’s why I tend to like to kind of work in the realm of that security by obscurity by doing things maybe a little bit unorthodox and different. So if someone is targeting me, it’s not going to be that clear what direction I’m going. And I like your analogy there about kind of dividing the password up and keeping it secure and having a way that you could still gain access to it. And then if you do leave the company, it doesn’t go with you. That’s a good balance.

That’s a brilliant example of why it’s so important to just think these things out, and I often encourage it till it becomes habit forming. Some people, you wash your car once a month. We need to do cybersecurity things that we make sure we follow that habit. Maybe you do a data backup. It should really be daily. But if you’re not doing anything once a month is better than nothing at all, especially if you’re a victim of ransomware attack. So implementing systems where you could be disciplined to follow structure that works for you so you can maintain it.

If it’s too complex, I’ve learned quickly people don’t do it. People are lazy, and that seems to happen again and again. I’m always comparing complacency with cybersecurity and trying to help people realize once you are a victim and hacked and compromised, it could be anything. It could be DDoS attacks. It could be your social media account, your credit card, or debit, your checking account. Once you go through the pain process of it, and it happens again and again and again. You say, I’m never going to go through this again.

You don’t want to go through a federal investigation when $65,000 is taken out of your checking account. It is not fun. It is time consuming. And if you’re running a business like myself, it’s taking away from that. So your whole sole focus is to get that money back and secure it. So it doesn’t happen again. And people don’t sometimes realize they hear it and say, oh, that’s a shame. Well, you were targeted that’s what you get. But you can prevent that. And then you can implement certain things to prevent it from happening again.

Like in that particular case, I sat down with my bank and understood through the investigation, who got the money, how much they got, which accounts they got it for, what it went for. I asked those questions and they’re required by law to tell me under a federal investigation. So it’s interesting understanding. And then how it happened through the bank, how they had access to my account. Somebody impersonated a teller, in a sense and digitally, how they can manipulate and take that money out from a wire transfer.

What did I do in response? I said, Well, from now on, no wire transfers can go out of our bank account unless I’m there in person signing for it and proof of my ID. So suddenly it puts up again, not convenient, but secured. Never had it happen since then. So sometimes you have to look at your personal situation and put in some security layers to make sure it stays secure. So you don’t fall victim to the cyber criminals, and they’ll just move on to the next target.

It’s not that they’re going to give up. They’re lazy. They will move on to the next person that has a password with a sticky note on their computer that doesn’t have a secure account that shares passwords, that doesn’t use multifactor, whatever the case may be. So I encourage everybody to do those things, but just realize once you start doing that, you’re not going to be targeted and victimized, they’re just moving to the next target. It’s a numbers game.

They prey on the fact that humans by nature, as you mentioned. Right.

And we know this, unfortunately. We don’t like friction. We don’t like additional rigor and processes. And yet when we are the victim of a breach or victim of anything. Right.

I know a lot of people that give up drinking every Saturday morning, but then they take it up very effectively on the next Friday night. So when you’re on the direct impact, other side of a personal breach or a fearful thing, and usually they think it’s some complex thing, like somebody with a balaclava and a mask over their face, sitting in a data center and like, no, it’s floating out there. It’s a list. It’s very easy. You get a text message and look, I get them all the time.

And it’s kind of funny because I know what it is. I know this is a phishing expedition, right? I know I get the email, but sometimes they’re good, and even I want to like, I’m going to make sure this is very well done. I want to just triple check how well this was made because they pick a bank that you’re a member of or a cellular phone company that you have an account with. And if you don’t know, it’s just very easy to, oh, the first thing that hits you is, oh, my goodness.

This thing says I’ve been breached. I need to change my password right away. And I used to test this with people all the time. In the Kevin Mitnick style, when I was at one organization, I would pick up the phone somewhere in the office, and I would say, hey, this is Pete from the help desk. I just need to double check if you shared your mainframe password with anybody recently, and they’d be like, no. Okay. I just need you to confirm what it is right now because we’ve seen it, and it looks like it may have been compromised, and they’d be like, and of course, you would use almost always something very simple.

But even if it wasn’t because they are now in fear that they are at risk. They say, it’s Pete from the help desk. It’s Monday123 or whatever they give to me. I’m like, okay, thankfully, that’s not what it is. So you shouldn’t have any problem. If you get any weird issues, then just change your password and phone the help desk again. But they just see an internal number. They say they’re from the help desk. I’m in fear that my account could be a problem.

I’m going to help them help me. And it worked every time, Scott, that’s the scary part. I’m like, it’s this easy to do. But human nature was very easy to exploit.

I say it in a weird way. The beauty of social engineering. Since we’re creatures of habit, we’re trusting individuals. When we hear familiar terms and acronyms, especially in a particular space, we will divulge information very innocently. I look back a couple of years ago, we had a vulnerability assessment, done a penetration test at our company after we were hacked and compromised. And it’s interesting going over some of the stuff with the company. I thought, Jeez, we were hacked. Compromise, we take all these great stances and do this and that we’re 100% secure.

We’re going to get through this flying colors. There were still little areas that we were too close to that were identified. And one thing that they brought up, and I said, I’m curious when you guys go into other companies, typical company. How do you get in what’s your most effective way? And they said, well, for example, when they do a lot of work for law firms because they have a lot of personal information. They say, first thing we do is we don’t even go in the company.

We don’t even try to hack. We don’t even do anything. The first thing we do is pull up in the parking lot with some of our wireless tools, and we try to do a Wi-Fi hack, a lot of free tools. And there’s some that are very low cost you can buy. And oftentimes we start with a simple phone call. We spoof the number, we pretend we’re another law firm. We call the receptionist and tell her and say, oh, I’m so glad you got there. Hey, we’ve got this really important proposal.

We got to send it over right away to whatever the senior lawyer is there, Mr. Smith, but we don’t want to tell him we’re a little bit late. We’re so sorry, but this is important to him. Could you just give us the password for your Wi-Fi network so we could email it right over? This is really important. And you’re talking fast and you’re moving through it. And next thing you know, they’re like, he needs a password. Well, I know what that is. It’s password123 or whatever it is on a sticky note on the desk.

They innocently give it to him, even though that has no connection with emailing them this fictitious proposal. Now they’ve got the password to get into the Wi-Fi network, plant malware, work laterally, start gathering up personal information so that they can go to the CEO and say, hey, look, not only we get in compromises information, here’s the weak spot and how we got in sometimes we don’t realize it, but people innocently will give information to just somebody. That sounds very convincing. And that’s a huge caution. What’s the way to counter that?

It’s really just with security awareness training companies like KnowBe4 and many other companies educating people, having that formal process, making somebody an example or sharing some of these silly stories help them just to think and stop before they give out information. We’ve been targeted with them. One employee came up not too long ago and said, Scott, I got this strange email you’re giving gift cards out to all employees. And I heard about it by accident through this person. Are you really doing that? And am I really supposed to give them?

No, stop. Thank you for reporting. Even in security companies, it doesn’t matter. The company we can all easily give in if there’s certain things that sound very credible. And that’s to me when you got to stop right away, pause and say, Hold on, let me investigate it. Make a phone call, text, email, knock on someone’s door and say, hey, do you want to confirm this? And especially if they’re targeting an older population, seniors, the elderly are more prone to being targeted for things like that. Scams on the phone.

Email phishing attacks sounds too good to be true. It’s probably too good to be true. It’s not real. So we want to really pause and have a trusted individual where we could ask the question and just validate it to see if it’s a scam or not.

When a bank phones me or when I phone a bank or when they phone me, especially. And they say, hey, we just need to confirm your identity. And I say, okay, give me a number that I can phone back to get you. And I will do that. And they say, Well, it’s a collective bank. We can’t do that. I’m like, I have no way to confirm your identity, and they’re like, but you’re the one we need to confirm. I’m like, no, you see, that’s the interesting thing.

I know who I am, and I don’t know who you are. So if we can’t meet in the middle on this, no one’s getting confirmed today, and we’ll meet at another time. And it’s funny the resistance they have because they’re like, this is just in the same way that it’s irritating for me to have multifactor and write a password and multi parts and separate it. But it’s what I have to do. It’s what I’ve set. And in the same way, like you said, it goes beyond just raw technology.

This is not about hacking the Wi-Fi and breaking down keys and doing this stuff that we see sort of the Hugh Jackman Swordfish spinning around on a chair with 14 monitors and breaking into the mainframe, which I always laughed. It’s always the mainframe. But the truth is, technologists like yourself, like all your smartest engineers on your team, they’re fantastically good at what they do in the technology space. But if they get an email from what looks like their bank, ask them to fill out a W138 A, and it needs their social.

The bank teller knows as little about encryption key as you do about a W138 being not even a real form, right? The same way those lawyers, if you tell them, hey, you’ve got whatever some judgment thing coming up, you try and use their lingo at them. They will immediately say, hang up the phone. This is a fake call, but you tell them I need to get the Wi-Fi password because we haven’t been able to email you. They’re like, this is a thing I don’t know about, but it’s critical to my business.

Let me get you that password, and it’s very easy. Like I said, it’s just natural human behavior. I’m enthralled by the ability to exploit it, but frightened at the same time. It’s such a weird dichotomy of knowing that you can do it. But then knowing that there’s just so much we have to do to protect against it.

Yeah, it reminds me of a colleague in the space, a slightly parallel space. Frank Abagnale Jr. You’re probably familiar with the movie. A lot of people have seen that. I think it was Leonardo DiCaprio or whatever is the main character. And Tom Hanks in there, too. Loved the movie, but I had the privilege of going down to a security event. I won’t mention the company, but at this event he was the keynote speaker there, and he talked for a good hour plus, and afterward I got to go up and meet him and chat a little bit, and we exchanged contact information.

In fact, he was nice enough to write some praise about my second book, Cybersecurity Is Everybody’s Business. But I learned a lot from him from the standpoint of social engineering, not just from that movie, but understanding how it works from the mindset and understanding kind of who your target victim is going to be and understanding the key phrases, the word, the look and the feel and a sense of urgency. When you give a sense of urgency and authority to anything, you can breach right through. And nine out of ten people will let you through that secure spot.

We’ll trust you because we’re trusting individuals, and that’s good to say that. And I like that value and quality in people. But from the pessimist in the world of cybersecurity, that’s not a good thing. I always tell people trust nobody, unfortunately. Even those that are closest to you because those are the ones that are going to give little tells about how you can be compromised. And it’s a shame the world we live in right now is filled with cyber criminals, but they’re using that to their advantage.

So let’s not make it any easier for them, so they can socially engineer information out. Double check everything, I often say, with phone scams. If somebody calls up as you mentioned there and they claim they’re the bank fraud department and questioning transactions, you say, hold on a second. What’s your name and phone number in case we get disconnected? That’s a fair question to ask. What did you find out? Nine out of ten times: click, phone hangs up. Guess what? It’s a scammer. That tells you right there.

So simple things you can be proactive. Put the onus on them to give you a little bit of information. They’re not giving you anything proprietary or confidential. My name is John Smith. I’m with the Bank X-Y-Z fraud department. I could be reached at this extension. Okay, you jot it down. It’s probably more likely the bank if that’s the case, if they’re divulging some information and now you have something you can check and verify. I’ll go on Google and do a quick check, go on LinkedIn, throw their name up and say, oh, they do work at Bank X-Y-Z.

Okay, the number is not spoofed. Okay, this is legitimate. I did make this transaction. So you start to go through the process before you divulge anything that’s personal or private.

And I guess it’s probably apropos. I’m going to take your question. I’m going to give it to you, Scott, because I love to hear your take. What keeps you up at night? We’ve talked about a lot of things, and I love your content, especially Evan Kirstel was one of the ones the episodes I like. Evan’s a great guy. I really appreciate his content in general, as a good human. But what’s top of mind in your concerns these days?

Well, I do have so many one that kind of concerns me because I have gone down this path as everybody else is. I constantly go back to the world of IoT. I love innovation. I love technology. I love wireless, love cybersecurity, but I’m kind of at crossroads a little bit, because as I embrace new IoT, the latest camera, the latest watch, the latest iPhone, you name it and bring that into my home and to my car. I’m adding all these additional conduits for hackers to target myself, my company, my family.

So I’m always trying to think of ways. How do I prevent this from becoming a conduit from a hacker getting into my world? And it’s hard because with IoT products in general, they don’t bake the security in in the beginning because they’re focused on cost. Keep the cost down, not going to worry about firmware upgrades later. Make it secure when a vulnerability is discovered a year later in my Nest Thermostat or my Wyze camera or whatever else. So it’s hard to stay on top of those things and keep it secure.

So that’s kind of toward the top of my list. These IoT things. I have probably another ten items that follow, and I have some paranoia with some of the new smart cars of all 50 plus automobile manufacturers globally. They all put cellular modems in there.

Right.

A cellular modem is a great conduit to download malware into a car. And the average new car off the lot has over 100 ECUs in it. Engine control units that could then be used if they could commandeer and take over.

That scares me to death when you’re realizing that there’s the capability to do that. And only because I know researchers and I’ve talked to them, interviewed them and heard how they’ve actually manipulated or found back doors to some of these very secure smart vehicles. Those type of things are the things I think that keep me up at night. I don’t think I can solve them all. Some of the tools and technology that we do develop within my company is putting a dent in it, and I’m proud of that.

And I’m excited with that. And when it changes people’s lives, I’ll share a really brief story because I’m always very proud of this. This happened earlier this year. We develop one tool; it’s used for hunting down cell phones, not tied directly to cybersecurity, but security and really life and safety more toward. And we still sell these around the globe for various things, getting contraband cell phones out of prison, securing government facilities. But more recently, search and rescue, because everybody carries a phone on us. We’re glued to our phone. While in France earlier this year, French Alps, at the base of it, there was a terrible avalanche.

Family escaped from it except the father. He got trapped and he was pinned up against a tree, had enough airspace to breathe for a while and had his mobile phone on. So he was safe, partially injured, but he had 2.5 meters of snow on top of him. They sent out a rescue team, 130 people in the village with sticks and calling and trying to find them in the ground. They searched for two and a half hours and couldn’t find him. They sent out search dogs to sniff.

Snow pack was too thick. They couldn’t pick the scent up through that deep thing. They walked right past the guy, through the whole area that was under avalanche. Somebody had the smarts to pull our tool out and said, hey, I got one of these Wolfhound-PRO used for search and rescue. Let’s try it, lit it up and right away. Boom signal. Pick up the guy’s phone, hunted it down with a direction finding antenna, called everyone back. The guys over here, dig, dig. They dug him. Miraculously, they found the guy, saved his life.

And it was a wonderful story. So sometimes when you hear about technology being used for good to stop the problems and tragedies that happen in life, it makes you feel good. Same thing about skimmers technology. We were talking about that earlier. A couple of years ago, I started investigating and reading articles. Brian Krebs does a great job, a reporter talking about a lot of the skimmers and how they get into gas pumps and ATMs. So I really took it on as a passion and started doing research.

And one thing I came across was all these problems are reported on and talked about, but nobody seems to have a solution for it. I sat there and said, this is frustrating. There’s got to be something. So we started developing and getting the engineer team involved here and did a lot of trial and error and research and different tests and things and then getting educated with National Weights and Measurements group, local law enforcement, Secret Service FBI and kind of brainstorming all that together. And I came up with a couple of different solutions we developed that are now we’re selling as tools.

And one of them is a simple tool called a Skim Scan. It’s a few hundred dollars. You slide it down the neck of a point of sale terminal that reads your debit card or credit card. And we simply look, if there’s a second read head in there. Green light, red light. Simple beeps and let you know, second head in there. Stop. Don’t use that ATM machine because there’s a skimmer in there. Same thing with a gas pump. So as I start to learn and investigate, I find out not just the vulnerabilities and weaknesses, but how to counter them with tools, sometimes, that are effective.

Same thing in the world of gas pumps. As I got educated on this, I realized how easy it is to be a cyber criminal. You buy a Bluetooth skimmer for very little price. You go on eBay, and then there’s six keys to open up a generic lock on the millions of gas pumps throughout the United States. You take the simple Bluetooth skimmer, plug it into the top of where the point of sale terminal is. You lock the machine 20 seconds. You’re in business.

Now, every time somebody pulls up to the pump and search their card. A second read head reads off that information, stores it in a buffer. Bluetooth set to be within 75 foot proximity to the cyber criminal. Now they go home and hundreds of credit cards each day from each gas pump. At each gas station, they burn them, they sell them on dark web and so on and so forth. They’re in business. So when you understand the inner workings of these cyber criminal gangs, you quickly learn why it is a multi billion dollar industry stealing credit cards.

And instantly we go to the gas pump and put our card and we buy $50. A gas transaction goes through. We move on. We never think about guess what? That’s where the credit card was compromised. Most people I talk to and this is funny. They say, Well, Scott, no, you don’t know what you’re talking about. I’ve got a chip and pin card. Look, it’s secure. And I usually counter that and say, okay, when you go shopping and you stick your chip and pin in front of the terminal, it is more secure than just a mag stripe alone.

I agree with you there. However, how often do you enter a pin in? And out of a room of 100 people, one or two people say, I do at Walmart or Target, I enter an actual pin as another layer of security. But guess what? Most people don’t. And just about all our cards still have the mag stripe on them. So when you put a mag stripe into anything and there’s a second read head, they got the CVV data. They got the golden key to compromise our information.

So just because there’s a perceived security measure on their chip and pin, which again, it is more secure, but it’s not fully implemented. Instead, what we have in the United States, I call it chip and signature, right? Because what are we still doing? We stick it in. It makes the connection secure. Encrypted this and that, and we sign for it. I could sign Mickey Mouse and guess what transaction goes through. Nobody’s validating that signature. That’s a problem. Yet look over in Europe and other countries, ten years ago, they were properly implementing chip and pin credit cards.

We are not. Still slow. Why are we doing it now? It’s because of the legislation. It’s because of the rules, the point of sale terminals. It shifts the liability down to the actual processor of it if they don’t upgrade the chip and pin. And that’s why we have it now. So for all the wrong reasons, it was implemented and it really started the conversation in 2013 with who? Target. Irony of it is Target was the first to actually test chip and pin technology. They were also the first to abandon it years back. Why?

Because it took a little bit longer to check out at the lines. So again, they chose convenience over security. And then they were the first major data breach as a result. So it’s kind of funny when we look back full scale. And in hindsight, we learn a lot of things about security and the importance of using layers of security and not being so focused on speed because you may pay in the end and the result of a data breach, it costs you for years and a lot of money, a lot of time and a lot of rebuilding of your brand.

Yeah. If it’s inconvenient to use a chip and pin, how inconvenient is it to reopen bank accounts and cancel every credit card and reinitiate every auto pay every bill pay. My favorite thing of this one to pull the thread on that story, too, is I’m Canadian. And so we’ve had chip and pin for eons, and it’s been kind of natural prior to that, though, when it was just purely signature card.

I actually went into a place one time and I got a brand new card, and so I go and the cashier says, oh, sorry, we can’t take this because it’s not a signature. You need to sign it. And I said, you can’t take it because you can’t validate the signature that you’re going to watch me do. And then I’m going to sign the second piece of paper the same way. And that’s validating what exactly. So what I would actually write on my signature section of the card was ‘Show ID’.

Yeah, that’s what I do on mine, too. Show photo ID.

And they would get really weirded out. They’re like, this isn’t the signature. You’re right, because you have to validate by my photo ID. I worked at a police station when I was younger, so I learned about a lot of things of how easy it was to. And I worked in retail. And so I knew sort of the regulatory boundaries they’re under in and little tips and tricks. But this is great.

I tell you, Scott, thank you. It’s been a real pleasure. You are a pleasure to chat with, and it’s really great. You’re prolific in so many ways. So of course you do daily radio. You’ve got three books. You’re a CEO of a company. You’re a keynote speaker. Hopefully, the world opens up a bit more. We can see you on a stage again soon. But if you want to actually give a shout out as well for your radio spots, because I’ll have a link as well. But just let people know what it is you do around that.

Yeah, absolutely. I’m on Cybercrime Radio. It’s 24/7, 365 days a year, constant updates in the world of cybersecurity. And I do several different segments. But one of the main ones I do every morning is really just the headlines. I take one story that kind of stands out, and I simply break it down and just kind of give a short minute and a half blurb about what the headline is, and it can be anything from ransomware, crypto, cyber attacks, and I slip in there little tips and stats here and there also so people can stay safe. And it’s really enjoyable and it’s fast paced and you can even listen to it in the background on your computer if you do Internet radio and things like that.

But it’s Cybercrime Radio. So I’m a host of that segment and I do about two or three other segments as well. So throughout the week you’re going to constantly hear my voice sharing different tips, knowledge, headlines, you name it. Anything in the world of cybersecurity.

That’s great, and especially for folks that are getting into it. And I find this is, there’s a lot of people that are obviously leaning into the industry. It’s a burgeoning area of technology, lots of employment opportunities and learning opportunities. So I wanted to call it out. It’s a great place for folks to get in and make it a part of the routine and sort of introduce the nomenclature and start to get tapped into what’s going on, and it, hopefully, will lead them to ultimately get into.

Like I said, maybe we can see them at a BSides or other things around. There’s lots of great community events. And actually, if you don’t mind, Scott, I’ll add one more question, what’s a great place for people to go or if they wanted to get started in the world of InfoSec and cybersecurity, what are some sort of freely available or community accessible resources that you’d recommend?

Tons and tons of, if I may encourage people if you want to just meet individuals, get a knowledge base. The headline Cybercrime Magazine, part of that on their CSO and chief media commentator. But there’s tons of information that you could download videos to watch radio segments that you can hear. It’s a really good educational part. I’m a part of a whole bunch of other shows. Also, I do a monthly show on Computer America where I spend 1 hour dissecting different cybersecurity breaches and discuss that. It’s over video so you can look back at past episodes, that’s Computer America.

I think there’s so many endless sites and a lot of the events I’m associated with FutureCon, SecureWorld. You name it. RSA, Black Hat. I go to those events, so hopefully our paths will cross somewhere we can meet in person somewhere. Great sources to learn things, and even some of the smaller shows like you mentioned. BSides, ShowMeCon. I’ve been to shows like that and I’ll do presentations there. I really enjoy it. Next week I have one out in Iowa. It’s called CornCon.

It’s a little strange name, but interesting. They do a lot of hacking events, their education for children starting at a young age. I think that’s really important, the math and science aspect that young ones early on learn that and especially for women. Women are really needed in the field of cybersecurity because we got a lot of great, brilliant women doing cybersecurity stuff, but it’s only a tiny portion of it. So I always shout out there and say, women, if you’re interested, looking for a great career that you really needed, you can do well financially, but especially the challenge.

Think about cybersecurity. There’s so many great niches there where you can actually lend a hand and actually make a huge difference in keeping this world safer.

Yeah, that’s a great point. And especially now, I think we’ve learned and we’re beginning to act better as a community. The technology community has not always been very welcoming, still challenging for folks, especially women, folks from underrepresented communities. But there’s so much that we’re doing to make that better, and we just have to keep on it. So as you said, great opportunity. Scott, thank you very much. And for folks that want to reach out directly to you, what’s the best way they can get in contact?

They can certainly check out the stuff we’re doing in my company. It’s simply our website, dvsystems.com or my name scottschober.com. In there, there’s tips that you can download for free. I have white papers there, information about books, speaking appearances, interviews, you name it, feel free to peruse that, and hopefully it’s helpful in keeping you safe and feel free to reach out to me. There’s a fill out form there. I do actually respond. It’s not a robot that responds. I actually respond in person and get tons of requests for advice on products, recommendations, good versus bad in the world of cybersecurity.

And I’m happy to share anything there at no cost. If I can be encouraging to people, I just put that out there. I’m used as a resource for many people and companies around the globe.

Excellent. Well, thank you very much. It’s been a real pleasure to share time.

Thank you so much, Eric. Stay safe, everyone.


Ted Harrington is a best-selling author of a book called HACKABLE: How to Do Application Security Right, and an Executive Partner at Independent Security Evaluators (ISE).

ISE is a company of ethical hackers most commonly known for their work hacking cars, medical devices, web applications, and password managers. They’ve helped hundreds of companies, including Google, Amazon, and Netflix, fix tens of thousands of security vulnerabilities.

We discuss the challenges of security in everyday tech, enterprise and personal infosec practices we can all embrace easily, and why it’s so easy to slip on security but equally easy to prevent hacking.

Follow Ted at https://tedharrington.com and check out ISE at https://ise.io