Why Is the Ecosystem Significant in Tech Purchases?
I'm Max Clark. This is 20 minutes max, and I'm gonna rant a little bit about cybersecurity and the psychology of buying cybersecurity. I this is something that I've been trying to figure out for years now. An interesting animal to deal with. First off, I've been helping companies with cybersecurity for over 25 years now.
Speaker 1:25 years ago, it was relatively easy. We were talking about a basic firewall, antivirus. You were dealing with, you know, mostly issues related to, you know, macros in in, office files that would just recomplete in total havoc, things that would take over your email. You you know, it was pretty straightforward stuff. Today, the threat vectors are just incredible.
Speaker 1:First off, everything. 25 years ago, we were helping companies get on the Internet. I mean, dial up modem kind of getting on the Internet. Today, everything is connected. Everything's connected 247.
Speaker 1:Everything has, you know, exposure. Everything is critical. Just just the used to cause the perimeter. The perimeter has become so expansive that the techniques required to actually deal with this have changed significantly as well. You meet anybody in the running and they tell you they're running antivirus software, for instance, you you know that their cybersecurity program is in the dark ages.
Speaker 1:You know, that's that's just pain waiting to happen. Okay. A question I've asked cybersecurity practitioners, and and these are, you know, people with all the facts fancy acronyms, the the CISOs, the, you know, the CISSPs, people working for MSSPs, people working for MDR and MTDR companies, you know, professional organizations, professional cybersecurity practitioners. The question I've asked is, you know, how do you sell cybersecurity inside an organization when they're not actively buying it? And and what I mean by this is if you're, you know, if you're in an IT department and you know that you need a stronger cybersecurity posture, how do you sell that to an executive team or to a board that isn't actively telling you to go out and purchase something?
Speaker 1:And what do you do? And and the answer really is is you can't. You know, usually the the counter and the reaction to this is you have to educate and you have to educate and you have to educate and you have to give them statistics. And you have to and you know what? It doesn't really matter.
Speaker 1:You know, it's just it's it's not providing an endless stream of statistics of of what percentage of companies are gonna have breach, and what the breach statistics are, and what the average cost for breaches, and all these different things make absolute no bearing on the psychology for people. This is one of those it's not gonna happen to me. We have you know, what do you what do you hear? Oh, it's not gonna happen to us. It hasn't happened to us yet.
Speaker 1:We don't have anything important. It's not really important that we deal with this. It's one of the best and worst things about, you know, the the human condition and people, you know, we have this overwhelming optimism that, you know, horrible things aren't gonna happen to us. We're not gonna have a heart attack. We're not gonna get into a car accident.
Speaker 1:You know, we're not our house isn't going to be broken into, you know go go down that list. Right? And and even providing somebody with statistics around, you know, this is a likelihood of you getting into a car accident doesn't necessarily elicit be I mean, that you can't you can't scare somebody into wearing a car seat. You know, you can enforce behaviors that get changed because if you're not wearing a car seat, you're gonna get a ticket. And then over a period of time, people just adopt car seats or you, you know, push a campaign down to kids, you know, wire a car seat, wear your car seat, wear your car seat, and it becomes automated.
Speaker 1:And then there you have an improvement. And so I've kinda wondered about these things with with the relation of cybersecurity for some time. And one of the first problems that we really deal with when you start talking about budgeting and and, acquisitions around, any any anything in the cybersecurity realm is there's no measurable ROI that comes with cybersecurity. Right? So return on investment, there's no there's no measurable ROI.
Speaker 1:There's no you know, you can you can get into, like, total cost of ownership. Like, what does it actually cost you to deploy the system? But in terms of, like, if I spend a $100,000 on fill in the blank cybersecurity tool, it's gonna make me this much money or it's gonna save me that much money. There there isn't that correlation between the 2. And this is part of the problem with with cybersecurity and budgeting and acquisition is just that there there's no there's no direct correlation with it.
Speaker 1:So usually what we find when we're helping clients go through this and deal with this is how do we repurpose existing budget or how do we solve other pain points at the same time, you know, roll out and improve a cybersecurity posture? So, you know, what's a good example of that? You know, usually it's related around hardware. Right? We've got firewalls deployed.
Speaker 1:We're having a problem managing our firewalls. Okay. Great. You know, let let's change the manufacturer. Let's change the infrastructure.
Speaker 1:Let's bring in a professional services company that can do this. Let's augment your staff with a 247 team and a SOC. You know, these things all and today, you know, normally, I I wouldn't I'm not gonna, you know, sing Gartner's praises. But, you know, this push towards SASE is wonderful because it it creates this thing where by nature of having devices now connecting you to the Internet, you would get security posture as a result as well. So it used to be that you have this firewall that anybody buying on premise firewalls thinking that they're gonna turn on UTM or DPI or these different things.
Speaker 1:It's just a waste of it's just you're not getting anything out of it. Right? But actually getting real next generation firewall capability or or cloud based, filtering or malicious inspection or these sorts of things are all really good for you. Now I'm gonna try to come back here and not get way way too off tangent. I say that there's no ROI in cybersecurity, a k a.
Speaker 1:There's there's no way for you to tell a CFO. If you spend a $100,000, you're gonna save $1,000,000. Or If you spend $100,000, you're gonna make $1,000,000. You can't tell your CRO that what you are talking about with cyber is it's not it's not a direct correlation and it's not like a linear is not the word, the correct word. But, you know, it's not like a one for 1 ratio.
Speaker 1:Right? It's not something where, you know, you're spending $1 to try to protect $1 spending $1 protect $10. It's an asymmetric, you know, ratio and protection. I mean, you're talking about extinction level events for a company. And what do I mean by that?
Speaker 1:A breach can put you out of business. I'm gonna let that hang there for a second. A breach can put you out of business. What is the ROI on that for a cybersecurity posture? We're not we're not again, this isn't like spend $100,000 save $1,000,000.
Speaker 1:It's spend spend a $100,000 and don't go out of business. And there's different scenarios for these things. We can talk about data loss, you know, if you're dealing what what's what's good examples? If you're dealing with motion picture, you know, pre release content and and you have prerelease content and that gets breached. This isn't a scenario where, you know, you you're gonna necessarily be sued out of existence.
Speaker 1:You're just not gonna have any customers anymore. People aren't gonna do business with you. So those kinda scenarios of data residency and what kind of data you have upstream, it is not worth it for a in a b to b relationship for a client of yours, for your customer, for your client to do business with you if it's risky to them. If it's too risky for them to do business with you because it's been demonstrated or they just don't feel safe, they're just not gonna do business with you. Your your revenue is gonna go to 0.
Speaker 1:It's gone. Right? So extinction level events. Other examples of these things. You know, we hear about all these ransomware attacks.
Speaker 1:You know, you see things like Colonial Pipeline or you see hospital systems, and they're completely locked out of their their computing infrastructure. They have no ability to do anything on their on their computers. So now we'll use extreme examples again. Right? So if you're a hospital and all of a sudden your computer you're you've completely gone into an EMR and you're completely digitized and you're completely dependent on that thing, and now all of a sudden none of your computers work, how do you do patient care?
Speaker 1:How do you do how do you intake? How do you do tests? How do you record, you know, orders from a physician? How do you maintain prescriptions? And literally everything.
Speaker 1:Right? Like, the whole entire I mean, you you know, your critical care infrastructure related to, like, you know, somebody's heart working, beating, you know, like, those kind of things in beds. That entire thing is now electronic this stuff, you know, the public perception as much as possible. But if you've taken and you start talking about turn on the news and see ambulances transferring patients out of an ICU on ventilators because the hospital shut down, massive critical issue. Colonial pipeline, you know, ransomware attack could not move oil and fuel along the pipeline on the eastern seaboard of the United States.
Speaker 1:And you see video and footage of people at gas stations, like, pumping gas into, like, kiddie pools in the back of their trucks because they're, you know, there's no there's no gas anywhere. Right? That's that's where I say these things are asymmetric. Now colonial pipeline ended up spending $50,000,000 in ransomware to try to get this. And and the other thing that's been going on for a while now is this this idea of, oh, we've got insurance and insurance is gonna take care of it.
Speaker 1:Listen. That's just not what happened. You know, that's that's not reality anymore. First off, insurance companies are moving away from paying out on cybersecurity incidents. And, you know, one of the first shots across the bow was this idea of, like, any nation state sponsored hacking is gonna be excluded from policy.
Speaker 1:Well, what's nation state sponsored hacking and who defines that? Well, if the insurance carrier is defining that, you know, you're SOL. Right? Because now everything is gonna be nation state sponsored hacking. You get a ransomware attack and a breach, and your entire system's offline, and you're gonna call up your insurance company and be like, okay.
Speaker 1:You know, we need $10,000,000 from you in order to wire this money. You know, like, that's just not it's not gonna happen. They're gonna activate your incident response plan. Hopefully, you have one. Right?
Speaker 1:Which is basically, like, you know, hopefully, it's more than just, like, run around in circles, screaming you and panic. Right? But how many days can your business can your can your company be off? Completely shut down. Completely off.
Speaker 1:How many days do you have? One day, 2 day, 3 days, 5 days, 2 weeks. At what point does your business cease to exist because your customers are making other decisions because they're forced to because their business is now at risk. This is a really curious thing for me with cybersecurity is it's not is we're not talking about, you know, spend $1 to protect 10 or spend $1 to protect a 100 or spend $1 to protect a1000. We're talking about spend $1 to protect all the dollars.
Speaker 1:Everything. Because the scenarios are so scary on the outside of it that, you know, you you just you're just dealing with something completely different for your business. Now, the second part of this that we get into is, like, oh, I'm not a target. You were 100% a target. You might not be, like, you know, some some other country is trying to hack in to steal your intellectual property target, but you have two things that people want.
Speaker 1:You have money and you have resources and here's what I mean by that. You have money in bank accounts which means that that's valuable. You don't have to be a bank to have money in your bank account. Right? So if you have money in bank accounts you are now a target because if somebody gains access to that money that's what they want.
Speaker 1:You have resources that people want. Common resources that people can make money off of. Right? You know, if your phone system is vulnerable and gets hacked and people can send phone calls through it, they can sell that phone call to other people. And you come back into you know, and you find out 30 days later that you've got a several $100,000 bill because somebody was running call traffic to Nigeria through you or, you know, other African states or Eastern European or whatever it actually is.
Speaker 1:And by the way, again, this is not a fantasy. This has happened and this is in case law because people have been sued their phone company trying to say they don't need to pay it. And guess who lost? Them. Because it was their phone system.
Speaker 1:They sent the calls to the phone company. The phone company delivered the calls. The phone company is not obligated to block calls from you for any reason what so, you know, whatsoever. You know, there's a good example, you know, locking you out. Okay.
Speaker 1:Hacking into your computers to run cryptocurrency mining. K. That happens. Hacking into your website, you know, to put stuff on your website to then, you know, launch attacks to other people. That happens.
Speaker 1:Hacking into your email then to try to go hack other I mean, that happens. Locking you out of your computers, classic ransomware. Right? You know? What's the resource?
Speaker 1:Well, they don't necessarily want the resource. They wanna prevent you from having access to the resource, and then you'll pay them to get access back to your resource. Right? Like, your your company can't function without its computers, pay the ransom, or don't work. Right?
Speaker 1:You know? So now we we talk about it. We can talk about it, and we can get into these things in terms of, like, levels and, like, what levels are appropriate for you in terms of, like, protecting yourself and and being reasonable. So if you take outside of the you're actually actually a bank and people are actively trying to hack you every moment of every day because there's lots and lots of money there, or if you're some sort of, you know, we can we can argue whether or not you're you're chemical manufacturing or you have scattered control systems or something that if somebody gets into, we're talking about, you know, massive, like, terrorism level event. But if you're just, like, let's just say you're you're just a normal business.
Speaker 1:You're just, you know, you're you're a professional services company. You're man you know, you're just you're just a normal business. You don't need to go to nation state level protection. You need to go to reasonable protection. You need to block 99.9% of the noise.
Speaker 1:It's just on the Internet because you're connected to the Internet. A second you plug yourself into the Internet, now you are being attacked. You're being attacked every day. The second you have an email address, you're being attacked. You're being attacked every day.
Speaker 1:So take appropriate measured steps to protect yourself from what is occurring. Don't don't learn this lesson because it's it happens to you. We have locks on our doors in our houses because we don't want to be victims of easy crime. You lock your car when you park at a mall because you don't wanna be a victim of easy crime. So the same thing is true for a cybersecurity infrastructure and what you need to have.
Speaker 1:You need to have identity access management. You need to have single sign on. You need to have multifactor authentication. By the way, those things are really good for you also because it makes your IT team's life easier and it also makes your users team you know, your user lives easier. It is easier for your users to not have to remember passwords to log in to 57,000 different websites.
Speaker 1:The average company is dealing with a 110 different SaaS platforms today. So not having to have your users remember passwords to a 110 different websites or provision them or deprovision them is good for you. Right? So you have to have that. By the way, having something having a MDM or UEM is good for you.
Speaker 1:It makes it easier for you guys to roll out software. It makes it easier for your IT team to manage your your competing assets, to roll out laptops, to update software, all these different things. It's a good thing. Now you get extra benefits out of it. By having an MDM and UEM, you can leverage that into a cybersecurity plan.
Speaker 1:You should have an EDR point detection and result response. We talked about beforehand. Like, antivirus is tore terrible. If you're running antivirus, just just assume you have nothing. Going to a real EDR platform, and it really you know what?
Speaker 1:I mean, we may have to argue which one. Right? It doesn't matter. Just pick 1 and run it. Run an EDR.
Speaker 1:You want an EDR. The EDR is going to help you prevent things from happening. It's gonna help you detect when something's happened and respond to it and remediate it faster. You want an EDR. Now from the EDR standpoint and going from here, we can get into a lot of arguments and conversations about what you do next and what's appropriate and what's not.
Speaker 1:You know, we can talk about whether or not a SIEM is appropriate for you or not and talk about whether an MDR service or MTDR service is good for you or not. We can talk about web filtering, whether it's a secure web gateway, what you're doing for remote access like with z t n a. All these things are good for you. But think about it from you need to you need to come to the table with table stakes. You need to come with identity access management, single sign on, multi factor authentication.
Speaker 1:You should have an MDM or UEM and you absolutely have to have an EDR. And at some point, my belief is you should have something that can do web filtering for you that can do malicious URL inspection and blocking, that can do and give you functions around CASB, DLP, and zTNA. And again, we're not talking about spending 1,000,000, 1,000,000 of dollars. In a lot of cases, we're talking about even at the very high end, you're you're into this for less than $10 a month per user. So it's not this isn't like compared to what you're spending on your CRM licensing, this is a drop in the bucket.
Speaker 1:And what it will save you and not mean this isn't about keeping you from being a headline. In order to be a headline, you have to be a big company. If you're, you know, you have to it has to be big enough at this point that it affects enough people or people already know your name that you're gonna be a headline. You're not gonna be a headline. Chances are you're not one of these big names.
Speaker 1:You're just gonna disappear in the middle of the night with a whimper, and nobody's gonna know. Cybersecurity is not about ROI. It's not about capturing ROI. It's not about spending a dollar to save $10 or spending a dollar to save a $100 or make a make $10. It is about dealing with the fact that a breach will injure your business and what you're really protecting is from an extinction event.
Speaker 1:I'm Max Clark. That was 20 minutes.
