
Attila: What are we in, the 1900s here?
Matt: No, I'm allergic, I get hives.
Attila: Yeah, like every time I get a receipt, I'm like, why are you giving me a receipt?
Attila: Just email it to me, right?
Matt: Right, stop cutting down trees.
You're listening to the Cyber Secured Podcast, helping you become safer in every way.
Now your hosts, Matt and Attila.
Attila: Awesome, well thanks for tuning in.
Attila: My name is Attila.
Matt: And my name is Matt.
Attila: Welcome to the Cyber Secured Podcast.
Attila: We're going to talk about a very interesting topic today, and it has to do with a project that we're working on here at Cypac to help specifically IT managers and those in leadership positions make better choices about their security and why.
Attila: This can all start with a story.
Attila: So some years ago, I was meeting with a lot of companies, and those companies had breaches.
Attila: And every single time there was a breach, it seemed like management was surprised, shocked.
Attila: Like, why didn't the IT guy?
Attila: Yeah, exactly.
Attila: Like, how did this happen?
Attila: I thought we had an IT guy.
Attila: We just bought this thing called Symantec, you know, for our network, and I don't understand why the IT guy wasn't able to stop it.
Attila: And the IT guy would just literally tear his hair out because he'd be telling management for months, if not years, that they really need to invest in better security.
Attila: It was blind to the kind of incidents or things that were going on in the network, and he couldn't get buy-in from management.
Attila: And that told me that there's probably an opportunity here for education, for improvement, in the form of a book and some other tools that might help the IT manager better communicate with management and others at the company, other employees, about the importance of cybersecurity and what that means.
Attila: And Matt, let me ask you, when you hear the word cybersecurity, what do you think of?
Matt: From my perspective as a cybersecurity professional, I think of the tools that we use, you know, monitoring, going through logs, looking at the infrastructure and doing segmentation and networks.
Matt: But I know from the perspective of someone like my mom or any of my aunties, that cybersecurity is just kind of this nebulous term that involves a bunch of magic and a computer screen and people saying things that they don't understand.
Attila: Yeah, it's like it's really scary.
Attila: It's like this nebulous kind of thing.
Attila: It's like saying to someone, hey, I'm in medicine.
Attila: Yeah, like what does that mean?
Attila: Are you a dentist?
Attila: Are you a surgeon?
Attila: Are you a chiropractor?
Attila: Are you a physical therapist?
Attila: It's a huge field.
Attila: And you've hit, I think, something really important on the head, which is from a practitioner's point of view, cybersecurity means tools, activities, hands-on research.
Attila: It involves learning attack patterns and adjusting physical hardware and reconfiguring equipment.
Matt: I always laugh too when, like, your example of, like, you know, managers at a company, like, getting all up in arms and not understanding how the IT manager doesn't know how the bad guys got in.
Matt: Like, to me, that's equivalent to, like, yelling at the construction worker who built the house about the break-ins in the house and the fact that they didn't prevent it and don't know how the guys broke in.
Attila: There's no understanding.
Attila: Right, I mean, and so that's, so when you're a homeowner, I mean, you live in a home, and you understand that there's people outside, they're trying to break in, we got it, right?
Attila: But when we're talking about IT security itself, the business owners, and pretty much anyone outside the IT department or the IT guy even knows what the heck is going on.
Attila: They're focused on payroll, insurance, marketing, managing projects, all these kind of really important day-to-day business tasks.
Attila: As far as they are concerned, they press the button on that magic box, it turns on, lights up the screen, and we're good, right?
Matt: Right.
Attila: And so there's a huge, huge disconnect, because you and I both know, because we're on the practitioner side, what needs to be done to secure a network, to secure a business, and from the owner side, they don't.
Attila: They just say, okay, well, how much is this going to cost?
Attila: Because they look at it as an expense rather than an investment.
Attila: And part of the reason that we...
Attila: So, kind of going back to my original story, which is, I saw this opportunity some years back that there needs to be a better communication bridge between the practitioner, the IT person, who's maybe using the word cybersecurity.
Attila: And when you say the word cybersecurity, it's like pretentious, it's nebulous, it's like, oh, I'm better than everyone.
Attila: No, let's call it IT security, just in general.
Attila: Because I think everyone understands what the word IT means by now.
Attila: It's been in enough popular media and movies, et cetera.
Attila: So let's bridge the gap between security, right, IT security and management.
Attila: And so what I started doing in this book is I started interviewing both the business owners, right, so those that are steering the ship, and those that are in IT that were successful in implementing proper security measures to protect themselves.
Attila: And it's a fascinating story and trend that I'm starting to see in these interviews.
Attila: And the big thing, the big thing, Matt, and this is so critical, is communication.
Matt: Right, yep.
Attila: Critical, critical, critical, because what happens is that when the communication doesn't exist and there is an incident, there's zero understanding.
Attila: It's just finger pointing and firing, which I see happen, right?
Attila: You know, IT, they're all fired.
Attila: They don't know what they're doing.
Attila: No, they knew what they were doing, but they weren't good communicators.
Attila: So the communication has to happen, ha ha, from the IT practitioner's perspective.
Attila: And the only way that they're going to get any sort of traction on these much needed ideas is by listening and asking what is going on at the organizational level, so that way when they go to management asking for better protections or a solution to their problems, they can speak the same language as management.
Attila: Does that make sense?
Matt: Yeah, absolutely.
Attila: So one of the things that I heard was that when the IT manager got excited about a product that maybe a vendor had shown him, like, wow, we have this better way of solving this problem, we're securing your network, and think about all the visibility we're going to get by installing this software or in this solution, whatever, right?
Attila: Because there's always something new as IT managers were getting hit by every vendor you can think of.
Attila: They're sending us iPads and Legos and anything they can do to get our attention.
Matt: There's a certain wolf out there I've heard of that gives free things away, too.
Matt: I'm not going to say which one.
Attila: You know, they're not the only ones, though.
Attila: They're not the only ones.
Attila: Over the years, it's a common strategy.
Attila: They do anything.
Attila: They'll buy you lunch, whatever, because they understand that if they can get the IT manager to buy their solution, they're locked in for years.
Attila: Because it's difficult to change, and once you learn the platform, it's difficult to relearn something else.
Attila: And what happens is that they get all excited, and then they go to management, right?
Attila: They're like, oh, you wouldn't believe it.
Attila: I just got off this call.
Attila: There's a wonderful new product.
Attila: It'll do 50 of these things, and they're highly technical, and it's going to cost some money.
Attila: But, you know, and of course, from the business owner's perspective, they're thinking about the other fires that are happening, right?
Attila: The insurance cost has just gone up, the payroll cost, which is high, and all these other kind of stressors on the business.
Attila: So that kind of gets pushed to the background.
Attila: So instead, and I'm going to speak to those that are listening that are IT directors, IT practitioners, those that are in charge of the network and have to convey what they do to others.
Attila: Is instead of going directly to the manager, the decision maker, the CFO, talk to fellow employees and ask them, what are they doing?
Attila: What are they doing, right?
Attila: A perfect example is if you walk up to an employee and say, hey, what do you do?
Attila: He says, oh, I take orders.
Attila: Great, how do you take orders?
Attila: Well, they call in by phone, and I write the order down on a piece of paper.
Attila: Piece of paper.
Attila: Of course, we're IT guys, right?
Attila: So paper is like, oh, what are we in, the 1900s here?
Matt: Yeah, I'm allergic.
Matt: I get hives.
Attila: Yeah, like every time I get a receipt, I'm like, why are you giving me a receipt?
Attila: Just email it to me, right?
Matt: Right, stop cutting down trees.
Attila: So the IT practitioner, you as the IT practitioner, you walk up to a fellow employee, you're taking orders by phone on a piece of paper.
Attila: Well, what then?
Attila: Well, then we take all the orders, we put them in this big pile here, and at the end of the day, we spend four hours.
Attila: This is real, like today, this exists.
Attila: We spend hours transferring the contents of those papers into this spreadsheet or online system, whatever, right?
Attila: So it's a three-step process.
Attila: So you as the IT practitioner say, okay, I understand why this exists.
Attila: It's because maybe they take a high volume of calls, stressful situations can lead to having to learn a new system, doing things electronically, when people are not used to doing things electronically.
Attila: That's a real roadblock.
Attila: So as the IT practitioner, now you can say, okay, look, security-wise, we got a problem, right?
Attila: Because we got paper, it has credit card numbers on there, whatever.
Attila: Not a good place to be.
Attila: Instead of finding a vendor that maybe has solicited you about something that's similar, you can go out and find a solution and say, look, I got a real easy-to-use, tablet-based way of doing this, same task, faster, and cuts out four hours of data entry time at the end of the day for every employee.
Attila: Yes, it's going to cost something, but the net gain, the net savings, huge.
Attila: Huge.
Attila: Then they will buy into it.
Attila: But I'll tell you, here's a story I heard from an old boss of mine.
Attila: And an old boss of mine, he used to work for AT&T.
Attila: And this story illustrates how people are, how people get stuck in their ways and are very resistant to new technology and to new change.
Attila: He was working at the time for AT&T.
Attila: And this was probably the 1980s.
Attila: I know, as my son calls it, the ancient 80s.
Attila: It's the old 90s and the ancient 80s in his mind.
Attila: And in the 1980s, there were these things called 911 Operative Dispatch Centers.
Attila: And in particular, AT&T was swapping out the 911 Dispatch Center for New York's 911 Service.
Attila: And I don't know if you know anything about New York, but there's a lot of crime.
Attila: The Teenage Mutant Ninja Turtles are very busy.
Attila: And he swapped out the AT&T 911 Dispatch Service, and they spent weeks, months training the 911 staff.
Attila: There were like 30 guys and gals.
Attila: They were all trained up on how to use the new system.
Attila: He was there for the day of the cut, and the day of the cut was stressful.
Attila: The calls were coming in.
Attila: They were used to the old system.
Attila: They'd been using it for decades.
Attila: These people had been very resistant to change, but they understood that the old system was gone, the new system was here.
Attila: And he was there.
Attila: Everything went well.
Attila: Okay, they made it through the first day.
Attila: Second day, still stressful.
Attila: Stressful, stressful, stressful.
Attila: But got a little bit better.
Attila: Day three, he walks in, and he's there nice and early.
Attila: Coffee, donuts, the whole thing.
Attila: This is the 80s.
Attila: Coffee and donuts was okay.
Attila: That was not.
Matt: Still politically correct back then.
Attila: Still politically, yeah.
Attila: Cops, donuts, it's New York.
Attila: It's New York.
Attila: What are you gonna do?
Attila: And he notices when he walks in on day three, that a few of the chairs were empty.
Attila: Hmm, I didn't think much of it.
Attila: Maybe it was just a little, maybe somebody got sick, who knows.
Attila: Day four, notices one or two extra chairs are empty.
Attila: And he says, you know, this is kind of unusual.
Attila: So he walks over to the manager and says, hey, just noticed that you have a couple of empty chairs.
Attila: Everything okay?
Attila: The manager says to him, close the door behind you.
Attila: Closes the door.
Attila: Manager says, sit down.
Attila: He sits down.
Attila: Manager says, this has been a very stressful situation here.
Attila: We have a new system.
Attila: We have the 911 dispatch operator center of New York City.
Attila: Obviously, very stressful environment.
Attila: Some people could not handle it.
Attila: And we had a few suicides.
Matt: Whoa.
Attila: True story.
Attila: That should tell you the degree of resistance people have to change when it comes to technology.
Attila: That's a real story from a time when we haven't changed all that much.
Attila: We haven't changed as human beings, our brains, everything else.
Attila: And still, we have the same operating system we've been operating on for thousands of years.
Matt: Right, right.
Attila: Change, especially technology, learning something new.
Attila: Some people just can't handle it in certain circumstances.
Attila: And that's what happened at this 911 dispatch.
Attila: So speaking again to the IT managers out there, just know that what's easy for you and me to learn a new system or figure out a new interface, case in point Windows 10 and Windows 11, not a big deal for most people who are familiar with IT.
Attila: But those that have spent decades in older systems or different systems and they're in a high-stressed environment, there's a lot of responsibility on their shoulders, there's lives on the line, they're not gonna be able to switch over that easily.
Matt: Right, yeah, you always gotta look at what things look like from the other person's perspective, the non-practitioner, the regular user.
Attila: And that's just the tip of the iceberg.
Attila: You can communicate very well and have a fabulous product, but still, then, when you walk up to management and say, look, I found this problem with the employee's workflow, I have a solution for you, I know it's gonna cost something, but it's gonna save us time, effort, and energy in the end, they may still shoot you down.
Attila: What do you do then?
Attila: Very interesting, right?
Matt: I see it every day that we get alerts for clients that have users that are opening documents, and the documents have passwords in them, and that's their password manager, is these documents that are in their folders, or on their desktop that they open, and luckily our systems alert us to it.
Matt: But we see it over and over again, and to change that behavior is difficult.
Attila: Well, I have an answer.
Attila: I thought you might find it interesting.
Attila: So, I told you about the perspective of the practitioner, and how a practitioner can better communicate with management, and still get shot down.
Attila: Then it's a good idea to maybe switch the perspective now.
Attila: So, as I mentioned in the beginning for this book, I'm interviewing practitioners, so those that have been successful in IT, deploying proper security solutions at their company, as well as those that are on the other side of the table.
Attila: And I know this is a very different perspective with different business owners.
Attila: There seems to be two kinds.
Attila: One kind is more interested in the protection of the business.
Attila: They operate out of a state of fear, but not fear in the same way.
Attila: They're more nervous because they want to protect what they've built to this point.
Attila: One way to put it might be status quo.
Attila: And so if you come to them with a big ask, like, you know, I'm going to spend thousands of dollars on this solution, this service that will keep us protected.
Attila: The question in their mind is going to be, well, we've lasted this long without it.
Attila: If I spend this money on this service, will this be putting my business into a risky area where it wasn't before, where it's not today?
Attila: Because we're spending money that we don't have to.
Attila: That's the first area, is to think about that kind of person.
Attila: We're going to call them the Type B.
Attila: The Type B person is a lot more conservative because they're more interested in the protection of the organization.
Attila: Now, an organization like that may be operating at a different maturity level, where they've been in the industry a long time, and they're not really focused as much on innovation as much as service delivery and service excellence.
Attila: There's nothing wrong with that.
Attila: But understand that in today's world, there does need to be some emphasis and focus on innovation, on research and development, on updating products, branding, service delivery functions, that kind of thing.
Attila: This is why I call it Type B.
Attila: The Type B owner or manager or decision maker has a more protectionist mentality in mind.
Attila: That goes contrary to the Type A business manager, owner, decision maker.
Attila: The Type A is very different.
Attila: And by the way, we're not talking about a C-level title.
Attila: The folks that I was interviewing, everywhere from presidents, CEOs, general managers, regional managers, it's not necessarily tied to their position, it's tied to their mindset.
Attila: And in growth mindset, Type A, it has a very different motive for investing in any sort of cybersecurity measures.
Attila: So the Type A owner, they're more interested in expansion, taking advantage of new market opportunities, using their experience as leverage, or using their company's background, or the company's expertise as leverage to enter into new businesses, new lines of revenue.
Attila: If they're a service business, maybe they want to sell things in addition to that.
Attila: You see that in every single Supercuts and hair salon.
Attila: They're in the service business of cutting your hair, but they're also in the product selling business after you try to walk out the door.
Attila: They want to sell you some hair gel or product or something like that.
Attila: So they're more entrepreneurial.
Attila: Now, for those type of type A owners, very different conversation.
Attila: You're not showing up to say like, hey, I want to have this solution that will keep us safe.
Attila: What they're hearing is that all these innovations, all these things I'm trying to do, all these new business avenues, opportunities that I'm trying to take advantage of, cannot be protected without this solution.
Attila: So, it's more about protecting their ability to go out and get new clients, new opportunities, and new business.
Attila: Does that make sense?
Matt: Yeah, yeah.
Attila: So, the type A is hearing a totally different conversation than the type B owner.
Attila: And the type B could be a board, by the way.
Attila: It's not just one person.
Attila: The type A may be a board also.
Attila: And in fact, many of these type A owners that I spoke to, they do have a board to report to.
Attila: And they have to convey the same value proposition as the IT guy, right?
Attila: They have to tell the board, look, I want to address this new market, this new opportunity.
Attila: In order to do that, we need to do A, B, and C.
Attila: And part of A, B, and C is protecting that hard work, protecting that investment.
Attila: And the only way we're going to do that is through putting in some cybersecurity measures, because it costs too much for us to be down.
Attila: It costs too much for us to have to buy all new stuff, because everything got ransomware.
Attila: It costs too much to be lackadaisical about these things.
Attila: So that type A and the type B are the kind of people that the IT directors are talking to.
Attila: Now, there could be a type C.
Attila: I'm still in the interview process, so we don't know.
Attila: It might be there.
Attila: But I can tell you right now, there is a type A and there is a type B.
Attila: And knowing who you're talking to, it's going to dictate your conversation.
Attila: But at the end of the day, there is one key thing that you cannot do as the IT manager.
Attila: You cannot use fear, because there is enough fear from the business owner's perspective, from the manager's perspective.
Matt: And it's an easy go-to.
Attila: It's not sustainable.
Attila: I don't think it is.
Attila: I don't think you can come up and say, like, look, we need to buy this right now, because if you don't, everything is going to burn to the ground.
Attila: No one wants to hear that.
Attila: No one believes it.
Attila: It's not realistic.
Attila: But if they're talking, obviously, if we're talking about cybersecurity at all, or any sort of IT security at all, it's because you heard about it from somewhere.
Attila: Maybe the business owner's mom got scammed out of a few hundred thousand dollars.
Attila: It happens.
Attila: Heard it firsthand.
Attila: You have too.
Matt: Yeah, absolutely.
Attila: It may be that they're, like what I was hearing is that others in their industry are getting hit, and they're having to spend tens of thousands, if not hundreds of thousands of dollars to get back up and running.
Attila: Meanwhile, the operations are down, projects are behind, all these problems are happening.
Attila: So now they're freaked out.
Attila: They're like, oh no, it hasn't happened to us, but is it a matter of time?
Attila: Maybe.
Attila: There isn't a simple fix to a lot of this.
Attila: And unfortunately, this is the biggest problem when it comes to IT security in general.
Attila: It's a moving target.
Attila: You can patch one hole and then three more pop up.
Attila: So, how much money can you afford to spend on it?
Attila: And that's where it comes to the real value of investing in cyber, or any sort of security solution.
Attila: It's how fast you can catch it, stop it, and keep running.
Attila: You're going to drive your car.
Attila: Guess what's going to happen?
Attila: You're going to get in an accident.
Attila: You're going to get a flat tire.
Attila: You're going to get a ticket.
Attila: But how quickly you can get back on the road after a flat tire?
Attila: How quickly you can get a replacement vehicle if your car is in the shop after an accident?
Attila: These are the things that you can focus on.
Attila: You can't stop the rest of it.
Attila: You can't stop the nail in the road from puncturing your tire.
Attila: It's going to happen, guys.
Attila: Just try not to do it at high speeds.
Attila: So this is where these security solutions are really coming down to how fast can we get back to work with as little disruption as possible.
Attila: That should really be the focus of your conversations.
Attila: Mr. IT Director, sir, who's listening to this.
Attila: Have I lost you?
Matt: No, I'm here.
Matt: Yeah, no, absolutely.
Matt: That's, you know, knowing what the cost is of your business if it goes down.
Matt: You don't want to live in fearmongering and just kind of play on that because otherwise you're just going to come off as a Chicken Little.
Matt: I mean, I've seen plenty of situations where, you know, you give warning after warning after warning and you know, you tell stories and it doesn't change anything.
Matt: But then once they're hit, then, you know, that's when they kind of conform.
Matt: I don't know.
Matt: It's definitely a culture thing.
Matt: I feel like folks in the personality B camp, there's a lot of handholding that has to happen to get them to come on board having better security.
Matt: And that goes back to what you're talking about with just, you know, good communication.
Matt: One of the aspects that I see when it comes to cybersecurity versus real life security is when it comes to real life security, you can walk into an office and you can see the security in action.
Matt: You can see the monitoring on screens and the security cameras and what's going on in the perimeters.
Matt: You can physically show someone what's happening.
Matt: And when it comes to cybersecurity, all that stuff is fairly invisible and hard to communicate.
Matt: But I think in this industry, that's the real key to getting buy-in.
Matt: And that's why we have this podcast, and that's why we're talking about this stuff.
Attila: And you're absolutely right about culture.
Attila: I mean, that was kind of the whole impetus for the Riscara 360, is that it's an employee behavioral risk assessment.
Attila: And what is behavior?
Attila: Behavior is what dictates culture.
Attila: If you look at any sort of cultural activities, any sort of small culture sets, by the way, culture has a root word.
Attila: The root word is cult.
Matt: Oh boy.
Attila: Yeah, isn't that interesting?
Attila: Yeah, so, I mean, it's a toned down version, but it's all about degree, not kind, right?
Attila: So, many of the companies I talked to, they really did put a huge emphasis on culture, as in the things that they do together when they're outside of work, the things that they do to celebrate, things that they do to try and figure out problems.
Attila: The way that they speak, the acronyms, the dress, right?
Attila: When, you know, the kind of activities and behaviors that are considered acceptable and not acceptable, right?
Attila: Shorts, flip-flops, how do we, how do we, you know, show up to work?
Attila: These are all key points of culture.
Attila: And is IT security part of that culture?
Attila: I don't know.
Attila: That's why the Riscara 360 exists.
Attila: So, any of you listening, you can check it out at riscara.com.
Attila: And if you use the word Cyber Secured, all one word, it's the name of this podcast, so C-Y-B-E-R-S-E-C-U-R-E-D, you can take the assessment for free.
Attila: So, my gift to you, the listener, for listening this long into the podcast.
Attila: But we are running out of time.
Attila: Do want to talk about this some more.
Attila: So, feel free to check it out, riscara.com.
Attila: Cyber Secured is your code.
Attila: And if you do have any questions or topics that you'd like us to cover in the future, feel free to put a note into this podcast, or you can reach out to us directly.
Attila: Now, we're at cypac.com.
Attila: That's cypac.com.
Attila: And we're available to chat, talk about things that maybe you've come across in your own journey of life that are IT security related.
Attila: And perhaps we'll be able to help you out in a pickle.
Attila: And on that pickle, I think we're good with this podcast.
Attila: What do you say, Matt?
Matt: Yeah, I think so.
Matt: We hit a record for today, for our time.
Matt: So thank you for sticking with us if you're still listening.
Attila: Yeah, I definitely got to talk more than usual.
Matt: Yeah.
Attila: Awesome.
Attila: All right, thanks guys.
Attila: Well, stay safe out there.
Matt: Thank you for listening, everybody.
This episode was brought to you by Cypac.
To learn more about keeping your business safe from threat, crime, and disaster, visit Cypac.com.