Recorded Sept 29, 2020
Today, Jeff, John, Josh, and Scott talk to Liam Downward – CEO of Cyrisma.
Visit https://securityweekly.com/cyrisma for more information!
Do we know where our sensitive data is located? Is the system that hosts this data free from vulnerabilities, and is it securely configured? How do we assign accountability through mitigation plans to meet compliance mandates?
This segment is sponsored by CYRISMA.
Visit https://securityweekly.com/cyrisma to learn more about them!
Jeff Man 0:01
Welcome to Security and Compliance Weekly. We have a great show planned for you today. In our first segment, we’re talking to Liam Downward who’s CEO of today’s sponsor, Cyrisma. We’re going to talk about Cyrismas Software as a Service solution that’s attempting to help small and medium sized businesses tackles security compliance issues without eating up a huge budget, relying on a huge security staff or taking up too much time. In our second segment, we’re going to take up a discussion that actually began on our Discord server during last week’s episode, and we’ve already taken it up for like the last 10 minutes on Discord. So if you’re not there, join the party. The general question that was asked was why there seems to be no empirical, scientifically based standards that address key aspects of vulnerability management. Things like remediation, timing, prioritization, and the degree to which compensating controls and or PCI can be used to offset the impact of vulnerabilities that remain in your environment. So with all that, about to happen, join us as we continue our journey of tearing down silos and building bridges on Security and Compliance Weekly.
This, is a Security weekly production and now it’s the show that bridges the requirements of regulations compliance and privacy with those of security, your trusted source for complying with various mandates building effective programs and current compliance news. It’s time for Security and Compliance Weekly. The average cost to respond to an insider threat is 11.4 or $5 million. That’s a lot of reasons why a functional insider threat program must be a core part of any modern cybersecurity strategy to protect your organization sensitive data and meet compliance requirements. Unique controls in place to deter, detect and disrupt insider threats. With Ekran system you can meet control requirements imposed by compliance mandates all within one Insider Threat Management Platform, get your free 30 day trial at securityweekly.com/Ekran, that’s e-k-r-a-n and fulfill your compliance requirements.
It’s the end of the quarter, you’ve got a mountain of compliance tasks to complete daily requests from sales for security documentation, and an upcoming audit. You’re waiting on evidence requests and you can’t find the policy you wrote last week. compliance management is hard after both comply makes it simple comply is an end to end purpose built GRC platform to manage compliance from automating evidence collection to integrating with your existing SaaS tools complies simplifies the hardest parts of managing compliance, reduce manual processes and build trust with your customers. Visit securityweekly.com/Aptible to learn more.
The question is simple. Have any of the systems on my network been compromised? The answer is harder than it should be. Enter AI hunter active countermeasures has automated in streamlined techniques used by the best pen testers and threat hunters in the industry to create AI hunter a network threat hunting solution that does the first pass of a hunt for you to identify systems that are most likely to be compromised and scores the results on a scale from 0 to a 100. You can then research those systems in depth with air hunter focus your valuable time on the systems that need your expertise with AI hunter sign up for a personal demo today at securityweekly.com/ACF.
Jeff Man 3:31
Welcome to episode number 45 of Security and Compliance Weekly, recorded on September 29 2020. I’m your host, Mr. Jeff Mann and joining me today are my illustrious co-hosts socially distant and a tad socially awkward if I might add Mr. Josh Marpet. Mr. Scott Lyons and Mr. John Snyder, Esquire. Welcome, gentlemen.
Scott Lyons 3:53
Hey, we’re IT people of course, were socially awkward.
Jeff Man 3:57
Hey, it’s a badge of honor.
Josh Marpet 3:59
I’m not socially awkward. Everybody else is just better.
Jeff Man 4:03
Hey, before we jump into it, I do have a few announcements. Would you like to have all of your favorite security weekly content at your fingertips? Do you want to hear from Sam and Andrea when we have upcoming webcasts and technical training? Do you have a question for one of our illustrious hosts? We’re Josh, someone from the screwed weekly team or wish you could hang out with the security weekly crew and community. Subscribe on your favorite podcast catchers sign up for our mailing list or join our Discord server I would have said and join our Discord server to stay in the loop on all things security weekly. You can start by visiting securityweekly.com/subscribe. Also, while you’re there on our website if you have specific guest or topic suggestions that you want us to cover on a future show, you can do so by going to securityweekly.com/guests and filling out the form. We review suggestions monthly and we’ll reach out to you once we’ve reviewed your record Okay, let’s get into it. We are joined today by Liam Downward. Liam is the CEO of a company called Cyrisma. Also one of our sponsors for today’s show, I’ll let Liam tell his own interesting story and journey of how he got to where he is today running this company called Cyrisma. But first, Liam, welcome.
Liam Downward 5:25
Thank you. I look forward to talk to you guys.
Jeff Man 5:28
Well, we’re looking forward. Looking forward to talking to you. We had a good time on our prep call the other week, we’d like to start the show with asking our guests the what we call the hot seat questions. So let’s get that out of the way right off the bat, and then I’ll let you tell about yourself. So in with respect to security and compliance, we like to ask the question, Where do you fall? Where do you stand on what we like to call the security versus compliance continuum?
Liam Downward 5:56
Well, that’s actually a pretty good question. my whole career I’ve been told up till about five years ago, it was told that compliance and security was a process, not a product. And over the last safe, probably five years, I’ve been thinking that it’s a cross between product and policy and process. The reason why that is, one of the things that you mentioned earlier in the prep talk, is that compensating controls. So if we can’t put a policy or process in place, what can we do to mitigate it by having a compensating control, which then you could use technology, or a product to actually reduce that risk until you get your process in place. So I’m kind of like, caught in between that realm, in that kind of like mantra mindset.
Jeff Man 6:41
So so I’m just reading on the discord, how I’m out of sync with my audio and video, which is normal for me, I’m always out of sync. So Liam, share with us a little bit of your story, how you got into cybersecurity. And tell us a little bit about your journey that got you to the point where you wanted to start this company called servers.
Liam Downward 7:08
Yeah, so actually, to be honest, when I first started in it, I hated computers, right. And that’s, let me take a step back, I hated computers. So I finished college, I went back to live at my grandmother in Ireland. And you know, being traditional Irish, my mom and my grandmother says, You got to go and get a job, you know, staying out all summer doing all the things that you’d want to do, which is you hang out with your friends, have parties and have fun. So I’m at my cousin’s store and open up this centerfold of a, of a newspaper on a Sunday, and I was a big advertisement for a time, this is 1998 for gateway computers, which, with the mu TV and the whole cow look and feel, um, I applied for a job there, got it. And that’s when I started my love for it. And cybersecurity didn’t happen until I moved to the US. I met my wife. And then I came to Rochester. And then I got introduced to information security, and I fell in love with it. Because I always had a kind of an affinity to kind of like law enforcement and so forth. And it was kind of like my way of getting close to it. And I progressed through get my CISSP all the different types of certifications of the up the wazoo so forth. And then I had an opportunity…..
Josh Marpet 8:19
Where did you get your certifications? Up your Wazoo?
Liam Downward 8:24
Josh Marpet 8:25
Dude, you’re doing it wrong.
Liam Downward 8:26
Like, they’re coming.
Scott Lyons 8:27
It’s only where the lemons go. Come on.
Liam Downward 8:30
So some of the CISSP say, I sent him the whole, the whole gamut, right. So I’ve got them coming out of out of my ear. So I kind of took a step back and decided to go into consulting rather than doing security engineering. And I started loving the executive interaction and leadership thought process around, you know, compliance around PCI SOC, GLBA, at the time was SSA16, those type of pre audits. And then I started a company in 2005, cold, pervasive solutions primarily on security. And then I kind of got like, a little burnt out and decided to go into corporate America, and I was working in corporate. And, you know, the grass is not always greener on the other side. But it gave me a different perspective of how corporate sees Information Security compared to a consultancy. And then I had an opportunity to have side work with previous customers to do security assessments. And I started seeing the pattern. So when we were doing assessments, we would say, hey, you need to do a data classification. You need to put this in place, you put that in place. And we’ll come back and do a follow up to say, Hey, we can’t do it when we can’t afford it. We don’t have the people and we don’t have the time. And I’m like when I sat down with a lot of them and said, Okay, can you tell me why? And they’re saying well start off with we’re looking for a solution that we definitely need because certain requirements that are internally but also it’s in our best interest for compliance for like data classification. We can’t afford the solutions out there. And plus, we don’t have the manpower to think, Hey, we got to go and augment our staff and get new staff. So we actually, I thought of the idea says, hey, there’s a potential opportunity here to actually build a simplified solution that SaaS base doesn’t have the hardware training is easy. And then in 2018, we actually formed a company, which originally called Data spotlight. And then we started building for about 14 months of the baseline of the software. And then we went live this year. And it’s been very, it’s been, it’s been an awesome ride, to be able to have a solution that we take 10% of what everybody utilizes and other products. And I’ve incorporated that into an ecosystem. And the response that we’re getting from people is that, hey, I can get this up and running in a couple of hours. It’s very intuitive, it’s very easy. I don’t feel overwhelmed with the whole shelfwear concept of bringing some tactical security to their overall strategic aspects for compliance, where the term NIST whether it’s on PCI, whether it’s HIPAA, and so forth. So it’s been kind of exciting, right?
Jeff Man 11:04
Yeah, I love a guest that brings up PCI yay,
Liam Downward 11:07
Scott Lyons 11:09
Jeff Man 11:09
So yeah, I’m putting it in front of me so people can see. So, in looking at your website, Cyrisma is obviously Well, it’s all over your front page that you’re about cybersecurity, and you’re talking about managing risk, I love it, that you’re talking about doing it for, you know, small, mid-sized companies, or frankly, companies that just don’t have the budget and the people and the time and the resources for all your mention of managing cyber risk, and so on and so forth. It does beg the question, and I love the level set when we have these conversations, but could you first give us a definition is not a pop quiz, just wanting to know, you know, how you define it? Simply the word risk? And then overall, obviously, cyber risk.
Liam Downward 12:01
Yeah. So once we Well, obviously, there’s the we call it cybersecurity risk, once we identify a risk, whether that is we identify sensitive data that’s in multiple different locations, whether that’s in personal drives in the cloud and email, what do we want to do with that data, we don’t want to have that large footprint we want to get we want to consolidate that and have only what we need to be functional rather than having it were spaces. So and in what we thought was everybody is data, what we want to do is that everybody’s focused on the defense in depth scenario. So what we want to do is to flip that and say, Okay, let’s focus on the data First, find out where the risks are around data, who has access to as in, is there everyone access? Is there files in places where the show them be? What kind of data? Should we have that kind of thing? Then is that system that houses that data vulnerable from a, okay, are they patching it, and so forth in other patches being applied correctly? And then is it securely configured against security best practices cis to know if your government to DoD, DISA STIGs? And then we wrap that up and say, Hey, once we’ve defined these risks, and how do we track the mitigation, and that’s where we bring in the level of accountability. So you can have your artifacts, or you can have some level of attestation, to say that, hey, we found a risk over here of data sensitivity, we’ve assigned that to somebody would give them a timeframe, we can track progress. And when we can actually have accountability, because then at that point, we can roll that into risk grades, if they don’t complete it, it affects your overall potential exposure, and so forth. So we kind of started taking some of the tactical stuff, and rolling that up into like a security scorecard so they can align that to levels of different compliance with the mitigation engine.
Jeff Man 13:43
I don’t know about anybody else. And this is not meant to be a slam on you personally, it’s just more of a statement about our industry as a whole. But when companies start talking about trying to take a new approach by focusing on data, I kind of scratched my head, because, you know, I started in this field almost 40 years ago, where it was all about the data. It happened to be protecting data is as it was being transmitted primarily and you know, I was involved in communication security, but I’m baffled at how sort of a fundamental principle of security which is to, to quote the Ben Kingsley Kant character in the 1992. Movies, sneakers, it’s all about the information. How, what’s your take, how did that concept get lost in our community in our industry? Why did so many other gee whiz bang, things take over? And now we’re coming back to? I mean, essentially, the basics, you’re offering a product that is helping people tackle the basics of security?
Liam Downward 14:50
Absolutely. Because everybody did the whole buzzwords, right. You got AI, Zero Trust, right. And you think about the old day days of thinking, hey, I’ve got a firewall and antivirus right because Everybody started to have you got this glass tank. And all you’re doing is you’re driving down your freeway. But you if you get hit with anything, you’re basically you’re the glass tank is broken. But if you start putting different things in front of which is what everybody started doing is thinking, I can augment my thought process around security, and put that into technology, then I can focus on my day job, which is focusing on availability. And I think that’s what happened. And then all of a sudden, the whole because every time of viruses, that’s breaking down, destruction of data, but now with the ransomware aspect that’s coming in, it’s starting to have that that full cycle life cycle coming back again, to say, Hey, we need to focus on the data. Because if we have a huge amount of data that is secured, that’s that’s potentially sensitive, what’s the likelihood of a big impact for us, if we get hit with a ransomware, which means, you know, shuts shut down, you just seen what the latest one from yesterday with the healthcare entity, that, you know, potentially there’s a ransomware are those. And that’s because they have sensitive data. And that’s what we got to focus on. So it’s kind of gone through the whole process, when we circle back like fashion, right? Security is the same way, again, goes through cycles, and then we go back to something that happened 10-15 years ago, because everything’s it’s cool. But right now, I think we need to look at data sensitivity as a major component and how we protect our organization and then build out that way, which means we can build both tactical approaches, as well as strategic approaches to mitigate it and bring in the data owners of individual components, whether that is systems, whether it’s data, whether that is, you know, process in the you know, the security operation center, and so forth.
Scott Lyons 16:35
So, when we’re talking about PCI and ransomware, you bring up a really good point that we said in the past, which is Nope, that’s only if Jeff says it, um, which we’ve mirrored in previous conversation to say that there’s really been two events that have pushed the needle of security, and those two events are PCI. And the other event is ransomware. But unfortunately, we’re starting to look at ransomware is the new PCI right? In driving what people are doing. Right?
Liam Downward 17:09
Yep. It’s the reactive aspect of it, right? So it’s kind of looking at it and saying, Hey, I can look at it two ways. I can be reactive in on having a Oh, no, this has happened to me, let’s fix it, what’s been reactive, or I can be proactive. And I can look at it as two ways. One is, I can look at it from a marketing standpoint, to say that I’m being proactive around my security and around my elements that when I engage with my clients, or customers, I can actually tell them, this is what we’re doing to protect your data. But at the same time, I can look at and see what’s happening to my other competitors, or other people in the area that’s been affected by ransomware. But there’s that whole kind of business worry now to say, Okay, if I do get hit with a ransom, is my cyber liability insurance going to be covering it? Or do I have to pay out of pocket, which is what so many companies are doing right now? Because one, their backup is not adequate enough. There’s other things to follow on from that process that I think a lot of people don’t do any tabletop sessions around ransomware, to saying, okay, where do we have potential single points of failure that if we get hit with ransomware? What actually will happen? Potentially? And what do we need to shore that up and be proactive? And then let’s not be reactive, it’s kind of like, you know, what was my budget before a breach? Right? That’s the equation. That’s the equation when it comes to, you know, understanding risk, is it okay, before a breach, it’s kind of like buying a life insurance policy. I may or may not die in the next five years. So I don’t think I need it. But then all of a sudden, something happens. And the rest of the, you know, had some morbid analogy, but it’s the same thing with you know, your security. Yeah, put my head in the sand. Ignorance is bliss. Nothing’s happening right now. But now you see it more and more with media sensationalism, that cybersecurity attacks are happening more and more, now. They’re becoming more, you know, you know, more, have more intellect behind them. They’re, they’re higher than organized crimes, hiring, you know, PhD students and so forth to be able to do all this stuff, because money is big. It’s no longer that 15 year old kind of potential stereotype sitting behind a computer hacking away. It’s people that actually have experience, understand code, and different things. And I think that’s where people start realizing this thinks that getting involved in business, rather than just focusing security being an IT function.
Scott Lyons 19:17
So away from if I stay away from cyber insurance, because if you’re a fan of the show, you know that like that’s a rant button for a couple of people that are here. Yeah, okay. What I want to I want to focus in What is Cyrisma’s approach to mitigating all of this right,
Liam Downward 19:41
well, yeah approaches is to look at organized help to organizations, right to be able to understand that security is not a big major burden to you to be able to become proactive. Because when we sit down and we talk to it entities or talk to organizations, the first thing that comes down is I don’t have time. I don’t have the resources don’t have money. Because when you have all these large cybersecurity solutions out there costing a lot of money, the complexity comes into it. And then they’re thinking, ramp up time Is it is it two months, six months is a year, I need dedicated people. So then I got to get approval for that. So we wanted to kind of make it as simple as possible to get in that they can start collecting data. And they can see how easy it is to actually have, you know, qualitative approach. But again, to have some level of substance to say, hey, I’ve shown I’ve got a mitigating something, whether that’s data with the system, and then rolling and showing my executive leadership very quickly, that we can actually tackle this in a short period of time without having to throw so much money at it, let’s throw resources at it. And then we are good. And then we have a risk assessment comes along with good, then we just basically stop what we’re doing, and then wait for the next next risk assessment or when the next reach potentially happens. Right?
Scott Lyons 20:56
Right, so when you’re in this space, right? You guys are new, right? Let’s be honest, Who who are you mainline competing against? If I wanted to say, hey, I want to go and check out Cyrisma. Right? Who in my justification for purchase would I be looking to compare you guys against in the market?
Liam Downward 21:23
Right. So if you look at it from a holistic standpoint, we are kind of like five products in one, right? So you’ve got mitigation engine solutions out there. We have vulnerability solutions out there, you have, you know, secure configuration solutions out there. And then you have security rating solutions. So what we want to do is to say, Hey, we wanted to create a new kind of way of an ecosystem, right, which means we grow with new tech, new stuff that we put in that means it gives it directly to the fingertips of the actual security person that’s being designated as in an organization. But ultimately, what we want to do is to kind of make it that they have one stop shop, right, which basically gives them the basic tools they need today and for the future to be the start the access of being proactive. Right, let’s give you an example. You know, every talks about being you know, working with an MSSP right most msps will focus on not MSSP, sorry, MSP a mis misspoke. They say that they do security, but what’s the basis of their security, firewall management antivirus and patch management? Right, which in essence, most small to medium sized companies thinking hey, my IT service providers providing me cybersecurity, you know, capabilities. But really, are they looking at the bigger picture? Right? Are you? Where’s your? Where is your sensitive data? Who has access to it? You know, are you..
Scott Lyons 22:41
Do they know where it is?
Josh Marpet 22:42
Infection control? injection controls? What are your days lagging? Your data classification?
Liam Downward 22:48
Josh Marpet 22:48
Where you’re sharing data from where you’re sharing data to? Right, just in the data realm? Just in the data realm.
Yeah, there’s a massive amounts of things that most MSSPs and some of them, please don’t take this as a general sort of declaration that MSSPs suck. Some of them are amazing.
Liam Downward 23:07
Josh Marpet 23:07
Most of them, most of them are glorified MSPs who have taken some courses. And I’m not saying that’s bad, too. You’ve got to have your firewall taken care of, you’ve got to have your perimeter such as it is these days taken care of your cloud enclaves backed up and snapshotted. You these things are necessary, don’t get me wrong. But the big problem is, is that that is not the totality of security?
Liam Downward 23:30
No, it’s not. And that’s yet obviously sorry, to interrupt you there. But you hit the nail on the head there, because that’s one of the reasons why the beginning of the year we were going direct, right and I give you an example of what made us shift to go to start creating a channel and focusing on focusing our software to MSPs and MSSPs. Is because at the beginning, we were going direct and then we were getting everything was going great, then, you know, the whole COVID scenario happened. But what we were hearing was, hey, we like your product, we want your product, but our powers to be of saying hey, we can’t bring any new vendors on. Well, let’s go and have a comp we should have a conversation with is our MSP and our MSSP because they’re grandfathered in this whole process. So when we started looking at their solutions, we found that especially in the MSP realm, there’s over 40 I didn’t realize this is over 44,000 MSPs in the US alone, and which equates to about 2.2 million organizations have their it and cybersecurity under management from an MSP and or an MSSP. So when we started looking at evaluating it, that’s where we started seeing some traction were okay, people are starting to realize that, hey, they’re asking a little bit more of their cyber, cyber security from the their MSP because they’re seeing stuff in the newspaper, the continual breaches, especially when it affects them and they get a letter in the mail, obviously, people will start becoming, you know, desensitized to the whole thing, but if it’s happens to that business, then it’s a different thing altogether. So now they’re starting to ask more questions. And we’re actually getting good traction interaction with the MSP and mssps. to want to look at what we’re doing. And one of the key factors is not whether we do vulnerability or secure configuration is the focus around that we did around data sensitivity. And that’s where they’re focusing primarily on that, to say, Hey, we’re not doing that right now. All we have a tool, but it’s not that great. But we definitely want to have a conversation with you, let’s do a test drive and some of our clients, and they just did just the ease of what they see of how point and click and they get results. And then we can have actual live interaction with their clients about here’s the data, here’s where it’s located. Here’s the context, what do you want to do with the data, encrypt, delete, change permissions, that kind of thing directly within our web interface, or assignment to them. And it’s been, it’s been an actually, it’s been nice, because like, it’s nice to see your baby be actually appreciated, right for what it does. But at the same time, we see that there’s a value of why we created sire ism enough for the mere sake of Hey, we wanted to create a whole new disruption, we wanted to be able to say, Hey, you know what, the backbone of the US economy is the small to medium-sized business. And I think they get left behind. When large organizations look for those big whales that can pick spend five, three, you know, 300 $500,000, a million dollars a year, but then you got all these entities that get forgotten about. And I think that’s where now organized crime goes to the path of least resistance, right? So that’s what they’ll start focusing on that. And if they get in there, there’s a potential for them to have a connection to a bigger fish, and then the connectivity just goes from there. So it just allowed us to be able to say, hey, it’s an opportunity for us to be able to give something to that, to that market space, and so can be feel confident about.
Scott Lyons 26:40
So what you’re saying is, it’s more of like supply chain attack, because, you know, MSPs, MSSPs, they do all these great things for all these businesses. Right, but the margin of revenue for MSPs. And MSSPs is so low that when they’re adding new stuff to clients that often or to their services, it often knocks the CapEx, OPex spend of the clients out of the water. So how, how do you? How do you help ease that pain?
Liam Downward 27:11
Well, I ease the pain is that it’s like you take like most MSPs do a per user price right for their product, or their services, doing it there. And then they wrap that up with the CEO or the CFO, because they should have a cost of their employees write the cost per hour cost per day, whatever. And you can compare to say, hey, if we did this, this, this and this, but then if you tap on on top of that, add on to that and say, hey, I want to do cybersecurity, and here’s the things that we can do for you. Now, whatever they charge, they can’t hire a cybersecurity expert, whether that is a CISO level down to somebody that can actually also do some tactical security, analytical to security engineering, for you know, less than, you know, for you currently can’t hire anybody less than $70,000. In certain cases, or even more, depending on if it’s a VSO, you’re 70,000 or more a year, those kind of things. So as you bring our services in, it ends up being a lot cheaper for them. So they’ve actually been successful to actually add on because they’ve been able to play that, that route to say, Hey, you know, for X amount of dollars additional to your monthly service, you’ll be able to get this. And here’s the cost savings that you would have without you having to go out and hire and bring somebody in to focus on their data being dedicated. So it actually has been an eye-opener for a lot of organizations, because some of them have come back and said, Hey, you know, I want to go and find that out. And let me go to Glassdoor let me go to these other places and find out exactly how much it costs for at least an entry point, you know, security analysts coming in through the door, you know, it’s fully loaded, that can be over $50,000, right, especially straight out of college, depending on what they’re doing. And again, a lot of small, medium-sized businesses think, well, I can’t really afford that. So okay, if I can do something for like half of that price, I can get all these services already wrapped in and managed because I’m already paying the mssp as well as part of that. So then, in their mind, that’s like a win-win scenario. And for us, it’s the DSL.
Scott Lyons 28:58
And people at those levels, I want to add to what you’re saying people at those levels are charged with not only ensuring the cultivation inside of the business, but also ensuring that people are sticking to the process of how things are done to the procedures that have been set up, right for scale and growth and flexibility across the environment.
Liam Downward 29:18
Scott Lyons 29:19
Alright, how many? Let me ask you this. I want to I want to switch gears just a little bit. How many times have you thrown this at somebody and gotten adverse feedback? I want to talk about the ugly first for a second. Write somebody that says, well, we’re good. We don’t need anything, right? You guys can help us like can you walk through like a scenario where somebody may have their thinking twisted in such an arrogant automatic fashion for lack of better words. I know that’s really bad terminology. But in there, they’re there so twisted with their thinking about their environment that they can’t see the forest through the trees. Can you walk through that?
Liam Downward 29:54
Yeah, absolutely. We get that a lot during the time of conversations with people so say we’re great. We’re like okay, What are you doing? That’s great. That’s one of the first questions that would say we asked them and say, they’ll say, Oh, well, we’ve got this in place. We got a process around here. And it’s okay, how many hours? Are you actually spending doing that? Now? Think about it, you may have five security systems in place from a vulnerability management solution to a Patch Manager solution, this solution, that solution. Now, how many hours are you spending that you are being designated the security person after hours to correlate all that information to come up with a mitigation plan? And as soon as we go down that path, they start thinking and they stopped, they pause, and they’re thinking and they go, hang on? So can we go back to what Cybrisma, because you’re telling me I can save time and money? Because okay, but I’m coming up for this change, or that new and I got this meeting. So I’m going to spend another 20 hours on top of what I’m already doing after hours to be able to take all that data. So we kind of asked them more pointed questions at that point said, hey, how much time are you spending? You got a meeting next month with your leadership? How many hours do you have to spend to get all the information to put into a nice PowerPoint presentation to say we’ve got this information is a trend is a risk? In most cases, they’ll say we’ll spend 20 to 30 hours just collecting and correlating that information to boil it down to your hourly rate. Exactly. And then why of your hourly rate is then you’re on top of that. So Dennis starts asking the questions, and then it’s kind of like, okay, hang on a second. Let me go. So what I’m gonna do for me, how’s it going to help me? Well, we then we go down the path and say, Hey, how about if we just show you a quick visual of our dashboard that you can actually sit right there in the first two minutes actually present that you don’t have to collect any data when you’re presenting. So you can actually continue doing your job right up to the moment of you’re actually going into that room, you log in, and there’s your dashboard, and you can actually have a conversation with that with your executives right away. And that right there is a totally different conversation. For most for most people, but other people, yes, they will be staunch because they don’t like change. And they’re used to what they’re doing, because they built up a process that’s now ingrained in a lot of people. So it’s, then it becomes a cultural change. But again, over over time, those things will start changing as we start building relationships with people that are in the lower on the totem pole. And as it goes up, we’ll we’ll just chip away at it. But right now, we just have those we have those hard conversations, we just flip it and say, Okay, how many hours are you spending? What Who are you engaging with? How are you working, you know, a full 40 hours, you work in more than 40 hours? Right? What are you spending the time Additionally, so you know, those kind of things, we kind of make it more like personal aspect around it, because people don’t realize that, hey, if I do my it, and I have the security hat, you know, availability always comes first. But then the confidentiality, integrity gets thrown to the wayside. But I have to think that the afterthought because I have to meet level of compliance, then I have to go this 1000 mile way round instead of just taking that one-mile shortcut, right, which is what we will provide to them.
Jeff Man 32:52
Liam, that sounds really great. I wish we could continue talking. But alas, our time, our time is up. I do want to invite you to stick around for our second segment today because we’re going to be having a discussion about vulnerability management, risk and vulnerability prioritization. I kind of think it might be right up your alley. So please, you know, feel free to stick around with this Hangout. Yeah, hang out in the discord server. For our listeners, if you want to learn more about cyber asthma, you can visit securityweekly.com/Cyrisma. While you’re there, you can even sign up for a seven-day evaluation test drive of their SaaS solution. That’s going to wrap us for episode one. We’re gonna take a quick break and come back and talk vulnerability management