Kitecast

Michael Daniel: Combatting Cyber Attacks and Incidents

October 07, 2022 Tim Freestone and Patrick Spencer Season 1 Episode 2

Cyber Threat Alliance President and CEO Michael Daniel, who served four-plus years as Cybersecurity Coordinator for the U.S. Government, discusses what cyber-threat trends you know about and which ones pose the greatest risk. Michael explains how the Cyber Threat Alliance enables organizations to prioritize risk management based on aggregated threat intelligence from numerous vendors. The interview with Michael also covers cyber incidents and risk during the Russian-Ukraine War, lessons learned when he served as the U.S. Cybersecurity Coordinator, how the federal government is evolving to address rogue nation-state bad actors, and adoption of zero-trust security.

For more information on the Cyber Threat Alliance, visit https://www.cyberthreatalliance.org. 

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Patrick Spencer 0:24 

Everybody welcome back to a Kitecast episode. I’m here with my cohost, Tim Freestone. Hey, Tim, how are you doing?

Tim Freestone 0:30 

Good, how you doing, Patrick?

Patrick Spencer 0:31 

Just fine. We have a real treat today for our listeners, we’re joined by a longtime friend of mine from Boulder, Colorado, Josh Horwitz, he has done a number of things. He’s sort of a serial entrepreneur, so we’re going to get a different perspective in terms of how do you evolve your career from a cybersecurity software leadership standpoint, but then, you know, he has built a couple of very, very successful startups from the ground up and sold one. And he’s working on another one right now. Josh currently is the CEO and co-founder over at Enzoic, which is a Boulder-based company. And I’m going to let him talk about what they do. And we’re going to delve into some of the things that they do around the dark web, just to set expectations for our listeners. And I suspect we’re going to learn some things that we don’t know about the dark web. Josh, before we dive into those details, let’s talk a little bit about your background. Because it really is quite fascinating. I first met you, I think it was back in 2003. You had recently started a company called Boulder Logic, you’d come over there from a lengthy successful career at IBM, what made you want to leave IBM and go into the startup realm? And why did you pick the realm of customer marketing, or customer reference database marketing?

Josh Horwitz 1:53 

Sure, yeah. So, I kind of always knew that I was entrepreneurial minded. When I did my MBA, it was very focused on entrepreneurship. And the next thing I know, I’m working for big blue, and so that’s a discord eventually I needed to resolve. But one of the things that I saw in working for IBM, and then a couple of companies after that was that the most valuable thing that you could do to support sales and marketing was to have happy customers that would speak to your prospects. And yet each place I went was sort of reinventing the wheel in terms of how do you kind of make that happen? How do you build an army of customers that are willing to provide testimonials? And so that was really what the driver was, and, you know, I have feeling that if I could kind of put a package or program in a box that was focused on building a reference program, it would be successful. And, and, and it was, so that’s, that’s how I got into that.

Patrick Spencer 2:55 

When I remember the days of Lotus database to date myself. I used it back in the day, and it was painful, you know, it got the job done. And back then it was probably a pretty powerful tool. But to go from Lotus database into what you did with Boulder Logic was like from a Ford Pinto to a Lamborghini, I think at the time. Thank you very much. So, you sold the company, to talk a little bit about how you evolved, you grew the company, then you sold it, and we’ll talk about your little road trip as well, because I find that quite interesting.

Josh Horwitz 3:32 

It’s so after someone in the company, I was taking some time off, and I did some traveling, we purchased a Euro van camper and kind of went all around the country and up into Canada. So that was nice to have that opportunity. And otherwise, you know, to be able to split up that in a career is quite nice, but I certainly wasn’t ready to retire. I connected with someone that I had done some work for and with previously actually, during the time that I was getting Boulder Logic off the ground, I was doing some consulting work and one of the clients was Webroot. So, in the cybersecurity space, and one of the senior architects and developers over there had kind of branched off on his own with an idea around authentication security, but it was really just, you know, in the very earliest stages, and he was looking for somebody that would help on the business side of the equation. So, I connected with him and we kind of got the company off the ground from there, really bootstrapping it and I basically came in to bring sales and marketing and operations and kind of finance and bookkeeping and pretty much everything else that is associated with kind of a day one startup and we have a And, you know, that was back in 2016. So, we’ve done well, since then growing the company to a good size, which was profitable from, from early on, we’ve shifted kind of the focus a little bit from what was originally a tool focus towards APIs and software development, security of login forms to something that’s really more of a full enterprise authentication security product, and I’d be happy to talk more about them.

Tim Freestone 5:32 

So, you said something very interesting there, you bootstrapped this cybersecurity, yeah, company, no investments, you’re like a unicorn.

Josh Horwitz 5:43 

Like that, you know, we brought some, you know, I brought some of own capital, and certainly didn’t need to rush to have a lot of, you know, immediate funding on it. But I think that’s a little bit around kind of my approach to, to entrepreneurship is really want to get that product market fit, right. And when you get it right, then all of a sudden, you’ve got deals and customers and, and revenue coming in. And then it’s just a question of, you know, what kind of growth trajectory you’re trying to accomplish. And we agreed, as a company that we would take it to bootstrapping as long as far as we could. And that’s the path that we’re still on today.

Patrick Spencer 6:30 

How long did it take to like decide what that market was, and that rejiggering? Course it’s an ongoing process? But before? How do you start? I think you start with the work back in 2017, on this new endeavor, so six years old?

Josh Horwitz 6:44 

Yeah, we’ve been doing it for some time. Um, you know, it didn’t take that long. I mean, you know, certainly under a year of basically, it really talking to customers, prospective customers and understanding, kind of, you know, how they thought about what we were doing. As I said, the initial iteration of it was API based. And we had also a component that could be overlaid client side to validate passwords at the time they’re being created or reset. And so, the idea, fundamentally, is, there are a gazillion, you can quote me on that have passwords that have been compromised in previous data breaches. And hackers know that they can use those passwords reliably to log in, either through password spraying or credential stuffing, because people reuse the same credentials so often. So, if I can get credentials from a third-party breach, there’s a high probability that I have your credentials that you’re using today, not you, Tim or Patrick, but to the on average, that absolutely still Tim never reuses his password.

Tim Freestone 7:57 

It’s always got special characters at the end.

Josh Horwitz 8:00 

An exclamation point. So that I mean, that was the idea was 100%. How do you turn the ammunition used by attackers into a tool for defense and the event with the API and that client-side JavaScript, open login, or password reset overlay, we were able to check against a massive database of compromised passwords. And but as we talked to more, to more prospective customers and companies, there were a couple of different ways that we could take it. And, you know, what we determined was trying to talk to developers was great, but you know, really, the decisions about security are happening in other parts of the organization. And so, making it more appropriate to a CISO based audience, also, making it really easy to deploy. So really, our flagship product at this point is an integration with Windows Active Directory. So, it doesn’t require, you know, actually using our APIs, and it basically picks up where it’s pretty low bar, but where Microsoft leaves off in terms of password security. And so that’s it that was basically the journey of taking it from point A to point B. There’s other we’ve productized it in other ways, and the APIs are still a substantial portion of the business but the majority of the business is making it really easy to integrate into your identity and access management system and basically keep unsafe passwords from getting into your organization and detecting when good passwords become compromised. And resolving that when it occurs.

Tim Freestone 9:53 

When you were getting into this five or six years ago, did you and your partners sort of look at market trends through, you know, other agencies like Gartner or data analysis to know that the future is in password security, that there was going to be a market or a market was blooming, or did that just happen to be the technology that you guys knew, and hopefully it worked out?

Josh Horwitz 10:20 

Well, so it was the kind of the technology that we knew. And there was just a clear problem like the, you know, the findings came through the Verizon Data Breach Investigations Report and put them in and other research that was done that just showed that the top cause of hacking related data breaches, and it remains to this day, stolen credentials, right. And so, it was kind of a, you know, aha type of or, you know, pretty, pretty basic type of solution to address that. The other thing that happened pretty early on, so this was, would have been in 2017, the National Institute of Standards and Technology completely rewrote their book on what a password policy needs to be. So NIST is basically the government organization that sets policy and process recommendations around cybersecurity. What they have been saying for decades was, you need a password that has a mix of uppercase and lowercase and symbols, and you need to require that to be changed every 60 or 90 days. And in 2017, they said, you know what, forget all that we have to change that. And you don’t have to worry about you actually shouldn’t worry about uppercase symbols love lowercase character composition that went out, because what they found was that when people are required to follow certain Well, I was going to say patterns, but it really ends up being patterns when they’re required to use certain characters. How they do that is very predictable. Like we talked about, you mentioned before, you know, the symbol to the end, it’s an exclamation mark, aha. Right. So, you think that you’re going to get some randomization with character mixture, but it actually makes it easier to predict what you’re going to use. And the same thing for password expiration, which is, if you tell somebody that they’re going to have to change your password every 60 days or 90 days, they just don’t try that hard, or they follow incrementing, that password character.
And so those changes through NIST gave us tremendous third-party validation. It wasn’t us as a cyber security company saying, this is the future and the way to do things. It made it very easy for us to say, you know, look at what NIST has to say, look, you know, what you’re seeing from these other groups, and it really has trickled down to other standards bodies, and, you know, had people calling us who had been in audits and you know, they’re being specifically told that they need to check passwords against and credentials against a blacklist of unsafe, previously compromised credentials. To log in the question.

Tim Freestone 13:15 

No, it’s good one, though, but you brought up because something I noticed, too, in the recent Verizon report, that stolen credentials is still number one. But by a very large margin, it’s not even a little bit, right. It’s, it’s tremendous. And when you look at, you know, what do they use them for, obviously, to break into web applications. But there’s a giant market that’s exploding around vulnerability, patching and vulnerability management and web applications. But that’s, that’s like 10%. And, and stolen credentials is like 90%. So, are you getting is your market just exploding? Is it just flooded with vendors now, because you see something like that in a report? And you got to think well, that’s where the money is going to, you know, that’s where the budget is going to go. Right. And so, all these companies start jumping into it.

Josh Horwitz 14:11 

It makes it a pretty easy sales cycle, because it’s like, when we make our pitch, nobody is like, yeah, I don’t really get it, everyone. I think in some cases, it’s disappointing to the director of cybersecurity and CISO because, you know, it’s not necessarily the cooler, sexy, it’s like passwords, and, you know, they’re looking for, you know, give me AI that’s doing this and, you know, and, and so, you know, there’s some element of that, and I think applies to vendors. Also, I think, you know, vendors are more interested or many vendors are more interested in you know, how can I use something really advanced technology to be able to do that. So, we have a There’s a handful of competitors that we compete with every day, Microsoft does offer something related to unsafe passwords and particularly in Azure. But you know, real limitations to it and doesn’t even address what NIST and others are recommending, in fact, doesn’t even address some of their own internal and external recommendations around checking credentials and rechecking them and resetting passwords. But I could get into a whole thing around that. So long story short, you know, it’s still a relatively you know, we’ve established a nice place in the market. You know, we compete with MFA and other types of, you know, biometric or other authentication, security methods. But, you know, even when you use MFA, you know, the whole purpose of it is multifactor authentication. So, if you’re using token or some other, you know, one-time password that’s going over another channel, you’re still supposed to secure the memorized secret, which is the password. And so, for MFA to really realize its promise, it needs to be the hardest, to most secure, what-you-know layer, the password, and the what-you-have layer, the token or whatever device that you’re talking about.
And so, it’s been, you know, I think, you know, if we talk about trends, you know, we believe that eventually the password will become less important as some of these other technologies take prominence. But there’s such a long tail, and it’s going to be so long before you’re able to really get rid of passwords. And frankly, until you can actually say, I have no passwords in my system, no passwords in our environment. It just as like, you know, it’s crazy to allow folks to create a password that is floating around on the dark web and somebody can grab onto with be an employee many minutes of effort.

Patrick Spencer 17:02 

Is it still your recommendations for them to use your solution in concert with MFA, or can they just use your solution as a standalone?

Josh Horwitz 17:09 

Um, you know, we short answer is we absolutely advocate MFA. You know, and we’re big proponents of, don’t listen to us, listen to NIST, listen to these other groups. And basically, the message there is, MFA absolutely helps multiple layers absolutely helps. It’s all about having multiple strong layers. You can’t have any. Yeah. And so yeah, we absolutely believe in it. The problem with MFA is, it’s tough, it’s costly, it doesn’t work with every device, it’s hard to drive to get actual adoption of it. So, you know, until you can really assure that you have 100%, you really are relying on the password anyway. So short answer is we absolutely recommend both. We’re just here to secure the layer that you’re already using. And I’ve already invested in.

Tim Freestone 18:03 

I might press you a little bit on something you brought up just because it’s interesting to me. And I don’t know a lot about it. Not sure if you do but the whole market of passwordless authentication and kind of what’s happening there. And how do you see fitting into that? And, you know, why is it such a long tail, and all that fun stuff around it. Because if you look at Gartner, they have this Trends report, the impact report, and these little circles on the propensity for people to buy that and the timeframe. And I think passwordless was five to 10 years out, but a pretty high propensity to buy, which to me thinks, you know, the market’s really early, but there’s a lot of money for it flooding into that. So

Josh Horwitz 18:41 

It’s frankly, it’s five to 10 years ago, also, people have been talking about getting rid of passwords for a very long time. It’s just not as easy to do. There’s a lot of complexity in it. There’s some great work being done with FIDO2 and other standards to help bring sort of in touch and biometric and other things to websites and other elements, other technologies that will allow for a passwordless approach. And so, we absolutely see those and encourage them. It’s just in a lot of cases, well, there’s a few things to think about it. In a lot of cases. It’s a way of introducing convenience. But if you change your device, or if you lose, you know, like you end up falling back to a password, they actually haven’t gotten rid of the password. It’s still there. It’s just you know, if you can authenticate in through a touch, it says okay, that’s the right person. But if you actually look behind the scenes, there are a lot of cases where passwordless is still kind of a, you know, marketing message and not all the complexities that I mentioned in terms of, you know, actually getting devices and consistent usage and all the rest of that. But yeah, we definitely agree that it’s there are, while there’s some really nice things about passwords in terms of being low cost, you know, simple allowing, you know, like, device independent, like, all those attributes will kind of drive decisions to keep passwords around even longer. They’ll definitely be for the companies that are, you know, want to get right on the leading edge, and

Patrick Spencer 20:43 

They will remain in business for some time. Yeah.

Josh Horwitz 20:48 

We’re not really losing sleep over that at this point.

Patrick Spencer 20:50 

But if you know, you and I had a prior conversation, Josh, where I understand that someone puts in a password, it will actually check which is built on your database via the dark web to ascertain if that password has been compromised, or it’s listed somewhere on the dark web. And if it is that it notifies the user that it is compromised, and thus will prompt them, force them to use a different password or come up with a different password combination. And then if you don’t say Tim’s along his passwords perfectly fine today, but he goes to login and say two weeks from now. And suddenly that password has been compromised, it notifies him. And it sets up a time limit that within 24 hours of using the system, he has to enter a new password it forces him to do so that’s my understanding in terms of how it works with the Active Directory.

Josh Horwitz 21:36 

Yeah, there are two use cases. And it’s sort of hidden both. One is when you’re creating a password, we want to make sure that the password that you’re creating is not showing up in a cracking dictionary or floating around on the dark web. And if you try to propose a new password, we’ll tell you that password is unsafe if it’s been compromised, pick another password that keeps unsafe passwords from getting into Active Directory. But once that password is in there, particularly if you follow NIST or Microsoft or SANS or other guidelines that say extend or get rid of password expiration, how do you know whether that password becomes compromised, it might show up in a data breach tomorrow. And so, we do a continuous reevaluation. And that really helps to determine whether a password has become compromised. And if it has become compromised, we entirely automate the process of notification remediation requiring a password reset. So, it’s really the thing that folks like about it is unlike other forms of threat intelligence where something might be searched for some the dark web and you say, Well, okay, that’s out there. What do we do about it? This is very clear, actionable and solves the problem of keeping unsafe passwords out of your environment. And that’s what we do. And this

Patrick Spencer 22:58 

Is B2B the focus in terms of your business today. But it could be applicable to B2C as well as their thoughts to make it available maybe through some of the businesses that are out there that actually have passwords, so it becomes part of their solution, if you’re doing that already.

Josh Horwitz 23:15 

Oh, so yeah, we absolutely have OEM partnerships with some of the identity and access management providers. One of our customers that gets a ton of good money is LastPass. So, while that’s not a pure identity and access management platform as a password manager, they want to make sure that the passwords that their users are creating and adding to the vault are not compromised, we can help to also surface additional information about the exposures that are given user name that has been part of a breach, what basically reporting that out. So, we definitely have looked at, if you call it B2B2B or B2B2C types of partnerships, pure B2C, meaning us selling to my mom, is not something that we’re really looking to pursue at this time. I think there’s definitely a need for it. There are actually some things in some of the browsers that do some parts of that. But our aim is to help the IT manager or security, somebody who’s responsible for security, to know that the passwords that their employees are using are safe. And that’s really difficult for them to otherwise do because the whole concept of passwords is the employee is supposed to be able to come up with their own gas and the organization is not really supposed to know it. So, we helped to step in the middle there and say, well, we’re showing allow the employee to come up with whatever they want and have all the benefits that passwords offer. And I can list them out but the key is we’re going to help the user to know when they’re using an unsafe password and we’re going to help the organization know that too, because otherwise they don’t really have any way to know it.

Tim Freestone 25:06 

So, as a founder and CEO and entrepreneur, you’re always thinking about the next issue or problem or what, what’s the next wall that Enzoic has to climb over to reach its next stage in business growth? There’s what’s keeping you up at night, Josh?

Josh Horwitz 25:25 

You know, we’ve got a number of new projects, you know, some still in stealth, and some, you know, that are further along to expand the scope of the services that we provide. You know, for the purposes of this conversation, we’ve really been talking about that Active Directory and corporate authentication or enterprise security, we do quite a bit and you’ll see more with integration into other types of systems and e-commerce and other platforms, and better intelligence and more expanded intelligence that can help with broader threat research types of use cases that tie back to what other information that’s available on the dark web. So, our initial focus was, how do we make this very precise, very actionable solve a very binary problem? Are your passwords safe or not safe? And I think we’ve done that really well. There’s a whole lot more on the dark web, that opens up a whole host of different use cases. And our aim is to take off other very actionable ways of helping organizations use that, as opposed to sort of broader base threat intelligence data collection, that kind of leaves the use case and the actions to the customer, to the organization, we see the value in being very, honestly prescriptive, but just making it easy. I mean, that’s a big piece of what is, okay is how do you make this as easy.

Patrick Spencer 27:09 

Your solution is super easy to deploy, it doesn’t require a lot of time on the part of the user.

Josh Horwitz 27:14 

It’s, you know, 15 minutes type of thing, if you’ve got a, you know, we’ve got some clients that have tens of thousands of users, and they’ll take it through all their different staging environments, but the actual process of setting it up is extremely quick.

Patrick Spencer 27:30 

And that’s by design. And presales, I assume is just as easy. If you connect to their system, you can tell them what percentage of passwords in their system right now are actually compromised. How does that work?

Josh Horwitz 27:41 

We have an auditor tool that’s free, anyone can run it. It’s super, super lightweight. It does a scan of Active Directory to look at and to identify those passwords that are compromised and part of data breaches. So, it’s answering that question of which of your employees were vulnerable, we use it very much as a proof point of you kind of know you have this problem, let us show you how big it is. And so, it can help establish a justification for those folks that need to get budget approval and the rest of it. But it’s really very valuable in its own right to be able to know that, you know, what it doesn’t do is the tedious things that I defined checking at the time that they’re creating the password, and the continuous monitoring, you could run the audit tool every week if you wanted to. And it does use against our most current data, which changes every single day. But at some point, if you’ve been running this on a daily basis, a weekly basis, you’re going to realize that we can fully automate that whole process and it makes it a much simpler experience.

Patrick Spencer 28:53 

Compromise typically higher than what your prospect thinks, do. They think, oh, we’re like two 3%, you, Tom, actually 15% of your passwords are compromised.

Josh Horwitz 29:02 

On average, it’s 20% or more. And that usually gives a little jaw drop. I think they kind of know, but they don’t really want to know, in some cases, how bad the issue is, they know it’s a problem they know needed to do something about it. But, you know, it can be quite revealing. But you know, look, at the end of the day, it takes only a single compromised account, particularly if someone’s going to do a password spraying or attack a targeted attack, you know, it just takes one account that they’re able to get a foothold in, to put your whole organization at risk. And so, you know, in some respects, whether it’s, you know, five accounts that are compromised or, you know, 50% of your accounts that are there currently floating on the dark web, they’re really both problems. You know, a smaller number is not necessarily an indication that you’re safe.

Tim Freestone 29:59 

One of the biggest challenges that we have at Kiteworks is at least going to market is convincing our prospects that Microsoft isn’t good enough meaning like they keep building, you know, Microsoft keeps building cybersecurity solutions across everything. Right. And so, it’s almost like everyone in cybersecurity right now is biggest competition is convincing the customer that Microsoft isn’t quite there yet in this particular domain or this particular domain, and you mentioned them in the beginning. Could you elaborate on that? They’re probably like, sort of a frenemy with you.

Josh Horwitz 30:36 

Yeah, I mean, the fact that they have put energy and intention into this is a, you know, it’s a good validation that they understand it see the problem. And as I mentioned before, if you look at their, you know, the was at the baseline configuration and recommendations, you know, they’re very vocal about having eliminated password expiration. In fact, if you did the, I forget exactly the name of it, there’s an audit that you can run, it just kind of goes through your security settings and sort of gives you a score based on how you’ve set it up, they actually decrease your score, if you have a password expiration policy, because they know that the having a password policy expiration policy leads to those poor choices on user basis, the issue is what they’ve introduced, and it’s really only in Azure, it’s not in on-prem AD, is ability to check passwords at the time they’re created. So that doesn’t do anything to address the fact if you’ve disabled your password expiration policy, you need a way to determine whether that password becomes compromised. So that’s one big hole that they have left. Other one is, you know, they’ve acknowledged that they really aren’t trying to go out and collect compromised passwords, their blacklist is based on their own telemetry, so folks that are doing attacks against their own infrastructure, they’re taking those passwords that they know to be used in those types of attacks, and creating a blacklist based on that, well, that’s great, you can get a good starting list based on that. But, you know, that doesn’t address regional differences. I mean, it’s only kind of their stuff, it doesn’t actually even include compromised passwords.
So we have a team that goes out and collects passwords from and really data breach information from the latest data breaches, and I’m sure you’re aware, you know, there are thousands of data breaches every year, in order to be able to say, hey, we found him your password, and this, and this username, combination in this particular location, you know, we need to get pretty deep, it’s we’re not just going to getting the low hanging fruit or a free database, or like in Microsoft’s case, you know, just kind of a snapshot that they can automate from their own telemetry, we’re going much deeper with a real threat research effort, you know, human intelligence to get early access to things. And that means the breadth of what we’re providing is much bigger, and it’s much more current. So, if you really want to follow NIST, or even Microsoft’s own recommendations, you know, they’re really not offering that and I, you know, it’ll be interesting to see, I mean, Microsoft rate at things that they can, they can build, if it’s going to be fully automated, there’s a human component of that threat research. And I don’t know whether Microsoft wants to be in the threat research business in this respect. So, you know, we’ll see, but for the time being, it really just is, allows the conversation to start with folks that are actually trying to keep unsafe passwords out of their organization.

Patrick Spencer 33:49 

Sure. Your data comes from the dark web as well as these incidents. So, you’re combining resources or data from multiple sources? If I understand correctly, it’s a bit ironic that you built a business based on data that’s coming from the dark web to combat the dark web.

Josh Horwitz 34:08 

Exactly. We like that position where we can basically foil hackers’ efforts by basically using their own tools against them, in this case their own data against them. Yes, you’re right. Our threat research includes both actors infiltrating places to get access to this information. We also use honeypot and our own telemetry, so that same technique that we just described that Microsoft is using, we just go a lot deeper.

Tim Freestone 34:45 

As a marketer, I think I just have one more question for you. How are you getting the market’s attention? What is your message? Because you’re one of, let’s say, 10,000 security vendors out there, there’s a limited pool of IT security professionals. Have you found that message that just hits it every time once you can have the conversation? Or is it always an adjustment?

Josh Horwitz 35:13 

We do quite a bit of inbound marketing to try to catch people when this is something that they’re thinking about. A big driver for us is, frankly, folks that have audits that have been flagged as something that they need to address, whether it’s because they’re required to comply with NIST. And so, you know, that aligns well with the inbound marketing. The message in terms of resonance is pretty simple. It’s like, you know, have you ever reused a password? And the answer is even, you know, the most vigilant is it will say, yes, and they certainly understand that their employees do; it’s just a question of what they want to do about it, and how quickly. Because we’re relatively low cost and relatively low friction to put in place, sales cycles tend to be pretty short. But yeah, we’re always looking for new ways to grow awareness and broaden the market that we reach.

Patrick Spencer 36:23 

One thing I find fascinating about your business, and this is an outside conversation that you and I had, is you’re a 100% US-based business. You don’t outsource any of these tasks, or activities or development offshore. It’s all onshore; that’s rare in today’s economy. How did you do that? And is there a reason why you decided to build a 100% US-based business?

Josh Horwitz 36:49 

So, you know, I briefly mentioned the CTO when I started and explained how I kind of got to know him, but I hold him in very, very high respect. And this is, you know, he was very clear that he wanted to keep very tight control. Like many identity-related, and cybersecurity companies generally, you know, there’s a target on our back. Hackers would love to get access to what we have. And a big piece of what we do is value associated with the data that we’ve created and other things that we want to just have a really tight control over. To his credit, he has been able to build a very efficient team of people that he’s worked with and who have long experience in cybersecurity and threat-related research. You know, we don’t have something that’s hard and fast that we might never expand beyond that. But we found it to work very well. And so yes, we are 100% US-based.

Patrick Spencer 38:00 

That’s great. That’s a feather in your cap and a huge success. So how can folks who are listening to this podcast, find out more on Enzoic, or to get in touch with you for a demo, or for one of those audits that we discussed? Yeah,

Josh Horwitz 38:15 

I mean, our website is absolutely the easiest place, Enzoic.com. You’ll see right kind of off the main net, you have access to the auditor tool, which we call Enzoic for Active Directory Lite. And that’s free and very easy to use, there’s nothing required with that. We also have a startup plan of the full Active Directory product. So, if you have under 20 users in your organization, then you don’t have to pay us, you’re just welcome to start to use it. And even for large organizations, that can be a nice way to start to roll it out or get a sense of it in a real environment. We also have some nice demo recordings. So, there’s like a really short one that I think gives kind of the major points in two minutes. And we can actually do a full walkthrough of the product in about six minutes. If you want to jump on the phone, we’re happy to spend the full half an hour with you to answer specific questions. But there’s quite a bit on the website that helps to allow folks to evaluate themselves without, you know, having kind of given over their birth certificates and other details before working with us. But I would start on the website, it’s a great place, and you’ll see ways to contact us there as well.

Patrick Spencer 39:42 

This is a product I think a marketer dies to market. It’s so easy, right? But this is pretty

Josh Horwitz 39:49 

value. It’s, yeah, it definitely has some nice attributes from a marketer’s perspective. So, I do feel fortunate that way.

Patrick Spencer 39:58 

Well, Josh, we really appreciate your time. This has been a fascinating conversation. I’ve learned a lot about the dark web and passwords, among other things, and it’s always great to reconnect with you. So, thanks for joining us.

Josh Horwitz 40:10 

Thanks. It’s nice to spend time

Patrick Spencer 40:14