Kitecast

Bryan Hadzik: The Intertwining of Cybersecurity and Compliance

December 21, 2022 Tim Freestone and Patrick Spencer Season 1 Episode 7

NCSi CTO Bryan Hadzik has spent over two decades with the Utah-based security and operations service provider. As cybercriminals and rogue nation-states focus their attention on hacking critical information, government and industry groups have responded by passing different compliance regulations, such as GDPR, FERPA, GLBA, PIPEDA, and others, and by publishing cybersecurity frameworks that include NIST CSF, ISO 27001, and SOC 2. Hadzik discusses how this has led to an intertwining of cybersecurity and compliance that organizations must address in order to manage private content and compliance risks effectively. He points out that insurance companies rate cyber insurance policies based on an organization's adherence to these cybersecurity frameworks and its ability to ensure compliance with data privacy regulations.

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Kitecast Episode 07: The Intertwining of Security and Compliance 

Patrick Spencer 0:24  

Everybody, welcome back to another Kitecast. Patrick Spencer. I'm here with my cohost, Tim Freestone.

Tim, how are you doing?

Tim Freestone 0:31  

Good. Okay, good Thanksgiving, Patrick.

Patrick Spencer 0:33  

Ready for another 25 days until the next holidays. So, we're joined by Bryan Hadzik, the CTO over at NCSi. How are things out in Utah? Snow season start yet, Bryan?


Bryan Hadzik 0:51  

Sure has. Matter of fact, it's snowing outside right now, Winter Weather Advisory. So, looking forward to putting on those skis and showing that we really do have the greatest snow on Earth. So, thanks for having me here on the podcast today. Appreciate it.


Patrick Spencer 1:03  

Well, we're looking forward to this conversation. Just as an introduction, Bryan is an anomaly in the technology space. He has been with NCSi since 2004. So, Bryan, a good starting point is: what in the world has kept you there for 18 plus years?


Bryan Hadzik 1:21  

Oh, that's a good question. So, I usually tell everyone I've got dirt on the boss, and now he can't get rid of me. But no, really, we have a unique culture and a unique process here at NCSi. You know, everyone tries to say they do it just a little bit differently. But we are a very family-oriented organization. A lot of organizations say that, but we really believe that we follow through with that. And so, it has enabled me to meet with hundreds or even thousands of customers at this point, and really understand the challenges that are out there. I really do love meeting new organizations, understanding what kind of issues and problems they have with technology, and then trying to find ways to solve it. And so, you know, I've got the best job in the world, I don't need to go anywhere. So very happy to be here. And I hope to continue that for many future years with NCSi, understanding more about those customers, and hopefully helping them achieve their goals.


Patrick Spencer 2:17  

Now, what you guys were addressing from a problem standpoint in 2004 is dramatically different today. It was dramatically different back in 2010, and 2016, even 2018. How have you evolved the business to essentially evolve, transition, and transform with the problems that your customers are trying to solve in the marketplace?


Bryan Hadzik 2:42  

Yeah, that's a good question. And when you look back that far, you realize really how far we have come. You know, it doesn't seem like ancient history, the 2000s. But from a technology perspective, it really is. So much of the landscape has changed. And you know what, so much of it has stayed consistent. We still have some of the same problems and issues that we had, but they crop up in different ways, and we have to try and solve them in different ways. Probably the biggest thing that I see has to do with the way that we interact with the consumers of our services. So, you know, I come from a little bit of an IT background. And so, the concept of a service that we provide to our end users, be it an email service or a printing service or something like that, that's really changed our users' perception of technology. Think about, let's call it about 20 years ago, 25 years ago, we were the innovators. We brought technology to the user. Can you remember the first time we approached someone and said, hey, we got this cool thing. It's called email. You don't have to have memos or call people anymore, you can compose a message on this computer and send them that message, and they can reply to it. You know, we helped innovate that, we helped create that. And something changed. We were the innovators, and we changed over time to maybe not be the ones dragging the company along, but the company sometimes feels like it's dragging the technology behind. And really, I blame this device right here, the consumerization of technology, and in this case the iPhone, and devices like it. It really transformed what users expect. So, think about that.

25 years ago, if you wanted a piece of software, you wanted to install something, it was difficult. You had to drive to the store, you had to purchase that software, you had to put it in the computer, you had to understand the mechanics of how this works. Now I open up the app store and I click download. It's as simple as that. And so, if a user comes to us and says, you know, I want to synchronize my files from home, maybe I want to work from home, I want to synchronize my files there. What do we say? Well, we say no. And that's unfortunately branded us as the Department of No, that we are led by the CI-No. And we all know why, on this conversation here: you've got regulatory concerns, we've got security concerns, we've got productivity concerns. There's lots of reasons we don't just want to go turn that on. But the user doesn't know or care about that. All they hear is no, you can't do that. And so, we shifted, we did this flip from where we were the enablers, and we were dragging technology along, to where now the user thinks that we're holding them back. Well, if they would just let me synchronize my files with Dropbox. I can install Dropbox on my phone, I can install it at home, super easy to set up. What about the regulatory reasons? What about the security reasons? We know why, but they just don't want to hear that. So, I think our biggest problem in technology today is that shift from us being the innovators to where our users do not believe that they are the innovators, or that we're not innovating anymore and we're holding them back. So, we've got to change the way that we interact with our users. We need to give them very easy to use solutions, we need to enable them to work from wherever they want to. But on the flip side, we need to provide those protections that are in place, right?

You can send our content wherever you want, but it needs to be sent in a controlled manner so that we have a great audit trail and we can prove that we're complying with these various things. So that's kind of what I think has changed so dramatically over the years. You know, it's kind of a joke. It's like we had a war with the end user, and we didn't even know that it happened. And worse yet, we've already lost it. You know, get your average user for a company, and have the CEO ask them, well, how is your technology working? And what's going on? Especially in the days of COVID, like we're having right now, everyone works from home. What if their Wi-Fi sucks, and they're having issues with it? Are they going to say that's the problem? No, they're going to come back and say, well, yeah, our IT department just is not that great, because everything I do is very slow. And so, we've got to change our perception of that, and really focus on what those user drivers are, and see if we can meet in the middle, like we were describing, with sure, you can have your cake and eat it too, you know, with our compliance.


Tim Freestone 7:07  

Yeah. And I can imagine, that's all very fascinating, actually. And I was thinking a little bit more about the user. So, the user is changing as fast as everything, and the type of user, right. So yeah, you have the dinosaurs like me and Patrick, right. And then there's Gen Y and Gen Z and millennials, and every single generation has a different expectation of how they get through their day, and how they allow technology to interact. So, you're keeping up with business innovation, and trying to keep up with user innovation and user expectations. And they're both changing very, very fast. I don't envy you. How are you tackling that? You know, what are you putting in place? Or what strategies, especially from the user side, with users who are becoming even more and more innovative in their own day to day life? Right?


Bryan Hadzik 7:57  

Yeah, absolutely. And then, obviously, COVID threw that all out the window, when suddenly the way that they work just so fundamentally changed as well. So really, I like to talk to my customers about bringing up the problem. We don't talk about it enough, to tell you the truth. We are sometimes in the ivory tower thinking, oh, well, we're doing a fabulous job here, and all the complaints that the user is talking about, yeah, that's just the peasant stuff, we're not going to go worry about that. So really shifting the focus, getting down on their level. You know, I have a customer that is a relatively famous fried chicken fast food organization. When they open up a new one, they opened up one here in Utah recently, and the line was around the block for a month. When I met someone from the IT department one time, they were wearing a logo shirt like I am, and it said the name of the organization, said, oh, they're an IT operation or whatever. And then below it, it said fry cook. And I said, it's kind of funny, it says fry cook on there. Why does it say that? And they said, well, what they do is they send their employees out to the actual restaurants themselves to learn about the business. Well, how do the fry cooks actually work? What is the technology that's being used? Right? They're out at the edge, getting out of the ivory tower, driving down to the user and watching what the user is doing, how they're interacting with the technology. So, getting down on their level and trying to get out of that kind of high point that a lot of people are at, and watching them do it. Oftentimes you can find fixes right then. Oh, you're doing it totally the wrong way. How come no one told you you could go and send it out via this method? Oh, we don't have a knowledge base article for that. It's just all tribal knowledge.

Okay, let's maybe try and solve that and write that down as part of a procedure or something. So, getting down on that user's level is also a very helpful way to understand what they're doing.


Patrick Spencer 9:47  

That's an interesting point, right? How does that inform how you measure risk at the end of the day, being able to get down and understand how the actual users are doing things rather than up in the ivory tower like you just described? You're getting down in the weeds. I assume that helps inform how you measure risk and how you work with your clients and collaborate with them, so they can actually determine how to measure risk down to that fry cook


Bryan Hadzik 10:12  

level. Yeah, absolutely. And that is really just understanding the business drivers behind the decision or the actions that the user is going to make. Why are they doing it that way? So, the user opened up an email and just sent communications with sensitive PII out across an unencrypted session. Why did they do that? Getting down on their level, most of the time it's not malice or anything like that. It's that they've been tasked with, well, this is just how I've been taught to do my job, or how I thought it was supposed to be done. And so, they're not necessarily doing it from a malicious perspective. Us watching that business process and realizing that we thought everyone was doing it this way, but in reality they're doing it that way. Simply just watching and interviewing them is important. And you're going to hear a lot more about things like DEX. So, DEX is digital experience. And so, understanding what, maybe, latency for the user is like, what their day-to-day impact is when services are out, their service outages, how many tickets they've been opening, what their bandwidth is, measuring all these data points, the hard data points that we can measure, and then the soft data points, like actually talking to people and asking them about it, are a big part of improving that. So hard data and that kind of soft data, bring that together to try and see the drivers behind that decision.


Tim Freestone 11:43  

Yeah, and you call it DEX, Digital Experience?


Bryan Hadzik 11:48  

DEX, digital experience. And there's a lot of vendors doing more and more with it these days. Yeah.


Tim Freestone 11:52  

But I can imagine when you get down to that user level and their digital experience, a lot of the, while not meaningfully harmful activities, ultimately harmful activities aren't always "didn't know about it," but "knew about it, it's such a bad experience, I'm going to go around it anyway." Because I don't want, me as a user, I don't want the user on the other side that I'm trying to use all of this with to have problems. And then we're in a productivity stall, because we're trying to troubleshoot. For instance, what you said about encryption, the experience from a decryption to an encryption, and you start talking about S/MIME and TLS and PGP, and everybody's eyes roll over, and they start going to Google and sending stuff, right?


Bryan Hadzik 12:37  

Anything that causes friction for the end user to do what is, in their mind, their job is going to be a struggle. And, you know, back to that Department of No, where's the blame going to lie? It's going to fall back on us, that we didn't provide a frictionless experience for them. That's why they went to their personal Gmail and emailed that document out, because they needed to get the job done, their boss is after them to solve the problem. And so, deconstructing those parts, usually we can help try and find those inconsistencies in our business process, and hopefully tune and tweak them to improve.


Tim Freestone 13:15  

So, springboarding off that a little bit, in terms of the biggest challenge. Other than just data breaches and information leaking being a challenge, what are you hearing from your customers as being the absolute top of mind, got to solve this in the next 16 months? Is there a theme there that changes every 16 months, and now we're in this theme of 16 months, right? Anything you see that threads itself throughout most of your customers, that you can say, here's the next 16 months of challenges?


Bryan Hadzik 13:51  

You know, I'd say it's probably not one thing, I'd kind of put it in two things. The first is the recovery from the concept of, you know, what was COVID? What does the new world look like? Gone are the days of before COVID, BC. We need to change the way that everyone operates from a business perspective, because gone are the days of everyone coming into the office, for the most part, and doing it the way that we did in the past. So that shift to a permanent hybrid model, I think, is kind of a sticking point for a lot of organizations, because they don't know if they're going to be permanently remote, permanently back in the office, or kind of waffle back and forth. And, you know, are lockdowns and stuff going to come back? We just don't know any of those questions. So, making it so that they can say we want to enable that hybrid, that new world of hybrid where I don't know where you're working, you might be in the office, you might not be, and kind of enabling that. I think that's probably one of the biggest challenges that organizations are coming up with. And then the next one is, you know, security never goes away. It is something where we are only getting more and more regulations. I mean, that's a good thing, and it's a bad thing. Look at California, which just passed their new Consumer Privacy Act. So, for those that aren't aware of it, it's not exactly like GDPR. So GDPR is a governance law that the EU enacted three or four years ago that gives the consumer lots of privacy controls over their data. An example of that is the right to delete: if I want to go delete my account, you have to prove to me that you erased all of the data, and you're not just deactivating and kind of hiding it over here. So, California just passed a sort of equivalent law that's very similar to that. And so, we've got to match those regulations.

We've got things like CMMC from the Department of Defense, we've got HIPAA regulations, all these regulations. So, I now need to compete with not only laws, but also, oh man, yeah, the hackers haven't gone anywhere. They're just as aggressive as ever. What are we going to do about that side? So, from a security perspective, that's always very, very top of mind for our customers. So, I would say security, and figuring out what the hybrid world looks like, are the two biggest challenges customers are talking about over the next 12 to 16 months.


Tim Freestone 16:14  

Yeah. I started talking about the new calendar, like you said, BC was Before COVID, and AD is After Delta, right. That's how we live now, everything's anchored on that. With the other challenge, with security, there are the two sides. I often say I just don't envy people in the security profession, because as if hackers weren't difficult enough, now it's regulations. And I was having a conversation with a CISO who had left his job in a large financial institution and went to Carnival Cruises. And why did you do that? As quickly as he could: regulations, there's just too much, we just could not keep up, we're constantly fighting fires. And basically, in his mind, security, or protection against the hackers, had taken a backseat, whereas in a less highly regulated arena he could focus on what he enjoyed, which was protecting the organization from the leaking of data. So, with all these new regulations coming out, I can imagine there are a lot of professionals looking for how do I streamline auditing and reporting and all of that piece of it, so I can get back to and focus on what's ultimately the biggest problem, which is data breaches, right?


Bryan Hadzik 17:47  

Yeah, and that's a good thing to point out: those regulations, they're good, and they serve a good purpose, and they're well intended. But in reality, far too many times they become checkboxes, where, well, I just got to check that box, I got to get that auditor off my back. I don't care what it is or what it does, I just want to check that box. Whereas we need to shift our focus on that to say, well, we want compliance driven security, you know, instead of security driven compliance. We want to make sure that what our security goals are driving to, well, we'll just deliberately check the box anyway, because we are complying with the product to begin with. I can't tell you how many times I've dealt with customers and gone through a big implementation of some security product. And at the end of the day, they're like, okay, great. Alright, when are we meeting next? Why don't we digest these reports? What are we going to dive into next? Oh, no, this project's done, we checked that box. Now we can say we comply with it. Well, hang on. Hang on, Becca. Well, are you going to continue monitoring that? Are you going to focus on it? No, we're just going to check the box. So, taking a step back and saying, instead of reading through the guidance and saying, okay, here's the compliance I need to work on, kind of going in the opposite direction and saying, well, hey, I need to comply with this. But let's take a step back. What should we be doing for this from a security perspective? Oh, let's go and get a product or solution or policy that solves these, and just make sure it happens to line up with that checkbox that we need. So, at the end of the day, we kind of get the best of both worlds. Yes, we're compliant. But then also, we're actually using it and getting value out of the product, instead of just saying, wow, we checked the box and now we're done.


Tim Freestone 19:19  

There's probably a tangent here, at the risk of going down it. But I imagine a lot of the drivers behind checkbox strategies are just a lack of human resources to go further, because they've got seven more checkboxes ahead of them that they need to do. So we're into that whole resource problem in security. I'm not going to ask you how to solve it. But just think, again, back to the CISO I was talking about, all he was doing was chasing checkboxes. And I'm sure he didn't want to, it's just he had only so many resources and a whole mountain of checkboxes ahead of him. Even now, with the third-party risk industry, you know, I sat with a couple of analysts who were focused on third-party risk. And they were frustrated because of almost exactly the same thing you said. They would get through, like, where's the data? How secure is the data in your third party? How do they protect it? What are all of the technologies they have in place? Get all of your checkboxes, get the report, pass the regulation, and you're done. So, no, you're not done. Once the data starts to move into that third party, you're going to assume breach. You're going to assume that even though they've gone through your checklist of third-party risks, you still need to protect the data, you still need to control it, because it's yours. It's just on loan. Right. So, I think, again, how do you go past the checkbox of regulation and into proactively managing risk? Because of, right?


Bryan Hadzik 21:00  

It's also a difficult problem when we start talking about things like staffing. So staffing is still a concern in most of the customers I talk with. The job market is still very tight, and security is kind of a special unit in and of itself. And a lot of people that want to get into security, they love the deep technical, the real nuts and bolts of what's going on. They don't care about regulations, that's not their jam. They didn't get into it because they're like, oh, I can't wait till I can fill out this form for our compliance and talk to auditors. That's not what they got into it for. They said, you know, I saw the movie from the 90s, Hackers, and I want to be like that. So the people that get into it also are not what I would consider very audit or compliance driven. They're driven by the exciting technical reasons for it. So, another reason, when you hand it to an end user or your security team, they're going to prioritize kind of the more exciting things versus some of the more meat and potatoes, the basic blocking and tackling that we need to focus on. We're skipping over that to get to the exciting stuff. So no, I don't have a magic answer for that. If I did, I'd write a book and be a millionaire. But I think our bigger concern, and what we need to do, is take one step back from those regulations and see how we could drive the business drivers towards those regulations, instead of just putting the regulations on top and checking the one box. But that's a difficult task to accomplish, because it requires a lot more foresight. And it's not just, well, I got this regulation for CMMC, how do I check that box? It's no, let's really read through it. I mean, how many people have read through these? Have you ever read through the PCI or HIPAA laws?

They're dozens and dozens of pages of the most boring legal technobabble ever. They're difficult to understand. But taking a step back and understanding what the bigger picture looks like is usually a way to help try and solve them.


Patrick Spencer 22:59  

Now, where do you build the compliance conversation into the customer journey methodology that you have as an organization, the IT service management approach, managed service? When do you strike it up? They probably are coming to you, in most instances, trying to talk about cybersecurity. When do you introduce the compliance angle? Or is the compliance angle coming up initially, and then the cybersecurity conversation follows afterwards?


Bryan Hadzik 23:25  

Yeah, that's a good question. Specifically, that customer journey, at least the one that we talk about, is this concept that we've unfortunately gotten maybe a little bit too crass about, specifically in the reseller space, where the important part is, you know, having a problem, evaluating solutions, purchasing that solution, and then riding off into the sunset, right? Well, we don't see that as the journey. We see the customer journey as the understanding of the problem and the adapting of a tool to help solve that problem. That's just the very start. The concept of reevaluating over time and seeing if it still meets our business drivers, going through continuous improvement. Well, yeah, we've got it installed, we've got it configured, but you know what, would adding this process or controlling that process be better to meet this particular audit requirement, or to address this particular part of the regulation? Going through that continual improvement, figuring out what you can do to improve upon that process, putting it through UAT and testing, and then putting that into production again. It's always kind of a continuous lifecycle for the various solutions that we have out there. Most of our customers are thinking about regulation right at the start. They don't usually come up with that after the fact. And that's because we're all kind of stuck in the way that we've been talking about for a while now, that those regulations are huge drivers for us. They come from on high, they come from the CIO, from our legal counsel, etc., and tell us that we need to meet these particular requirements. And the very first thing is, well, let me just go, this CMMC thing as an example, and see what vendors can help me provide that. I wish that we could get our customers to, again, take a step back.

And I know it sounds crazy, but read through the thing and understand a little bit more about what's going on. Don't just take some vendor's word for it, but actually read what it says. Even though it's full of legalese and so forth, we can parse through it and better understand what, potentially, the goals behind it are. You don't read that in the headline of the regulation. You read that on line item number 426, saying, here's why we're trying to accomplish this, this particular problem and what it's attempting to solve. Understanding that problem, mapping that problem to what our business looks like. Do we have that problem? Is that particular issue happening? Do we need to comply with it? As crazy as it sounds, maybe stop doing it that way. If your problem is that you're not sending secure faxes, and fax machines I wish we could kill off but the technology won't go away. Fax machines? Yeah. So, we can't kill them off. And if the answer is, well, you're not sending secure faxes, I don't want to see you going and buying a secure fax machine product. Take a step back, evaluate why you're sending out fax messages, and see if we can realign the way that we do business instead, so that we can just ignore that regulation and say not applicable. Not Applicable is a Get Out of Jail Free card when it comes to regulations. There's no reason we can't slightly change our business processes in order to fix that. Now, you've got to be careful with that. You want a bank that can't be robbed, you know, bolt the door shut, brick in all the windows, and never let anyone inside the building. Now, we can't do that. You can't operate a bank if you never let customers inside. So, we have to accept that risk. Let's just try and understand what that risk is, and maybe change the way that it behaves.

And so, purely understanding what those regulations are asking for, seeing what our business processes are first, then arriving at okay, maybe let's look to see if there's a piece of software or a vendor out there that solves this problem. Instead of jumping straight to that: they read through the regulations, they Google that regulation, there's an ad at the top that says we fix this problem. Okay, show me what it looks like. Well, no, take a step back. Evaluate what your business processes are.


Tim Freestone 27:24  

That risk problem, that's got to be the most complex, because every customer is different, right? What's your threshold for risk? Is it here? Is it here? What are the elements that increase risk or decrease risk to get to your threshold? Do you start out a lot with defining, trying to get a customer to articulate their risk threshold, and then architecting around getting them to that point? Because security, being secure, isn't the thing. There's always going to be a hacker or a pen tester or somebody that can get through. It's why that whole industry exists. So, it's all about what's the risk threshold that you're trying to accomplish. Would you agree with that? Sort of getting at, like, project management 101: what's the goal? How do we get there? So, if you can't align on the goal, then for me, I just can't find any other answer besides your risk threshold as a company, then you can't, you know, roadmap to it. It's just more of, like, would you agree with that kind of statement?


Bryan Hadzik 28:34  

Yeah, yeah, absolutely. And understanding that risk is something that is not well enough thought out when organizations are looking at technologies.


Tim Freestone 28:45  

Yes. Like, they just go right to the "I need this tech stack now." Yeah, absolutely. First, right?


Bryan Hadzik 28:53  

I need this regulation covered, let me buy this software, problem solved. But you're absolutely right, getting them to understand that they have to be able to calculate it. And I love going through thought exercises. I think that gets people really thinking about it quite a bit. So, I love to bring them up in my conversations with customers and just say, hey, let's do a thought exercise. Let's think about it for a second. One of my favorites to do deals with data breaches. Let's pretend for a second that your organization has a data breach, and you've got 500,000 customers, you've got a million customers, or whatever it ends up being. I want you to pretend for a second: how much are you going to pay in stamps to send a letter to a million people that you lost their data? Just the stamp. I'm not talking about the envelope or the printing or anything like that. What's a postal stamp these days? I don't even know. Is it 60 cents?

 

Patrick Spencer 29:46  

As long as we can, a lot.

Bryan Hadzik 29:49

So now you have to buy a million of them because you just had a data breach. How much is that, a 60-cent stamp times a million? So, when you go through exercises like that, thought exercises, I think you can start to get the gears turning with our customers and with employees inside the organization that don't want to think about risk and security. It's, you know, it's like, I don't know, death and taxes, people don't want to talk about those either, or maybe religion or politics, you don't want to bring it up, you don't want to talk about it. That's a real bummer, right? Now we've got to talk about it. And let's bring in those maybe a little bit more casual conversations to get everyone talking about it. I want 10 people in a room, and I want to go through that thought exercise with them. I don't want the one risk person there to think about it. I want everyone to be thinking about that. Then everyone can say, oh, wait, yeah, you're right, that'd be $60 million in stamps that we'd have to buy. That makes a lot more sense while we're putting in a system that's going to help protect our data. Or, you know, what about the reputational impact that would be associated with it? Let's pretend for a second that all of our user data was posted onto the internet, what's going to happen to us as an organization? And what are the ramifications associated with that? So instead of trying to get all these really complicated risk terms around it, I find that these kinds of thought exercises bring a little more casual attitude to it and get everyone thinking about it. And hopefully, we can come to a little bit more correct assumption or correct decisions, because we got everyone thinking about those risk calculations. But yeah, most organizations don't do a great job. They skip over that. And they go straight to, you know, how do I solve this problem?
Or they kind of flip-flop it. They say, well, risk management is absolutely part of our decision-making capabilities. We have a problem, we interview vendors, we decide on which one we're going to purchase, then we run it through this risk calculation just to make sure that the vendor is valid, and they follow all the rules and regulations and so forth. Take a step back: risk is not just at that point, it needs to happen before you pick up the phone and call your first thing.

Tim Freestone 31:52

Yeah, yeah. Then, a lot, to what degree do you see, like, technology of the month playing into people in IT security professionals' strategy? So, zero trust, for instance. You know, I wouldn't say it's of the month, maybe of the decade, because it seems like it's just not going anywhere, although it did evolve to some degree from a marketing buzzword to an actual strategy. But do you see companies and customers saying "I need this, because this is what the market is telling me to do, in order to better improve my security posture and lower my risk"? You know, using zero trust as a specific there, right? Do you see that happening?

Bryan Hadzik 32:37

Yeah, unfortunately, I do. And really, it boils down to the fact that, you know, most of our customers, they have a full-time job, they've got to work 40 hours a week, you know, doing whatever it is in IT that they're doing, keeping the wheels turning and keeping the, you know, the bus moving along. They don't have time to read books, they don't have time to do research, read research papers, and things like that. And so, they don't get a great way to step back and say, I want to understand what's changing in the world. You know, zero trust, you pointed out, it's just such a big buzzword, every other call I get on with a customer, they bring up zero trust. And I put it right back on them: what does that mean to you? What does zero trust... that's more of a philosophy than it is a product. And don't get me wrong, I like it. I like the concept of zero trust. You know, we need to stop trusting things that we inherently trusted before, when we stop trusting our users and what they do with our data, that they are inherently correct when they are maybe not. But yes, you're absolutely right that it is the buzzword of the month or the year, or, you know, we're probably four or five years into zero trust, and it's probably going to hang on for another couple of years. And then AI or something will come up. Machine learning was that for a while, AI, machine learning, everyone asked about it. But no one could even describe what that meant, or what they were trying to do with it. It kind of fizzled away a little bit and we switched over to zero trust. So yes, I agree that that is a pretty big problem, that we're falling into the marketing too much. Zero trust, I didn't see it exist as a product or even as a grouping of products. And then people just started kind of pushing it and taking product X and bringing it: oh, that's zero trust. Oh, product Y, that's zero trust. Well, why? Because you named it that?
Or was it truly trying to tackle the tenets of that philosophy, a philosophy that says, you know, we don't trust even our own employees with their information or with their data, we are going to segregate and, you know, make sure that they are, you know, not just given carte blanche access to everything? So I agree with the philosophies of things like zero trust in principle, but yes, marketing just got a hold of that and is now shoving it down everyone's throat, and it's not necessarily the right, even the right answer for a lot.

Patrick Spencer 34:59

Do you think zero trust applies to how you control and manage your content? Is that applicable?

Bryan Hadzik 35:06

Well, I believe it does. Zero trust, oftentimes, the majority of times, rather, is really applied to the connectivity for the most part: when a user VPNs in, or are we sending them up to the cloud, and they have access to something up in the cloud, and then it tunnels back to our office. Or, you know, gone are the days of when I turn on my VPN, or plug into the office, I get everything, every server, every IP address, it's just, you know, completely open to me. We're going to start segregating and firewalling that off. So, zero trust today, and in the past, most people associate with networking and networking-related style activities. We need to take that same philosophy, and that philosophy is we don't trust even people who we thought we may have trusted before. That's the philosophy of zero trust. We need to apply that to our data. And that's not where a lot of people are talking. A lot of people are talking about networking. I want to change it so they are talking about the data. Because how do we know that that user, again, it doesn't have to be malicious, we don't always have to look at it from a malicious angle, it could be accidental, it could be just to get around our controls that we put in place. We'd have zero trust around data: I do not trust you with all of the data that our organization creates, because all of it, a lot of it, is consumer-oriented data, right? I do not trust you to send that wherever you want, whenever you want, and have you, the end user, be the steward of the security of that data. We can't do that anymore. We need to have a zero-trust policy.

Tim Freestone 36:39

You're getting a little bit into our stump speech, because I totally agree. There's this, you know, zero trust access to the network, okay, check. Then within the network, there's applications, zero trust at the application. So, the network and the application layer, still technology. Like, well, what about the data? That's the whole point of those two layers is, like, nobody breaks into applications for the application itself. I won't say nobody, I guess somebody could steal code, and then it'd be IP, but it's all about the data. So sure, apply it at the network and the application layer, but also the data, also the content. So, if the content gets out of the applications, out of the network, you still have zero trust around that piece of content, right? That, you know, for lack of a better word, follows it. And then, really, it's again back to reducing risk, reduce the risk to the level that you possibly can, right?

Bryan Hadzik 37:42

Our business drivers are we need to get that content out to the right people. In classic models, it's all up to the user, you know, please don't send our entire customer list with every security number out to someone's Gmail account, or, you know, that's our old model behind it. Now we can come back and say, no, the data is everything. You know, when we're talking about data breaches and things like that, nobody cares how many workstations got malware installed, right, and whatever, it's the data, the data is everything. And so just like you described, I like the concept of, you know, we're sending this data out into the world, but we're putting a shield around it, we're putting rules and controls and regulations and audit trails around that data. So, when it goes out, we can ensure... never is it going to be perfect, just like you described, you know, making an unhackable system. You can unplug everything, that's a pretty good step towards it. But we can't do that. So, you know, having to go out into the world and say we put the best controls.

Patrick Spencer 38:41

A lot of the compliance regulations you see arising are wanting you to demonstrate proof that that actually happened. Are your clients coming to you and asking you not only to get those controls in place, but to be able to demonstrate that they have them when they're audited for HIPAA, they're audited for GDPR, they're audited for CCPA? Or, you know, we're going to have one another, for individual state laws going into effect this year, that are all related to data privacy, to be able to demonstrate compliance with each of those. You know, what transpires when clients talk to you about these issues?

Bryan Hadzik 39:18

Yeah. And you point out kind of a really terrible problem that we're having now. I have one of them here in Utah, I was just reading up on those data privacy laws. We're going to get to the point where you're going to have to read through 50 of them and make sure you match them, just in the United States. Now, they're all going to be different, of course, of course. So yeah, absolutely. And that really stems back to something when it comes to these kinds of regulations: it almost doesn't matter if we actually implemented the security. You know, I always talked about this back when we started to do a lot of full disk encryption on our laptops. You know, when we were talking to customers, we would make kind of a funny statement that was true, but unless you really thought about it, you didn't notice it. And the kind of the idea behind it is, it is irrelevant if that hard drive is encrypted. Doesn't matter, I don't care, it is irrelevant. It is incredibly important if you can prove that it was encrypted, because if it was encrypted but you can't prove it, you're going to have to tell every regulator you can't prove it, so it might as well be not effective. So that audit trail that we have is hugely important. It's not just, well, that's a nice log that I can spit out in the back end. No, the audit trail is essentially the reason that we're doing it, or the proof that we have done it. So, I really emphasize that with our customers. Not a lot of them start with that as a huge driver, and I hopefully help try and convince them of that. Say, you can, again, those thought exercises: let's pretend for a second that, you know, this drive wasn't encrypted. How are you going to prove that it was encrypted? So, the audit trails are only a more and more important thing in those kinds of regulations.

Patrick Spencer 41:03

Does that apply when it comes to cyber insurance?

Bryan Hadzik 41:07

Absolutely, yeah. When you're coming back and you're getting your cybersecurity insurance, for those that haven't been paying attention, those rates have gone through the roof. I've heard as much as five to 10 times as expensive to get some cyber insurance. And you have to prove to the insurance company, I mean, this wasn't something that was happening before. Insurance companies, you know, in the past, they're like, okay, how many employees do you have? And, you know, how many buildings do you own, and things like that. They started kind of to wise up to it, that's, oh, if we're going to be giving you cybersecurity insurance, as an example, and you've got a big ransomware attack, we're going to have to pay out that ransom. That's what the insurance is there for, right? So now, just like when you go get health insurance, they don't just say who you are, you need to get a blood test, you've got to check your cholesterol levels or things like that. And that's going to adjust your rates. So, insurance vendors are starting to realize this. And they're asking questions of, okay, do you have an EDR solution? What are you doing with secure email messaging? How does your backup work as it relates to air-gapped? And so right now we're having to prove what we're doing as it relates to that. And a lot of people might not care about that, the insurance, who cares, whatever, that's not my department, not my job. But the rates are going to be astronomical. We need to partner with whoever deals with that, risk management, or legal, or whoever in our organization is dealing with that. And we need to say, hey, how can we help drive down this cost? You know, we've got some great examples of customers saving millions of dollars on their insurance premiums by buying technology that checks some of those boxes that the insurance companies are asking.

Tim Freestone 42:45

Well, I don't know if I have anything else, Patrick. So, if you've got any more up your sleeve. That was very informative from my side.

Patrick Spencer 42:52

I had one more question for Bryan. We're here near the end of 2022. As you look out to 2023, you gave us two things that are top of mind for your clients today. What are some things that you think we're not talking that much about right now, but as we go into 2023, there'll be more and more conversations around those items?

Bryan Hadzik 43:12

Yeah, good question. So, you know, I know that there is a forecast report that you guys have been putting out that talks about kind of some of the trends and so forth that are happening. And there was one thing on there that I think is really worth thinking about and talking about and bringing up more with customers and, you know, again, having those thought exercises about it. It has to do with the concept that we deal with so many vendors. You know, you cannot be a business in today's economy and not use technology. You know, I went into my brother's cabinet business, so he builds cabinets for a living, you know, builds wooden cabinets and puts them in kitchens, does a great job. And I went in and talked to him, like, well, why are all your guys standing around? Something was wrong. They didn't want you standing there. Oh, yeah. Our computer system that handles the CNC machine, that is not working, and the scheduling system over there, it's not working. You couldn't get it working for a couple of days. All of his guys were standing around there idle. And it really pinpointed the fact that he is not a cabinet maker. He's a technology company that happens to cut wood. You know, technology has permeated everything that we do. So, a business has to rely on technology. They call up Microsoft to host their Office 365, they call VMware, or Amazon, and, you know, Google or Azure, to host their virtual machines and things like that. We deal with vendors every single day, all day. It's what somebody's been doing for the past, you know, everything in technology. But the problem is that you're essentially handing your keys over to the vendor, in a conceptual stance, that they are now responsible for security. How do you secure Office 365? I sure hope Microsoft is doing it. That's what I'm paying them to do, right? Or maybe I'm able to go read the manual or call Microsoft. You know, it's a complex problem.
So, in that report, they talk about one thing specifically, and it has to deal with encryption keys. I think this is really under the covers, no one's talking about it, and I want to bring it more to the forefront. And that's the concept of not completely trusting your vendors. Zero trust: we do not trust our employees, but we have complete and utter trust in our vendors. Wait a minute. Now that's not right. So the concept of getting tools and things like that, that we can still have the encryption keys, that we can actually guarantee that if one of our third-party vendors has a breach or has an attack or something like that, that we are not thrown under the bus for what our vendor did. If we can control those encryption keys, fine, I don't care if their software was breached, they got on the server, doesn't matter, everything's encrypted, and that vendor never had a key, so they cannot get our data back. I think you're going to see a big push around things like that. So that when we send our data out into the world, and we interact with these vendors that we are paying large amounts of money to, if they have a data breach, or if they have a problem like that, it's not going to negatively impact us because we say, hey, all the data was encrypted, and we stored the keys, you didn't, you know, problem solved. So, I think that's going to be a big up-and-coming thing a lot more people are going to be talking about.

Patrick Spencer 46:25

We certainly agree with that. Well, we could go on for another 40 minutes, I suspect, Bryan, but time is up. We'll let you go check out the slopes.

Bryan Hadzik 46:35

Appreciate that. Thanks again for your time, guys. Great conversation.

Patrick Spencer 46:38

Yeah, thanks. We appreciate it. Have a great day. Thank you for joining us.

For anyone who would like to check out other Kitecast episodes, you can do so at kiteworks.com/Kitecast.