Kitecast

Mark Lynd: Connecting GRC With DRM

May 26, 2023 Tim Freestone and Patrick Spencer Season 1 Episode 13

Mark Lynd is a former CEO, CIO, CTO, and CISO and currently serves as the Head of Digital Business at Netsync, which employs a consultative and collaborative approach to help organizations architect innovative technology solutions that meet business needs. He is an author and a frequent speaker on topics related to AI, IoT, and cybersecurity, is ranked in the Top 1 Globally for Security by Thinkers360, was named an Ernst & Young Entrepreneur of the Year for the Southwest Region, and is frequently interviewed by and quoted in publications such as The Wall Street Journal, InformationWeek, and others. Before his time in the private sector, Mark served in the U.S. Army’s 3rd Ranger Battalion and 82nd Airborne Division.

In this Kitecast episode, Mark discusses the significance of GRC (Governance, Risk Management, and Compliance) in today’s technology landscape, which is being propelled by accelerated evolution in cyber threats, third-party risks, and data security issues in the cloud. One outcome is that organizations must prioritize GRC strategies rather than making them an afterthought. In addition, Mark argues that Digital Rights Management (DRM) is critical when implementing a GRC strategy that addresses a zero-trust model focused on protecting sensitive content.  

Beyond connecting GRC with DRM, Mark also speaks about artificial intelligence (AI), why it is important to teach cybersecurity life skills to teenagers, what he will be covering in his next book, how lack of DRM governance in the higher education sector is exposing national secrets, and more. This is an insightful discussion for anyone interested in learning from a proven leader who is dedicated to digital transformation and cybersecurity.

LinkedIn Profile: www.linkedin.com/in/marklynd 

Netsync: www.netsync.com 

Published Book: Cyber Security Life Skills for Teens: Life Skills for the Digital Age

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Patrick Spencer:
This is Patrick Spencer. Welcome back to another Kitecast episode. I'm joined here with my cohost, Tim Freestone. Tim, how are you doing this morning?


Tim Freestone:
Hey Patrick, how you doing?


Patrick Spencer:
Doing well. Excited about today's conversation with Mark Lynd. Mark is currently the head of digital business over at Netsync. Uh, he's a top five globally ranked thought leader, strategist, keynote speaker for cybersecurity, artificial intelligence, internet of things, you name it, he can talk about it. He lives in Frisco, Texas. He's a former CIO, CTO, CISO. He's led various technology and sales teams in addition to his current role that have sold literally millions of dollars in software. He served and served at various, he served and serves on several corporate boards and has been interviewed by numerous publications like the Wall Street Journal, InformationWeek, eWeek, and so forth. Among other areas of expertise, Mark is a subject matter in compliance and governance, GDPR, HIPAA, CMMC, FedRAMP, you name it. He knows every acronym underneath the sun. Before Mark came into the public sector and did all the stuff we just talked about, he served in the US Army, in the 3rd Ranger Battalion, and the 82nd Airborne. So Mark, first of all, thanks for your service, and thanks for joining us.


Mark:
Absolutely, thank you. I'm looking forward to it.


Patrick Spencer:
So Mark, after you stopped jumping out of airplanes, how did you get into the private sector?


Mark:
Well, interestingly enough, it was, um, it was one of those things where you kind of just know, um, it's one of those stories where you just felt it. I was in the, uh, I was in the Rangers and, uh, they said, uh, I had, I had hurt my knee and so I had to take like a month off, um, of duty and they're like, well, do you want to go to a school? Which is what they typically do because people get hurt all the time, right. Especially like in the Rangers when they sick at air, more, et cetera. And, uh, so I went to a school that taught people that use mortars how to do fire control. And we used grid boxes, right? Laptops, they were effectively like laptops, more like tablets maybe. And, but they're hardened, so you carry them in the field. And I'm telling you, the minute I started using it and started learning how to do it, I knew. I just felt it. I knew I was getting out of the military at that point. I still went and did the Delta Force run. I made the 26 miles, but I didn't make it the right time.

I was thrilled and I feel very blessed that I was somehow given that insight. And I got right out, I went back to the University of Tulsa where I had been gone before. And they had a great computer science course and MIS, and I did it, and then I started working for Amrata Hess and Pro Systems and just kind of came up to that. Because I have a really big mouth and I like to talk, they kept promoting me; they didn't know what else to do. So I ended up, you know, moving along and doing that, but the security piece has always been part of it. I think the military ingrained the security element in there and it still carries through today.



Patrick Spencer:
How do you go from that background and it's very entrepreneurial, if you look at your career history, plus the variety of roles that you held, right? Business development, CIO, CTO, CISO, that's a very unique background for the bulk of what we see in the marketplace today. How did that happen? That gives you a very unique perspective, I suspect.


Mark:
It does. I kind of look at it like I went through three very distinctive hype cycles and I'm going through another one right now. Um, you know, the internet in the nineties, early nineties, it was just, everybody was kind of like, ah, the internet, it's a fad. And, you know, nobody really took it seriously. And Amazon was a complete joke, right? Losing money, whatever. And, you know, it was just all people thought it was all hype. And ultimately it did evolve and turn into something that had great bad value for both business and personal. Um, and had a great impact on society. So that was one hype cycle. The second one, you kind of look at what was going on and thinking about how the mobile phone thing took off in smart devices, et cetera. That really changed things a lot as well, how that was going to go. Then social media, they were very close to each other and actually probably highly dependent on each other. Now we have AI and I'm doing a lot in the AI space right now as well, especially the generative AI and how it works with security, et cetera, and pushing that out and evangelizing that. I think having the luck and timing to be able to ride in those hype cycles required a little bit of flexibility on what roles I was going to be part of, which organizations I was going to work with or be part of. And I think it's interesting. I think it's going to impact the way that our kids and the generations that are coming up now, how they're going to do that. Because I think they're going to aim back to be more collaborative with technology than we were.


Tim Freestone:
Yeah, I have a follow on question there. You mentioned the few hype cycles. How do you compare the current one to what you've gone through with mobile and the internet and the current one being AI? Same different, faster, stronger.


Mark:
Yeah, Tim, I think that's the question of the day really for a lot of people. I think a lot of people look up this morning and go, what happened at AI today? And it had to be like 15 things, you know, huge announcements. I think this in my mind, because of the validation of the other technology hype cycles and people realize that a lot of times when you, if you don't collaborate, if you don't take time and learn and invest yourself and learning about that and your organization, you'll find yourself on the opposite end of success. So this cycle, I think, is probably the most aggressive, the first fast-paced, probably has also the potential for the largest impact because it goes across all spectrums of our societal, political, work, personal, you name it, it's involved in everything. And especially with the idea around co-pilots and AI assistants and all that. I mean, people are just really adapting to that very, very quickly. And I think the adoption cycle, usually it follows the bell curve. This is, I think it's accelerating. It's just amazing. I'm fascinated by it.


Tim Freestone:
Yeah, me too. And one of the things I'm fascinated by, and I live in a bubble, right? I'm in Silicon Valley. So I look around and for me, the whole world is paying attention. It's not the case. You know, I talk to people outside of the bubble and extended networks and they'll ask me, tell me what is ChatGPT for again? Like, how does that, to your point, how are you not waking up every day and trying to assess how your life is going to change that day because of this, right? Um, and you know, you can get me on a soapbox here, Patrick knows this, but I fully agree with you, you know, and when we will get in your book here, but I think about my daughter, he's she's 13, right? What she has to deal with from a privacy perspective, from a her cybersecurity landscape and everything that she needs to do because of this. It's I'm looking for another book that says, do this, Tim, because


Mark:
Yeah.

Tim Freestone:
I don't, you know what I mean? It's incredible.

Mark:
Well, it's interesting. You think about when it starts, when these AI investments that are now starting to trickle into Microsoft Office and did Google Gmail into some of the social applications that are very prevalent for our teens, right? I have a 14 year old daughter, just turned 14 yesterday. And I'm a 16 year old and I have one that's out of college, I'm still on payroll. And you know, it's one of those things that you can kind of see the differences, but. When I go and I talk about what I do, because they know what I do, right? They even helped, they even looked at the book for me and told me, dad, don't use that, don't say that, you gotta put that in there and all this, which I appreciate. But their ability to use those tools and I think to be able to assimilate what's coming down the pike is gonna be amazing because they talk about it as if it's a foregone conclusion, not it's amazing. But you're right, there's this huge swath out there that has no clue what's going on, but they don't realize it's just like you go ask somebody, one of the greatest things I ever heard. I was at this amazing conference in Florida and it was a public center, it's called Flogiza, right? It's for government and all that for the state of Florida. And the speaker said, was sitting there talking about it. And he goes, I don't think people realize how many clouds they use in a day. And everybody, you can see it was kind of a little hum in the crowd. And he goes on average nine clouds a day. He goes, my daughter probably use it. He had a daughter as well as kind of one of the things that piqued me about the conversation. Uh, she was a little older. Uh, he said she probably uses 12 to 13 clouds a day. Cause I don't realize most of what's being served up to us through social, through, you know, your email, through your phone, all these apps, it's all cloud driven. And so they don't even know that. 
I'll bet it's going to be even more, this is just my humble personal opinion, I bet it'll be more with AI in the span of two, three years. I think they'll be using more AI than they are even clouds. And the cloud will be serving up those AI apps.


Tim Freestone:
So in a day, that question is not how many clouds, but how many AI large language models do you use in a day and it's gonna be like 25, something


Mark:
I mean, Yelp, I don't know if you saw that announcement, but Yelp is putting it in as far as helping people determine where they're gonna eat and all that, and it needed it. Yelp is a great app, but it has some very distinct issues when you don't know exactly what you want. If you just heard saying. I'm not sure there's five of us in the car. We don't know how do we do it? And to have AI be able to go out and look at the surrounding area, make those determinations, look at your past selections, right?

Tim Freestone:
Mm-hmm.

Mark:
And use machine learning and step through that and then use the generative AI to match that to that, and then flip those out to you in a second, microseconds, milliseconds, I'm sorry. That'd be fantastic. That's something I think a lot of people will like, because it's not so intrusive, the Siri scare that people have, etc., Alexa listening. They're probably listening

Patrick Spencer:
It changes

Mark:
to that.

Patrick Spencer:
the one size fits all answer that you get to one that's highly personalized, uh,

Mark:
Yes.

Patrick Spencer:
by simply using the AI capabilities. I have a quick question or a couple of questions on your book, which I think our audience will be interested in hearing about one, you know, what prompted you to write the book and then the follow on question related to the conversation we just had now, when are you going to update it to include all the AI components? Cause I suspect that will change some of the recommendations or the 200 pages, certainly it will become 300 pages once you have the AI elements in.

Mark:
Patrick, you busted me. You got

Tim Freestone:
Hahaha

Mark:
me on the front. You busted

Patrick Spencer:
Hahaha

Mark:
me on the back. No, that's exactly right. I'm currently working on one for seniors that's gonna have a similar flavor, but it's gonna have more online scams, war dialing, all this weird stuff that's going on because our seniors are very much at risk. I'm very concerned about that. And it'll kind of play into what I'm, how I'm going to describe how I got into the, doing the teen book and how, and people in Boston asked me, why didn't you choose children? Cause they're using all this or young adults. And I was very selective when I did it. It might've been like, you know, Tim was saying, I have teens. So it was kind of, you know, ingrained in me and I'm living it right now. But the reality of it is, is I advise lots of K-12s and higher eds, in fact, hundreds of them. That's what I do. I go spend time with their C levels and cities and counties as well. And what I hear over and over and over is that... our teens are at risk, right? You go to, if you go to the health and human services, right, and you're looking at kids that are being abused, right, a lot of that has to do with devices, how people do it, the strange father finds the kid through the life through 60 or something. I start hearing stories like that. Then one of my daughters, she was 13 at the time, one of her friends, was cyberbullied, moved to a different school, and it was brutal. I mean, it was really, really nasty stuff. And then I heard about another one where a 24-year-old guy was communicating with a teen, and they went to a party, and he showed up at the party, and they realized this guy's like 24. He tried to spike one of their drinks.

Tim Freestone:
Mm.

Mark:
And come to find out, he travels town to town and lives out of a car.

Tim Freestone:
Jesus.

Patrick Spencer:
Hmm.

Mark:
Yeah, and this is, these are just a few of the stories. And when I spend time with superintendents at the K-12s, or, you know, and I spend time with the CIOs and the CISOs or, you know, the campus, you know, provost, et cetera. The stories I hear and I usually ask, you know, hey, do you got a story to you? You want to share with me? Cause it's always of interest, right? That is what kicks that off. And then last but not least, and this is a very important piece, LAUSD got hit. Everybody knows last September, right? It was

Tim Freestone:
Mm-hmm.

Mark:
all at the national news. The most brutal part of that from the people in the know in the back, and I don't want to pin it to one person, was that they couldn't pay the bus drivers, the hourly employees, they couldn't pay the security guards, couldn't pay the cafeteria workers, couldn't pay any of the people. And those are the people that could not afford to miss a check. They're living check to check, right? It impacted kids, lots of kids, thousands of kids. Imagine how big LAUSD is. I mean, it's massive. So that those pieces all kind of came together. And I was already writing the book and when the LAUSD thing hit and I had a little, some back in insight and some other stories I heard, it just compelled me. I mean, it really just grabbed me and said, you have to do this, right? You have knowledge that others may not have access to. Um, and you need to do what's right because there is no ceiling on doing right. I tell, that's where I tell my folks all the time when we're out visiting our customers and we realize that we're going to impact kids, the, the, my quote to them all the time is there is no ceiling on doing right. If you think that you need to do that to make the customer happy to be able to provide those services to those people in need to kids and hourly employees and that there is no ceiling. Do what's right. That's what you do and that's why

Tim Freestone:
Yeah,

Mark:
I wrote the book.

Tim Freestone:
that's, um, it's great motivation, obviously. And, and I was thinking about it this morning. Cause again, my, my daughter, she turned 13. She's my oldest couple months ago or a month ago. And, um, I was just thinking about, cause I told her what I did the other day. She had asked me, what do you do for a living? I said, well, I market, uh, cybersecurity companies to other businesses. And she said, well, what's cybersecurity? Like, oh man,

Mark:
I'm

Tim Freestone:
we

Mark:
going

Tim Freestone:
got.

Mark:
to go to bed.

Tim Freestone:
start from square one.

Patrick Spencer:
Hahaha

Tim Freestone:
So I actually think it's, we take it for granted, especially working in the industry, but I don't think that kids' minds are necessarily there in terms of, oh geez, did I use different passwords for all my accounts? Do I have the, did I review the privacy section of the app I just signed up for? Things like that. Obviously that would probably never happen, but it just... And that brings me to two layers, right? There's the cybersecurity layer, which is the, using different passwords and some of the basic hygiene you go through in your life. But there's also the privacy of your data. And with TikTok and all of these challenges that the government's facing with apps from less regulated countries, if you will, the cybersecurity extends beyond hygiene and into just who's got your data, right? And how kids can be just aware of that so as they become adults, they're not susceptible. It's a really tough challenge.

Mark:
It is, and I think it's for kids, it's for adults, it's for seniors, it's also for organizations. One of the things that we often talk to them is if you're doing business with a SaaS company and you have compliance and governance, any kind of GRC, you need to look at what happens to your data if you switch services, right? Because most of them do not go out there and delete that data or if they do, it's at a much later time and whether they get it all or not is up to question. ability to not only request that but certify that and be able to that'll meet your compliance and any GRC you have that's a that's a critical element. I think it's even more impactful for kids because people take advantage of that information right they start to directly market to them and whether they're marketing something that's ethical you know and and a benefit to the kid is very questionable. I think that you made a great point that a lot of times you don't you don't know Kids sure doesn't know. Because how many kids do you know can read legalese? You think they don't know about AI or cybersecurity, what about legalese?

Tim Freestone:
Right.

Mark:
And

Tim Freestone:
Yeah.

Mark:
you made a great point, Tim. I think that's something I need to, boy, I got busted twice today. I need to add that into the book too, because I think that is very important. It's a very important thing. I mean, it's very important.

Tim Freestone:
Yeah, who's got your data and to your point, even at a company level and GRC, you mentioned that that's, you know, five, six years ago, Patrick and I were at, at Fortinet at the time we've been working together for a while, but, um, I don't ever remember hearing GRC that now I hear it all the time and third party risk and what happens to your data and, you know, things like security scorecard. What's your perspective on GRC? How are you incorporating it into your talk tracks, your business? Um, how important it, what are you hearing from the field and the organizations you work with on, especially in the relationship of your data, your company's data, not being in your, uh, network or in your perimeter and into the cloud and into third parties. How big of a

Mark:
Yeah.

Tim Freestone:
risk is this becoming?

Mark:
Well, it's obviously a big problem. And I think public sector is really feeling it because I think you look at, they don't have the money or the amount of people that you see commercial and enterprise have, right? So, um, they typically have to do more with less. They also typically are not as much, they don't spend as much on training. And, uh, because they don't have to go out and deal with the commercial and enterprise and things like that. Right. They're, uh, because they're understaffed too, they don't often have time to go to the training. Uh, they're also, and I think this is really critical, is they're unrecognized and overworked. And I think that's for a lot of security people, both public and private sector, but that where I think where that impact comes in is, when do you have time to do the GRC, right? You have time when they're breathing down your throats, you

Tim Freestone:
Mm-hmm.

Mark:
going through an audit, you've got the results and the results are not what they had hoped. And so leadership now wants to know, well, why didn't you get this done? And I hear this all the time. And even leadership will say, GRC regulations, all that don't have any teeth, we don't need to worry about that when we're gonna

Tim Freestone:
Right.

Mark:
do this. You know, I think that kind of dilutes it. So knowing that understanding that having a tool, you know, like archers or security scorecard or whatever you're using, where you can go in and make those determinations, have some level of automation to support that effort. And then followed up with an actual audit from a third party so you can validate your experience. Those are things that we suggest to our clients all the time. A lot of them we see are trying now to reach out and do zero trust and do things along that lines. We got CMMC. We got all these things happening in the marketplace, some of them being driven by feds, some of them being driven by other other market forces. But you know, it's just it's really interesting how all, to your point, it's now at top, one of the things at top of mind. I think cybersecurity itself probably, probably had a large hand in that.

Tim Freestone:
Yeah, we often talk about it in the context of infrastructure and cybersecurity right now are jointly in a new era, it's the compliance era. And everyone's being driven by regulators and auditors into action and, and, um, not, uh, not completely, sorry, less, uh, threat actors and more auditors. Why are you, why are you acting? Because the auditor is going to come and find us if we don't, versus, oh, there's going to be a man in the middle attack. Of course, that's all still on the table, but the amount of audit-driven decision-making from the board down has increased dramatically. Good for us at Kiteworks, but it's not going to stop. I think seven of 50 states have privacy regulations. There's like another 30 that are in legislation. Managing state and federal. Who knows someday maybe a county local is, um, is quite the task.

Mark:
It is, we have a whole group inside NetSync. That's all I do. We just follow them and presentations. And it's interesting, Tim, one of the things we do that's probably the most, most, requested thing we do, we do for free. And that is we do incident response tabletops, right? So in the idea of that, it's a murder mystery style. So you don't know if it's a, you kind of set something up a minute to spark that is, they don't know if it's a DDoS attack in this murder mystery. They don't know if it's a insider threat. They don't know if it's a man in the middle. They don't know if it's ransomware. They have no idea. So we actually take them through the whole process. We give them a, here's your current state. Here's the insertions. We have a... letter of declination from the insurance company because they didn't follow the reporting requirements, which is very common, declination.

Tim Freestone:
Yeah.

Mark:
It has a ransomware email, this is the ransomware one, an actual one. And it even has a newspaper clippings with their name on it that they didn't, you know, because it's at Mark, it's the old Mark Cuban saying, if you look around the room and you don't know who the scapegoat is, it's you.

Tim Freestone:
Right, yeah.

Mark:
It's you, you're the one. And we try to advise our clients, get crisis PR, connect it to your emergency response after you've all been in a lot of these shootings on campuses and other things. And really take it very, very seriously to your point versus just doing it because the regulation came down or you're getting audited. Actually look at what's the impact on your organization, on your employees and one of your community. And if that's something that's pretty severe, then you need to take action now. And I tell you, it's what's stunning is, and I know you guys probably know this probably better than anybody, it's unbelievable how many organizations do not have an incident response plan.

Tim Freestone:
Yeah.

Mark:
And if they do have one, they haven't tested it or seen if it's actionable in over a year.

Tim Freestone:
Yeah. I mean, how much of that do you think is driven by just what you said earlier? Just don't have the time. I don't have the people or the time. I have it in place. Check.

Mark:
Yeah.

Tim Freestone:
You know, how do I...

Mark:
I think I hear the most.

Patrick Spencer:
And is it all, you know, it's something that's done in retrospect, right? You implement your cybersecurity and then you need to figure out what your GRC looks like, your incident response, rather than that's part of the conversation upfront, I assume that's probably what you're trying to prompt your clients to do is make it a proactive conversation so that it's built into that cybersecurity strategy rather than an afterthought that's just tacked on.

Mark:
Patrick, that's exactly the reason why, because you do not do your best work under pressure. We've gone in and helped them after they've been hit with ransomware, a bunch of organizations. We go in there, it's always more chaotic, it's more political. The reporters, the local reporters are trying to get to the data center manager's wife or spouse to find out what the real story is. She didn't get the real story. She got a portion of it and added a little flavor, and

Tim Freestone:
Yeah.

Mark:
it ends up in the press. realize you get caught up in this cycle of drama that you cannot get out and you're not going to do your best decision making and it often costs jobs and it hurts. It hurts those in need. I mean, we're talking about, you know, if you're talking public sector, you're talking about people in need and you know, you just got to spend a little time and pull thought to do it solely because you're being audited. I think my personal opinion, you know, just it's not the right call. Right call is due because it affects you or your community or your employees or your family. And, you know, do that thing. There is no ceiling to doing right. I mean, I truly believe that I apply to cybersecurity all the time. Because people always say to Tim's point. I'm too busy. I got too much going on. I don't have time for that. OK, but you're going to have to balance it one way or another. I promise you, you will look back, and you will find time, and you will find money in retrospect. And

Tim Freestone:
In

Mark:
yeah.

Tim Freestone:
retrospect, yeah. Yeah. Yeah. It's, it's almost, uh, pretend you're, you're in, uh, in a bad situation now. What would you do and do that? Uh, so you don't have to do it in the future.

Mark:
That is the

Patrick Spencer:
Some

Mark:
murder

Patrick Spencer:
of

Mark:
mystery.

Patrick Spencer:
you.

Mark:
That is the

Tim Freestone:
Yeah,

Mark:
essence of the murder

Tim Freestone:
I see.

Mark:
mystery.

Patrick Spencer:
Some of these regulations like CMMC for the DOD and then some of the executive orders that have come out over the past couple of years, EO, what is it? 14.028 around zero trust. Those are attempting to do some of the things you just discussed prompt a responsibility, a community responsibility around this third party supply chain for the DOD or how government departments operate within themselves, but also how they interact inter-departmentally. Can you speak about that issue and what you're seeing, is we've seen progress or are we still in the status quo where we're trying to catch up there?

Mark:
I think we're seeing progress. I'm going to be at Dell Tech World here in three weeks. And I'll be speaking about Zero Trust with the CTO of Federal for Dell. Amazing guy named Herb, really knows his stuff. Been out there, fought the wars, and they have a really, really good approach to doing that and getting Zero Trust in place and let you start reaping those benefits, right? And... I really like the approach. There's a couple others out there that are also doing really good work around this, heavily in the Fed space, right? Because a lot of people follow the Fed when they get it rolled out, as you all know. It becomes really real, especially for state governments and some of the local governments. And so we're seeing huge drives towards zero trust. And I think the other thing that kind of is helping it is, you guys work for it at, Fortinet's one of our many partners. in zero trust right now. Now whether it's all fully zero trust or not is a whole another question because there's a little bit of hype around zero trust but the reality is is that customers see value in never trust always verified and Glenn when he did that at Forrester back in the day what what great insight that was looking back in retrospect and it does have real value. Our customers that have implemented zero trust type of environment and you know their posture and driven in controls and reporting that supports it have seen great benefits and I think when you know they look back it's that level of assurance that they feel that they can share with their leadership with their stakeholders with their community that's a big deal because when you have that you know when you're insecure it feel it's not a great feeling when I was in the Rangers we're down in El Salvador and I was sitting in San Salvador I didn't have a weapon I did not feel I was not assured Those are the days of the head squads and all that. I did not feel assured. When I do feel assured, it feels better. 
Everybody has their own personal example where they can look where they didn't feel secure, right? Whether it was with their family or whatever. And that's something that organizations can do. And that's how we frame it. So when we frame our discussions, we talk about assessing your risk. heading towards assurance if that includes zero trust, if it includes CMC, whatever it may be, there's all kinds of things under there, 800-53, there's tons of stuff out there. That, it's the one that you can afford, the one that your team can support and put in place in a time that you can do it so you can have assurance.

Tim Freestone:
They talk about zero trust and I'm glad you brought it up because this is another soap box of mine. I'm going to workshop something with you here real time.

Mark:
Okay.

Tim Freestone:
So, um, the, the, the markets per...

Patrick Spencer:
Free consulting.

Tim Freestone:
What's that?

Mark:
I'm sorry.

Patrick Spencer:
I said free consulting.

Tim Freestone:
Yeah, yeah. The market's perspective is zero trust, never trust, always verify, least privilege access, always on monitoring, all that stuff, at the application layer and the network layer, or application and cloud workload network layer. And so I wanna put it in the context, I believe there's a third peg to that stool. And in the context of the Pentagon, the leak of the Pentagon secrets, right? My sense is, I don't have this as fact, but my sense is the gentleman, I can't remember his name, who leaked them, I would bet they had zero trust principles in place to some degree, and he had the right access to the network and the applications that had those secrets in it, based on his role. I would bet he had the least privileged access down to this guy, who in order to do his job, had to do this. So... But yet these documents leaked. So the third peg to the stool is zero trust access at the content layer itself. Those pieces of content, those documents should have never been able to be downloaded, taken anywhere. And if you bring that zero trust using technology like DRM to the asset, then you've completely reduced your risk as much as you can using zero trust principles. So, application access, network access, individual pieces of content access. I think those three things together are really, really strong and I just wanna see what you think about that perspective.

Mark:
I love that. I think DRM is the only way to handle that scenario, right? Because like you said, it was authorized privilege access, right? And hopefully it was least privilege access, but we all know that's not necessarily the truth.

Tim Freestone:
Truth, yeah.

Mark:
And it changes, you know, because people move roles, they leave, they come, they go, they come back. And I think that creates a lot of drama, even for zero, even for, even if you have the Oktas, the Pings of the world, even if you have the Delineas and the CyberArks and you have a full identity suite, the reality is there's still issues there that you have to work through. But DRM, as far as the documents and all that, absolutely, there's gotta be something to do that. And one of the other ones that I heard the other day, might have been a couple of months ago, was I was talking with a Fed employee and they were telling me that one of the things they're worried about is they're hardening rooms so that the radio waves and all that and all these things can't get out, because they're able to get that as well, turn that in, and Zero Trust has no impact on that capability.

Tim Freestone:
Mm.

Mark:
The other one I heard was amazing is there was a whole lot of ransomware attacks that happened because of a service provider. Well, under the soft underbelly is the internet provider, it has an unlimited session that never ends and it authenticates only that first time.

Tim Freestone:
Mmm.

Mark:
So there's another one, Tim, where I think there's some gaps that still need to be filled and a good thing about zero trust, it's the living breathing, it's still evolving.

Tim Freestone:
Right.

Mark:
I think that's a benefit of it. You know, having that and limiting those sessions so that they have to re-authenticate. So then you can not authorize them if they no longer have that or their least privileged access has changed. And that includes organizations like service providers. Doing things like this, to me, and I love the way you put it, using DRM, there's some gaps, there's some work still to be done, there's great people out there trying to do it. I'll be very interested to see how that kind of evolves.

Tim Freestone:
Cool.

Patrick Spencer:
And on the federal side here.

Tim Freestone:
At least I'm thinking, okay.

Mark:
I wouldn't take just my word. I mean, there's a lot, like you said, there's just a lot of good stuff going on out there. And I love having these types of conversations and getting other people's thoughts and inputs because it kind of helps you center yourself and for your opinion isn't one way or the other because you've only heard people say this, especially in something like Zero Trust where you walk in and everybody has an opinion on it. But whether it's a well-informed opinion or not is up for debate.

Patrick Spencer:
Great insights. One more question here, sort of piggybacking on this conversation, you have the network infrastructure applications content, you need to be aware of all those. How do you work with your clients to help them implement a plan so they can actually measure what their risk posture looks like and do that on an ongoing basis? I assume that's one of the capabilities that you provide to your clients.

Mark:
It is, and even when I was with other organizations prior to this, we always started off, if they haven't had a risk assessment, especially with the latest and greatest things, right, we talked about GRC, things change in a year, they just do. And also, you got to include your stakeholders, right? So if you're at a higher ed, you got to get your superintendent, you go chancellor, and you got to get the leadership involved. If you're, you know, K-12, you got to get your superintendent, your executive cabinet and those principals involved. If you're out in a commercial, you're going to have to get the CEO and accounting and the others in there. And I think that really impacts what they're going to do. But we start with an assessment, we include stakeholders, and we try to help them. A lot of times it'll start off with an IR tabletop or a zero trust assessment. And we'll go in there, we look at them, and I see our competitors and peers do this as well. And that is to determine the gaps are and then help them prioritize. What do you current projects that are currently funded do you have? We can start to make it in fact now. MFA for the last five, six, seven years, one of the very first things people do, because you hear stats like Microsoft says 91% of all attacks can be stopped if you get MFA in place. I don't know if it's 91 or 65, doesn't matter. It's still better than 50. And you know, that's, that's a great way to do it. MFA has had a massive impact, especially, uh, I'll give you one great example. Um, our universities are under fire. They are, they're under fire. Like nobody's ever seen. They have all these researchers from out of country. They come here and they're granted unbelievable access to our greatest secrets, right? R1 universities, that hundreds of millions of dollars funded a lot of times by the federal government. They have to follow the DOD or the federal government's rules, but a lot of times it's more of an attachment or a connection, right?
Well, they're piping data out and they're sending it back to their country and there are the bad actors or to gangs that are associated with countries and it's really bad. It's happening all the time. They're very limited because it's an R1 and the research is king and the money coming in for research runs the show. And any chancellor will tell you that, that runs an R1 university, is, you know, those are things that we got to get better at. We got to figure out as a country, as a species, as a society, how we're going to deal with some of these hard questions that don't have great political answers, don't have great societal answers, but they impact a lot of people and very negatively. And so, that's, I think that's one of those things that kind of drives that piece and, you know, we find that in assessments and that's usually where we start. And unfortunately, a lot of times the findings are just not brilliant.

Patrick Spencer:
Now, there's a GAO report on that very subject that pinpoints it as a major gap that you probably read. It came out last year and indicated there's a lack of tracking and control when it comes to all this sensitive content that these international researchers have access to that they're actually working on. And it's leaking out of the country, to your point. It's a serious risk.

Mark:
Yes, and that's why you...

Patrick Spencer:
I think he's been reading some of our messaging.

Mark:
Well, yeah, if you look at the fifth generation and the sixth generation fighters that are out there now, go look at those countries, look how close it looks to ours. It's unbelievable. I mean, it's very, very similar. There's a lot of technology and... look, if you're not willing to protect it, then that's what's gonna happen. And that's just the nature of the beast. We just gotta get better in a lot of areas. I think the manufacturers are largely doing a pretty good job of innovating. I think AI is gonna be a tremendous help, but it's also helping the bad actors, and we're starting to see that now. We've already started to see some of the things that AI can use, generative AI can do to bring that effect. I've posted it out there a few times, the good and the bad, because it gets a little scary.

Patrick Spencer:
So Mark, for folks listening to this podcast, you want to know more about Netsync, tell us a little bit about the company and how they can reach out to you if they need to engage with you.

Mark:
Sure, yeah, Netsync's a very large VAR, international VAR, value-added reseller. We really focused, we have no quota, no quarter, very unusual. So, we're gonna go ahead and start with the Netsync. So, we're gonna start with the Netsync. And largely SLED, but we do some commercial and enterprise as well, but we focus on the relationship. And that's one of the reasons I came here. In my previous life, I was the chief product officer at CISO for a manufacturer and I worked with all the partners. And one of the things I really liked about it is that it kind of goes back to that there's no ceiling to doing good. If you're focused on the relationship of making them successful, not on quarters and quotas and all that other drama, you, we have found that you can produce a better outcome. And we're seeing that and I think that's been funded, the growth, you know, been kind of one of the rockets for this growth because this company's grown like crazy. And that and if they want to get a look at their, it's marklynd.com, m-a-r-k-l-y-n-d.com, mclind on Twitter and, you know, marklynd on LinkedIn. And those are really the areas I try to focus on and do that. And I'm in the midst of writing a book on seniors. So they'll be able to see that as well. That is a big focus. I really want to help those in need, because those of us out there that have insight like the three of us about this particular piece, that are subject matter experts, we've got to share it. We've got to help folks. That's my belief.

Patrick Spencer:
And updating your existing book after you get done writing this one, right?

Mark:
I absolutely say I, when I get off here, I'm gonna have to take a couple of notes because, by the way, those were, I appreciate that, those were fantastic additions to the book. And, you know, it's interesting, one of the things that drives this kind of thing is getting that feedback on Goodreads and on Amazon and all these. Some of the reviews have been really good, about you need to add this or you need to do that. And I think that's great. You know, you can't have too much pride in authorship. If you have too much pride in authorship, you won't be successful.



Patrick Spencer:
So Mark, the book, educating teams and higher ed on cybersecurity best practices, uh, Cyber Security Life Skills for Teens can be found on amazon.com. Uh, they can buy it on the Kindle or they can buy it in paperback. I.

Mark:
That's correct. Yes. Yes. Yeah, they can. We were also, uh, we'll be doing it for schools as well. We're going to have a bulk buy, uh, for schools. Um, and we're, and I have a group, they'll help me build a curriculum around that because I feel, I just feel like this is just too important. And all Tim does today is just verify that case for me.

Tim Freestone:
Yeah, no, it's really great. When I saw the book, I hadn't seen anything like that before. And it was just timely with some recent conversations I had with my daughter. So thanks for doing that. You're more ambitious than I am.

Mark:
I have a lot of help.

Tim Freestone:
Ruff.

Mark:
I have to hold my hand up and admit it. I have a lot of help and I'm very appreciative of the help. If you look at the acknowledgments in the back, it's two pages long.

Tim Freestone:
Okay.

Patrick Spencer:
Well, Mark, we really appreciate your time. You're extremely busy. This has been a very interesting conversation and we look forward to having a conversation with you again in the future. The audience, make sure you check out his profile, Netsync, as well as his new book. Let's redo that. Audience, make sure you check out Mark's profile. You check out the Netsync on their website and then make sure to take a read of his book that's available on Amazon. We appreciate our audience's time. We look forward to having you on our next Kitecast episode. You can check out other Kitecast episodes at kiteworks.com slash kitecast.

Mark:
Thanks Patrick, thanks Tim, really appreciate it.