
Kitecast
Scott McGrady: MSPs and Identity-first Security
Scott McGrady's path to becoming CEO of SolCyber started in the server rooms of the early 2000s. Back then, he was installing Nokia security appliances and building some of the first security operations centers for major corporations. McGrady spent years at companies like Symantec and FireEye, where he learned that keeping businesses safe requires more than just technical know-how. He built Symantec's security services across Asia Pacific, managing teams in multiple countries and learning how different businesses approach security challenges. Later at FireEye, he helped launch their partner strategy during the rise of nation-state attacks. Today, he runs SolCyber with a simple mission: help companies protect themselves from identity-based attacks that bypass traditional security tools.
McGrady explained something that might surprise you: hackers don't break into networks the way they used to. Twenty years ago, they looked for open ports and vulnerable servers. Ten years ago, they targeted employee laptops and phones. Today? They steal usernames and passwords, especially administrative accounts. Insurance companies tell McGrady that nine out of ten breaches happen because someone's login credentials got compromised. The problem gets worse because IT teams often give employees more system access than they need. Why? Because it's easier than figuring out the exact permissions each person requires. McGrady shared a real example: a company with 500 employees had over 70 administrative accounts. Some hadn't been used in nine months, then suddenly started browsing the internet—a clear sign that hackers had taken control.
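The dormant-then-suddenly-active admin account described above is a signal you can express directly as detection logic. The following is an added example written for this page, not SolCyber's code: it runs over a handful of constructed identity and proxy log events and flags (a) privileged accounts whose activity resumes after a long gap and (b) service accounts that generate web-browsing traffic at all. The account names, log format and the 180-day dormancy threshold are assumptions.

```python
"""Detect two identity signals from the episode: a privileged account that has been
dormant for months and suddenly becomes active, and a service account being used
interactively to browse the web. Added example, not SolCyber code; the log format,
account names and thresholds below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, account_type, event, detail).
# account_type is assumed to come from the directory (admin / service / user).
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:00", "svc-backup", "service", "logon", "srv-backup01"),
    ("2024-01-11T08:00:00", "svc-backup", "service", "logon", "srv-backup01"),
    # nine-month gap, then the service account logs on from a workstation and browses
    ("2024-10-12T14:03:00", "svc-backup", "service", "logon", "ws-finance07"),
    ("2024-10-12T14:05:00", "svc-backup", "service", "proxy", "https://paste.example.test/upload"),
    ("2024-10-12T14:06:00", "svc-backup", "service", "proxy", "https://mail.example.test/"),
    ("2024-01-15T09:00:00", "adm-jdoe", "admin", "logon", "dc01"),
    ("2024-01-16T09:00:00", "adm-jdoe", "admin", "logon", "dc01"),
    ("2024-01-17T09:00:00", "adm-jdoe", "admin", "logon", "dc01"),  # steady use, not dormant
    ("2024-03-01T10:00:00", "jsmith", "user", "proxy", "https://news.example.test/"),  # ordinary user
]

PRIVILEGED = {"admin", "service"}


def parse(events):
    """Turn the raw tuples into dicts with real datetimes, sorted chronologically."""
    parsed = [
        {"ts": datetime.fromisoformat(ts), "account": acct, "type": typ,
         "event": ev, "detail": detail}
        for ts, acct, typ, ev, detail in events
    ]
    return sorted(parsed, key=lambda e: e["ts"])


def dormant_reactivations(events, dormant_days=180):
    """Return (account, gap_in_days, reactivated_at) for every privileged account
    whose activity resumes after a silence longer than dormant_days."""
    by_account = defaultdict(list)
    for e in parse(events):
        if e["type"] in PRIVILEGED:
            by_account[e["account"]].append(e)
    threshold = timedelta(days=dormant_days)
    findings = []
    for account, evs in by_account.items():
        for prev, cur in zip(evs, evs[1:]):
            gap = cur["ts"] - prev["ts"]
            if gap > threshold:
                findings.append((account, gap.days, cur["ts"].isoformat()))
    return findings


def service_accounts_browsing(events):
    """Service accounts should never produce web-proxy traffic; return the distinct
    (account, destination) pairs that do, sorted for stable output."""
    seen = set()
    for e in parse(events):
        if e["type"] == "service" and e["event"] == "proxy":
            seen.add((e["account"], e["detail"]))
    return sorted(seen)


if __name__ == "__main__":
    for account, days, when in dormant_reactivations(SAMPLE_EVENTS):
        print(f"privileged account dormant {days} days, active again: {account} at {when}")
    for account, dest in service_accounts_browsing(SAMPLE_EVENTS):
        print(f"service account browsing the web: {account} -> {dest}")
```

Both checks are deliberately simple joins over directory attributes and activity timestamps; the hard part in practice is the directory hygiene that tells you which accounts are service or admin accounts in the first place, which is the point McGrady makes about keeping identity directories clean.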
McGrady works with organizations that can't answer simple questions like "Where are all our security logs stored?" or "Who can access our customer data?" These aren't startups or small businesses—these are established companies with IT departments and security budgets. They have data scattered across different systems, some going to one security vendor, some to another, and some not being monitored at all. While vendors push artificial intelligence and machine learning solutions, most businesses just need help organizing what they already have. As McGrady put it, they need to get their house in order before worrying about advanced threats.
So what actually works? McGrady keeps it simple with five must-haves. First, turn on multi-factor authentication everywhere, even though software companies charge extra for it. Second, add email security beyond what Microsoft or Google provides, because business email compromise is how most attacks start. Third, install endpoint detection software that catches modern malware. Fourth, run security awareness training so employees recognize phishing emails (and to keep your cyber insurance valid). Fifth, buy cyber insurance now while it's affordable. McGrady's company, SolCyber, packages these essentials into what they call "foundational coverage": essentially outsourced security for businesses that need protection but can't afford a full security team. For larger companies, they handle the complex work, such as managing security logs from dozens of systems and responding to attacks in real time.
LinkedIn Profile: https://www.linkedin.com/in/scottmccrady/
SolCyber Website: https://solcyber.com/
Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
Patrick Spencer (00:02.392)
Hey everyone, welcome back to another Kitecast episode. I'm Patrick Spencer, your host for today's show. Kitecast explores the latest trends and innovations in cybersecurity compliance as it relates to your private data. Today I'm joined by Scott McGrady, CEO of Sol Cyber, who's pioneering what he calls the first modern MSP. We'll talk about that in greater detail here in a moment.
Scott (00:17.203)
So.
Patrick Spencer (00:25.566)
Scott, just as a brief introduction, brings over two decades of experience transforming security operations globally, from scaling Symantec's managed security services across Asia Pacific (I remember those days because I was there) to launching FireEye's global solution provider strategy. He's at the forefront of major shifts in how organizations defend themselves. Scott, thanks for joining me today. I'm looking forward to this conversation.
Scott (00:51.195)
Hey Patrick, thanks for having me. Always happy to join.
Patrick Spencer (00:52.878)
And you actually have your own podcast show as well. We'll give you a plug at the end, but tell us a little bit about your podcast and how you got started. Then we'll talk a bit about your background, but you're a podcaster yourself.
Scott (01:06.84)
Yeah, it's funny because I'm an engineer and so social media and just general marketing is sort of like, it's not endemic to my nature. And so we have a podcast called Security Shorts with Scott. And the whole idea is if you're Googling something and encryption, data security, whatever, if you want to get a five to seven minute most efficient understanding of that topic,
we tried to really dig into that in the security shorts with Scott. And so it's a place where we just did one on like cyber insurance. And so if somebody's like, hey, know, what's happening to cyber insurance in 2025, within five to seven minutes, they can get a real good sense of what's happening, what's important, what's not important. And so that's really the goal is just to be a place that people can land on topics that are relevant to the security space and can get a really quick understanding and a good overview of that specific topic.
Patrick Spencer (01:43.343)
typing.
Patrick Spencer (02:00.706)
Well, our friends at Google from a search standpoint, as well as all the search engines, love those now. So you're in a sweet spot in terms of traffic reports. So tell us a little bit about your, let's start with your latest role and then we'll cover a little bit about your background at FireEye and SonicWall and then Symantec, which are most.
Scott (02:06.278)
Yes. Let's hope.
Patrick Spencer (02:21.132)
three most recent gigs, what are you doing now? You started this company and you guys are growing rapidly. There's a lot of interest. You're very laser focused on a specific problem, I believe, MSSPs as we talked about in the intro.
Scott (02:34.226)
Yeah, so it's been like all things, right? There's this journey and it's a little bit cliche, but it's true. So my background was I'm a security engineer by trading training. And I got into the space by setting up, like if anybody's been around for a minute, if you remember the old days, the Nokia appliances and you could go and you could hit one for checkpoint, you could hit two for ISS RealSecure. So I was deploying these boxes for EDS way back in the day. And at the time we had these beautiful network operating centers, like, know,
huge, you hit a button, the curtains drew back and you could see all the telecom switches and the links and which ones are red and yellow and green. Nobody knew what to do with the data for the security technology. And so I started building out what was essentially a security operations center for EDS. Because of that, I got hired away to what became Symantec, but the very first MSSP was a company called Riptech, got purchased by Symantec, ended up joining them.
and then building up their Asia Pacific and Japan business and then running the global business out of DC. And so at the time I left, I think we were the world's largest MSSP. It actually got bought by Accenture and I just saw some stats the other day. It's the world's second largest MSSP in the world. So massive MSSP business. So the theory, and why this actually gets to SolCyber, but there was essentially a first generation MSSP, which was
Patrick Spencer (03:46.348)
Wow.
Scott (03:57.042)
IP based correlation outbound to known malicious threat locations. That was really the core. so you'd say, okay, know, Scott's IP address is talking out to a known malicious location via the firewall data. And so the odds are very high that he's been breached. So we'd gather that run, you know, basic level machine learning against it. And we could tell when something bad was happening. We'd let customers know we were really good at it. That was gen one. The, was there about 12 or 13 years. We left.
I left to go to FireEye Mandiant because the view, my view was that endpoint was going to be the next major location to land for MSSPs. This was pre-MDR. We sort of, we didn't know what to call it, but we knew that, you know, traditional AV wasn't stopping the nation state actors and the ability just to push a button to run a scan wasn't finding anything. So we went to FireEye Mandiant, built their MSSP business over there. And we just never really landed on the fully
visualized capability around the endpoint. FireEye, great company, Mandiant, amazing company, but we really struggled to win at the endpoint. This was back when Carbon Black and Cylance were sort of coming out. Obviously CrowdStrike ended up becoming the winner. We had all the pieces. I mean, we had the threat intel, we had the service people, we had Mandiant, we had network, we had email, but we could never get this endpoint. And so what that endpoint vision eventually became was what
Patrick Spencer (05:12.268)
I remember.
Scott (05:21.148)
people see out there in the MDR service, right? So this ability around the ability to detect the endpoint and do some little response. SolCyber really to me is the third generation. And so our view when we started SolCyber was identity was going to become the major threat vector. So think about IP based correlation, endpoint based correlation, and now you get the identity. And so our view was that you have to consume those other two components into a third generation, which was really identity focused.
And so the idea around identity was bad actors are going to use privileged accounts, service accounts, admin accounts, hybrid accounts, user accounts, and escalate the privileges, but they're going to use identity as the primary threat vector. And that was really the genesis of SolCyber. And then on top of that, our view was that customers were looking for better connectivity with their MSSP. So the days of like an arm's length relationship, which is like, we'll call you, don't call us.
We'll send you alerts. You do something with them. Maybe that's great for a super big bank, but for most companies out there, even companies with like 10 or 15,000 people and employees, and they want to call you. They want to say, Hey, you know, I've got a problem. got a problem. I don't know if it's my endpoint. I don't know if it's my machine. I don't know if it's, if it's the cloud. don't know where the problem sits, but security may be a part of that. So I want you to help me sort of solve that problem. So they want that level of connectivity outside of.
Patrick Spencer (06:27.906)
They don't have mature stocks and so forth to handle all that.
Scott (06:48.274)
just a traditional security. It's great to bop a bad actor on the head and kick him out of the network, but obviously they want to be able to talk to you. So really, if you take the core vision of SolCyber, it's identity-based threat detection and response, identity-based services combined with a close relationship with the customer that allows them to call in and talk to us basically when they need to and help them with other things besides, hey, here's an alert we threw over the fence that you're trying to catch.
Patrick Spencer (07:15.232)
Interesting. Now we would argue that, you know, that security perimeter at the network is important. The perimeter at the end points is important, but you also got to have the data security pieces. Do you see an evolution happening in terms of identity and access to data? Who has access where they're at, what they're doing activity wise, what levels of access they need to be granted, et cetera.
Scott (07:23.568)
Mm-hmm.
Scott (07:40.114)
Yes, the.
I think the most fundamental challenge that people have out there is managing identities is just a pain. It's just difficult. It's not easy. And the reason is, and this goes all the way back to like when I was setting things up, I remember 20 years ago, maybe more, configuring devices. And if you weren't using admin, you're like, okay, screw it. I'll just use admin because I'm having this problem. I don't know where the problem is. I'm in too much of a hurry.
So what happens is organizations overprivileged accounts on a consistent basis, consistently. And they overprivileged accounts to get access to the data or to have the data or the APIs that access the data do the things they want to do versus the troubleshooting of figuring out why it is that they're not being allowed to do it if they're not an overprivileged account. And so to me, and sort of where you guys sit is this, the data security is, you know, the whole shift left movement, data security, all that.
is in the DevSecOps, you've got to secure your data and the data moves to all these different locations. And so you have to do that. On the IT management and the security standpoint, they're just, they're not, they struggle. this is not a blame by the way, it's really hard to do, but they're struggling to say, okay, what are the right levels of permissions in order to be able to get access to these certain types of things, data, other accounts, APIs, whatever, in order to do that. So we just constantly.
see a company that maybe has 500 employees, you know, they'll have 60, 70, 80 admin service accounts. This isn't even admin. This is just admin service accounts. And so if you're a bad actor, what are you going to do? You're going to go straight for those service accounts. We see hybrids. So we see service accounts being used, browsing the web, like being used as like an actual, like, independent user. Yeah. Profile. I mean, so, then organizations don't know this happens because it gets provisioned.
Patrick Spencer (09:20.573)
gosh.
Scott (09:43.032)
And, you know, to get something done. then of course, it never gets deprovisioned. And so in that whole space, you know, like we'll see things like, Hey, this service account or this admin hasn't been used in like nine months. Like this is, hard to do some of these detections, but hasn't been used nine months. Now it's being used and now it's being used to search the web too. so technically it's legal, but it's not typical. And so these are the things that we're like, Hey customer, by the way, this is what's happening. This doesn't seem like this should be allowed. Right.
Patrick Spencer (10:12.398)
Hmm.
Scott (10:12.764)
You know, we can't prove it's a threat actor per se. Sometimes we can, sometimes we can trace back what happened, but you get it. So that's really where you see this intersection between data security and identity-based security is the fact that people struggle to keep their identity directories clean and struggle to keep the over provisioning of access to either individuals or service accounts.
Patrick Spencer (10:35.628)
You see some of the compliance regulations that are popping up. know, you have the, well, there's a big focus on AI and we could spend a little time talking about that or a whole podcast if we want to do so. Right. But you see the, regulations that are popping up, know, the EU AI act, the EU act, NIST too, and so forth. They're, they have some teeth in them. CMMC on the defense sector side. Do you see that driving some behavior in this area around identity?
And does that impact MSSP's at all or it sounds like based on your reaction probably not right?
Scott (11:11.114)
No, the regular, like if you take, let's just take CMMC. and maybe it's, it's a very solid standard out of the government. You're probably going to see a lot of states, in other entities, government adjacent entities, take it up over time. what you're really trying to do there is say we're operating under essentially two, two, two methodologies.
One is we're operating inside of Secure Enclave. So this would be government approved cloud infrastructure, right? So GovCloud or something similar. And then the second piece is you're operating essentially under a NIST standard or something along those lines. CMMC is basically an extended NIST. And so that helps with things like segmentation of duty. So Patrick can't go, hey, I approve the changing of this account. Scott's got to approve it too.
But that doesn't really stop this problem of, they don't come in and say, you can only have 10 % over privileged accounts. There's no, know, only 10 service accounts, 10 % of service accounts can be admin. Like they don't have that, right? And so this proliferation of identities, and by the way, if you think about cloud and all the different accounts and what have you there, it's even more so. So what they're trying to do is get you inside of an enclave and inside of a process standard, right?
Patrick Spencer (12:17.454)
No rule.
Scott (12:37.874)
That helps 100 % helps. But even there, customers are struggling. We're seeing CMMC, most organizations with whom we speak are just late. They're late, late, late, late, late. They know they quote unquote got to get it done and they are not even, they haven't even started. They don't know where the boundaries are. They don't know what's data. It could be in CMMC, it's not. Are they going to put the whole company in CMMC? Are they going to take separate out a segment of the company and put it in CMMC? So even there, these regulations that have teeth,
the uptake is still challenging for most companies.
Patrick Spencer (13:10.574)
There seems to be an overconfidence on the part of most organizations that do the self-attestation. You've probably seen this with CMMC where, we were 95 % covered. And then they actually bring in a third party like yourselves and you do the audit and now you're 45, 35, 25 % compliant with the 110 controls. So that's certainly a problem. When you think about AI and this overprivileging of accounts,
Scott (13:20.274)
Mm-hmm.
Mm.
Scott (13:26.438)
Yep. Yep.
That's right.
Patrick Spencer (13:38.574)
You know, they have access to a lot more data than they should have access to, but then they have all these public LLMs or one click and you're off and running with them. There's actually a, a report I read this morning on Claude and some of the data leakage that's happening there, uh, which results in compliance violations, speaking of compliance violations at the same time. Yeah. Do you see, you know, that as an issue, a growing issue, particularly with the, know, the, the escalation and growth.
Scott (13:53.031)
Mm-hmm.
Patrick Spencer (14:08.43)
of organizations embracing AI, shadow AI even for that matter.
Scott (14:15.184)
I think in our experience, we run into, this is oversimplified, but for brevity's sake, you sort of get two types of customers. And so you have what I would call the sophisticated customers, think super large bank, know, 5,000 security employees, right? They're messing around with AI and they are going to sort of experts in AI directly and saying, how do I manage this thing?
We don't run into a lot of those customers. We run in, we talk to them, but they're not really our target market. Most of our customers are much less sophisticated. And I'm telling, they can be big by the way, that could be 20,000 employees by the way. But, you know, they are much less sophisticated and most of them are really struggling with like, you're going to be shocked Patrick, but we're talking like, we need to get all of our logging in one place. This is the stuff that like, they're like, you know, we don't have a, we don't have a consistent logging infrastructure.
We have some data going to this one SIEM, we have some data going to this MSSP, you know, and then somebody built this other logging infrastructure for BI over here. And we just don't have a sense of what's actually happening inside of our organization. That could be 500 employees, that could be 20,000 employees. And so AI doesn't really come up on the security side. It comes up in a conversation like over lunch or something like, hey, we're thinking about an internal AI deployment.
But most of them are really trying to get their hands around the basics, which is probably why they're talking with us, right? Is they're trying to say, okay, I've got to like get a project on here that actually gets me a really clearly defined outcome of like, I need all my stuff reporting to this place. And then somebody doing something with it so that if something goes bump in the night, we actually know about it. Yeah, exactly. That's exactly it, right? Yeah.
Patrick Spencer (16:01.454)
One unified view. Weren't we talking about that at Man Tech 15 years ago?
Scott (16:09.114)
It never ends. never ends. It doesn't have to be the same tech, mean, and it's, you know, so they're, but they're just wanting, you know, they want to get their house in order. Yeah.
Patrick Spencer (16:18.254)
Yeah, very true. So what is a typical engagement with you guys look like? know, talk through, you have a customer who you talk to, you can put a problem, a project, know, I suspect there's different use cases you help them solve, but what does that usually look like for you?
Scott (16:34.268)
I would say again, there's two primary engagements. So we have this product, productized service called foundational coverage. It actually came out of a combination of sort of cyber insurance, smaller customers. When I say smaller, like under a thousand employees, generally speaking, we have customers six, seven thousand employees on it, but just generally speaking. Foundational coverage is essentially a drop in security program. It gets you your tooling, it gets your SIEM, SOAR, UEBA, gets you your SOC.
It gets access to people that you can talk with problems. And so the first engagement is we get a lot of customers that are like, my customer is Mercedes. And Mercedes is saying that my security isn't nearly good enough and I got to get a security program in place ASAP. So what we call that supply chain compliance, which means that you have a big customer that sends you questionnaires.
Patrick Spencer (17:16.652)
I have to keep going.
Scott (17:30.224)
that says this is all the stuff you need to answer all this stuff on security. It also ties into cyber insurance. So that's one, and we call that foundational coverage. The other engagement is usually larger customers call it 10,000, 15,000 seats. And that tends to be logging, data pipeline management, logging, architecture, then obviously getting the data into chunks that make sense. So some of it's in storage and then some of it's analyzed and the analyzation.
The analyzing of it comes in with the 24/7 SOC, the user behavioral analytics, the identity monitoring, you know, all that stuff. And that tends to be larger customers. It tends to be a starting point. Oftentimes they add components to that over time, but it tends to be more of like, Hey, I need, I need all my logging, my data, my intelligence, and I need somebody that can view that against modern threats and then do response on our behalf. So we'll do response for the customers, for all the systems that we have access to.
Patrick Spencer (18:28.014)
Interesting. You brought up an interesting point around supply chain. You saw the latest Verizon report when it went up, it doubled 15 % to 30 % of all data breaches are attached to the third party. I wrote a blog post on another report a week ago or two weeks ago, I forgot. Recently, we'll put it that way, on a certain percentage, I think it's 5 % or more are now fourth party or more attacks from a data standpoint.
Scott (18:34.332)
Mm-hmm.
Scott (18:39.867)
Yep.
Scott (18:44.306)
.
Scott (18:53.232)
with
Patrick Spencer (18:56.782)
You know, how serious do you see it or do companies, guess, maybe this is a better question. Do companies really understand the severity of the risks that exist when it comes to the third parties that they exchange data with, they give network access to, and it could be individual contractors. could be multinational fortune 500 companies at the same time. you think we understand the risk?
Scott (19:22.226)
The larger companies, the larger organizations, I think they understand it. I think the problem is the enforcement mechanism and the pricing components. The problem is, okay, XYZ large corporate, XYZ Acme Corporation, and I'm 50 billion in revenue. Then I go to Patrick and say, hey, Patrick, you're one of three people bidding on my widget to be made, and you come in at $1.02 and somebody else comes in at $1.05. They go with you at $1.02.
And then at no point in that conversation was like Patrick able to go to the company and say, Hey, by the way, we have really, really good security in place. And so therefore I need to charge a buck four or buck five and recoup that that we don't see that conversation happen on a consistent basis. The only places we actually see it on a consistent basis would be like an entertainment, you know? So if, if Disney is outsourcing, media.
Patrick Spencer (20:08.206)
doesn't have it.
Scott (20:19.954)
the final sort of cuts in the media and CGI and whatever, they will pay for that extra value of security. But yeah, exactly. so because they get it, it's such a linear line between the data being stolen and them losing a lot of money on that particular piece of content. But so far, this tension between what's the lowest cost of getting my widget made
Patrick Spencer (20:27.79)
Interesting from a DRM standpoint.
Scott (20:49.018)
And then also providing security is not being, think most of the time it's very unintelligently done. It's like you win the business and then the supplier comes back and bops you over the head and says, Hey, here's your 50 questions. You need to do this in security. if they're one of our customers, we'll help them actually with that. but a lot of times, you know, the customer is like, okay, how do I do this as cheap as possible? Because I didn't really bid into the process. Like that fact that I've got to go buy an EDR, advanced email protection. I need phishing simulation security awareness training.
I need somebody to look at all this stuff. Like that just wasn't in the, you know, proposal. And some of these dollars are tiny. I'm paying me, Patrick, we'll come to customers and like, Hey, this is 70K a year. And they're like, yeah, that wasn't, can't, that wasn't, that, that, that takes away a lot of our margin. Right. So it's challenge. Yeah.
Patrick Spencer (21:30.69)
Hmm.
Well, the, I mean, we turn away people. We look at technology tools, cool technology tool. We'd love to bring it in from a marketing standpoint or operational standpoint. Sales. You probably do the same thing. They're not SOC 2. They, we can't use them because we have security standards in place. So simple things like that from a security certification, validation standpoint are important. Are you seeing more and more organizations using that to vet
potential vendors, vet potential third parties. And I mean, that's baseline SOC. Do you see FedRAMP coming into play? FedRAMP moderate, FedRAMP high. We just got FedRAMP high actually earlier this year and we're seeing them come in, which is hard to do as you well know in our audience knows.
Scott (22:14.642)
Good for you guys.
Scott (22:18.994)
Very challenging. I think SOC 2, SOC 2 Type 2, that's been around forever. I mean, we had at Symantec, you know, all those years ago we did it every year. It's, it's almost like we just, people just ask it, you know, and you know, some, some say, can you send it over? Yeah. Sort of table stakes. So I think it's one of those checkbox go, no go type things. I do think there is an aspect of liability that is offloaded from the customer.
Patrick Spencer (22:32.813)
Table stakes.
Patrick Spencer (22:47.79)
Hmm.
Scott (22:47.92)
when the underlying technology service provider has SOC 2 Type 2, you're like, hey guys, like, you know, like we did our due diligence. These are all the things, plus, you know, they have this. So it is a helpful, I guess, gating function in a lot of ways. And now I think FedRAMP, that whole game is a completely different game. We are not seeing so far a customer saying, I'm going to go into FedRAMP, you know, medium, moderate.
or definitely high unless they're being driven there. The only people with whom we've spoken that matters is they're like, are trying to win this deal in government right now. We're only going to win it if we're FedRAMP high. And so we're going to either use you because you're FedRAMP high and they can slow down the rules, slow down the terms from you all. Or they're going...
with like an Anisian or somebody that can get them into FedRAMP high like as a cloud stack faster.
Patrick Spencer (23:49.676)
No. Are you finding, know, we've had this, we've both been in security for a long time. Organizations that claim we're FedRAMP equivalent. You know, does it, which means they haven't gone through the audit process. They probably had someone on their security team go through the control and check them off. Do you find, you know, those are, false advertisers or that's what we claim to be the case. It's not the same as being FedRAMP moderate or.
whatever the validation might be.
Scott (24:19.973)
No, I have not seen that. The closest thing I've seen is saying FedRAMP accepted, which means they've been accepted into the process to become FedRAMP, but they haven't, they haven't checked, you know, gotten all the boxes checked or, know, they have a sponsor. I've seen that. I haven't seen FedRAMP equivalent or magical FedRAMP or I don't know what you call it. I personally haven't seen that. No. Yeah, that's right.
Patrick Spencer (24:28.718)
Program. Yeah.
Patrick Spencer (24:38.958)
Hahaha
Stay away.
Shifting gears a little bit, on your website you advertise, you know, there's four or five, six different things that you recommend as a baseline when it comes to security to an organization. It might be a startup, might be an organization that just doesn't have the right security processes in place. What are those? You know, what do you recommend?
Scott (24:55.979)
Mm. Mm-hmm.
Scott (25:05.958)
So there's a couple of things that, listen, the Pareto principle is like undefeated, right? 80-20. So there's always like 20 % of the things you can do that will get you 80 % of the bang for the buck. You gotta turn on your multi-factor authentication. Like you just gotta do it. And if you don't wanna do it, hire somebody to come in and help you do it. But you really need to make sure it's turned on and it's as ubiquitous as you can get it. Now.
The downside, and I know why people don't do it, is all the SaaS companies have realized this. And so there's always an up-leveled tier for your SSO and MFA, right? So you're like, oh, you know, and it's a ton of money. So it's like, oh, you know, we, love Monday. Not we, but we're just saying a company says, I love monday.com. I guess, you know, it's whatever $12,000 a year. Like, well, if you want the SSO version, you know, now you're paying 30,000. Right. And so I get it. Like it's the surcharge you're paying, but
Patrick Spencer (25:41.816)
Yep, and it's a lot of money. It is.
Patrick Spencer (25:54.894)
warning.
Scott (26:02.394)
So it's, I, I really do get it, but you really, it's like the, the fastest way to sort of getting yourself into a better position. You know, session, credential, session hijacking, all that's doable, but it's, it's a lot, a lot more challenging, a lot more challenging. So MFA and then I would call, we call, we call it the triumvirate. You sort of got to do this. You got to have good endpoint detection and response. You have to have advanced email threat protection. No offense to our friends at Microsoft and Google. They're both great.
But you need something on top of that that's really good at BECs and ATOs, business email compromise and account takeover. You want to be able to have visibility if a bad actor's inside of your email. And that's outside of traditional security provided by the large platform providers. And then this one is not sexy. You got to do it for insurance, with your phishing simulation security awareness training. It's a checkbox exercise, but we call it the triumvirate. Sort of, all three of those will always get asked about if you're trying to get your cyber insurance.
Which leads me to the fourth thing, which is you really should get your cyber insurance. There's no real reason why not. I just did a podcast myself on cyber insurance. The pricing has come down. It's a buyer's market. Now's a good time to get into it. So you really want to look at something like that. And then last, I mean, obviously I'm in this space, I'm preaching my book, but you really do need a partner. Like, do you really want to manage all this stuff? And obviously you need to be looking at it. Like all this stuff throws off data that tells you when something bad's happening. Like the ability to find
Patrick Spencer (27:15.266)
Interesting.
Scott (27:30.066)
threat actors, I mean, we use the best of the best. All the tools that we use are the best of the best. And we consistently find threat actors going around those tools and trying to get into organizations. So you have to have some sort of provider that helps you with those. And so those would be the five things. You do those and you're off to a really good start.
Patrick Spencer (27:46.808)
That's right. We asked some questions with Coalfire in our CMMC report we published a few months ago around engagement with third parties and the maturity of security as well as compliance within those organizations. Those that, guess what, had third-party experts helping them were a lot more mature than the ones that are trying to do it in-house and do it themselves. That's no big surprise.
Scott (28:06.778)
And Patrick, I get, like, I don't, I can't, I can't, there's so many analogies, but I have this joke, like it's Friday afternoon, I need to clean my kitchen. But you know, all my buddies are like, "Hey, I got a tee time at this really nice golf course." Right. Well, I'm not going to go, I sort of need to stay around and clean my kitchen. I want to go play the fricking golf course. And that's really security. Security gets consumed by the mandatory and the urgent. Right. And so
I tell everybody, I get it, you don't want to spend the money, but just set the money aside and get a really good partner that can help you with this stuff. It's just going to get it off your plate. Get it off your plate so that you have somebody that can protect you and help you when you've got problems. Get it off your plate and you're just going to be in a lot better spot. Have somebody clean your kitchen for you because then you know it's going to get done. You come home and you feel great.
Patrick Spencer (28:54.14)
That's right.
Scott (28:55.826)
I'm always trying to find an analogy for like, you know, but I don't know, golfing on a Friday afternoon always sounds fun to me.
Patrick Spencer (29:01.55)
Honeygar Kitchen is recording now. On your website, you guys talk a bit about your kill chain services or the kill chain. Can you talk a bit about what you do in that area and how do you stop it before the private data gets breached or to ensure that as little of that leaks out of the organization? And moreover, you know what actually leaked at the end of the day as well.
Scott (29:27.802)
Yeah, I think the core component is that what we do is well integrated. And so we talk about it all the time. There's not necessarily one thing that finds a bad actor. Now, I will say in today's world, identity is the number one threat vector. It's the number one. If you go and talk to insurance companies, like, yeah, 90% of the breaches happen because somebody got hold of admin, right? That could be.
That can be actual admin, can be an over-provisioned service account. So the ability to have really advanced user identification, behavioral analytics, all those really help with these more esoteric types of threats. And so the first thing is, if the bad actor is going around EDR, which is not uncommon in today's world, then you've got to be able to find it. The second thing is, on the EDR side,
you have a lot of capabilities that really allow you to find things that are not typical. So we had a customer that kept having a problem. The EDR kept finding it. We kept removing it and then we'd find it again, remove it. And then we kept going, how does this keep getting reinfected? So we actually did a complete threat hunt through the entire company, found multiple machines where the endpoint detection, and again, think best of the best, the top two EDRs out there. So these are good tech. We found multiple machines that had been infected where the EDR never even fired, never even triggered.
So it's this ability to also have some level of like, OK, this is how threat actors think, and these are the patterns that we're seeing. So we're able to run ourselves different types of attacks against it. Now, when we find something, we actually do response on behalf of the customer. So we will stop a process, quarantine a process, quarantine a machine, we'll back a process, anything along those lines. And we're about to launch identity-based responses. So we could actually push in a password reset, MFA reset, things like that for the customers
for identity-based attacks. So that's coming out soon too. And so it's those types of things where you're really trying to find the foothold and get it corralled before something really... We had a zero day in a customer. We ran a threat hunt once we realized how the zero day was operating. Sure enough, they got popped and we were able to get it corralled really quickly for them and get it cleaned up before anything was really leaked. So it just happens.
Patrick Spencer (31:48.014)
So your security approach is going to be different if you're a global business versus a regional versus one that just operates within a locality if it's a startup.
Scott (31:58.022)
Mm-hmm.
Patrick Spencer (32:01.26)
What differences do you have when you're trying to implement a security program that makes sense for your business in those instances? How do you work around those parameters? How do you, your risk levels around data security probably vary based on that model as well.
Scott (32:19.666)
It's a really good question because
You can be, you could be like almost an entirely SaaS-based company. So let's just say you're a hundred employees. You could literally have almost nothing that wasn't SaaS. And so really you're just trying to protect your access into the SaaS platforms. 'Cause obviously you can't dictate to, you know, Salesforce how to, how to secure Salesforce. Right. So, so in those particular cases, you actually have a relatively constrained domain with which you're trying to secure your organization.
Pretty easy to get cyber insurance. You're in a pretty good spot there. Obviously multinationals have all kinds of other things. So the problem we see with multinationals is they get, it's very easy for them to get caught up in an unprogrammatic approach. And so what happens is they're getting sort of yanked from fire to fire to fire and they're never able to really get their feet under them and say, okay, we're going to run an assessment, right? And so I say, where are all my major gaps, right? And we're going to try to get like fire,
you know, lanes built in so that we can at least try to make sure that stuff is under control. And then we're going to take a programmatic approach to fixing, you know, the major problems. And that's really, when we talk to the multinationals, they're just not in a position where, the ones that are having problems, they're not in a position where they've been able to programmatically address security across the organization. A lot of times somebody new has been brought in. We get, we get, for whatever reason, we get a lot of, like, "I'm a new CIO. I'm a new CISO. We're really trying to get our hands around this," you know.
Patrick Spencer (33:42.766)
Never.
Scott (33:51.922)
The company grew, we bought a bunch of companies, whatever the reason is, and now they're, yeah, exactly. So it's, there's companies that tend to do well, you can ask them and they'll be like, yeah, you know, here's our program. Here's the stuff that we haven't done well. This is our, we've recognized it. Yeah, it's documented. I know where everything is. I know where the bodies are buried. We just can't uncover them all today. So we're just going through and picking which body and which location, and we're just making it consistent.
Patrick Spencer (33:54.402)
Yeah, analysis and assessment. Yeah.
Patrick Spencer (34:08.174)
Fully documented. Yeah.
Scott (34:19.858)
You know, those are easy customers for us to work with because they tend to know what they need. And if we, you know, and they're like, yeah, you guys provide it. So bang, let's go, and then help me get these other things or not. 'Cause I'm going to go take care of those because you guys are taking this other stuff off my plate. The harder, candidly, the harder customers are the ones that are having more problems, but they're almost so overwhelmed that we can't really get them to like, okay, let's, let's walk through. Yeah. Stop for a second. Yeah, exactly. Yeah.
Patrick Spencer (34:33.325)
Interesting.
Patrick Spencer (34:40.878)
Stop and think.
Interesting. Now, you know, one last question here. I'm curious to hear your answer. Your background in cybersecurity, the route, the journey that you've had professionally is a bit different than the typical journey of the interviewee that we have on, on Kitecast. Usually they're a CISO. They maybe have started their own business, but they were formerly a CISO. That's not how you got to where you're at. So talk a bit about, you know, your journey, you know, and how you ended up where, where you're at and how you build a highly successful
and cybersecurity.
Scott (35:16.154)
Yeah, I, some of it is, is, it's still interesting the path that gets you to where you are. But one of the things, it's hilarious. So when I get asked by like kids and what have you, like, what does it take to be successful? I have this, I call it talent stacking, right? You want like, you either need to be the Michael Jordan, right? You need to be so good that people can't ignore you in this one thing, I said, but for most mere mortals, you need what I call talent stacking. I said, one of the luckiest things that happened to me is the university I went to
mandated four years of speech courses. It wasn't, and I hated it. It was like one of the most, like the first speech is a three-minute icebreaker. And I was terrified, Patrick, terrified, sweating, just, I mean, I was an introvert, right? I was an introverted engineer. And so, but probably one of the best things that happened to me. So when I came out, I was deploying security networks and I kept getting asked to go see customers. And there wasn't really a sales engineer as a concept back then. So I was,
Patrick Spencer (35:51.992)
work.
Scott (36:14.77)
deployment, but when customers would ask about the security around the web infrastructure, I would get dragged out there and I'd explain what we were doing. And so my background is probably technical enough these days to still understand obviously what's happening. But I spent so much time on the business side. And I think, you know, and then on the, I don't even want to call it sales. I don't view myself as a salesperson, but on something customers try to solve problems, right. And trying to
explain it in ways that they understand. And if you can do those two things well, then customers tend to buy it, right? And so I think that really was the path. I got sent to Asia. And it was really a general manager role to set up security operations centers, help customers in region understand what managed security services is, and then obviously help them close and then deliver the capability. So it was a really nice fit for my skill set because I like the business,
Patrick Spencer (36:46.99)
Strategic versions.
Scott (37:10.802)
you know, the business aspects of a business, how they work, you know, I like helping customers, you know, one of the, one of the best things is to get a customer, have them installed and up and running. And then something happens, like, "Oh my God, thank God you guys are there. Like we would have never known that before." Like that is, that's one of the best things ever. And so that, the whole 360 is interesting to me. And so what I tell anybody out there, and even if you want to be a CISO and then go to CIO or whatever, if you can, if you can become a really good project manager or run a program well.
Like take that skill that you have natively in tech and then buffer it with one or two others and you become indispensable. And that really, I think, is the secret sauce because most of us, there are very few people that are such a genius. I mean, there's some people like in communication, absolutely geniuses at the ability to articulate an intelligent thought. But most people are okay or bad. And then they have another skill, which is maybe good at security technology or technology in general, right?
I really do think that for most people, my journey's followed that, which is a subset of skills wrapped around technology that I find interesting that's allowed me to have success.
Patrick Spencer (38:20.622)
That was a great recommendation. Quite true and applicable across different occupations, not just cybersecurity, obviously.
Scott (38:26.724)
Absolutely. 100%. Yep.
Patrick Spencer (38:28.898)
Well, we're unfortunately about out of time, Scott, but before we do so, one, how can folks find out more information on your podcast, where do they go? And then two, how do they engage or communicate with you? I suspect LinkedIn is a good starting point. And then, you know, where do they find your company?
Scott (38:45.17)
All of the above are true. So SolCyber, S-O-L like the Spanish sun, solcyber.com. Find us there. Obviously I'm on LinkedIn, Security Shorts with Scott, on LinkedIn, on our website and on YouTube. And then obviously Scott at SolCyber.com. You can get me there. So happy to talk with anybody that wants to come over, has questions on MSSPs or cyber insurance, any of that stuff. Happy to engage and help out.
Patrick Spencer (39:13.048)
That's great. I really enjoyed today's conversation. It's good to reconnect after all these years since leaving Symantec. So thanks for your time.
Scott (39:20.562)
Patrick, I appreciate it. Absolutely. It's funny how the, do you remember James Mobley? You know, so he and I were emailing the other day. It's just, it's such a small world in the cyber space. So it's super good to see you again and reconnect and chat.
Patrick Spencer (39:25.838)
Yeah, dude.
Patrick Spencer (39:33.998)
Yep, absolutely. Well, thanks to our audience. We appreciate you listening to another episode of Kitecast. You can check out other episodes at kiteworks.com slash Kitecast. Look forward to having you on our next show.