HITT – Understanding Blast Radius and Cybersecurity Opportunities in Client Environments

ICYMI – Blast Radius: The Opportunity Inside Your Client’s Expanding Risk   

Sumera Riaz and Trevor Burnside unpacked “blast radius” (depth, breadth, duration) — how AI, cloud, edge and unmanaged SaaS expand risk faster than security. Use their quick discovery questions to open nonfearful security conversations and request an intro to new supplier Risk Cognizant (AIpowered security intelligence) in Telarus Hub.  

Action: Ask one discovery question on your next call and visit Telarus University for cybersecurity training.  

Transcript is auto-generated.

Let’s shift our focus from the future of our industry to one of the biggest conversations happening today. Please welcome Sumera Riaz, VP of cybersecurity, and Trevor Burnside, solution architect for today’s presentation. Sumera and Trevor, thank you for joining us. The floor is yours.

Thanks. Thanks, Cass. Hi, everybody. Hope you guys had a great fourth weekend. Fireworks were amazing this year.

I was in Frisco, Texas, and we had a whole drone show and then fireworks. It was absolutely amazing. Trevor, how was your fourth?

It was great. We I mean, a lot less fireworks this year. There’s a lot of fires going on in in Utah, but still great nonetheless.

Awesome. Yeah. Great to be back on the hit call.

Yeah. Same here.

Chandler, can I drive the there we go? Here we are. Alright, guys. Today, we’re gonna talk about the blast radius, the opportunity hiding inside your clients expanding risk.

In the next thirty minutes, you’re going to leave with questions that are gonna open security conversations and grow your book of business. Don’t worry. I know it’s called blast radius. It is not a doom session. We’re gonna have lots of fun today.

This session is about helping your clients find gaps before they find them the hard way. Right? So my name is Sumera Riaz, VP of security. My sidecar today is Trevor Burnside, our amazing security architect, and we’re gonna dive right in to slide one.

Let’s see if I can do that.

Here we are. Alright, guys. So our objective today is identify clients whose attack surface has grown faster than their security program and that open a conversation about exposure before an incident forces it. That’s it.

That is the whole session. Everything else from here is just evidence. Your clients, they didn’t do anything wrong. They grew their business.

They added tools. They moved fast. The security program just they didn’t get the memo. So that is where our opportunity is because the solutions today are scaling a lot faster than security for them is.

So that’s where we’re finding gaps and helping clients build a better security posture so they can protect what they’ve worked so hard to build.

So every tool, every AI tool that’s added into an environment, every cloud instance and edge device, it expands our it expands the risk. And a lot of times, CSOs or security leaders don’t really realize it because they have a perception of their environment, but it’s not really the reality. For example, you guys know I have a twelve year old son, Ethan. And when he was four, we took him, you know, first day of preschool.

Now Ethan has been in the school five times before. We walked through the class, met everybody. His first day of school shouldn’t be that hard, but we get there. We go through the front door.

There’s a sweet little receptionist lady sitting there, and she gets up to give him a hug, but she’s super pregnant.

And I’m an older mom, so he’s not really seen a lot of pregnant ladies or, you know, had had a lot of time with babies because most of my friends, their kids are older, out of the house.

So this is the first time he’s actually seeing a pregnant lady. So she comes out and she wants to give him a hug but she’s super pregnant and he’s just looking at her and I’m like, oh man, this is not gonna end well. And she goes and she’s like she’s very sweet. She goes, oh, honey.

It’s okay. There’s a baby in here. And Ethan screams, clings to me, and then runs for the door screaming, everybody get out. She eats babies.

And, yeah. The kids were yeah. It it was a mess. It took him a week to get I it took me a week to get him back in and, you know, that whole thing. But, man.

I anytime I think of perception versus reality, like, that is kind of that picture of that day just keeps popping back in my head.

And that is exactly kinda where your clients are today. You know? They see they have a perception of their environment today, but it’s not really the reality. They don’t have the context. And it’s because they can’t you can’t see which you can’t secure what you can’t see. Right?

What do you think, Trev, on perception versus Yeah.

A lot of I mean, this reflects a lot of what we’re talking about with clients, and I’ve I’ve been talking lately, you know, with CSOs, IT directors, you name it. Right? We we have these conversations every week, multiple times a week about if I’m adding you know, our organization is is expanding so fast into different technologies and the AI and they’re trying to adopt these different things That it’s faster than I can I can see the risk and mitigate the risk and know what’s going on? So sometimes they’ll bring up, I just don’t have visibility into this anymore.

I don’t I can’t see my network traffic anymore. I don’t know what’s going to you know, if I bring this in, it’s it’s gonna be a black box that I can’t see. Right? So that visibility is a big deal.

And and sometimes people especially when you’re talking to clients and decision makers, they’ll just say they have a lack of visibility rather than explaining their whole problem set. And so that’s really where we get involved is, okay. Let’s break that down and see where we can help, rather than it just be something that they feel like they don’t have, you know, any way to to fix or change. Right?

That that’s an area that we can certainly help.

Yeah. And, I mean, the stats prove it. Right? So this is from this is recently from Proofpoint and then the voice of CISOs twenty twenty five.

Again, twenty twenty five numbers are just coming in. It takes a few months for them to the the people who run the stats, the analysts, they take all the data from last year.

And then during the first h one of the next year, that’s when you’ll see the updated stats come out. And I thought this is so interesting that from twenty twenty five, fifty eight percent of CSOs feel unprepared to respond to a cyber attack. And it because in today’s day and age with AI expanding and cloud going to the edge, it’s become pretty interesting battleground that we haven’t seen before. And seventy six percent of them believe that it’s likely that they’re gonna get an attack in the next twelve months.

These these numbers haven’t been this high before, and that’s what kinda caught my eye. Like, five years ago, these numbers were very low. They were in the twenties or thirties. Right?

And now we’re seeing a spike in these numbers, which is very indicative of the market where it’s heading.

So very interesting. And what what is the good side of this is they have you guys, your advisers in in their environments already to help them. Right? Because that’s that’s the big thing right there.

You’re already selling them a voice solution. You’re already selling them network. Already selling them cloud. It’s just the next right thing to say, hey.

I know we’re adding we’re adding toolings. We’re adding new services into your environment. How do you plan to secure it? What does that plan look like?

And throughout this session today, throughout the next twenty five minutes today, we’re gonna dive into some discovery questions, just keeping it real. How do you open these conversations and prep you for your next client calls?

And something I’d say just real quick, you know, before we get we’re gonna get into some technical stuff. But, really, when we’re, you know, looking at those statistics, some of the things to consider I was actually talking to a CSO yesterday and started a call in the morning. We’ll say, know, hey. How’s it going?

He said, it’s Monday morning, and I work in cybersecurity. How do you think, you know, my day is going? Right? Like, it’s a stressful field.

And, know, when we’re selling security, we’re not selling email, you know, security. We’re not selling MDR. We’re not of of course, those are technical things that we have within our tool belt, but we’re selling is confidence in their security posture, waking up, not feeling dread that they’re going to work because they work in cybersecurity. That’s really what we’re trying to help people with is these business conversations that the technical controls can help with.

But, really, what we’re offering is confidence in their security posture. And I think if we focus on that, that’s where we really can be a trusted adviser.

It’s a hundred percent. And that’s you know, having sat on the other side of the of the table, your amygdala is hijacked. You’re in fight or flight mode every single day. You’re checking your phones at night, making sure, you know, everything is on the up and up.

It’s you you’re helping, like, to to your point, Trevor, so true. You’re actually helping the person and help their environment, you know, at macro level. So, yeah, there are email security solutions. There’s all these solutions, but we want you we want you to help your client help your clients take a breath.

Like, pull them out of the mess they’re in. Help them to see the bigger picture because that’s where good decisions are made. Right? So blast radius is very simple.

It’s borrowed the word is borrowed from basically physics. Right? When something detonates, damage doesn’t stay at the point of impact. It travels.

In security, how far it travels depends on what the attacker can reach from the first entry point. Think of it like a gas leak in a building. Right? The leak itself is not the disaster.

What matters is how far the gas travels before somebody lights the match. Nobody panics about the leak. They panic about the match.

See where I’m going with it? It’s it’s not the it’s really not the leak. It’s what can that leak cause. That’s the blast radius.

So the blast radius, basically, we’re gonna look at three different aspects of it. What is the depth of it? How depth basically means is, for the blast radius, how far can a a bad guy go if they’re in an environment? One credential to admin level access to everything.

It’s it’s like a very bad elevator. Right? Right? We went to Disney a couple weeks ago with Ethan and that if you guys ever been to that there’s this elevator.

What’s that called? The house of terror or something. It’s an elevator, and it just drops. It’s, you know, it’s like a cluster a person who’s claustrophobic is their worst nightmare.

So this is kinda like that, far and deep it can go in very bad elevator ride. Breath, how many systems kinda going wide? How many systems get touched with an attacker being in the being in in the environment? One breach that becomes many.

It’s like it’s a lot like telling one person a secret in the channel. That’s it. That’s the breath. How far is it gonna go?

It’s endless. It’s gonna it’s gonna go far.

And then the duration.

How long before somebody notices? Every day of dwell time so when attackers in an environment undetected undetected, it’s called dwell time. They’re dwelling in that environment. So every day of dwell time multiplies the damage.

The average attacker is inside a network for over two hundred days before in detection begins. And that is not just a breach. That is Trevor, that’s like a long term relationship nobody agreed to. Right?

Yep.

One one thing I like to think of, and this is an oversimplification, but I I explained it from, like, the layman’s term, right, of, like, when you think about risk or or blast radius, it’s like, what’s the worst case scenario? Like, what’s if, you know, this tool or something were to happen in the system and it can compromise other things, what is the worst case scenario that that can do? Right? What does it have access to, and then what’s the worst thing that could come from that system?

I see this on LinkedIn all the time actually of, like, agentic AI risk. Right? Of, like, you connect it to a database, and then that agent decides to do some simplification, and it deletes the database. That that could be the worst case scenario that you have.

Right? So then you work backwards and think about the mitigations. Well, can you back up that data? Can you back up the database?

Of course, you could.

Can you do it in a place that the AI doesn’t have access to?

Yes. So we’ll get into that a little bit as far as mitigation, things like that, but that’s kind of one layman term to think of it. Again, a little bit of an oversimplification, but a way to think of what what a blast radius is.

Yep. Exactly.

So oops. I wanna go back one. Let’s see if I can do that.

Chandler, can you help me go back a slide? There we are. Thank you. So why did the blast radius grow?

What we just define what it means. It’s kinda kinda where how far an attack and spread is basically your blast radius. But why did it grow actual in reality?

Why the business grew faster than the security program did. Right? That’s basically why it grew. My favorite saying I’ve been saying recently is the laws of our land have not caught up with innovation of man, which is, you know, it’s it’s been true in the last twenty years in security that we’ve seen. What do you think, Travis?

No. Absolutely true. And it’s going faster and faster, and I think that’s one of the things that’s unique right now when it comes to you looking at the the the risk and the blast radius of, you know it’s not just adding, you know, one or two things. It’s you you know, especially when you’re looking at agentic AI that you’re connecting multiple systems and also very you know, you’re in some cases, the crown jewels of the business.

Right? Your the data that that business is generating, creating, and then connecting AI to it. You know, sometimes people say, well, I I I don’t have the visibility. I can’t quantify the risk.

The or it’s too complex to even quantify.

And some I’ve had those conversations where where business leaders think the risk is too complex to even quantify that I can’t do anything about it. And then they get into analysis paralysis of I I’ve gotta do these things. I know I have to keep up with the market, but I can’t quantify my risks. So if I can’t do that, then I can’t move. And then it ends up being this kind of vicious cycle of, you know, the board saying we gotta do this, security can’t approve it, and no one’s really going anywhere. So and that’s really where we can inject.

Yep. And that’s so true. A hundred percent true. And so here with the AI risk, think about Copilot, ChatGPT, every shadow AI tool your clients’ employees adopted without the IT team knowing about Right? These tools are connected today to email, to CRM, to internal documents. It’s kinda like hiring a new employee, giving them all the access to everything, and skipping the background check entirely.

Nobody thought that was a problem until it was. Right?

So it’s it’s it’s that AI governance and security measures around this is so critical.

What do you think about the cloud risk?

Trev?

Is it when you look at well, from cloud risk historically, right, where when we everyone just kinda jumped to the cloud and security was an afterthought. I think we’re looking at AI differently in the sense that people we we’ve learned a little bit from that cloud jump that there is there is risk to that. And the AI side is not necessarily going the same way where everyone’s going to AI and then thinking about security as an afterthought. The the larger organizations are seriously putting security as a as a barrier to entry into some of these things, which is, again, an area that we can help.

On the cloud side, though, there’s some differences when it comes to enabling.

Because we have you know, the cloud’s been going on for over, you know, a long time now. We have security controls built in that can help on AI adoption. Whereas if you’re doing it yourself, you know, on prem, things like that, there’s still some things that we need to work out. Again, I don’t I don’t wanna get too technical there, but if for organizations that are already in the cloud and have addressed their cloud security, there’s some simpler ways that we can start building AI that can also address the security controls in place.

Awesome. There’s a great question in the chat as what solutions do does Telarus has for all the risk that we’re talking about?

There are so kind of a teaser going into it. Susana later is gonna share do a hub dot a hub demo for us.

You can get it through hub or email one of us. We have great security solution providers within our portfolio that can provide coverage for all the risks that we’re talking about today. So there are tooling, there’s security as a service. There’s so many solutions that exist now that can actually help CSO and the security team have a stronger program.

So lots there. Sally, to your to responding to your question there, and log in to the hub demo. Email one of us. We’d love to get you introduced to some of the providers who can help your clients out.

Yeah. We we are consistently adding new suppliers specifically in in the AI risk category to address certain things because not you know, there’s not one solution that’s gonna be a good fit for every customer. Customers, you know, based on size, scope, where they’re deployed, what they’re doing, their industry that they’re in. There’s there’s so many variables, and we have really tried to address that market and bring in a lot of vendors that can can do very specific things, whether that’s, hey.

I just want a platform because I’m a very mature organization. I can handle this. I just need to manage the platform. We can do a platform.

We can do professional services where someone can parachute in and identify the risks, give a report, and let that organization mitigate those risks. We can also do, you know, full migration into a compliant environment to be able to take advantage of certain things. Again, just depends on the the appetite of the organization, what they’re willing to do, what they can do, but we have solutions really across the entire spectrum at this point, and they get added literally weekly at this point. We’re adding solutions to this kind of portfolio to to address it.

Hundred percent. And then I love David’s question in there. Is this why the move to edge computing? The devices that are built without security.

Right? The edge devices. So what happened is when when cloud came on the scene about fifteen years ago, I think, it was around that time. Fifteen sixteen years ago, when cloud came on, it launched into the world.

We we were used to having a centralized location for our infrastructure. We had data centers. We had servers in a closet. We had, you know, in the basement, had servers.

We had server rooms. So it it went from on prem, and you could throw a firewall around it. We had DM ads. We went from that on prem into cloud where we can’t see our perimeter.

It became invisible. So we took our cloud compute, and we put it in we took our compute, put it in cloud. It’s still centralized. So centralized on prem.

It’s centralized in cloud.

And then a shift happened into edge devices where we took the cloud compute, and now we’ve moved it to the edge in many different devices like phones, like MRI machines, warehouse scanners, a building thermostat. It’s all sitting on the same network as the core business, and none of these devices can have CrowdStrike or Defender deployed on them because it’s too heavy of an endpoint agent. Right? So you can’t really deploy they can’t run these endpoint agents so that device then itself becomes a risk, and it’s running on pretty much the same it’s running on the same network, the primary as the core of the businesses.

So what security folks do is we we we put layers around it. Right? So defense in-depth, we layer it out. We have SASE.

We deploy on the network. We deploy zero trust access, identity better identity access management. So we try to try to hedge against that one one risk. But, again, it’s it’s it go it can go so far wide and deep.

If you just miss one thing, It’s kinda, you know, you’ve you’ve you’re opening yourself up to an attack at that point. That’s why this edge compute is becoming more of an issue than, you know, almost every call I’m on with clients. But that’s one of the things that they are talking about is how do we protect our environment from all these IoT, OT devices that we have today?

So very good question there, David. And, again, we do have suppliers within our portfolio that help manage that risk.

Anything you’d like to add there, Trevor, on the devices?

Yeah. I would just say, you know, it kinda to the point that we’re talking about that that, you know, these businesses’ needs are growing faster than the security program. A lot of times, people are I’ve been talking to customers that say we just redid our identity access management, you know, process. We’re happy with it now.

But now we’re adding AI agents into the mix, And a lot of these identity access management processes, workflows, tool sets are built around humans and human anticipating human action rather than these agents. So sometimes people, they’re just getting through adopting something and already, you know, things are changing because of of the business needs. So, you know, in all of these areas that we’re talking about, AI risk, cloud risk, IoT, OT environments, Everything is really up for grabs at this point. And if you’re not asking these questions with your class customers and clients of you know, even if you’re like, oh, they’ve got Okta.

They’re good. Well, they may not be good. They may have other the business might be moving in a different direction, and they may need to adapt and change.

So I I think sometimes I see too often that we make assumptions that, hey. They just did this or that, you know, they just got a CSO, or now they’ve got a, you know, a security analyst on staff now as a full time employee. They’re good. Right? And and that’s not necessarily the case.

Yep. And Thomas has a good point in there. With FTE, could you verify their own security? FDE is basically full disk encryption. It protects data at rest. Unfortunately, it doesn’t do much to verify the security controls that are working against an active threat, but it’s one of the layers that is used in order to kind of, you know, bolster your posture against an attack. So good point, Thomas.

So blast radius and action. There are three client so these are real examples that we’ve seen in the last month that we wanted to bring to life today. Three gaps and but one pattern throughout the whole thing. Right? So the first one, Trev, I’ll give a high overview on this, and I know you and I have worked on all three of these examples together, so I think this is so timely.

So the first one was a regional bank. Right? Four hundred employees with copilot and no data governance policy.

It’s I mean, I make light of it, but attacker basically came in wearing a visitor badge that said trusted employee, and nobody stopped them because nothing looked wrong. Deploying Copilot without guardrails, you know, can get gets companies in trouble all the time. So, Trevor, I’ll let you expound on that opportunity, and then let’s talk about the blast radius at that point.

Yeah. So Microsoft comes with some native tool sets, right, that can help with some of these things. Microsoft Purview, you know, the e five licensing includes a lot of these certain things, but they’re not fire and forget. They’re not just set up and and it works and and, you know, it it’s not necessarily easy.

Now these things can be done. And so, you know, a lot of people are paying for the things, but they don’t you’d be surprised the amount of people that we talk to that say, we’re all in on e five. And I say, okay. Do I you know, where are you at in Purview?

Well, we’ve started it. We’ve dabbled. You know, the there’s also certainly amount that are that are consistently using Purview, but it’s an area that if I’m an adviser, I would always be asking about because we do have options specifically around the Microsoft ecosystem. Lots and lots of options around Microsoft ecosystem that can help customers with their posture, with enabling the tool sets that they’ve already made an investment in, and this is certainly the case of that.

They were looking at Copilot. They’re looking to do it in a compliant manner, and we have to look at, okay. Is the way you have it set up, are your controls compliant to what you have to be held to, especially as a as a bank? Right? They they are held to certain rate compliance requirements.

And just because you’re you’re buying Microsoft doesn’t mean you’re automatically compliant. You have to make sure that it’s set up that way.

Yep. Hundred percent. I’m gonna pause right there. Kenneth Fryer has a great questions. How do we go back to customers that have already sold AI services and now talk to them about security without scaring them out of using AI?

What a great question, Kenneth. Top of mind for everybody, I’m sure, is AI isn’t scary. Right? AI is a great tool.

It’s the people who are who are managing the AI that can sometimes be not so good. Those are, like, our threat attacks, our attack the attackers that come into the environment. So very good point.

I usually lead with not fear, not doubt, not uncertainty when it comes to technology. Technology is simply away from getting to from point a to point b faster. Back in the day, everybody walked everywhere. Then the wheel was created, a wheel where people got to where they wanted to go faster with a horse buggy carriage, then we had cars.

It’s just that’s what technology is. It’s simply getting from point a to point b faster than we did yesterday. If you look at it that way, yes, you’re you’ve sold them AI tooling. You’ve sold them AI solutions, which is amazing.

Because you’ve done that, you have earned the right to ask for that security business, to have that security conversation. To say, hey. I was reading an article that, you know, on that Sumera wrote, a blog that she wrote about the risks that AI can bring. It does a lot of good things, and then we just gotta manage what’s what what it could bring in a possible risk into your environment and just go through that.

And, again, if you guys need help, call one of us. We’ll happy to jump on a client call with y’all and walk through that together. I hope that answers that question, Kenneth.

Scenario b. Yeah. Go ahead.

Yeah. I would I would just say every solution within technology, when you look at CX, you know, contact center, network, whatever it is, there is a security con consideration flip side of that conversation. Right? And even if you’ve already sold AI and you haven’t addressed the security side, there’s certainly a conversation we have that says, hey. I know you guys are forward thinking and and how you’re advancing.

I’d love to be part of that security conversation and make sure that, you know, if you guys have concerns or that you, you know, that you’re addressing your security risk as well, and we have solutions for that. It could be a really easy, light conversation to get into the door. It doesn’t have to disparage what you’ve already sold. Could just be complementary to it, and I would frame it that way. I know it’s probably easier said than done. Depends on what you sold, but happy to help there too.

Yeah. Hundred percent. So scenario b, the logistics company. Right? It’s that was was it eight SaaS applications that they have that their IT team did not manage?

And it wasn’t a technology problem. It was a prop it was a process. Right? Nobody told IT problem.

That’s what it was. And yet Finance had deployed eight different SaaS apps that we’re using. It’s a it’s a very common problem we see. Right, Trev?

Yeah. Absolutely.

A lot of what we’re accent or the the problems right now is from, like, hey. What applications are you actually connected to? And so we when I get involved, it’s very technical on actual getting into the blast radius. Okay.

This application does this, and it has access to this. What is the what is the implications of that? And that’s what a CISO is gonna be concerned with. That’s what an IT director and and decision makers are gonna be concerned with of if I connect my flawed coworker to HubSpot or to Salesforce or to whatever, what are the implications?

And that’s where we help on if there’s an issue here. And, actually, I’d say something that comes up quite a bit, this isn’t this scenario.

But, hey. I’m using this application, and it just came out with an AI tool inside its thing. If I connect it, what are what’s my visibility or what are what’s the the blast radius of using this third party application’s AI with my dataset? That’s somewhere we can help, and that that’s a conversation I’m having weekly.

Yeah. Hundred percent. And then the manufacturing company, three hundred connected devices on the same network, segmented as corporate IT. It’s a flat network, and it’s one hop from a domain controller.

It’s you know, that’s just a common thing we’re seeing. Right? Explain the blast radius on that one, Trev.

Yeah. A flat network is we run into this all the time. I I can guarantee you all are working with customers that have a flat network somewhere.

It it’s very, very common.

Network segmentation is one of the first things they should be doing. You know, you’re getting into all these, you know, crazy stuff with you lately, you know, of hey. We’ve gotta do this. We gotta not zero trust is not crazy, but we gotta do, you know, the most advanced thing, and yet sometimes people still have a flat network, and they really should be addressing some of the smallest stuff.

On the blast radius there, if I’m a if I’m a bad guy and I get into the network and it’s flat, I can see everybody. I can send out a message, you know, essentially, and and see all of the different devices, systems, and I have access to those. That’s that’s a bad day. Right?

We wanna make sure that they’re segmented and people only have access to the things that they need. And if I get into that network, I I can’t send out essentially a message and find all the other devices on the network.

Yep. There’s a great question in chat as well with from Isaac is can you can you route the IoT devices and all the edge devices through firewalls? Isn’t that a good security solution? Yes.

It is. And said, aren’t all Internet local services passed through a router firewall and access to a local network? Yes. We do.

The the issue that we’re you’re absolutely a hundred percent. Yes. You can route it through the firewall. The problem where it exists is encrypted traffic.

Right? So a firewall can is can’t inspect what it cannot see. If it’s got encryption, command, or control traffic from a compromised device, it bypasses that policy gets in unless the SSL inspection is deployed, which an endpoint cannot be deployed an endpoint agent can be deployed on that device, unfortunately. So that’s where the risk comes in.

A legitimate looking traffic or compromised device communicating on an allowed port and protocol looks normal and the firewall lets it through, and that’s where, you know, you can we deploy OT specific anomaly tools like Nozomi, Dragos, they can add value on top of the firewall. So those are the defense in-depth layers, which you can also find on our cybersecurity landing page where on the defense in-depth, well, how layers come together And that hopefully, that will expound on that. And then also if you, you know, reach out to me directly, we can put a call together, and I can kinda walk you through, the back end of it.

Alright. So, our give me one second here. Let’s go back to our questions, the discovery questions. There we are. So this is kinda where we wanna land at. These are the questions to ask your clients on your next five calls.

Awesome questions. Some of these are, you know, some of the favorite ones. Trevor and I use these almost in every calls nowadays. So question one is, when did you mister client, when did you last map employee access controls to data and tooling in your environment, including AI tools and cloud applications, your business units adopted without IT?

That is a great question because, one, it is it’s it’s surfacing ungoverned access across AI and cloud. Right? It’s not a hard question, but most clients will not know the answer because they genuinely they don’t know, and that’s where you’re gonna find the opportunity. Question two, Trevor, you wanna take that one?

Yeah. If one employee credential was compromised today, what is the furthest point in your environment an attacker reaches before you detect it? So that that’s a good indication, right, of, okay, of a scenario if I’m you know, where you can place your customer where they have to start thinking, okay. What do I got in place?

I’ve got email security. I’ve got this. I’ve got this. I’ve got this. If one of those credentials is compromised, how long is it gonna take, or what could they do until I know about it?

And it should be immediate. Right? Like, we should know, a, When credentials compromised so that we can remove remove access, post isolate, whatever you wanna do. But it’s gonna put your customer in a position to think, okay.

If I don’t ever know about that, that’s a problem. Right? And then you’ve you’ve Exactly. You’ve shown them they have a problem.

Yes. And my all time favorite question is the last one. If your environment looks differently today than it did eighteen months ago, how has your security program kept pace with that change?

That’s the one. That’s the client who looks at the ceiling at this point when you ask this question or who start listing things that they haven’t done yet, that’s the opportunity right there. So I would love to know from from you guys which one of these three is your favorite, which one of these three are you gonna try out this week, throw it up in chat, and I’d love to hear your feedback. And I’m getting the the eyes from Cassandra is, come on, lady. Move along.

So I always love listening to you both.

You guys have such a wonderful outlook when it comes to cybersecurity cybersecurity in a way that it makes it a lot more digestible than some other folks that we’ve, you know, seen talk about before. So I can from chat, you can see there’s a lot of folks that are absolutely going to be using all of these this week. Eduardo, he’s absolutely on it.

I know. Number three is my winner. Like, that’s the one I use a lot. And it that that question right there, you’re doing it’s doing a lot of work in the background in in their in the client minds. All you have to do is ask that question and just sit there. Just be silent and let let that do let your client do all the talking.

And here’s just an opener that you can use as you open conversations for you guys if you want it kind of a cheat sheet. We work with clients to understand where their exposure has grown before an incident, not after. Given what you have added in your environment in the last eighteen months, this is a conversation worth having. Right?

It works because it’s not fear based. It’s forward looking. It creates urgency through relevance to Kenneth’s point earlier. We’re not wanting to scare anybody.

We want them to have the warm and fuzzies to keep coming back to us, and it opens the door to, at the very least, an assessment conversation and, hopefully, going all the way to creating a good security posture through MRR, for them. So that’s our wrap up for today, guys. Can’t wait to see you guys in another four weeks.

Well, again, thank you guys so much for being on the call. And, also, to all of the advisers, remember, you don’t have to navigate those conversations alone. Whether it’s cybersecurity, compliance, risk management, or even AI, you can always utilize the solution engineering team to help. And, of course, don’t forget, if you would like to see, like, real world examples of our engineers helping, you can always check out inside the win case studies and our podcast for how, you know, Sumera and Trevor have obviously helped a lot of our TAs in the past.

In fact, if you’re actually looking to reinforce what you’ve learned today to kinda strengthen your cybersecurity, like, conversation even further, I’m gonna go ahead and post in chat. Be sure to check out our cybersecurity sales and our cybersecurity product and tech courses in in Telarus University. There’s a lot of information in there, especially if you aren’t familiar, but you wanna get more familiar. Those are the courses and the learning paths that you’ll wanna take.