Ep. 210 – Compliance Isn’t a Cost — It’s a Revenue Strategy with Dan Desko of Echelon


Most organizations miss the huge revenue potential hidden within cybersecurity—until now. When compliance is viewed not just as a checkbox but as a strategic asset, it opens doors to new markets, wins government contracts, and builds unbeatable trust with clients. With cybersecurity expert Dan Desko sharing insider frameworks and real-world insights, this episode reveals how to turn your security posture into a competitive edge that drives revenue—not just a cost center.

You’ll discover how compliance frameworks like SOC 2, ISO 27001, and CMMC are evolving beyond mere checkboxes into tools that differentiate your business in crowded markets and help you unlock new revenue streams. Dan breaks down the critical difference between cybersecurity and compliance, explaining why understanding this gap can empower you to position your organization as a resilient, trusted partner—attracting lucrative clients and contracts.

We explore practical tactics for using the tactics, techniques, and procedures (TTPs) of active threat actors to conduct more realistic security tests. Whether it’s adversarial emulation or red teaming, Dan reveals how these methods expose vulnerabilities before malicious actors can exploit them—saving you millions and boosting your credibility in the marketplace.

The stakes couldn’t be higher: falling behind on compliance can mean lost opportunities, missed bids, and a weakened competitive position. Conversely, proactive compliance—driven by strategic insight—can be your secret weapon for growth, innovation, and market leadership. We highlight how aligning cybersecurity with revenue goals creates a mindset shift that benefits your entire business, especially in growing industries like AI and third-party risk management.

Perfect for MSPs, security leaders, and business owners—if you’re ready to transform cybersecurity from a necessary expense into a revenue-generating strategy, this episode is your playbook. Dan Desko’s background as a practitioner, auditor, and strategic partner offers invaluable lessons and game-changing ideas you can apply today to unlock profit from your security investments.

Transcript is auto-generated.

Jason Kaufman (00:05.994)
Welcome to the podcast that is designed to fuel your success in selling technology solutions. I’m your host Jason Kaufman, Principal Solutions Architect at Telarus and this is the Next Level Biz Tech.

Jason Kaufman (00:19.888)
All right, surprise everybody. We actually have a new host today. I’m here to keep things moving mostly in the right direction. Some of the ones that know me know 60% of the time I’m right every time, but hopefully we’re here to stay for more podcasts, episodes in the future. And today we’re here to discuss compliance isn’t a cost, it’s a revenue strategy. I’m with Dan Desko here, CEO and managing partner at Echelon Risk and Cyber. Dan, thanks for joining us.

Daniel J Desko (00:29.954)
Man.

Daniel J Desko (00:44.552)
Jason, love it, man. So happy to be here. Love working with you and the Telarus team, and super excited that you have me on here today. So let’s get after it.

Jason Kaufman (00:53.488)
Perfect. Perfect. Well, the first thing I want everybody to get, know, understand what we’re looking to take away from this episode. One is, you know, all these customers, C levels, owners, directors of infrastructure, all of them assume that cybersecurity is just a cost center. And we kind of want to flip the script on that and give another avenue on, hey, you’re actually doing more things than just paying for cybersecurity. There’s a lot of business enablement, revenue enablement to come out of that. So we really want to get into unpacking that. So.

When we’re advisors going in to talk to our clients, we have something that we can flip that script on, that confirmation bias, and say, hey, have you actually thought about cybersecurity here? You know, we have multiple avenues that we could take this, but before we get to that I do want to take a pause and get to the background of you, Dan, and the company before we get into it. So could you share a little bit of your professional journey and how you ventured into the field of cybersecurity? I’d love to hear more of that story because you have a really impressive background.

Daniel J Desko (01:48.118)
Yeah, yeah. Thank you for asking that. And I would be happy to dive into that. You know, it’s, I always like to say a little bit of luck, but sometimes you have to create your own luck along the way too. And, but also fortunate to be afforded great opportunities to put myself out there and succeed along the way. So also supported by a lot of great teams along the way. I’ll preface that, you know, having great teams, great people to work with, great mentors in your career.

means the world. But yeah, my background, I’m a Pittsburgh guy born and raised. I got an opportunity to work at US Steel, which is a quintessential Pittsburgh company. You know, when I was, geez, I was a junior at Duquesne University, they had a strong co-op program. And it just so happened, the straw that I drew for the co-op program was I was going to work in the data center in computer operations.

So I was studying IT in college, worked in computer operations at US Steel, and that role was legit, right? Like I was sitting in the data center, working on network server issues, mainframe issues. I had to learn so much. I had admin level, got access to everything. I was working shifts around.

Jason Kaufman (03:08.09)
And this was before Netflix, right? So you actually had stuff you had to do during the day and you didn’t have maybe Snake on your phone. That’s about it. So you actually had to do some work.

Daniel J Desko (03:15.598)
Yeah, man. And at nighttime, when I worked shifts at night, we had a TV that we would roll out with a VHS system on it. And we, I think, had like three movies that we could watch to try to keep ourselves awake in the middle of the night. But it was really that opportunity that taught me a lot about client server networking, as well as mainframe and RACF security.

Jason Kaufman (03:23.344)
Remember those.

Daniel J Desko (03:40.526)
that made me a great candidate later on in life to get into the consulting world and actually start doing cybersecurity audits for banks back in like 2006, 2007. So literally about 20 years ago, bank security audits were starting to really ramp up with the onset of like GLBA and SOX and those types of things.

So it was kind of that random experience that pulled me into this budding field of information security. Cybersecurity really wasn’t a word yet. Right. So I got my career. Yeah, not, not yet. Not yet. Yeah. Some marketing professional created it along the way, I think, but I got pulled into the wild world of bank security audits and I was going from bank to bank, auditing their mainframe and network systems.

Jason Kaufman (04:13.168)
It’s not in Urban Dictionary yet. It’ll make its way into the real one.

Daniel J Desko (04:33.938)
and got my sort of taste of cybersecurity consulting, you know. Fast forward, I joined another firm, where I eventually became a partner at a top 50 CPA firm and helped lead and build their cybersecurity and cyber attestation practice. So doing a lot of things like the first SOC 2s ever, right. They used to be called SAS 70s. So we were doing SAS 70s, SOC 2s. So doing a lot of

cyber attestation, but then also cyber consulting. And then, yeah, eventually I saw the need, right? Where a lot of clients that we were doing like SOC 2 audits at, they would have the same issues over and over again. And we noticed that, okay, these organizations need a partner to help them fix these things and actually help them level up their cyber programs, you know, versus just audit it. Right. It was a lot of

IT people who were kind of moonlighting as cyber professionals trying to get through a SOC 2 exam in a lot of cases.

Jason Kaufman (05:38.51)
Back in the day, was it like, yes, you pass or fail? And then if you fail, it’s go back to the table and figure out what you did. Nobody would actually give you some pointers or assist you along the way. There was none of that service or professional services that we see day in and day out today. It was just, here, go guess and check and come back when you’re right, when you think you’re ready to get it.

Daniel J Desko (05:55.426)
Yeah. And when you’re doing the attestation side of it, you really can’t give that much advice. Like you could give a recommendation and guide a little bit, but you can’t be hands-on. Right. And I said to myself, I think there’s a big opportunity in being more hands-on and being the embedded partner. Like, yes, being part of the attestation is great. And it taught me a lot, and really helped me break into the field in that way. But being the trusted partner and having a great team here at Echelon

was the idea all along, right? A great team of experts that can support businesses that can’t afford to have a team of 100 cyber professionals, but really could use the help on a more fractional basis.

Jason Kaufman (06:36.688)
That’s amazing. Like having that, you know, not only the ability to map out and help with all these different mitigations of risk, if you’re doing an assessment, but you’ve seen the other side. So like, you know exactly what that tester is asking for and what they’re looking for, how they’re going to perceive that data that they’re being read out, to make sure it’s a pass or a fail scenario. It’s really cool that you have that expertise over on the other side as well. It’s kind of like almost cheating on the test. So I mean, it’s something that’s actually a great value to have.

Daniel J Desko (07:04.846)
Yeah, I feel like I have the best of all worlds, right? Cause I was a practitioner for a while. So I’ve been on the side of like being the guy managing the systems and dealing with issues, working in a data center. Had time, you know, being the third party auditor, really diving in and asking all the hard questions and making organizations prove it. And then also now on the side of, okay, how do we help you not only prove it, but improve your posture to a point where

It gives you something that you’re proud of and that you can stand behind.

Jason Kaufman (07:38.834)
No, that’s awesome. And that kind of leads us into what I wanted to ask next is, so we’ve got your background and then next thing I know, you’re the managing partner at Echelon Risk. So you saw something there that needed to happen and you started it. So give us a little background of Echelon Risk. Like what do you guys do? Where do you guys specialize? I mean, obviously I know we use you guys all the time. So that’s a quick tidbit and insight for anybody listening around the world. Echelon Risk is awesome. But I want to hear it from your words.

Daniel J Desko (08:05.838)
Yeah. So just a quick overview of the firm. I kind of like to say we have four main pillars of delivery of what we do. We have our governance, risk and compliance pillar. So I know we’re going to talk a bit more about that today, but that’s all things governance, risk management, compliance. If there’s a three letter word, four letter word related to compliance, we probably cover it in some way. You know, things that are hot right now, CMMC, SOC 2, ISO 27001, but also ISO 42001 on the AI risk management side.

We also do a lot of custom risk management and IR planning and preparation for our clients there. Think modernization of IR plans, playbooks, but also exercise and muscle memory through tabletop exercises. We have an offensive security group. So all things testing related, you know, you have a program and want to confirm how your controls are doing. There’s no better team than the Echelon Offensive Security Team to put the rigor and put that program to the test.

Everything from a simple network pen test all the way through adversarial emulation, red teaming, and purple teaming. We have a defensive engineering group that focuses on putting solutions in place or inherently hardening systems that already exist. Last but not least, we have a security team as a service model where we could take really all we do and put it in a package long-term for our clients for us to be their cyber partner and to be their sherpa on their journey.

Jason Kaufman (09:31.505)
That’s awesome. The one thing that caught my attention was the adversarial testing. Like picking an actual nation state threat actor and mimicking the exact way that they would try to penetrate and breach a company or an organization. Can you expand on that just a tad? It sounds really interesting.

Daniel J Desko (09:48.716)
Yeah, no doubt. And what’s great and really cool is the types of organizations that need that are usually mature organizations and organizations that have high risk profiles too. And that’s really cool, right? Like we get to work with some really interesting organizations. And what I will say is our team loves the challenge of doing that as well. So we really like to take the aspect of looking at the entire kill chain.

thinking of what types of threats that that organization would be really defending against, what’s realistic. And then, taking to them a testing plan that really puts their defenses through its paces. Usually for a red team, many people at the organization have no idea that we’re gonna be executing that, which is also really cool, right? So it’s like their defenses…

They want to see how they do and how they react and how their team, you know, and tools react to what we want to try to do. So there’s an element of stealth to it as well, which is also really neat. But yeah, the difference is in a pen test, pen testers use pen test, commercial tools in a lot of cases, maybe not all, right. That’s a generality, but in red teams, we’re trying to use the specific tools and TTPs that

specific threat actors would use to target that type of business.

Jason Kaufman (11:17.072)
Can you expand on TTPs? I forgot to send you the dollar jar to where if we use any three-letter acronyms and don’t explain them, you got to throw a dollar in there. Can you expand on TTP?

Daniel J Desko (11:22.396)
I’ll donate to that.

Yeah, tactics, techniques and procedures, right? So there’s a taxonomy to what we do. And there’s a taxonomy in cybersecurity and, you know, the MITRE foundation has built, you know, a great framework of these threat actor tactics, techniques and procedures. And it’s a great sort of like periodic table of bad guy techniques, right? So we will use our threat intel, we’re

We’re obviously huge partners and fans of CrowdStrike. We’re privy to a lot of great intel and information through our partnership with CrowdStrike and other sources that we leverage. But what we learn in the intel space, we’ll leverage that and say, okay, these are the types of TTPs that this type of organization would be concerned about. And we’re gonna use these TTPs in our testing.

Jason Kaufman (12:19.354)
So it really sounds like you can’t get a more realistic scenario than using the TTPs of real life threat actors that are actively engaging. Okay.

Daniel J Desko (12:28.844)
We try hard. We try very, very hard, right? We try to make it as best of a simulation as possible.

Jason Kaufman (12:35.632)
Perfect. That’s really interesting. One thing I’d love to do is kind of unpack. There’s a lot of assumptions with general cybersecurity and compliance, how they relate, how they differ. You know, they’re not really synonymous. So I’d love to get your take on that. Like what’s the difference between cybersecurity and compliance? Where do they play well? And then in addition to the compliance side, how does that give an advantage to customers and clients? Like, let’s start getting into that revenue conversation and that, you know, the main topic of this podcast.

You know, what is compliance versus cybersecurity and how does it help a customer when it comes to revenue?

Daniel J Desko (13:09.122)
Yeah, great question. And believe me, this, you know, this is something I wrestled with a lot, you know, back when I was more on the attestation side. I would think to myself quite a bit like, man, yeah, like we helped them get SOC 2 compliant and that has definitely propelled that client on a journey. But there were many times where I’m like, I will bet my bottom dollar that, you know, my red teamers could still find a way to own that, you know, client’s network, right? Like,

No doubt compliance does not equal we have a comfortable, secure environment.

Jason Kaufman (13:47.088)
It’s like bare minimum, right? You got these check boxes that follow this framework. And as long as you hit those with some mild explanations, you could hit it.

Daniel J Desko (13:55.938)
Yeah. And look, compliance frameworks have evolved, right? And I love like where some of it’s going. CMMC is a great example of this. There’s like kind of a good, better, best model where, you know, CMMC level three are controls that are designed, you know, to combat advanced persistent threats or APTs. So they built that framework in mind that it was sort of like stepping stones, right? Like, okay, basic, you know, controls, you know, moderate level of like 110,

then there’s 130 some that are designed to combat advanced persistent threats. So some of the frameworks are evolving where it’s okay. It’s more than a checkbox approach, right? There’s a little bit of nuance to it. But yeah, like those baseline controls that you typically will do through a compliance assessment or through a compliance framework, I like to think of that as a good starting point, right? Like that shows that you have the basic capabilities

and can do the basic things around your cyber program and just gives you a sort of a basic benchmark and something to grade yourself against, right? It’s the primordial like ruler against the wall. Where do you measure up? Great, great starting point. But then from there you say, okay, now that we have the hood up, let’s really tune up this engine, right? Like hoods already up. We know where our baseline is. How do we actually make this thing better?

Jason Kaufman (15:24.368)
But it does sound like a lot of effort though, like when you’re communicating that to a customer on why they want to look at getting compliant and get the attestations of approval for NIST, ISO, any of the SOC 2s, any of the ones that are relevant within their industry. Why would you press that as being something that’s going to help drive revenue?

Daniel J Desko (15:44.162)
Yeah. So in a lot of industries now it is the price of poker, right? So, you know, there’s the ante when you show up to a game, right? To play, you just gotta throw 10 bucks into the pot, right? You know, there’s the buy-in, but there’s also the ante and then you have to start betting after that. I think compliance in a lot of industries now, and we keep seeing industry after industry just like falling into line. It’s going to keep happening, but

It’s really the price of poker, you know, to be taken seriously in your industry. Right. So if you’re a SaaS company that does any B2B at all, right. Like SOC 2 is a must have, right. Back when I started doing SOC 2s, it was just kind of like data centers and a couple like, you know, very obvious types of service organizations were getting SOC 2. And then

Suddenly it kind of like exploded, right? With SaaS taking off, every SaaS organization that wanted to sell into the enterprise environment was getting asked for a SOC 2. Right? So you’re not even involved in the RFP or a pursuit for your business unless you have this sort of price of poker. You got to pay the ante.

Jason Kaufman (17:04.528)
Do you see that there’s some leeway with a timeframe? Like, you have six months if you’re down selected or if you’re chosen, or is it you can’t even submit a bid or a response unless you have the specific attestations that are required?

Daniel J Desko (17:19.802)
I think it’s dependent upon the buyer and also like what sort of moat do you have with your product or tool set or whatever your service offering is. So I’ve seen it go both ways, right? In a very competitive market where there’s lots of choices and a selection for an enterprise buyer, they might just rule organizations out that don’t have their stuff together. They don’t have the SOC 2. They don’t have the ISO, what have you. But if there’s maybe less

a competitive nature involved, right? And maybe someone really likes that solution in particular, and they’re willing to build in a little bit of leeway in time. We’ve seen that happen too, right? Where it’s like, okay, we make some promises. We say that we’re going to get SOC 2 by a certain date, show them the engagement letter of a firm like ours plus the auditors. And that buys you some time, right? But still at the end of the day, I would rather be on the front end of the curve

and have that in hand to have that competitive advantage from day one rather than sort of you know, fighting from behind.

Jason Kaufman (18:25.264)
That makes sense. One of the big ones that we’re seeing, and you mentioned it was CMMC, it’s a heavy line in the sand. You can’t renew or you can’t bid on that government contract unless you have the CMMC level two or level three attestation, whatever the CUI requirements are. I’ve hopped on with customers that are like, we have this $28 million contract that we’re going to lose in eight months if we don’t get CMMC level two.

So I mean there’s a driving factor in immediate ROI that we could tell. There’s something that immediately gives the business, hey, this compliance investment is, you know, we have a direct ROI. If we do or we don’t get it, we know we’re gonna lose, we know we’re gonna gain or keep. How do you guys communicate that or even think outside the box with customers on, hey, if you go out and get this compliance and follow this framework, that will unleash you to these other customers as potential targets? Like how do you guys have that conversation and what specific metrics do you guys generally get into to communicate that to the business?

Because not everybody speaks the same language.

Daniel J Desko (19:19.712)
Yeah, I like to get back to some of the first principles at times to help distill things down and communicate the why behind this. So, you know, being the founder of Echelon, I got to spend a lot of time in our mission statement, in the fact that we believe cybersecurity and privacy are basic human rights. Right? So when thinking about building this company, I was like, well, what really matters in cybersecurity? Like, why are we even doing the things that we’re doing? And it’s because somebody wants to steal our data.

steal the company’s intellectual property and take advantage of you, right? Extract value from the United States, from sovereign companies, sovereign nations. And when it comes to the CMMC, there is no clearer picture of like, okay, our adversaries want to sort of skip the line, you know, to finish products that, you know, are

our country is creating, whether it’s technology products, military products, things in the supply chain. And like, let me ask you this, business owner that makes, you know, a widget for the U.S. Navy. Would you be okay if some foreign adversary stole your business model and stole your plans and schematics and just started making, you know, that widget in some far away land for

one eighth of the price and undercuts you and puts you out of business? Well, no.

Jason Kaufman (20:51.48)
You ever hear anybody say yes to that? That sounds like one of those rhetorical questions. Take a lap.

Daniel J Desko (20:53.985)
Never.

Right? Well, guess what? That’s happening each and every day by cyber threat actors, right? That is their mission. And, you know, they are actually being hired and funded by the countries that support them. So it’s really a very difficult war that’s being waged in the shadows, right? That they’re not always aware of.

And it’s easy when you’re in the sort of the throes of the day to day and you see like, oh, I got to like follow all these cyber controls. What’s this all about? Well, it’s been proven that these controls will help you defend against someone trying to put you out of business and steal your competitive advantage. You know, skip to the front of the line. Chances are, right, decades of R&D have gone into making that thing that you’ve built. Why would you want, you know, some threat actor to be able to steal that and

you know, take that from you and, you know, really challenge your whole well being and way of life. So I think when you talk in terms like that versus, hey, this is, you know, you must do this cyber thing because, you know, the Department of Defense says so, like that’s all true. Right. But I think when you explain the why really well and show that you’re aligned on that and you care about that,

That’s when I think the progress starts to happen.

Jason Kaufman (22:20.816)
Yeah, great point. And, you know, it’s not only just the CMMC. Like I don’t want us to get pigeonholed down by that’s the only compliance framework that is revenue generation and tied directly to revenue. But we’ve also had many conversations, I’d love to get your take on this as well, for third party risk mitigation. You know, those companies where, hey, even though we’re a 15 to 20 person shop, we do something for a company that is a Fortune 100 or a Fortune 50 entity. They outsource something to us or we monitor something for them.

Daniel J Desko (22:32.035)
Yeah.

Jason Kaufman (22:49.552)
So we have to make sure that we are protecting our side. So we inherently protect them because they’re the big target, but we’re seen as the path of least resistance to get to their data. So by, you know, by area of how do we get in and get access, we look like the easy target. Do you ever have customers that come to you like that and be like, hey, you know, we’re not government contractors by any means, but we actually do some work for these larger entities that are massive targets and they’re requiring us to get ISO certified or NIST certified or something. Do you see yourself seeing those too?

Daniel J Desko (23:20.43)
We do. The first thing I’ll say to any tech advisors listening is you’d be surprised at the amount and different types of companies that have become in scope for CMMC. They don’t realize it, right? They’ve got like a small percentage of their business providing some service to a DoD contractor in some way, shape or form. And it’s like this flow down thing. And before you know it, it’s like, we are in scope.

Like it might be just because of the small part of our business, but this applies to us. So, I would challenge anyone out there to really dive deep with your clientele and see if there’s anything that they do to support, not the DoD specifically, but you know, contractors and manufacturers that support the DoD. Cause there’s complete flow down in sharing of that. But yeah, this is starting to apply elsewhere now. Right. So

We’ve seen ISO 27001 and TISAX, for example, with a lot of the automotive dealers. You have a lot of the OEMs and automotive manufacturers in Europe, for example, that are really pushing down and having anyone that does business with them in the States or anywhere worldwide adopt the ISO 27001 standard or the TISAX standard, which is a

little bit of an offshoot of ISO 27001 with some extra cherries on top. But this is starting to apply to industry after industry after industry, right? And we don’t see that stopping. There’s no industry that can’t be upended by a cyber attack. And the people that roll the economics in those industries are going to continue to press for safer and safer organizations.

So I would say a cyber resilient organization is just a better organization inside.

Jason Kaufman (25:20.657)
Yeah, the confidence knowing that your stuff’s protected because you’re doing all the work you need to make sure everybody else is too. Because yeah, I definitely understand that one. So let’s talk about a scenario. Let’s take one of the, you got to do a ton of these engagements. So let’s say I want to take data from you and I want to be an expert now and go communicate to somebody else. Hey, this is how the process works. Here’s some lessons learned from some experts in the business. Give us that secret sauce. What is…

What’s something that you’ve learned, like a lesson learned getting into this compliance strategy, frameworks, gap mitigation and all that stuff? You know, something that we could take away and say, hey, this is something that’s tried and true and we could take this, I can establish immediate credibility as an advisor.

Daniel J Desko (26:02.59)
Yeah, one thing I’ll say is in a lot of cases, organizations are doing a lot of the right things and have good intentions already. But when you get to the point where you need to prove it by going through an attestation and going through an audit eventually, that’s where things start to fall apart. Right? So it’s one thing to do the thing. It’s another thing to do it consistently and then a whole nother thing to do it and then prove it.

So.

I would consider our tech advisors to challenge their clients, challenge their customers to say, I’m sure you’re doing some great things around cyber. Have you ever thought about how you would prove it to an auditor? Or do you have the right systems, the right processes, the right governance in place, or the right advisors in your business to show you the right way to do that? Right. And that’s where we come in, right? We’re helping

install GRC programs. We have our own cyber management portal that helps with a lot of these aspects. We put the organization, the guardrails, the proven process behind getting this stuff right. And by the way, we’re going to find issues along the way too, you know, areas where an organization is not compliant. But that’s okay. I mean, that’s why you bring a firm like us in early before you’re called to the carpet, you know, to kind of show your dirty laundry.

So that would be my biggest advice, is like there’s usually that gap in saying like, yeah, I do this, versus like, yeah, I do this, but I don’t know that I could prove it.

Jason Kaufman (27:40.186)
I really like that though. So I mean, as a partner, like I may not be a hundred percent confident in talking cybersecurity. Like I might not be able to prove it myself. But if I just ask that question on, hey, you know, how would you prove this? And then you have expertise from Echelon Risk or Telarus engineering to come in and help have that conversation on your behalf. All you did was open that door and add that little bit of doubt in order to have that conversation. That’s what we’re really asking for, right?

Daniel J Desko (28:06.518)
Yeah, yeah, totally. It’s something to stoke a conversation that challenges politely and professionally, you know, your client. Like, hey, you know, I know you told me you think you’re good on this front and doing great things on the cyber perspective. Could you prove that, like, you patch all high level vulnerabilities within a 24 hour period or within a, you know, X number of day period,

because that’s the best practice. Well, yeah, we do. But like, I don’t know that we have a system or a way or mechanism to track it, log it, you know, show an auditor that we do that. Well, you should get credit for the hard work you’re doing. Right? Like, and by the way, processes can break down. And if you don’t have a mechanism to like hold your people accountable to that, then how would you ever know if it’s operating effectively?

So that’s where these types of systems and engagements really come in handy.

Jason Kaufman (29:09.691)
So do you ever have somebody bring you an engagement where they’re like, “Hey, I want you guys to pick up where I left off. All I did was ask the customer, ‘Hey, do you have any revenue that you’re going to lose because you don’t have a specific compliance framework in place?’” Like, bringing compliance back into the revenue conversation. Do you ever get that, just dropping it in your bucket: “Hey, I just asked this one question. They said yes. Go.”

Daniel J Desko (29:30.914)
Totally, right? And from there, we’re gonna talk to the TA, learn about that client’s business even before we’re brought into the conversation. We wanna understand the business drivers, what’s behind what they’re trying to accomplish and achieve, what is the why? We talk about what’s the why. But that’s a perfect place to start and the perfect place to bring us in. We are great at teasing out what the issues are, learning their business quickly.

Chances are we’ve worked with someone like them before, right? We’ve served hundreds of clients to date. So chances are, you know, we’re not running into a purple unicorn. It’s something we’ve probably seen before in some way or form. We have top people on staff here in the firm that have been around the block. So we like to say, bring us in early and often. You know, we’re happy to have those initial conversations with our tech advisors

as early as possible in the conversation and support through pre-sales. We want to make it as easy as possible to make sure that that client is thrilled with the service that they get. And the earlier we could be brought in to understand the why behind what they’re trying to accomplish and set it up correctly, the better.

Jason Kaufman (30:47.921)
Awesome. I do have one more question here, and it’s whipping out that crystal ball, being able to tell the future. So in your opinion, we’re not going to hold you to this, or we might, you know how it goes. We might hold you to it. What trends or developments in this field should partners be cognizant of in the coming 12 months, or 18 or 24? And how will Echelon impact those?

Daniel J Desko (31:12.398)
Yeah, one that we’re already starting to see play out, maybe a little bit on the edges, right? There are obviously tons and tons of companies rushing to use AI and AI tools, or software that has AI embedded in it.

Not as many organizations are rushing to put acceptable use policies in place for AI and thinking about how we’re going to govern it. How are we going to make sure the wrong data doesn’t get dropped into these tools or LLMs?

It’s going to be so vast and so prevalent. A policy alone is not going to be a way to control this. This must be controlled by technical means, meaning your employees are going to have some level of optionality of tools and systems they can use that have AI embedded in it. Agents are probably going to outnumber employees at some point for a lot of companies as well. So you’re going to have agentic workers doing things, often running. Technical controls must be in place for these things.

So we’re super excited about, you know, some of the partners we work with and some of the software that’s coming out to put controls in around this. CrowdStrike’s AI detection and response is something that we’re POVing with a number of clients right now that actually hooks into the browser. There’s also SDK bits where you could hook into more fat apps, as well as embedded apps, to really get granular about: what are my employees allowed to use? What sort of data can they put in? You know, is there any prompt funniness that’s going on with my users? Right. So I really believe that there will be an explosion of organizations looking to technically control what is happening with AI.

Daniel J Desko (33:13.426)
It is this whole new frontier that I don’t think we can comprehend yet, you know, how it will change so much. And we have to be out ahead of the governance, the risk and control to make sure it’s being used in the right way. Right. So I think in the next 12 to 24 months, there’s going to be a massive need

for cyber professionals like ours and yours, and tech advisors, really thinking through and providing solutions to our clients to demonstrate to them that AI use is not only being efficient and helping our company be successful, but we’re doing it in a safe manner. We can confidently say that we’re not uploading our PHI or PII or sensitive, you know, government contract information to these large language models or to third-party, you know, models. There’s a smart way, a controlled way, a risk-mitigated way to do

Jason Kaufman (34:21.425)
I think that’s gold right there. It sounds like we could take that to the bank. All right. Well, thanks, Dan. I really appreciate you joining. It’s a pleasure having you. A lot of the content was great. I think everybody understood that you are a wealth of knowledge, you and your team, and we look forward to the continued growth that we have with Echelon Risk.

Daniel J Desko (34:25.142)
Absolutely.

Daniel J Desko (34:41.592)
Thank you so much, Jason. We have such a tremendous team here and we wouldn’t be where we are without all of them. So they make up the bulk of what we do day in and day out. And they love working with Telarus and all the TAs and their clients. So thank you so much for having me and Echelon as part of this conversation.

Jason Kaufman (35:01.421)
Awesome. All right. For all the listeners around the world, just a reminder, episodes drop every Wednesday on Apple, Spotify, or wherever you listen to the best of the best podcasts. That’s where we sit.

Jason Kaufman (35:15.729)
Thank you for listening to this special episode. I’m your host, Jason Kaufman, Principal Solutions Architect at Telarus. This was about “Compliance Isn’t a Cost, It’s a Revenue Strategy.” Please like and subscribe.