This week we explore Security and Virtual CISO, with special guest Jeff Hathcote, Solution Architect of Telarus.
Josh Lupresto (00:02):
Welcome to the podcast that is designed to fuel your success in selling technology solutions. I’m your host, Josh Lupresto, SVP of sales engineering at Telarus. And this is Next level Biz-tech. Hey everybody. Welcome back. I’m your host, Josh Lupresto, SVP of sales engineering here at Telarus. And you’re back for another episode of next level biz-tech. So today we are talking security again and we are talking about virtual CISO, chief information security officer, and what all of that stuff means. First off, we have to welcome the man, the myth, the legend, Telarus security solutions architect Jeff Hathcote. Jeff, thanks for coming on, man.
Jeff Hathcote (00:58):
Hey, Josh. Appreciate it. Glad to be here.
Josh Lupresto (01:01):
Hey so we like to kick these off hearing people’s back stories. You know, I, I love it when people set out to do one thing and end up in some crazy path, if you’ve got a cool windy path story. Great. If you’ve known that you wanted to do security since you were five great. But I would love to hear it. How did we get to where we’re at with you?
Jeff Hathcote (01:22):
<Laugh> I definitely have a windy story. There’s no doubt about that. You know, interestingly enough, I worked my way through college in working for the prison system, the state Louisiana state prison system. And it was interesting because my job was to run the inmate store where they bought candy and cigarettes and things of that nature. And it was one of the few locations that was actually computerized at the time. And I was able to program the applications to do what I wanted them to do so we could do better tracking. And so that just kind of led me down the path that always liked computers. However, in college, the only curriculum was mathematical computing, which did not interest me whatsoever. I took several programming classes and enjoyed those, but that just was not what I wanted to do. So when I graduated from college, I went to work for the federal bureau of prisons.
Jeff Hathcote (02:18):
So you might say that prison was in my future. A lot of people would agree with that. It just, just not on that side of the fence. And I was one of the first at, at the time we, we were building what was then called computer services. It has now changed its name to information technology and so forth. But I was one of the first members of that team and I was able to help the bureau of prisons build that division within, you know, an organization whenever it has bureau in the title, just imagine bureaucracy, right? Mm-Hmm <affirmative>. But we were able to do that. And I had multiple roles in the, in the prison system. Everything from, I was a, I was a, a developer, I was a network engineer, but I always had that security, security mindset. And one of my collateral duties prison system was that primary hostage negotiator.
Jeff Hathcote (03:11):
And people always say, what does that have to do with IT? Response is, have you been around IT? It’s got everything, it’s got everything to do with it. But security was always a primary focus because interestingly enough, in the prison system, I had inmates that were working on computers that were networked. I had a big CAD outfit that they were learning how to use CAD. And this was part of an educational program. So whenever they were released, they would have marketable skills, but at the same time, you still had to keep security first and foremost in your mind. And when I left the bureau of prisons, it was during that time, when, you know, it was, it was the dot-com, everything was computer, computer, computer, computer. And I went and entered into the private sector and everything that I did, whether I was the, the director of IT, developer, always had security.
Jeff Hathcote (04:12):
And I was always interested in security. And you know, when you’re, when you’re around, when the first firewall comes into existence in the late eighties, nineties, you’re kinda interested in it. So you get to see the growth and it, it just development was fun. I enjoy writing applications, but I, I found that I was never through doing that. So it just, my, my OCD kicked in a little bit and I just kept pinging away at it, network engineering, the same thing, but I was done with that because I solve a problem. Next thing, security is a lot a lot different for me because it’s always changing. You never know what’s coming next. And the bad guys are always operating and having come from the environment where I work with the, with the bad actors all the time, you kinda get that mindset. Right.
Jeff Hathcote (04:57):
And so you kinda understand how they think, and it’s just been fascinating to me. And I’ve, I’ve, you know, I went down various certification paths just to develop my skills, keep myself sharp, keep my hands in the game. And then whenever the opportunity came to, to work for Telarus, I jumped at it because it’s the opportunity to not really get stuck in one organization, but to work with multiple industries, multiple customers and partners, to help those customers solve their business problems that they’re facing in the cyber security world, which to a lot of folks is actually still new and quite scary, quite scary. And so what I, what I try to do is explain have a conversation and I come in agnostic, right. And, and understand what your problem is and architect a solution to solve for that problem and bring the right suppliers in that can implement solutions to that effect.
Josh Lupresto (06:00):
I love it. And, and I love this background that you’ve had not just that the whole prison thing. It all makes so much more sense now, I’m I totally get it.
Jeff Hathcote (06:09):
<Laugh> sure. But a lot of people say that Josh,
Josh Lupresto (06:11):
But I feel like I know you now. I mean, I get it in, I, I just think, you know, your perspective from being in the shoes seeing what some of the bad guys are capable of your shoes of working on the supplier side, understanding how that side works and what you’re faced with at scale there, but then also, you know, working on the customer side and having to build out some of these infrastructures. Right. And, and so I think it’s, it’s good pervy. You get to see all of that, like you said, right. From code to application, to technical controls and everything. I need you to flex on the certifications here for just a second, because I, I want people to know how important these are, right. So there’s a lot of good certifications out there. There’s, there’s the CISSP there’s the CISM maybe you happen to have both of them. I only happen to have one but
Jeff Hathcote (07:01):
Can’t all be Jeff. So,
Josh Lupresto (07:02):
But talk to me about what, what does that mean? Right. I mean, a lot of people think that certifications are to teach me how to turn this knob and a technical, this, and a technical that, what did, what did you learn out of those?
Jeff Hathcote (07:14):
So, certifications to me are proof number one, that you know, the material, right. And, and yes, I do have a CISSP. I also have the CISM, which is certified information security manager in addition to some and Microsoft as well is you to show that, you know, the material, because it’s not simply a case of taking a test and you’re done. And, you know, taking the CISSP exam is a, is a brutal, brutal mm-hmm <affirmative> process. I mean, you study, you cram, you don’t really know what to expect until you take that exam and you start seeing those questions and, and it’s, it can drive you crazy. But more than that is, it’s not a case of just taking that exam and moving on and saying, I’m a CISSP. We have to maintain our expertise through continuing professional education.
Jeff Hathcote (08:18):
And I do that through a lot of the speaking engagements that I do. I’m on a lot of webinars, things of this nature. We hold our Telarus academies, cyber security academies, which are tremendous events where I talk about frameworks. I talk about what’s going on in the industry, things of that nature, but it’s also a lot of behind the scenes stuff that you don’t see that may not he may not understand how it’s related to work, but I spend usually the first hour of every morning, I’m an early riser. So I get up and I, I scan around and see what the bad guys are doing. See, what’s on the horizon. What’s the changes in technology. I usually do that in the morning and in evening, and I’m, I’m a subscriber to multiple, multiple lists of, you know, Hey, this is what we’ve seen.
Jeff Hathcote (09:05):
Maybe it only occurred in Romania. Well, guess what? It’ll be in Utah, Colorado, Illinois, before you know it. So certifications are key for me and I like them because it’s not simply taking an exam, it’s you? It really is living a lifestyle because you do have those con the continuing education and all the certifications that I have, I have to maintain those. And if you don’t maintain them, guess what that certification goes away. And you have to take that test again to get it back. And that’s something I would not wish on anyone. Mm-Hmm
Josh Lupresto (09:38):
<Affirmative> good stuff. Let’s, let’s talk about academies you know, when, when, when you first started, right, we, we were going right into an academy leading out some of the first academies in security Telarus had ever done. So if you take into consideration that we have this more immersive, two day deep, deep dive for an academy versus a shorter maybe more boot camp focused, right. Four or five, six hours, whatever it might be, what do you see that, you know, the things that you’ve been part of, right? If I’m a partner listening to this and I’m going, okay, I’ve, I’ve maybe been on the network side, or I’ve been on cloud infrastructure, or maybe I’ve sold contact center. And I want to, I wanna dive deeper into this. What do you see the partners getting out of either going to that short term event, going to that long term event? What, what’s the value in that that Telarus puts out there?
Jeff Hathcote (10:28):
Well, I think, I think what Telarus does very well is we prepare our partners to have the conversation, have the security conversation with their customers. And these may be customers that they’ve had for years and years and years have sold SDWAN to, or UCaaS or CCaaS of that nature, but they’ve never had the security conversation. And honestly, of a lot of our partners come up to me and say, just not comfortable having the conversation, because there’s so much to it. I don’t know what this means. I’m afraid the customer’s gonna ask a question, put me on the spot and I’m not gonna know the answer. And I like to see the light bulbs go off, because I think the biggest thing is to let our partners know that you’re not alone. You don’t have to be the 100% expert, right. Bring me into a call.
Jeff Hathcote (11:21):
It could be a discovery call. It could be three calls into the deal. But it’s, it’s, it’s, it’s what we do. And we want to enable you to partner to, to get comfortable. And it may take one call. It may take five calls that we’re on before you are comfortable asking those questions, right. Getting the, getting to the solution and understanding what the availability of these providers are. And then in those academies and boot camps as well, you have the opportunity to interact with our providers, right. Instead of just hearing about these things, you actually get to get to be hands on and see, and understand and ask questions and, and get to know the people that you’ll be working with.
Josh Lupresto (12:04):
So we’re talking about virtual CISO. So to set the stage here a little bit once an organization gets to a certain size or you know, has a specific amount or, or sensitive amount of data and really wants somebody overarching to lead out that strategy and, and, and work with the C-level, right. We somebody’s looking to hire this CISO. And so we, we always talk about this, right? You pay ’em 200, 300, 400. We’ve seen the trends go up to 700 grand on a salary. What’s the, what, what’s the unemployment pool right now on CISOs? Negative…
Jeff Hathcote (12:44):
Yeah. Eh, you, you wanna be a CISO. <Laugh> go be one. Yeah.
Josh Lupresto (12:51):
So the idea here to talk about, you know, this virtual track, cause I do wanna get into trends. The, the goal here is, Hey, CISOs are expensive. They’re great at some companies are absolutely necessary, but not, I, I would say not everybody can afford them and, or find them because the shortage is more real here than it is in any, anything. I mean, we’re talking about shortages everywhere. The shortage here is more real. I think it’s, it’s even worse. So obviously we’re, we’re pitching this idea of augmentation. We’re pitching this idea of a virtual you know, augmenting the, the security team with a virtual CISO. So talk to me, you know, laying that out there, I’m not talking about necessarily tools or anything, but what trends are you seeing? Either driving the need for that, or trends of people that are, are getting recommendations for that or what what’s driving that,
Jeff Hathcote (13:43):
You know, one of the, one of the big things that we see is there’s been a, a huge change in the insurance industry regarding cyber insurance. A lot of companies must have a cyber security insurance policy in order to do business with, with certain partners or, or, or, you know, their vendors or, or what have you. And because of, you know, the last 2, 3, 4 years, the insurance industry has just been cremated with ransomware and the payouts. So the reality is the insurance industry had to change their change, their tag a little bit. And now it’s, it’s, it’s a case of maybe you’ll get a policy. It used to be a guaranteed fill out this form, give me a check. Here’s your policy. Now, it’s more, do you do this? Do you do this things like multifactor authentication? Do you encrypt, do you have 24 hours, seven day a week, or, you know, 24 hours a day, seven days a week monitoring, do you have someone that’s dedicated to security?
Jeff Hathcote (14:46):
If you answer no to those, it’s either gonna cause you to not get a policy or you’re gonna pay a lot more for that policy. And then the other, the other piece is because you may have already gotten a policy when it was easy to get it. Now, the renewal is coming up and the insurance industry is teaming with a lot of cybersecurity providers and point solutions. And they’re saying, you have to have this. Like I said, just now multifactor authentication things of that nature. Well, in a smaller organization, there’s nobody to really handle that. They don’t necessarily even know what it means, where to start, what to do. Policies and procedures are key elements of these things as well. Policies being what needs to be done. The procedure is how it’s done and they have to be married together. And they have to be for everything from acceptable use to encryption, to remote, authentic all of that stuff.
Jeff Hathcote (15:44):
If you don’t have somebody that can help you with that, you’re gonna be, you’re gonna be spinning your wheels really. So the recommendation that that we always make is to outsource that to a third party and we call it a V-CISO, virtual CISO. Even in organizations that have a CISO in place, we’ve placed virtual CISOs as well. And just to kind of give a little hint, we don’t necessarily have to call them virtual CISO, because when you’re talking to that customer who may have that title, they’re like, wait a minute. You’re gonna outsource me? No, this is a consulting arrangement. This is somebody to come beside you as a thought leader, to help you in those gaps that you have, and to understand what needs to be done. Cause it’s a huge job and one person it can be, it can be overwhelming.
Jeff Hathcote (16:35):
And that’s why a lot of physical CISOs are leaving those jobs as, as we speak. And, you know, I’ve placed VCISO engagements in, in organizations that it it’s been eyeopening to them because the initial conversation, their eyes get wide and they go, wow, that sounds expensive. And the reality is we can place and a lot of times a team, right security as a team in an organization that includes that CISO person, that, that person that has been in that position, along with network engineers, security engineers, penetration, testers, even technical writers, to help with the policies and the procedures and, and all of that for less than the cost, the yearly cost of a full-time employee. We’ve seen that time and time again, and it has been eyeopening and, and, and world changing for a lot of these organizations that, that we’ve done that for.
Josh Lupresto (17:32):
You know, you, you bring up a good point too, from a trends perspective, I would maybe throw out, I like to give it this spot, you know, glimpses of when partners start going down this road for things that they might run into you know, objections and objection handling. I don’t start this sentence a lot, but my favorite part and the thing that I learned most of selling vacuums door to door was the, the sales training, the, the Zig Zigler level sales training with the binder and all that goodness that went along with it. But to me, it, it was objection handling. And, and so what you know, trends that I think we’ve seen are, Hey, I I’ve already I’ve bought a firewall or I, I have this Norton on my, on my device, right? Isn’t that enough? Isn’t that a good start? And obviously we’re talking about augmenting with CISO. What do you, if a partner hears that from a customer perspective, what’s the, what’s the talk track back to continue that conversation?
Jeff Hathcote (18:28):
Well, if, if you’ve ever heard me have a conversation regarding security, it’s about what we call cyber resilience. And when a customer says, well, we got, we got a firewall or we’re good. You know, we’re small, whatever building that cyber resilience is key because the main thing I want to impress to you, whether you’re the IT director, Timmy the IT guy sitting in the closet, pushing buttons, flipping switches, or the CEO, or the director of the board. I want you to understand that you are going to be compromised, no ifs, ands, or buts. It is going to happen. How you respond to that compromise is the difference between you continuing, continuing in your business or being the last person out the door, flipping switch, shutting the lights off. So while yes, you do need a firewall. Yes, you do need anti malware. You need it to be in such a way that you’re building resilience and you’re building a cyber security program.
Jeff Hathcote (19:27):
That’s more than a point solution, more than hardware, more than software. It includes things like training your staff. One of the, one of the, the number one attack vector of any organization is the people teaching them how to identify those phishing emails. We have multiple suppliers that can provide ways of doing that in, in house where you you know, phishing campaigns. And if you do that malicious link, you’re taken to a little bit of training. You’re not embarrassed. We’re not trying to scar you for life. We’re trying to educate you. And, and that is, that is a key element. And that is part of cyber resilience is training your encryption. Well, that’s, there’s certain things that you need to do. Multifactor authentication, understanding your environment. Having eyes on that environment is key because we talk about the five functions of a framework, identify, protect, detect, respond, recover, right?
Jeff Hathcote (20:28):
Which is a continual process. It never ends. There’s no beginning, there’s no ending. And most companies, whenever you said, well, you know, we’ve got a firewall. We know where our data is, and we know who has access to it. That’s identify. Protect would be that firewall. There’s other things associated, but that’s where most companies stop. They don’t, they don’t understand the detect and respond and recover piece. And you really have to have someone looking at your environment, 24 hours a day, seven days a week in this world that we live in. Now, unlike the world of the early nineties, where you turn the, the network off, when you went home for the day, now everybody’s connected all the time. And, and sad to say the, the, the bad actors don’t work Monday through Friday eight to five and take weekends and holidays off. They’re always, always working. And so you need somebody not only to be there, to respond to an anomaly that’s going on in your environment, but also to do what we call proactive threat hunting. The average dwell time of a bad guy that gets into your environment, meaning they just sit there and they don’t do anything is over 200 days, right before they launch an attack.
Josh Lupresto (21:43):
Jeff Hathcote (21:44):
Yeah. Yeah. And, and they may be in, you know, hundreds of, or thousands of different places. And they’re just, you know, a lot of these bad guys run these as organized crime. It’s a business. So you’ve gotta have someone that can go in and do proactive threat hunting in your environment and find those, those dwelling, bad actors. If you will find the anomalies and take action against them, respond to those. And then obviously the next piece of that would be to recover from that. If you can’t recover, if you can’t respond, if all you can do is detect well, that’s like having a fire alarm in your house that just rings a bell. Mm-Hmm <affirmative> right. If it doesn’t alert the fire department, it doesn’t really do a lot of good. Your house is burning down and now there’s a beeping noise on top of it.
Josh Lupresto (22:35):
Good, good point. Alright. So as we get to final couple thoughts here, I wanna walk through a detailed example what I, what I love. And I think what we see most often is, you know, sometimes things are exactly they end up looking like the need is exactly like it was when it was brought to us. Sometimes it’s vastly different and we uncover more than, than meets the eye. So can you walk me through though an environment where we, you know, it may not have been told to us that we were gonna sell these guys virtual CISO and we gotta obviously keep customer names and all that stuff out of this, but walk me through, how did you get brought in? What did you know, what were you told versus kind of what was uncovered throughout and then what was ultimately sold at the end?
Jeff Hathcote (23:21):
I’ve, I’ve got a great example. It was a partner on the east coast had a customer that was doing business or attempting to do business with federal government. And so their biggest their biggest desire was to ensure that they could get CMMC certified. Right. And so that the, the ask was, we really just want to get an assessment, just somebody come in, take a look, tell us what we’re doing. Right. And, and that was the attitude was, we want outside proof that we’re doing these things right. Well, as we start, I call it peeling the onion, right. As you start having these conversations and I would start with, okay, well, tell me about your policy and procedure. What, you know, what kinda shape is that in? Well, you know, we, we wrote policies five years ago and you know, they’re, they’re pretty good.
Jeff Hathcote (24:17):
When was the last time you updated them? Oh, we haven’t updated. Oh, okay. Well, well, tell me about like an example of an incident response plan that you wrote. Yeah. We’ve got a good incident response plan. When did you exercise it? When did you, when did you have a test of it? Well, we’ve never done that well, and that’s where it started. And it was a case of, do you train your employees? Well, we do once a year annual training where they watch a 10 minute video and have sign that video. And that as we started talking about the government response to that would be, well, at least you’re doing something, but you’re not doing enough. Right. And you need guidance to help you build the cybersecurity plan. That architecture that is ongoing, it’s a continually improving plan. And that was one where we actually did.
Jeff Hathcote (25:16):
They, they did not have a CISO. They had a, a kind of a technical manager, all their C levels were CEO, COO, CFO types, but no one, really 100% focused on the security of the organization and the infrastructure. And so that’s when we made this approach of, we’ve gotta do a lot of stuff. You need to understand that it’s not simply filling out this form and bingo, you’re CMMC qualified. And now you can start doing business with Uncle Sam. It was, you really gotta have this in place. And you’ve gotta understand how to maintain it through the years that you want to do this. And their eyes got wide. And they say, wow, that sounds expensive. And that’s an example of bringing in a virtual CISO, including some other team members under that, including the, the security analyst, the network engineers, the, you know the technical writers, people of that nature for a year engagement. It, it was far less than the cost of a, a full-time employee that would be considered like a network engineer. So, you know, it is actually less than a hundred thousand for a one year engagement for all of that. And that came out of an initial conversation of, Hey, we just want somebody to come check us out and tell us how good we’re
Josh Lupresto (26:35):
Mm-Hmm <affirmative>. Yeah, yeah. We’re feeling fine. Good.
Jeff Hathcote (26:38):
Josh Lupresto (26:39):
Yeah. I, I love it. And I feel like that’s, I mean, that’s such a common theme, right? I mean, obviously we, we feel that we add a lot of value in this conversation of helping people understand what they need and where they’re going. And security has just been one of those areas that underscores people, people are just reaching out, looking for help. Some of them won’t admit it. Some don’t either way we just wanna help and we wanna make a more secure and we wanna make, you know, we wanna make the customer, the hero, ultimately at the end of the day, is being proactive with all of this.
Jeff Hathcote (27:07):
Well, a lot of times the customer will come in and the ask is, you know, we need an, for an, an analogy that I like to use is they’ll ask for a chocolate cake. We need a chocolate cake. Well, as we start talking and understanding the problems and digging into it more, once we get to the base reality is where you asked for a chocolate cake, but what you really need is a cherry pie. Well, they’re kind of the same, but really different <laugh> right. So just getting to that point and helping the customer understand and get away from point solution point solution point solution point solution, and getting an overall understanding of what that cyber resilience looks like and how to build that, that plan, that cyber security plan. So you can move forward year after year after year after year. And don’t have to reinvent every six months when a new shiny object comes out, that you have to have
Josh Lupresto (28:07):
So final thoughts here. So as we look forward you know, I would certainly say technology changes fast. We know that, but security changes really fast. Obviously you do a good job of, of helping us stay up on the trends, the threats, the dynamics, the, oh my gosh, this, we thought we’d seen it all. And this now has happened. So we see a lot of things out there, and there’s a lot of noise in the space, whether it be CASB, SASE, zero trust, what what’s what’s next, right. If you’re looking out a little bit to, to, to just pay attention to what’s around the corner, what, what do you see coming? Is it a, you know, trends right now, staying on prevalent for a while, new stuff what’s cooking,
Jeff Hathcote (28:50):
You know, the bad guys are always gonna be doing what works for them. And what has worked in the past has been ransomware. Obviously you can, you can buy ransomware as a off the shelf product on the, you know, in various places, ransomware as a service, if you will. But the other thing that is never going to go away that is always gonna be prevalent is called social engineering. It’s just the bad guys, sending you phishing emails, calling you on the phone, acting like they’re the help desk. So they, you know, you, they can harvest credentials, things of that nature. I, I see a lot of low tech attacks, dumpster diving, for instance piggybacking going into, going into businesses back whenever we still had real offices. But you know, those things are never gonna change. The counter are getting smarter and they have to, because the bad guys are starting to use things like artificial intelligence and machine learning.
Jeff Hathcote (29:49):
And, and like I say, they run these organizations like, like businesses, they’re enterprises, they’re criminal enterprises, but because they’re using artificial intelligence, machine learning, things of that nature, we have to counteract them using the same, same thing. So we need to understand what artificial intelligence can do in our world, what machine learning can do in our world. We don’t have resources. We just don’t. You cannot hire enough people to, to take care of everything that needs to be taken care of. So our providers are consistently working on smarter tools being able to engage the, the bad actors and, and the threats that they present in a smarter way, and take a lot of that off of the, off of the shelf of the, the human. You still gotta have the human component in cyber security, but that’s what I see moving. And I think 2022, 2023, moving forward, we’re just gonna see smarter and smarter and smarter the world oft everybody’s got a Nest thermostat or an Amazon Echo in their house. Those are the things that are being attacked. MSPs are being attacked because they know if I can attack you, Mr. MSP, I’m gonna be able to get every one of your customers. So it is not just the customer that needs to be protected. It’s the providers that need to be protected as well. And they never sleep, never sleep. And so we have to be just as good as they are, if not better.
Josh Lupresto (31:22):
Love it. All right, Jeff, that brings us to the end. I appreciate you. Thanks, man, for for coming on and doing this podcast with me.
Jeff Hathcote (31:29):
You bet. Appreciate it.
Josh Lupresto (31:31):
All right, everybody that wraps us up. Jeff Hathcote, CISSP, CISM, security architect for Telarus. I’m your host, Josh Lupresto, SVP of sales engineering here at Telarus. And this wraps us up for security and virtual CISO. Stay tuned. Next week. You’re gonna hear from Paul Robinson at IGI, we’re gonna get deeper into the CISO and see what they do. Thanks everybody.
Speaker 3 (31:57):
Next level BizTech has been a production of Telarus studio 19. Please visit telarus.com for more information.