Ready for an unexpected journey? Meet Mike, a cyber security expert with a background as diverse as the challenges he tackles every day. Starting with an early passion for computers, through studying geology and anthropology, and finally landing in the world of IT, Mike's story is a testament to the value of curiosity and mentorship. We dig deep into his hacking escapades, the lessons learned, and how a knack for problem-solving morphed into a career securing our digital world.
Mike opens up about the human risk element in cybersecurity, drawing fascinating comparisons between convenience store hold-ups and elaborate cyber attacks. He gives us a sobering reminder - the most secure computer is one that never gets powered on. Technology and security advancements are making it tougher for hackers, but Mike warns of the ever-present risk of human vulnerability. Even the smallest of betrayals can bloom into massive security breaches.
Wrapping up, Mike shines a light on the comprehensive cybersecurity services offered by his organization. Ranging from risk assessment, regulatory compliance, to incident response and digital forensics, they've got IT security covered from all angles. He emphasizes the significance of trust in his client relationships and unveils ambitious growth plans for the next few years. Whether a tech enthusiast or an IT professional, this conversation is packed with insights and practical advice to help you navigate your way in the ever-evolving world of IT security.
Follow the Podcast on Social Media!
TikTok: Not today China! Not today
How's it going, mike? It's really good to finally have you on the podcast. I mean, I think that we've been trying to schedule this thing for a while now. I'm very excited for our conversation.Speaker 2:
Yes sir, thanks for having me, joe.Speaker 1:
Yeah, absolutely so. Mike. How about we start with your background? What interested you about IT, or even just security overall, that made you want to go down this rabbit hole of security?Speaker 2:
Sure Well, I think my passion for computers started at a young age. I was able to get my hands on a couple of computers, my neighbor's computer and my parents finally bought me a computer. I programmed my own door alarm to keep my sister out of my closet and taking my sweatshirts and stuff using a computer, a dot matrix printer and a car alarm. But then, just understanding, I wanted to get into the computer field pretty early. I liked programming, I liked problem solving. I took every computer class I could in school. Ironically that was not my first degree in college. My first major in college was actually geology and then anthropology and then back to computers, initially computer science. Then, realizing I didn't want to program device drivers, I changed my major from an engineering degree to more of a computer business degree. Then at the same time I'm pretty involved with doing some contract work for the government to do intelligence type work which really exposed me to the threat and the threat actor criminal side of cyber, where the risks are and where people are vulnerable, companies are vulnerable. Then working a lot of actual criminal cyber cases over the years led me back to school to get a graduate degree in criminal justice and then also to teach In addition to being a cyber guy. I've been in IT and cyber for almost 30 years now. I've also been a college professor teaching computer science, cyber, the criminal justice side of forensics and some other things for about 23 years now.Speaker 1:
Wow, it sounds like to me you had a bit of a hacker mentality, getting into it right, even from a young age. Do you look back on it and see it as that as well? Did you potentially even maybe recognize that at the time when you were doing all that and going through everything?Speaker 2:
Not initially. I think it's common with people that are curious about technology and programming and what can computers do and how do I get into that stuff? The Tim the Toolman Taylor version of cyber. But I definitely was. I was a tinkerer, which is really what a hacker is. How do I get this thing to do more than or something different than it was designed to do? Being able to get a computer and a dot matrix printer to actuate a bolt on my closet door so that only I knew the code and my sister couldn't steal my stuff? That's an example of a hack, a lot of those similar to people that are just curious. You don't always understand or recognize the implications of your hack, of your modification or the things you're doing until there is a consequence. There is a reckoning, if you will. I did one day have a reckoning. I was faced to ride my bike to the mall where there was a radio shack and access to I think they had three or four computers, three or four different computers there. I would take my programming knowledge that I learned from this magazine subscription I had and some other things that I learned books I read. I would go to radio shack and try out my programming skills. One day I wrote a loop a programming loop that messed up their computer and they asked me never to come back to that radio shack. That was kind of my eye-opener, that, hey, I can actually do damage and I need to be more responsible. I learned that at a young age, growing up in a military family. When you get in trouble there's adjudication. Let's talk about what you did and the consequence. I was very aware that at least at that point that I did something wrong and I needed to be more responsible with the things I was doing.Speaker 1:
Yeah, that makes sense. Can we talk a little bit about your degree changes? What made you want to go into geology and anthropology? The reason why I ask is because I remember when I was in high school and trying to get into college was the biggest feat that I had ever tried to accomplish. I was then trying to decide what major to go down, what area to specialize in, and thinking I can't change or I can't go somewhere completely different down the line If I felt that this wasn't for me, which almost sunk me. Thankfully I changed from pre-med and went into criminal justice. What was your thought process? Because it sounds like to me that's way out of left field. I never would have expected that. I would have expected criminal justice as your bachelor's before geology and anthropology, or at least attempting that there were several factors that led me down those paths.Speaker 2:
I'm currently working on my doctorate and my dissertation is on cyber workforce development. One of the gaps that I've come to well I've known, but the research is actually supporting is that there's one of the problems with cyber workforce development and this is probably consistent with other fields as well is there really aren't enough mentors. There aren't enough people to help educate or even have the conversation with those that want to get into a particular field. What do I do with these skills that I have? What kind of job would I be good at based on the things I know and can do? With regard to cyber, I wanted to do something with computers and not really knowing what these different jobs in cyber or IT really were like. What is the day in the life of a network administrator or an engineer or a cyber person or a programmer? Had I learned about the programming part of that, I probably would have never approached the computer science engineering degree at all. I didn't care to take five years of math learning, number theory and all these things. That's not real applicable to the job I wanted. But back to your first question about geology and anthropology. I am kind of a rockhound. I like crystals and gems and different types of rocks. I'm always kicking around rocks and looking at fossils. I have a pretty cool collection. But at the same time my mother was a college professor and I went to school where she taught. I got an academic scholarship there reduced tuition because she was an employee, but they had a really cool geology program. We went around on field trips to look at dinosaur bones and digging the dirt around Texas and Oklahoma and Arkansas. That was just something cool that I like to do be outside, treasure hunt, problem solve. Here's this thing how old is it? What's it made of? That analytical stuff really fit my personality. But then I got a scholarship to play football at a small school in Kansas and they had a computer science program but not enough people signed up for it to make a class. The class would have been in the basement of a building, I think it was only going to be two of us and a professor, so the class didn't make. So I had to take other courses until the class could recruit more students and those other courses ended up being anthropology. I learned about every bone in the body. I learned about how to tell someone's diet by their teeth, how old they are because of the cracks in the skull and the length of the bones, whether they were muscular. If it was a female pelvis you could tell in general, especially the older ones, how many kids they may have had, based on different angles of bones. Is it male or female? Ethnicity based on eye sockets and nose and this kind of thing. So again, pretty fascinating and kind of that problem solving analytic alignment with my personality. But after my football career was over and I came back to Texas, I really had to get serious about what I wanted to do for a living. I started being pretty independent at that point and I needed to get serious. So I was computer science for about a semester here in Texas at UT Arlington. I was able to have pretty good conversations with some advisors and some people in industry that talked to me about cyber jobs and that really opened my eyes and helped me refocus from an engineering program into more of a business technology leadership career path, which is where I ended up.Speaker 1:
Hmm, yeah, it's a. You know it's an interesting journey, you know, like it. Uh, I feel like when you're younger you always feel like it's going to be a straight line, and if it's not a straight line I'm messing up. You know, I remember when I was in college I tried to do pre-med first and along with pre-med you have to take, you know, calculus, I think like calculus two or something like that, and I chose to take anthropology. I was miserable with anthropology. Like I could do the labs, the labs were fine with me, but sitting through those lectures the battle was staying awake for me. You know that's my personality, right, but it was a very interesting time. And you know you bring up computer engineering. As you know, I don't want to learn five semesters of math and I don't want to code in these obscure languages and whatnot. I actually had a friend in college that he took calculus with me and he was a computer science student and we were talking about what he had to do and I mean the level of math that you would have to go to, like you might as well just get a bachelor's in that math, because there's so much of it. It's like, okay, you're two classes away from getting a bachelor's in there, like theory classes. It's not even the in-depth stuff that you've been learning and you know we talked about, like the coding languages that he was learning, and it was coding languages that were dead or dying, like foundational languages, and he's like, yeah, I'm never going to use any of this. It's more of a thought process, and I mean he spent all of his time on it, like he didn't really go out that much, he didn't hang out with friends a whole lot. Right, it was a lot of studying and so I was like, man, I do not want to go down that path. And so I landed on criminal justice, and thankfully, you know, because I found the coursework to be very interesting, I found it to be fairly easy, which was a nice change from pre-med trying to learn chemistry and fail it not as bad as others, right? So you're ahead of the curve, which was the craziest thing to me. You get a 30% on a test and that's an A. With the curve, it's like I clearly, I clearly do not understand these topics and you're giving me an A.Speaker 2:
That is common and I'm right there with you. I did have to learn seven programming languages when I was in that computer science program. I did kind of develop the same thought around not just programming languages but that upper level math. Really it's just designed, in my opinion. It's designed to help you approach and solve problems in different ways. It teaches you different tools for approaching a problem, maybe some some, some shortcuts, some ways to analyze a problem, but really you're going to get to the same answer as just shorter math than well in some cases a shorter math. Some of that calculus is front and back page or multiple pages. But yeah, it's just that's kind of where I ended up with what the math was. It's just this is just teaching me different ways of problem solving. Some of this is just ridiculous. In fact. I remember I remember sitting in a in a calculus, an upper level calculus class, and I was doing well on all the daily work and I actually tutored other students on some of the homework and things. But when I got to the test I just blanked and there were it's like four. You have two hours to solve four problems. I mean, that's, that's indication number one. You might be in the wrong room. But I remember on one particular test I actually wrote my professor and apologizing for not knowing how to do this problem and that hopefully it doesn't reflect on his ability to teach. It's really just my ability to sit for this test, and so I did a one page apology note for that question.Speaker 1:
Wow, yeah, like you know, calculus wasn't even so for me. I enjoyed calculus right, like I always think that if I wouldn't have landed on criminal justice I would have actually gotten a bachelor's in math because I enjoyed it so much. The problem was that same semester I was also taking chemistry and physics, and either of those classes are like learning two different languages of how to solve problems. And you know, I mean chemistry isn't even like, isn't even English as far as I'm concerned, and so I really didn't have that much time to study for calculus. But thankfully I was in this advanced study class or whatever it was, where the first day the professors like these are going to be the most difficult calculus problems you'll ever encounter, and so when you get the final, it's going to be, it's going to be nothing for you. And you know I didn't believe them, because you know you hear that sometimes and it's just not true, but 100% it was true. I got to the final. I didn't study at all. There was five questions. I whizzed right through it and I ended up getting like 80, 90% on it. Like I scored well above everyone else and it was pretty easy. I was the first one done in this lecture room of like 250 people. So I wonder, you know, I probably would have gotten a bachelor's degree if I didn't convince myself. My only path forward was criminal justice.Speaker 2:
Being the first one done in a large room like that is kind of unsettling also.Speaker 1:
Oh, yeah, I mean I was done so quick. I looked up and no one else was done and I was like, oh wait, I must have messed something up, like I had to mess something up. So I checked it over for like quite a while and I'm like I don't know. I mean I answered everything. But yeah, you know, it was fantastic, I enjoyed it. I'm always tempted to go back just for a couple couple classes and math. This is me, though. So you ended up getting a IT business administration degree. Do you think that that set you apart and prepared you for your career in IT in different ways than what computer engineering or computer science would have? And the reason why I ask that question is because, you know, I feel like too often people go into IT thinking, okay, it's going to be, you know, all technical, it's going to be hands-on keyboard at all times, and I'm going to have to be a developer and things like that, right. Well, there is this other option it's IT with business administration. I have a friend that actually got his master's in it, and it sounds like that could be a different path. Is that true, or what was that like?Speaker 2:
You're right, and so just to back up a little bit while I was working on my well, you back up even further. I've got an associate's degree in math, because I really like math too. But then when I was working on my undergraduate it was an information systems degree out of the business school at the University of Texas at Arlington. But because it incorporated so many computer courses and I did have some programming courses completed, I was able to select whether I wanted the degree to say bachelor's of business or bachelor's of science, and so I selected bachelor's of science. So my degree is actually out of the business school but it's a bachelor of science and information systems. But I had to learn all the business stuff. I took business law, ethics, marketing was one of the electives. I took money and banking, business stuff. But the time going to school for the undergraduate degree I also had my own computer business. So for six years I had a consulting company where I would teach companies how to use Microsoft office and do spreadsheets. And I also did basic computer maintenance, network cabling, troubleshooting, cleaning keyboards, upgrading computers, that kind of stuff, and so I had exposure to the hardware part of it. I was building some experience running my own business being a consultant, customer service, doing my own accounting and financial forecasting and having to buy equipment and this kind of thing. And then I got my degree and wanted a corporate job and at the time, even back then, probably at equally or maybe even more so than today there was that requirement for an undergraduate degree or some unreasonable amount of job experience in order to get hired. And so as soon as I graduated I think I graduated in August, but I was applying for jobs over the summer so in July I was selected for a job as an IT auditor. I've never heard of that position. I knew what an auditor was, but I didn't know what an IT auditor was, and so a lot of the interview questions were around my familiarity with hardware and technology, but really they focused mostly on my ability to go research and find the answers. And if I don't know the answer, how good am I at collaborating and asking for help and this kind of thing? So I started that job and that was definitely a business side job. My job was to go into a company. So I worked for a $5 billion telecom big international telecom company and my job was to ensure that the technology departments and people and things that the business relies on was following company policy and regulatory standards, and are there any weaknesses or risks that could impact the operations or the finances or the reporting of the company? So I learned quite a bit, not just from a well, what's this audit thing and how do I become an auditor? And it has its own disciplines and procedures and things you have to follow quality and documentation. All this good stuff. But there was a very strong and critical component of customer service and diplomacy and tact, because back in the day when an auditor showed up, it was because someone was trying to get you fired. So they're here to find the problem with me so that they can justify firing me. Or you know, you're taking time away from a job I already don't have enough time to do to answer your questions, so you're putting me behind, and so audit had a bad reputation and so you had to come at that very diplomatically. I'm here to help. You say you don't have enough time in the day to do your job. Well, maybe I can highlight that in my report and maybe we can get you some part-time help or figure out a way to help you do your job better, more effectively type of thing. So that taught me quite a bit soft skills communications, report writing. I had to do presentations to the board, and it was during that time at that telecom that I realized that one of the biggest risks to this $5 billion telecom is they had zero security from a network perspective. They had a firewall guy that looked at firewall alerts and rules, but nobody looked at the company as a whole to figure out where bad things could happen or maybe they are already, Nobody knows. And so I worked with my boss in the audit department to talk through that and we actually came to the consensus that we need to do a presentation to the board about the need for a cybersecurity specific group. And so I put that together and pitched it to the board and they told me that I was the one that was going to make it happen. So that was my first foray into a formal cyber job. I built that company's first cyber team and eventually even incorporated physical security, doing executive protection and flight travel threat and risk planning. A lot of stuff happened, some of experience at that telecom, but that's what got me into like a true cyber position role and I haven't looked back since.Speaker 1:
Hmm, yeah, you bring up a lot of different interesting things. You know part of it is the ability to do your own research and find your own solutions without potentially having to escalate a problem or reach out to other people and whatnot. Right? And I remember earlier on in my career I was interviewing for a job and question came up how would you solve a problem that you don't know anything about, that you don't understand? My first answer was I'm going to go to Google. You know I'm going to go to Google. I'm going to look it up, see what other people are encountering with it, how they're resolving it. Try that. If it doesn't work, I'm going to ask a colleague and the hiring manager was actually very against me saying I'm going to go to Google. Right, this is mid 2000s, right? So, like Google was established, google was something that you would use to resolve problems and whatnot. And he was very against it and didn't hire me because of that. I thought to myself, like well, if you're not going to hire me because of that small little thing, then I won't. I probably don't want to work for you. And two, you're not very forward thinking if I can't even use the internet to solve a problem you know. Like how am I supposed to write you? You want me to go into a log file and try and decrypt what Microsoft is saying about an error message. That is dug into this thousands of lines of log file, like it doesn't make any sense, you know. And another thing that you bring up you sold the incident response or kind of disaster recovery process to the board and it just reminds me of a time when you got to be careful what you ask for, because you're going to be faced with doing that work and I didn't quite understand that. Until you know, I was working for a company as application specialist, I was trying to get into security, and so I understood the security part you know pretty well, for where I was at right, I was the only one at the company with a security mind that cared about it and whatnot. And I pitched it to my VP like hey, we should really actively be securing this application a lot better. This is how we can do it. You know, look at all these vulnerabilities that I found and everything like that. And I mean his only response was like you know what? You're completely right, you should do that. And I was like wait a minute, so I have to do everything else too. And he goes oh yeah, you gotta do your normal day job stuff, and now you gotta do this security stuff that you want to, you want to explore. When I was thinking of like, oh, let's get you know, yeah, a bunch of people around this to work on this, from different teams and different perspectives, is like no, you're, you're doing it, you know, so you gotta be gotta be careful with that.Speaker 2:
Certainly, I know. Completely agree with that.Speaker 1:
Yeah, absolutely. So fast forward a little bit when you were working for the government and looking at the different unique Types of attacks and learning about them and whatnot. What were some of those unique attacks, at the time at least, that maybe you didn't see in the Private sector, where they, you know, solely unique to the government? You know, what I would think of is, you know, nation-state attacks and whatnot like. Was there unique things like that? Or was it kind of dispersed in a way where, yeah, it was targeting public and private Infrastructure and things like that?Speaker 2:
Well, a lot of the work that that I did was on the the human side of intelligence. So a lot of the tactics I used and a lot of the scenarios I was involved with were all more social engineering Getting getting places you shouldn't be obtaining, information You're not meant to have, utilizing people and processes to you know stepping stones to subvert or circumvent security controls mostly physical, but ultimately, you know, there were some, some technical controls that you needed to get through or get passed in order to get information. So that was kind of my foray Into cyber. It was understanding a lot of the human risk involved with the technical Controls that are put in place to protect stuff, because it's still people that configures it, implements it, runs it, has access to it, and so that was a huge perspective and learning experience for me. I think, unlike others that get into cyber, they learn all the technical stuff first. I was able to have the experience of learning all the human risk first, which I think gives me a little bit different perspective when talking about risks to clients and companies, because you can get rid of all your technology, I mean if you, if you're able to, but you're still having to do business with people, and people are always your biggest risk, your biggest weakness. And then you give people access to your technology and so you know it just gets worse. I think the the joke about the the most secure computer is the one that that you don't turn on or plug in, it's in case in cement and it's dropped in an ocean somewhere, but then you can't use it. And I think that's the paradox with With security is the more secure something is, the less usable it is, and I kind of joke that that's why convenience stores are robbed More than banks, because security is really just a hindrance, it's not an absolute. If something was absolutely secure, you couldn't use it. So you've got to find the balance, and that's something that I think that experience with the intelligence contracting work I did really helped me understand sooner than later. Hmm.Speaker 1:
Yeah, that's different. That's a different approach than what you normally hear. You know, you normally hear about people going down the technical side rather than the human side. I've actually never done the the human part of it, but you know, I was talking to Jim Lawler from from the CIA, and he was talking about how technology and, you know, security-minded governments and organizations are getting really, really good at security. So the likelihood of a cyber attack actually being pulled off against Someone that is very much prepared for it is very low. Actually, it's lower than what we would think. And the most vulnerable part is the people part, like you said, right, you can secure a system. You can air gap it by powering it off and unplugging the thing from the network, right, and now you have a whole bunch of sensitive data that's secured Unless you have physical access, and that, unless part is the people part, you know, and so it. It turns into a very interesting problem to have. And I remember when I was working with the government a few times and you know one of the people that I was talking to, I brought up that part, right, because to me, an outsider, I'm saying to myself well, how in the world are these people getting bought off? How are they selling secrets and whatnot? Like that's? It doesn't make any sense to me. And he said if someone can find out that you work for the government at a certain facility, right, they start to do their own checks into you. They start looking up your credit report, they start seeing where your debt lies and you know if you're going to make enough money to actually pay off that debt within a reasonable amount of time. And they start you off very small. They say, hey, you know, just give me a name of someone that works at your facility and I'll give you 10 grand to pay off your medical bills. You know, and they snowball you like that, where you get comfortable with getting the money, you don't feel like you're betraying anything, when in all actuality it's building up to a larger betrayal. Right, you may have not betrayed very much by just giving a name, right. But now they know one more person that works there and they're going to be targeted and things like that, right. And so the human part I feel like I don't want to say it's evolving, but I want to say it's becoming more prevalent because of the need to actually go down that path where we have, you know, secured our networks to the point where it's like, yeah, this is really secure in most cases and the only thing left is actually, you know, buying these people off and giving them money to live an easier life while they're betraying their country. Is that what you saw as well, kind of.Speaker 2:
Not so much on the recruitment side. Mostly what I saw and the things that I did was to try and figure out to kind of the nth degree you're really playing out and kind of mind mapping, almost all the relationships between you know what's the target and everything involved with that. So, for example, if you've got an air gap machine that's got the prize data on it, well, where is that machine, what facility? What are the controls around that physically? Who are the people that have access to that thing? What are the procedures for them to get access to it? What kind of work did they do with this machine? What are their hours? Who are they related to or work with? Where do those people live? Who are their neighbors? Do they have kids? Where do they go to school? And, to your point, everything about their lives, their credit, their criminal history, their clearances, the car they drive, how much they owe on stuff, where's their family? Do they have online social media? Where do they eat lunch, all those things give you kind of an attack surface in relationships so that you can start to plan out. All right, so I need to compromise the home network of Bobby down the street, because Bobby plays with Jim's son, john, and you know they're both pretty active on mobile devices. They have phones and tablets and you know the likelihood that you know Bobby's home network because his dad's a school teacher. You know I'm able to compromise that to get malware on Bobby's tablet that he takes over to John's house and you know kids are always like, hey, can I join your wireless? And so now you know Bobby's at John's house and he's on their home network and it's his dad that works with the guy at the lab and so if I can compromise their home network and then put some malware on something that dad takes to work, now I'm introducing, you know malware to work. Or you know something that collects information for that next phase of my attack but maybe introduces it to coworkers and then eventually it makes its way into that air gap network. Or you know, doing enough reconnaissance, and maybe they post who their vendors are and the types of work they do and I just show up and pretend to be you know a contractor and here's what my work order. I already know what the work orders look like and social engineer my way into the building, which maybe it's an adjacent room, and one of the things that we have is if I can touch it, I can own it. So you can, you can encrypt it, you can chain it to a desk. You can do all these great things, but if I can touch that device, if I can physically interact with it, then all of your technical controls go out the window.Speaker 1:
Yeah, that's a really good point. So, you know, is this kind of where the experience with working with the government Is that where you started to go into your work with Black Swan, and what are you doing at that company? What is that company, how are you guys operating and what do you specialize in?Speaker 2:
Well, I've actually, I've worked with a number of companies over the years Telecom, financial, you know some of the biggest banks. I was the director of threat and vulnerability management with Pricewaterhouse doing consulting and instant response. But along the way I always had this entrepreneurial itch and so I've had several technology companies over the years and the last two have been cyber specific and at Black Swan, which is the most recent and the most successful, we are a full lifecycle cybersecurity company, so we help organizations understand the need for cyber, how to design and develop cybersecurity programs. So that's policies, procedures, the right people, skills, partners, vendors, coverage, technology and a lot of that's based on the risk specific to that organization, so we can help them through that risk assessment process as well. We help them ensure that they're compliant with regulatory requirements like credit cards or health or financial data, or if they're a publicly traded company all these different compliance regulations or if it's just a best practice, standard certification like ISO 27001, or helping them get their SOC2, type 2 type, accounting based certifications. And then, naturally, out of both of those initial engagements, you've got these opportunities to improve. There's a gap you don't have the right people, you don't have the right technology, you don't have any policies and procedures. You don't even know kind of where you want to start and where you want to be that maturity roadmap. So we can assist them with remediation and training, developing custom or putting a process in place to do scheduled, automated training. And then from that obviously you want to test, you want to make sure all that stuff is effective and not just a point in time but throughout the year or year over year. So we do those traditional assessments as well, whether it's an audit or a network security assessment or a penetration test, and we do that on buildings as well. So part of again, if I can touch it, I can own it. So you can invest a lot in cyber protection, but if your physical security is lacking, then you've misallocated, at least misproportioned, your security. So we do physical security assessments, also trying to get into buildings where we shouldn't, trying to get to restricted areas of a facility where important stuff is, whether it's documents or technology, and then along the way testing the security awareness and response of the people and then giving them recommendations for improving both the technical side and the people side. And then, in the event that there isn't incident, we have an incident response team where we help manage a data breach or a theft of a laptop or an employee that stole data. And then part of that naturally is forensics, so being able to do digital forensics and support that incident response investigation. But then also, if it ever goes to court, we do expert testimony. And then at the core of our business, we have a 24 seven fusion center where we monitor client networks, user behavior, device behavior 24 hours a day. We're all US, based out of North Texas, we're all US employees. All the data stays in the US and then we call it a fusion center because all of those things that I mentioned from start to finish are available to people 24 hours a day, in addition to a lot of threat intelligence that we collect from government agencies and vendors and other sources.Speaker 1:
That's really interesting. I mean, that's a pretty expansive business that you've built. Do you ever point to any one experience in your career that really prepared you for what you're doing now? Or is it kind of a conglomerate of the experience that you've had throughout your career, you know, kind of coming together and culminating With this company?Speaker 2:
Well, I think there's a lot and there's several parts to it. So a lot of what got us to where we are are the relationships that we developed over the years. So having relationships with people that are auditors, having relationships with people that are hackers and educators and forensics, and having the experience of building a fusion center and knowing how to staff it and build the culture of the company that supports like-minded individuals that have that passion not just for protection but also collaboration and teaching others, is one thing. So over the years, building those relationships and becoming friends and professional acquaintances with just a large number of awesome people is part of it. The other part, and one of the reasons that we have services that fill that full life cycle, is the struggle that I've seen both on the corporate side, as the consumer of services, but also on the provider side, where a customer or a vendor isn't the single phone call. A lot of organizations when they have a problem, they've got to figure out five or six different service providers or vendors to call to help solve one problem. And then on the provider side, on the professional services side, there's a struggle with working with a client and your service doesn't satisfy enough of the objectives of the problem. And so what we wanted to do with our organization is not only be the one phone call. So we have an 800 number. It's 855-BLACKS-1. So you can call us 24 hours a day for whatever your problem is. Technology cyber flat tire is kind of our joke, but the idea was give clients one phone call to an organization they can trust and they know that we're here to help them fix whatever problem, that is, even if that doesn't involve us. So back to the flat tire joke. We say you can call us if you have a flat tire. We're not going to be the ones to show up and fix your tire or tow your car, but if we're the ones you called, we'll be on the phone with you and help coordinate the tow truck, the AAA, whoever it is that needs to get there to help you fix that tire. And so, similarly, on the IT side or the technology side, clients call us because a network broke or somebody stole something or they need to know who we know that we trust that does some XYZ thing. They know they can call us and we'll figure out the right solution and get them in touch with the right people.Speaker 1:
That's a really interesting business. Where do you envision that going and growing in the next 18 to even 36 months?Speaker 2:
Well, that's something that we've put a lot of thought into just recently. We do enough to keep us busy, but we're always looking for opportunities to expand the value, and some of the value that we've seen most recently is in that traditional IT support area. We need to buy new computers or build a new network, or troubleshoot problems with printers and wireless access, or we need help managing our Office 365 environment. So those aren't things that our organization currently does directly. If someone asked us for that help, we would point them to a partner that we trust, but we seem to be getting a lot more interest in that area. So we've started talking through the idea of growing through acquisition of some of these complimentary type services, and so maybe acquiring or partnering more closely with merging with some of those traditional IT support vendors, so that they've already got relationships and adding value to organizations with the services they provide, which are just naturally augmented by what we do, and vice versa. Whenever we're providing our cyber services, very often we find some of these technical things that need to be fixed or implemented or changed, and again, that's not something that we typically do. We would partner with someone else to do that, and so those kind of managed IT services and skills would naturally complement the things that we do and the problems that we typically find.Speaker 1:
That's really interesting. Well, Mike, we're unfortunately running out of time here. I really try to honor my commitment time-wise. When I say it's an hour-long interview, it's an hour-long Before I let you go. How about you tell my audience where they can find you if they wanted to potentially reach out to you or connect with you, and then where they can also find your company?Speaker 2:
Certainly so. I'm on LinkedIn. I also have a Twitter account, but you can find me on LinkedIn. I'd love to connect and collaborate with people, especially on the education side. If you need help mentoring or finding a career path, I'd be happy to help. We also have an intern program at Black Swan and it's blackswann-cybersecuritycom. Our phone number is 855-BLK-Swan. Reach out Contact at blackswann-cybersecuritycom, which is also a form on the website. But we're here to help and educate and collaborate. Happy to connect with anyone.Speaker 1:
Awesome, and I'll put all of those links and sources in the description, of course. Well, thanks everyone. I really appreciate you listening and I hope you enjoyed this episode.