Get set to embark on a journey to the heart of cybersecurity with our distinguished guest for today's episode, Metin, the CTO of Rhymetec. This tech maverick, with a background rooted in computer science, has skyrocketed to the zenith of the field, bringing forth a wealth of insights on data privacy regulations like GDPR and CCPA, and the ever-growing importance of compliance. We unravel the intriguing concept of virtual CISOs and investigate the impact of remote work on cybersecurity insurance premiums, throwing light on the balancing act between remote work and security.
Brace yourself as we delve deeper into the world of Rhymetec, a pioneer in cybersecurity solutions. Metin gives us a sneak peek into how Rhymetec empowers businesses with AI-powered solutions across industries, thereby improving their efficiency and customer experience. But, it's not just about AI; we also talk about the crucial aspect of data privacy and how Rhymetec ensures the safeguarding of their clients' data. We leave no stone unturned in this all-encompassing conversation about cybersecurity, so whether you're a greenhorn or an experienced hand in the field, don't miss out on this captivating episode.
Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
1
00:00:00
Speaker 1: I was going to Metin.
00:00:01
It's really good to finally have you on the podcast.
00:00:04
I think we've been trying to get this thing scheduled for
00:00:07
like almost the entire year at this point.
00:00:09
I've been since.
00:00:11
Speaker 2: February.
00:00:12
Speaker 1: Yeah, yeah, it's been a while.
00:00:14
It's been a crazy year for me overall.
00:00:16
You know, like had my first kid and she came a little bit early
00:00:20
and it was just it's like one life change after another.
00:00:26
You know.
00:00:28
Speaker 2: Yeah, well, it's good to finally see him.
00:00:30
Speaker 1: Yeah, absolutely so.
00:00:33
You know, Metin, I always start everyone off with telling their
00:00:37
background right, how they got into IET or cybersecurity, and I
00:00:45
feel like it gives my audience a really good picture of you
00:00:50
know, not just your background, but that anyone can come into
00:00:55
this thing from any background and, you know, really thrive in
00:01:00
IET, and so I think it's always beneficial to hear everyone's
00:01:04
you know different backgrounds, because I haven't heard the same
00:01:07
background twice actually on this podcast.
00:01:11
Speaker 2: Yeah, absolutely.
00:01:12
I'll start off with a quick introduction here.
00:01:14
My name is Metin.
00:01:16
I'm currently the CTO at Rometic.
00:01:18
Rometic is a cybersecurity solutions company.
00:01:21
We provide virtual CISO services and on top of that we
00:01:25
also provide other cybersecurity services like penetration
00:01:29
testing, network assessments, internal audits and all of that.
00:01:33
And I've been working with the company for the past now six
00:01:38
years.
00:01:38
So I've kind of been working at Rometic since day one with
00:01:44
Justin the CEO, and before that I was actually working as an IT
00:01:50
specialist.
00:01:51
I have a computer science background, so after kind of
00:01:54
like work through IT, eventually I got into cybersecurity and
00:01:57
compliance there.
00:02:02
Speaker 1: Yeah, that makes sense.
00:02:04
So, Rometic, I guess that's an interesting area I've had on a
00:02:12
few other people previously.
00:02:14
It was a long time ago that did virtual CISO functions, but can
00:02:22
we talk a little bit about that Because I haven't seen that as
00:02:25
being in the field.
00:02:26
I haven't seen that as much as it was promoted when I was
00:02:32
trying to get in the field like 10 years ago at this point,
00:02:34
right.
00:02:35
So it seems like that landscape has completely changed in the
00:02:41
offering and what it's like to be a virtual CISO.
00:02:45
Can we go over that a little bit?
00:02:48
Speaker 2: Yeah, and I think it's really because compliance
00:02:51
is becoming a much bigger deal than it used to be.
00:02:54
Like we have all these new data privacy frameworks like GDPR in
00:02:58
Europe.
00:02:58
When it was released a couple of years ago, it was chaos.
00:03:02
Everyone was just trying to figure out, like, what to do for
00:03:04
GDPR, what those requirements are, because data privacy wasn't
00:03:08
really a thing that was legally required before, and now we're
00:03:13
seeing some states in the United States, like California,
00:03:16
releasing CCPA regulations.
00:03:19
So those are just some of the examples.
00:03:22
There.
00:03:22
I think that compliance and legal regulations around data
00:03:25
privacy and like customer data has been increasing and because
00:03:30
of that, these organizations whether they are small or large,
00:03:34
they need to become compliant with these frameworks.
00:03:37
I feel like back in the day, only very large enterprises
00:03:42
really needed to do security compliance, but now, even if you
00:03:47
have, like an employee you're a startup, you're a very small
00:03:50
organization you still have to comply with these regulations,
00:03:53
because there's just no other way to get around that.
00:03:55
However, small companies don't need an entire security team of
00:04:00
like 10, 15 people, and they may not even need one person full
00:04:04
time.
00:04:04
So what we're doing is we work with startups, we work with
00:04:08
enterprises, we work with mid-sized businesses and we
00:04:11
provide them a virtual CSO and essentially this person would be
00:04:15
an extension of those organizations as cybersecurity
00:04:19
team and, in some cases, the only person who is really
00:04:22
responsible for their cybersecurity program.
00:04:24
And we really just do this because these businesses may not
00:04:29
have enough knowledge on the compliance frameworks that they
00:04:31
need to comply with or simply they don't have the resources to
00:04:34
create and maintain a cybersecurity team, so that's
00:04:38
why they hire us and outsource the service.
00:04:41
Speaker 1: Hmm.
00:04:42
So what does it take to be a virtual CSO?
00:04:45
You know, do you have to be a full time CSO at another company
00:04:49
to get the experience, to be able to do it?
00:04:52
Is there different specialties?
00:04:53
How does it work?
00:04:56
Speaker 2: I think a compliance knowledge is absolutely
00:04:59
necessary, because we work a lot with audits, we conduct a lot
00:05:03
of assessments based on various frameworks.
00:05:06
So I think having some type of a baseline knowledge of
00:05:10
cybersecurity frameworks is very important, but it is also
00:05:13
important to be technical enough that, when you are working on
00:05:17
implementing security controls based on these cybersecurity
00:05:20
frameworks, you know how to implement them on the customers,
00:05:24
cloud hosting providers, on their physical servers,
00:05:27
databases.
00:05:28
So I think a combination of a technical knowledge and a
00:05:32
compliance knowledge is necessary in order to succeed in
00:05:35
this role.
00:05:37
Speaker 1: Hmm, yeah, that makes sense.
00:05:39
You know, security is such an evolving field that I feel like
00:05:45
even just analysts and engineers have to have such a broad range
00:05:51
of experience now and skill sets.
00:05:53
That I mean it's it's it's becoming difficult, you know,
00:05:57
like, even even for someone like myself you know I was at a
00:06:02
place that was moving more into containers Well, that's, that's
00:06:07
like an, that's an abstraction layer on top of an extraction,
00:06:11
extraction layer, right, that that makes things more difficult
00:06:14
.
00:06:14
It's a whole new, you know kind of language that you're
00:06:18
learning of.
00:06:18
How to, you know, administer and maintain and manage you know
00:06:23
that, that whole deployment, and you know, I'm here 10 years
00:06:27
in the field and I'm still, I'm still learning these different,
00:06:31
these different skills, right?
00:06:32
So how, how do you, how do you stay on top of all the different
00:06:37
changes, especially in the compliance area?
00:06:39
Because I mean, here in America , right, we have, you know, 50,
00:06:43
50 different states.
00:06:44
Each state can have its own compliance regulation that
00:06:48
someone would have to comply to, especially if you're a
00:06:52
nationwide company, like it's extremely easy for startups you
00:06:56
know small startups to become nationwide companies.
00:07:00
You know, overnight, to actually have customers in these
00:07:03
other states.
00:07:04
How do you stay on top of it?
00:07:09
Speaker 2: We don't expect one person to have knowledge of all
00:07:12
of these compliance frameworks.
00:07:14
I think having knowledge on some of the more standardized
00:07:19
frameworks is very helpful.
00:07:21
For example, we work with implementing NIST 853 controls,
00:07:26
which is really a standard that was released by the US
00:07:29
government for basic cybersecurity controls.
00:07:33
When we're looking at other frameworks, they utilize
00:07:40
controls from framework standards like NIST 853, NIST
00:07:44
CSF 171.
00:07:46
I think that having a knowledge of some of these more
00:07:50
generalized frameworks is very useful so that when you're
00:07:53
working with other compliance standards, you're not unfamiliar
00:07:57
with what the requirements are.
00:07:59
There is a lot of overlap.
00:08:00
One of our most common cybersecurity framework that we
00:08:06
implement is SOC2, and then afterwards it comes ISO 27001.
00:08:09
Even these two frameworks have so many overlapping controls
00:08:14
that just implementing one of them can help implement up to
00:08:19
about 40-50% of other frameworks as well.
00:08:22
Having a good baseline is very important because once you have
00:08:26
a good baseline, it will be a lot easier for you to implement
00:08:30
other frameworks, because there is a very likely chance that
00:08:33
there is already a lot of overlapping controls that you
00:08:35
don't have to do additional work .
00:08:37
In some cases we'll implement more strict controls, like PCI
00:08:41
DSS compliance, or we'll work with our customers to implement
00:08:45
FedRAMP, which is a government requirement, if you're working
00:08:48
with the US government Implementing those security
00:08:51
controls.
00:08:51
Some of those customers can easily pass a SOC2 audit or an
00:08:54
ISO 27001 audit without really doing any additional work,
00:08:59
because they're already covering almost 100% of the controls.
00:09:04
Speaker 1: Yeah, that makes sense With so many different
00:09:06
controls out there.
00:09:07
Whenever I'm asked, where do you even start, I always
00:09:11
recommend that we start with a least-privileged model and that
00:09:14
we try to work towards the NIST recommendations.
00:09:17
At some point there's going to be a good amount of overlap and
00:09:22
then you just start knocking out the things that are the
00:09:25
outliers, that aren't the overlap of the compliance
00:09:29
framework that you need to meet.
00:09:30
That's probably the only way to do it now, because everyone
00:09:37
needs to be compliant with so many different frameworks.
00:09:39
There's probably frameworks that you don't even know that
00:09:42
you need to be compliant of, that you are not compliant with.
00:09:49
It's a mess that doesn't get.
00:09:52
I feel like it doesn't get enough attention on the outside
00:09:55
of security.
00:09:56
What are some good ways of actually enforcing this
00:10:03
compliance within an organization?
00:10:05
Because as organizations get bigger, they have more people,
00:10:12
their teams grow, the applications that they're
00:10:14
developing and managing are increasing it's easy for these
00:10:21
recommendations and compliance requirements to get pushed to
00:10:24
the side.
00:10:24
Do you recommend that companies enforce strong policies and get
00:10:33
those built out and in place and regularly touch base with
00:10:37
their teams, or is there other ways and methods of doing it
00:10:40
that you found to be effective?
00:10:43
Speaker 2: I see compliance as a good starting points and a good
00:10:47
baseline for any organization that wants to have a good
00:10:49
cybersecurity program.
00:10:50
I do not see it as the finish line.
00:10:54
I think that just because you are compliant with the framework
00:10:58
, it doesn't mean that you're secure from cyber attacks.
00:11:00
You don't have to do anything now.
00:11:01
There is still absolutely a lot more work involved.
00:11:05
Sometimes we need to implement very strict security controls
00:11:09
for our customers that aren't required by the compliance
00:11:12
frameworks, just because it's a good security practice.
00:11:14
I think that organizations need to use compliance standards as
00:11:19
a good baseline, but they shouldn't just use that as the
00:11:23
only way to build their cybersecurity programs.
00:11:26
A good cybersecurity program that consists of a good
00:11:30
compliance standard, frameworks that you're complying with, on
00:11:34
top of that, good risk management controls, a good risk
00:11:37
assessments, internal audits, regular gap assessments and
00:11:41
enforcement of those security controls.
00:11:43
For example, soc2 is a very weighted standard in my point of
00:11:48
view.
00:11:48
You can define the controls based on the organization level
00:11:54
requirements.
00:11:55
I can say something like I want my password policy to be six
00:11:58
characters and that's it.
00:11:59
I don't really require any other special characters
00:12:03
uppercase, lowercase.
00:12:04
I don't have to do that.
00:12:05
As long as that's what it says in my policy, soc2 can be like
00:12:09
okay, you're good on this control now it doesn't mean that
00:12:12
you are secure.
00:12:12
You may need to do some additional work to update that
00:12:16
password policy so that you're actually following a good,
00:12:19
secure password controls.
00:12:24
Speaker 1: Yeah, I've also experienced that back and forth
00:12:28
on it as well, where you're pushing a compliance standard
00:12:36
and then the teams that are actually deploying it and
00:12:39
meeting the standard it's lacking.
00:12:41
It's lackluster in what it provides in terms of security.
00:12:49
Saying that you're compliant with SOC2 doesn't really mean
00:12:53
that you're going to be able to protect yourself from a wide
00:12:58
variety of cyber attacks that can happen.
00:13:01
I think that's also something really important that I guess
00:13:07
small companies would need to hear more than the bigger
00:13:11
companies.
00:13:11
They typically have that down.
00:13:13
They already know that.
00:13:15
But the smaller companies and I think back to when I was working
00:13:18
for a smaller company they were very adverse to deploying any
00:13:24
security.
00:13:25
One because of the budget.
00:13:29
Two because they felt that they were meeting the bare minimum.
00:13:35
But we had customers that were expecting not just the bare
00:13:41
minimum, they were expecting top tier security.
00:13:44
I was the person that was kind of fronting that, where I'm the
00:13:49
one that's dealing with all the blowback.
00:13:51
I'm the one that's dealing with the complaints at 2 AM because
00:13:54
this security thing isn't enabled and they're missing
00:13:57
their requirements, maybe internally or their own
00:14:00
compliance requirements.
00:14:01
It's a difficult game to play, especially when you're a small
00:14:07
company, because you probably don't have the head count that
00:14:12
you would need to actually enforce some of that.
00:14:14
Do you also provide engineering services around that to be able
00:14:21
to actually assist in deploying some of the controls?
00:14:25
Speaker 2: Oh, absolutely.
00:14:26
We do not only conduct gap assessments, internal audits and
00:14:30
risk assessments.
00:14:31
On top of that, our team may need to work with the customers
00:14:36
to actually implement those controls on their hosting
00:14:38
providers, on their technical systems.
00:14:41
So there's definitely some engineering efforts involved
00:14:44
there.
00:14:44
In a lot of the cases, we work with the software engineers that
00:14:50
work at our customers companies , so that also happens a lot,
00:14:54
but we absolutely have to provide some type of an
00:14:57
engineering resource in order to fully implement those security
00:15:01
controls.
00:15:03
Speaker 1: Yeah, it has to be more of a full suite offering to
00:15:08
actually have it make sense for the smaller companies.
00:15:12
Where do you see this space going and growing over the next
00:15:21
five years?
00:15:22
Where do you see the virtual CSO space going?
00:15:26
Do you think it's going to be still evolving and growing?
00:15:31
Do you think that there will be a different way of approaching
00:15:35
this, or what's your thoughts on that?
00:15:40
Speaker 2: I think it's definitely up and coming and I
00:15:43
think it'll be required more, because I think the main reason
00:15:46
why companies need this level of service is because of the
00:15:49
increased amount of compliance frameworks.
00:15:52
Now their customers are probably requiring them to
00:15:56
comply with these frameworks in order to work with them.
00:15:58
So, yes, there's definitely some financial aspects of that
00:16:03
involved, but in a lot of the cases, when you become more
00:16:08
compliant with these frameworks, you open up the markets to your
00:16:12
organization more.
00:16:13
Like, for example, we've just talked about FedRAM compliance.
00:16:16
It's a one of the government compliance frameworks.
00:16:20
If you want to work with a government agency and you need
00:16:22
to process their data have to be FedRAM compliant.
00:16:26
Some other government agencies may require things like state
00:16:29
ramp and other frameworks.
00:16:30
However, once you are compliant with those frameworks, that
00:16:35
means now other government agencies can also work with you.
00:16:38
So you're really opening yourself up to the market more
00:16:42
and expanding the number of customers that you can reach.
00:16:46
Another example would be HIPAA compliance.
00:16:49
There's a lot of healthcare organizations out there and
00:16:51
there's also other technical organizations like SaaS products
00:16:55
that offer services to healthcare organizations Without
00:16:59
becoming HIPAA compliance.
00:17:00
You really shouldn't be working with those healthcare
00:17:06
organizations because you don't have the proper security
00:17:09
controls to secure electronic protective health information.
00:17:12
But once you do become HIPAA compliant then you are able to
00:17:15
actually work with those organizations and that can bring
00:17:18
more customers and help your company grow faster.
00:17:22
Speaker 1: Hmm, yeah, it's interesting balance, because you
00:17:29
have to be able to open yourself up, to be ready for
00:17:35
different opportunities, as well as balance that with not
00:17:42
putting undue stress on your team or on your organization in
00:17:48
ways that you'd fail or it takes too long.
00:17:50
Now the opportunity isn't the same.
00:17:53
How long do you typically notice organizations coming up
00:17:59
to compliance?
00:18:00
Maybe what's the longer compliance standard that it
00:18:03
takes for different companies to come up to compliance with?
00:18:07
What are some quicker ones?
00:18:09
The reason why I say that is because in security, when
00:18:15
there's a really large problem that you have to solve,
00:18:19
typically where you start is the low hanging fruit.
00:18:22
What's the things that I can handle in the next seven days
00:18:27
that'll make maybe 40 percent of a difference?
00:18:30
Get me 40 percent of the way there.
00:18:32
Is there compliance standards that you recommend like that, or
00:18:38
is it something else?
00:18:41
Speaker 2: I don't know if I can recommend the compliance
00:18:43
standard because I think it all depends on the regulations and
00:18:48
really your customer network, Like what type of customers that
00:18:51
you have, what laws really apply to you.
00:18:54
I always tell my customers like before you really start building
00:18:57
your cybersecurity program, you need to look at your customer
00:19:01
requirements and you need to look at the laws and regulations
00:19:04
that apply to you so you really understand what you need to do
00:19:09
in order to better service your customers.
00:19:11
We've had many customers that come to us because they needed
00:19:17
HIPAA compliance and these organizations were already
00:19:21
working with healthcare institutions without being HIPAA
00:19:24
compliant.
00:19:24
Sometimes they just don't know that they need to become HIPAA
00:19:27
compliant.
00:19:28
They just know that they need to do better in terms of
00:19:30
security.
00:19:30
But understanding those laws and regulations are very
00:19:33
important because in some cases they fail to comply, they can
00:19:38
have very negative consequences, both financially and legally.
00:19:43
So I kind of see cybersecurity as also insurance to protect our
00:19:47
organizations from these types of incidents.
00:19:50
So you're not again just being compliant.
00:19:53
You can also prevent any issues regarding compliance happening
00:19:57
to your company and you can also prevent other cyber attacks
00:20:00
because that compliance framework is going to be a good
00:20:03
baseline to build a better cybersecurity program.
00:20:08
Speaker 1: Yeah, from what I understand, I guess the
00:20:12
cybersecurity insurance premiums almost across the board doubled
00:20:17
or tripled overnight this year and that's a crazy amount of
00:20:28
money that you're already paying for this insurance for it to
00:20:31
double or triple overnight when it's the exact same posture.
00:20:37
Companies don't change their security postures overnight.
00:20:40
It happens over a couple of years of working on it and it's
00:20:47
just crazy.
00:20:49
I've heard companies actually getting rid of the cyber
00:20:53
insurance and almost underwriting it themselves and
00:20:57
having an underwriting department actually do that for
00:21:02
them, which is something interesting, and I feel like
00:21:06
that feel in that area is still evolving because the premiums
00:21:12
got so high that companies are like, okay, it's just cheaper to
00:21:15
form our own department and underwrite this thing.
00:21:18
Speaker 2: Well, I think there are two things that are driving
00:21:22
that price increase.
00:21:22
When it comes to cyber insurance, everyone has remote
00:21:25
work.
00:21:25
Ever since COVID started, people have been remote.
00:21:29
Even the organizations like that require employees to come
00:21:33
in person.
00:21:33
They're only doing that one or twice a week, so it's becoming
00:21:38
very fair.
00:21:39
I live in New York City.
00:21:41
I don't see people go to the office anymore.
00:21:43
I travel to San Francisco a lot and downtown is like a ghost
00:21:46
town.
00:21:46
People are just not there.
00:21:48
Everyone is remote, and I think that is already introducing a
00:21:52
lot of cybersecurity threats to these organizations because now
00:21:58
their employees, the laptops and other systems that they're
00:22:02
accessing they're being accessed from all around the world.
00:22:06
So I think that's definitely increasing the threat levels out
00:22:11
there, and I think that's one reason why these cyber security
00:22:13
insurance companies are probably increasing their premiums.
00:22:16
But the other thing is we now have artificial intelligence.
00:22:20
That's becoming more and more common, not just in chat, gpt
00:22:25
and other generative AI tools, but now AI can be also used as a
00:22:31
cybersecurity threat.
00:22:32
It can be used for cyber attacks, and this is going to
00:22:36
become probably just worse and worse.
00:22:38
That just probably means that we need also our own AI that
00:22:42
protects us from these type of cyber attacks rather than just
00:22:46
attacking.
00:22:47
I always see the positives and negatives of artificial
00:22:50
intelligence, but I think that because these things are
00:22:53
happening more, we're seeing more data breaches, like that
00:22:55
recent Samsung data breach that was caused by, I think, one of
00:22:59
their employees like using chat GPT.
00:23:01
So there's just a lot of cyber threats out there and I think
00:23:06
because of these two things the cybersecurity insurance premiums
00:23:11
they're probably going to increase more, but it's really
00:23:13
increasing because the risk level is higher than any other
00:23:19
time.
00:23:19
Now Any company can have cybersecurity incidents and we
00:23:24
do training on this.
00:23:25
We try to catch up to all of the vulnerabilities out there,
00:23:30
remediate them and also implement security controls to
00:23:33
really protect our customers from these emerging cyber
00:23:37
threats.
00:23:37
But I feel like from now on it's just going to get worse
00:23:41
unless we do a better job of protecting ourselves.
00:23:46
Speaker 1: Yeah, that's a really good point with the rise of AI
00:23:50
and I didn't even think about it like that was.
00:23:52
With the rise of AI and how quickly it's evolving, I guess
00:24:00
insurance companies would be seeing that and they're getting
00:24:03
extremely worried because it's an unknown risk and I think
00:24:07
that's a great thing.
00:24:08
With AI, of all things, it's a completely unknown risk that can
00:24:12
really cause some great damage to an organization if it's used
00:24:17
in the wrong slash right ways.
00:24:19
So that is a great point, quite interesting.
00:24:24
And then the working remote part.
00:24:27
I didn't even realize that that would increase insurance
00:24:31
premiums.
00:24:32
Maybe that's why some of these companies are pushing so hard
00:24:35
for workers back in the office.
00:24:38
Recently, amazon came out and said that they're going three
00:24:44
days in the office, two days from home, and then it was also
00:24:50
released in an internal memo that they said that it would
00:24:56
take five years to get fully back into the office.
00:25:00
So it seems like they're not stopping at the three.
00:25:04
Three is just a starting point and whatnot, which adds
00:25:09
complexity, right, because now I think as a worker, as an
00:25:14
individual contributor, it's coming to my mind, right.
00:25:17
It's like well, what did you do during COVID?
00:25:20
You were remote, so what's the problem with me being a remote
00:25:23
now, but looking at it from an insurance premium perspective,
00:25:27
there is a risk to that if you don't have the proper security
00:25:31
stack in place and a lot of companies don't want to rip out
00:25:36
their existing security stack and augment it with some new
00:25:39
technology.
00:25:39
That's typically very scary for older companies, that's for
00:25:43
sure.
00:25:45
Speaker 2: Yeah, I've been seeing a lot of these insurance
00:25:47
companies also send out additional security
00:25:49
questionnaires to companies now and they're basically asking
00:25:52
them about their security posture.
00:25:54
Some of them want to conduct an audit for those companies to
00:25:58
verify that they actually have those security controls in place
00:26:01
.
00:26:01
And I don't know if AI and remote work force they're
00:26:07
definitely indirectly impacting this, because they're one of the
00:26:12
reasons why there is more security incidents and data
00:26:15
breaches out there now?
00:26:19
Speaker 1: Yeah, that makes sense.
00:26:20
Well, Metin, I think we're coming to the end of our time
00:26:25
here.
00:26:26
Before I let you go, how about you tell my audience where they
00:26:31
could find you if they want to reach out and where they could
00:26:34
find Rometic if they want to learn more about what you guys
00:26:38
are offering and potentially reach out to get more
00:26:41
information?
00:26:42
Speaker 2: Yeah, absolutely.
00:26:43
You can always send out a contact us form through our
00:26:47
websites, which is Rometiccom, r-h-y-m-e-t-e-ccom.
00:26:52
And yeah, one of our sales people will be approaching us
00:26:56
from there, and thank you so much for having me, joe.
00:26:59
Speaker 1: Yeah, absolutely Well .
00:27:00
Thanks, and I hope everyone listening enjoyed this episode.
00:27:04
Thanks everyone.
Speaker 1: I was going to Metin.
00:00:01
It's really good to finally have you on the podcast.
00:00:04
I think we've been trying to get this thing scheduled for
00:00:07
like almost the entire year at this point.
00:00:09
I've been since.
00:00:11
Speaker 2: February.
00:00:12
Speaker 1: Yeah, yeah, it's been a while.
00:00:14
It's been a crazy year for me overall.
00:00:16
You know, like had my first kid and she came a little bit early
00:00:20
and it was just it's like one life change after another.
00:00:26
You know.
00:00:28
Speaker 2: Yeah, well, it's good to finally see him.
00:00:30
Speaker 1: Yeah, absolutely so.
00:00:33
You know, Metin, I always start everyone off with telling their
00:00:37
background right, how they got into IET or cybersecurity, and I
00:00:45
feel like it gives my audience a really good picture of you
00:00:50
know, not just your background, but that anyone can come into
00:00:55
this thing from any background and, you know, really thrive in
00:01:00
IET, and so I think it's always beneficial to hear everyone's
00:01:04
you know different backgrounds, because I haven't heard the same
00:01:07
background twice actually on this podcast.
00:01:11
Speaker 2: Yeah, absolutely.
00:01:12
I'll start off with a quick introduction here.
00:01:14
My name is Metin.
00:01:16
I'm currently the CTO at Rometic.
00:01:18
Rometic is a cybersecurity solutions company.
00:01:21
We provide virtual CISO services and on top of that we
00:01:25
also provide other cybersecurity services like penetration
00:01:29
testing, network assessments, internal audits and all of that.
00:01:33
And I've been working with the company for the past now six
00:01:38
years.
00:01:38
So I've kind of been working at Rometic since day one with
00:01:44
Justin the CEO, and before that I was actually working as an IT
00:01:50
specialist.
00:01:51
I have a computer science background, so after kind of
00:01:54
like work through IT, eventually I got into cybersecurity and
00:01:57
compliance there.
00:02:02
Speaker 1: Yeah, that makes sense.
00:02:04
So, Rometic, I guess that's an interesting area I've had on a
00:02:12
few other people previously.
00:02:14
It was a long time ago that did virtual CISO functions, but can
00:02:22
we talk a little bit about that Because I haven't seen that as
00:02:25
being in the field.
00:02:26
I haven't seen that as much as it was promoted when I was
00:02:32
trying to get in the field like 10 years ago at this point,
00:02:34
right.
00:02:35
So it seems like that landscape has completely changed in the
00:02:41
offering and what it's like to be a virtual CISO.
00:02:45
Can we go over that a little bit?
00:02:48
Speaker 2: Yeah, and I think it's really because compliance
00:02:51
is becoming a much bigger deal than it used to be.
00:02:54
Like we have all these new data privacy frameworks like GDPR in
00:02:58
Europe.
00:02:58
When it was released a couple of years ago, it was chaos.
00:03:02
Everyone was just trying to figure out, like, what to do for
00:03:04
GDPR, what those requirements are, because data privacy wasn't
00:03:08
really a thing that was legally required before, and now we're
00:03:13
seeing some states in the United States, like California,
00:03:16
releasing CCPA regulations.
00:03:19
So those are just some of the examples.
00:03:22
There.
00:03:22
I think that compliance and legal regulations around data
00:03:25
privacy and like customer data has been increasing and because
00:03:30
of that, these organizations whether they are small or large,
00:03:34
they need to become compliant with these frameworks.
00:03:37
I feel like back in the day, only very large enterprises
00:03:42
really needed to do security compliance, but now, even if you
00:03:47
have, like an employee you're a startup, you're a very small
00:03:50
organization you still have to comply with these regulations,
00:03:53
because there's just no other way to get around that.
00:03:55
However, small companies don't need an entire security team of
00:04:00
like 10, 15 people, and they may not even need one person full
00:04:04
time.
00:04:04
So what we're doing is we work with startups, we work with
00:04:08
enterprises, we work with mid-sized businesses and we
00:04:11
provide them a virtual CSO and essentially this person would be
00:04:15
an extension of those organizations as cybersecurity
00:04:19
team and, in some cases, the only person who is really
00:04:22
responsible for their cybersecurity program.
00:04:24
And we really just do this because these businesses may not
00:04:29
have enough knowledge on the compliance frameworks that they
00:04:31
need to comply with or simply they don't have the resources to
00:04:34
create and maintain a cybersecurity team, so that's
00:04:38
why they hire us and outsource the service.
00:04:41
Speaker 1: Hmm.
00:04:42
So what does it take to be a virtual CSO?
00:04:45
You know, do you have to be a full time CSO at another company
00:04:49
to get the experience, to be able to do it?
00:04:52
Is there different specialties?
00:04:53
How does it work?
00:04:56
Speaker 2: I think a compliance knowledge is absolutely
00:04:59
necessary, because we work a lot with audits, we conduct a lot
00:05:03
of assessments based on various frameworks.
00:05:06
So I think having some type of a baseline knowledge of
00:05:10
cybersecurity frameworks is very important, but it is also
00:05:13
important to be technical enough that, when you are working on
00:05:17
implementing security controls based on these cybersecurity
00:05:20
frameworks, you know how to implement them on the customers,
00:05:24
cloud hosting providers, on their physical servers,
00:05:27
databases.
00:05:28
So I think a combination of a technical knowledge and a
00:05:32
compliance knowledge is necessary in order to succeed in
00:05:35
this role.
00:05:37
Speaker 1: Hmm, yeah, that makes sense.
00:05:39
You know, security is such an evolving field that I feel like
00:05:45
even just analysts and engineers have to have such a broad range
00:05:51
of experience now and skill sets.
00:05:53
That I mean it's it's it's becoming difficult, you know,
00:05:57
like, even even for someone like myself you know I was at a
00:06:02
place that was moving more into containers Well, that's, that's
00:06:07
like an, that's an abstraction layer on top of an extraction,
00:06:11
extraction layer, right, that that makes things more difficult
00:06:14
.
00:06:14
It's a whole new, you know kind of language that you're
00:06:18
learning of.
00:06:18
How to, you know, administer and maintain and manage you know
00:06:23
that, that whole deployment, and you know, I'm here 10 years
00:06:27
in the field and I'm still, I'm still learning these different,
00:06:31
these different skills, right?
00:06:32
So how, how do you, how do you stay on top of all the different
00:06:37
changes, especially in the compliance area?
00:06:39
Because I mean, here in America , right, we have, you know, 50,
00:06:43
50 different states.
00:06:44
Each state can have its own compliance regulation that
00:06:48
someone would have to comply to, especially if you're a
00:06:52
nationwide company, like it's extremely easy for startups you
00:06:56
know small startups to become nationwide companies.
00:07:00
You know, overnight, to actually have customers in these
00:07:03
other states.
00:07:04
How do you stay on top of it?
00:07:09
Speaker 2: We don't expect one person to have knowledge of all
00:07:12
of these compliance frameworks.
00:07:14
I think having knowledge on some of the more standardized
00:07:19
frameworks is very helpful.
00:07:21
For example, we work with implementing NIST 853 controls,
00:07:26
which is really a standard that was released by the US
00:07:29
government for basic cybersecurity controls.
00:07:33
When we're looking at other frameworks, they utilize
00:07:40
controls from framework standards like NIST 853, NIST
00:07:44
CSF 171.
00:07:46
I think that having a knowledge of some of these more
00:07:50
generalized frameworks is very useful so that when you're
00:07:53
working with other compliance standards, you're not unfamiliar
00:07:57
with what the requirements are.
00:07:59
There is a lot of overlap.
00:08:00
One of our most common cybersecurity framework that we
00:08:06
implement is SOC2, and then afterwards it comes ISO 27001.
00:08:09
Even these two frameworks have so many overlapping controls
00:08:14
that just implementing one of them can help implement up to
00:08:19
about 40-50% of other frameworks as well.
00:08:22
Having a good baseline is very important because once you have
00:08:26
a good baseline, it will be a lot easier for you to implement
00:08:30
other frameworks, because there is a very likely chance that
00:08:33
there is already a lot of overlapping controls that you
00:08:35
don't have to do additional work .
00:08:37
In some cases we'll implement more strict controls, like PCI
00:08:41
DSS compliance, or we'll work with our customers to implement
00:08:45
FedRAMP, which is a government requirement, if you're working
00:08:48
with the US government Implementing those security
00:08:51
controls.
00:08:51
Some of those customers can easily pass a SOC2 audit or an
00:08:54
ISO 27001 audit without really doing any additional work,
00:08:59
because they're already covering almost 100% of the controls.
00:09:04
Speaker 1: Yeah, that makes sense With so many different
00:09:06
controls out there.
00:09:07
Whenever I'm asked, where do you even start, I always
00:09:11
recommend that we start with a least-privileged model and that
00:09:14
we try to work towards the NIST recommendations.
00:09:17
At some point there's going to be a good amount of overlap and
00:09:22
then you just start knocking out the things that are the
00:09:25
outliers, that aren't the overlap of the compliance
00:09:29
framework that you need to meet.
00:09:30
That's probably the only way to do it now, because everyone
00:09:37
needs to be compliant with so many different frameworks.
00:09:39
There's probably frameworks that you don't even know that
00:09:42
you need to be compliant of, that you are not compliant with.
00:09:49
It's a mess that doesn't get.
00:09:52
I feel like it doesn't get enough attention on the outside
00:09:55
of security.
00:09:56
What are some good ways of actually enforcing this
00:10:03
compliance within an organization?
00:10:05
Because as organizations get bigger, they have more people,
00:10:12
their teams grow, the applications that they're
00:10:14
developing and managing are increasing it's easy for these
00:10:21
recommendations and compliance requirements to get pushed to
00:10:24
the side.
00:10:24
Do you recommend that companies enforce strong policies and get
00:10:33
those built out and in place and regularly touch base with
00:10:37
their teams, or is there other ways and methods of doing it
00:10:40
that you found to be effective?
00:10:43
Speaker 2: I see compliance as a good starting points and a good
00:10:47
baseline for any organization that wants to have a good
00:10:49
cybersecurity program.
00:10:50
I do not see it as the finish line.
00:10:54
I think that just because you are compliant with the framework
00:10:58
, it doesn't mean that you're secure from cyber attacks.
00:11:00
You don't have to do anything now.
00:11:01
There is still absolutely a lot more work involved.
00:11:05
Sometimes we need to implement very strict security controls
00:11:09
for our customers that aren't required by the compliance
00:11:12
frameworks, just because it's a good security practice.
00:11:14
I think that organizations need to use compliance standards as
00:11:19
a good baseline, but they shouldn't just use that as the
00:11:23
only way to build their cybersecurity programs.
00:11:26
A good cybersecurity program that consists of a good
00:11:30
compliance standard, frameworks that you're complying with, on
00:11:34
top of that, good risk management controls, a good risk
00:11:37
assessments, internal audits, regular gap assessments and
00:11:41
enforcement of those security controls.
00:11:43
For example, soc2 is a very weighted standard in my point of
00:11:48
view.
00:11:48
You can define the controls based on the organization level
00:11:54
requirements.
00:11:55
I can say something like I want my password policy to be six
00:11:58
characters and that's it.
00:11:59
I don't really require any other special characters
00:12:03
uppercase, lowercase.
00:12:04
I don't have to do that.
00:12:05
As long as that's what it says in my policy, soc2 can be like
00:12:09
okay, you're good on this control now it doesn't mean that
00:12:12
you are secure.
00:12:12
You may need to do some additional work to update that
00:12:16
password policy so that you're actually following a good,
00:12:19
secure password controls.
00:12:24
Speaker 1: Yeah, I've also experienced that back and forth
00:12:28
on it as well, where you're pushing a compliance standard
00:12:36
and then the teams that are actually deploying it and
00:12:39
meeting the standard it's lacking.
00:12:41
It's lackluster in what it provides in terms of security.
00:12:49
Saying that you're compliant with SOC2 doesn't really mean
00:12:53
that you're going to be able to protect yourself from a wide
00:12:58
variety of cyber attacks that can happen.
00:13:01
I think that's also something really important that I guess
00:13:07
small companies would need to hear more than the bigger
00:13:11
companies.
00:13:11
They typically have that down.
00:13:13
They already know that.
00:13:15
But the smaller companies and I think back to when I was working
00:13:18
for a smaller company they were very adverse to deploying any
00:13:24
security.
00:13:25
One because of the budget.
00:13:29
Two because they felt that they were meeting the bare minimum.
00:13:35
But we had customers that were expecting not just the bare
00:13:41
minimum, they were expecting top tier security.
00:13:44
I was the person that was kind of fronting that, where I'm the
00:13:49
one that's dealing with all the blowback.
00:13:51
I'm the one that's dealing with the complaints at 2 AM because
00:13:54
this security thing isn't enabled and they're missing
00:13:57
their requirements, maybe internally or their own
00:14:00
compliance requirements.
00:14:01
It's a difficult game to play, especially when you're a small
00:14:07
company, because you probably don't have the head count that
00:14:12
you would need to actually enforce some of that.
00:14:14
Do you also provide engineering services around that to be able
00:14:21
to actually assist in deploying some of the controls?
00:14:25
Speaker 2: Oh, absolutely.
00:14:26
We do not only conduct gap assessments, internal audits and
00:14:30
risk assessments.
00:14:31
On top of that, our team may need to work with the customers
00:14:36
to actually implement those controls on their hosting
00:14:38
providers, on their technical systems.
00:14:41
So there's definitely some engineering efforts involved
00:14:44
there.
00:14:44
In a lot of the cases, we work with the software engineers that
00:14:50
work at our customers companies , so that also happens a lot,
00:14:54
but we absolutely have to provide some type of an
00:14:57
engineering resource in order to fully implement those security
00:15:01
controls.
00:15:03
Speaker 1: Yeah, it has to be more of a full suite offering to
00:15:08
actually have it make sense for the smaller companies.
00:15:12
Where do you see this space going and growing over the next
00:15:21
five years?
00:15:22
Where do you see the virtual CSO space going?
00:15:26
Do you think it's going to be still evolving and growing?
00:15:31
Do you think that there will be a different way of approaching
00:15:35
this, or what's your thoughts on that?
00:15:40
Speaker 2: I think it's definitely up and coming and I
00:15:43
think it'll be required more, because I think the main reason
00:15:46
why companies need this level of service is because of the
00:15:49
increased amount of compliance frameworks.
00:15:52
Now their customers are probably requiring them to
00:15:56
comply with these frameworks in order to work with them.
00:15:58
So, yes, there's definitely some financial aspects of that
00:16:03
involved, but in a lot of the cases, when you become more
00:16:08
compliant with these frameworks, you open up the markets to your
00:16:12
organization more.
00:16:13
Like, for example, we've just talked about FedRAM compliance.
00:16:16
It's a one of the government compliance frameworks.
00:16:20
If you want to work with a government agency and you need
00:16:22
to process their data have to be FedRAM compliant.
00:16:26
Some other government agencies may require things like state
00:16:29
ramp and other frameworks.
00:16:30
However, once you are compliant with those frameworks, that
00:16:35
means now other government agencies can also work with you.
00:16:38
So you're really opening yourself up to the market more
00:16:42
and expanding the number of customers that you can reach.
00:16:46
Another example would be HIPAA compliance.
00:16:49
There's a lot of healthcare organizations out there and
00:16:51
there's also other technical organizations like SaaS products
00:16:55
that offer services to healthcare organizations Without
00:16:59
becoming HIPAA compliance.
00:17:00
You really shouldn't be working with those healthcare
00:17:06
organizations because you don't have the proper security
00:17:09
controls to secure electronic protective health information.
00:17:12
But once you do become HIPAA compliant then you are able to
00:17:15
actually work with those organizations and that can bring
00:17:18
more customers and help your company grow faster.
00:17:22
Speaker 1: Hmm, yeah, it's interesting balance, because you
00:17:29
have to be able to open yourself up, to be ready for
00:17:35
different opportunities, as well as balance that with not
00:17:42
putting undue stress on your team or on your organization in
00:17:48
ways that you'd fail or it takes too long.
00:17:50
Now the opportunity isn't the same.
00:17:53
How long do you typically notice organizations coming up
00:17:59
to compliance?
00:18:00
Maybe what's the longer compliance standard that it
00:18:03
takes for different companies to come up to compliance with?
00:18:07
What are some quicker ones?
00:18:09
The reason why I say that is because in security, when
00:18:15
there's a really large problem that you have to solve,
00:18:19
typically where you start is the low hanging fruit.
00:18:22
What's the things that I can handle in the next seven days
00:18:27
that'll make maybe 40 percent of a difference?
00:18:30
Get me 40 percent of the way there.
00:18:32
Is there compliance standards that you recommend like that, or
00:18:38
is it something else?
00:18:41
Speaker 2: I don't know if I can recommend the compliance
00:18:43
standard because I think it all depends on the regulations and
00:18:48
really your customer network, Like what type of customers that
00:18:51
you have, what laws really apply to you.
00:18:54
I always tell my customers like before you really start building
00:18:57
your cybersecurity program, you need to look at your customer
00:19:01
requirements and you need to look at the laws and regulations
00:19:04
that apply to you so you really understand what you need to do
00:19:09
in order to better service your customers.
00:19:11
We've had many customers that come to us because they needed
00:19:17
HIPAA compliance and these organizations were already
00:19:21
working with healthcare institutions without being HIPAA
00:19:24
compliant.
00:19:24
Sometimes they just don't know that they need to become HIPAA
00:19:27
compliant.
00:19:28
They just know that they need to do better in terms of
00:19:30
security.
00:19:30
But understanding those laws and regulations are very
00:19:33
important because in some cases they fail to comply, they can
00:19:38
have very negative consequences, both financially and legally.
00:19:43
So I kind of see cybersecurity as also insurance to protect our
00:19:47
organizations from these types of incidents.
00:19:50
So you're not again just being compliant.
00:19:53
You can also prevent any issues regarding compliance happening
00:19:57
to your company and you can also prevent other cyber attacks
00:20:00
because that compliance framework is going to be a good
00:20:03
baseline to build a better cybersecurity program.
00:20:08
Speaker 1: Yeah, from what I understand, I guess the
00:20:12
cybersecurity insurance premiums almost across the board doubled
00:20:17
or tripled overnight this year and that's a crazy amount of
00:20:28
money that you're already paying for this insurance for it to
00:20:31
double or triple overnight when it's the exact same posture.
00:20:37
Companies don't change their security postures overnight.
00:20:40
It happens over a couple of years of working on it and it's
00:20:47
just crazy.
00:20:49
I've heard companies actually getting rid of the cyber
00:20:53
insurance and almost underwriting it themselves and
00:20:57
having an underwriting department actually do that for
00:21:02
them, which is something interesting, and I feel like
00:21:06
that feel in that area is still evolving because the premiums
00:21:12
got so high that companies are like, okay, it's just cheaper to
00:21:15
form our own department and underwrite this thing.
00:21:18
Speaker 2: Well, I think there are two things that are driving
00:21:22
that price increase.
00:21:22
When it comes to cyber insurance, everyone has remote
00:21:25
work.
00:21:25
Ever since COVID started, people have been remote.
00:21:29
Even the organizations like that require employees to come
00:21:33
in person.
00:21:33
They're only doing that one or twice a week, so it's becoming
00:21:38
very fair.
00:21:39
I live in New York City.
00:21:41
I don't see people go to the office anymore.
00:21:43
I travel to San Francisco a lot and downtown is like a ghost
00:21:46
town.
00:21:46
People are just not there.
00:21:48
Everyone is remote, and I think that is already introducing a
00:21:52
lot of cybersecurity threats to these organizations because now
00:21:58
their employees, the laptops and other systems that they're
00:22:02
accessing they're being accessed from all around the world.
00:22:06
So I think that's definitely increasing the threat levels out
00:22:11
there, and I think that's one reason why these cyber security
00:22:13
insurance companies are probably increasing their premiums.
00:22:16
But the other thing is we now have artificial intelligence.
00:22:20
That's becoming more and more common, not just in chat, gpt
00:22:25
and other generative AI tools, but now AI can be also used as a
00:22:31
cybersecurity threat.
00:22:32
It can be used for cyber attacks, and this is going to
00:22:36
become probably just worse and worse.
00:22:38
That just probably means that we need also our own AI that
00:22:42
protects us from these type of cyber attacks rather than just
00:22:46
attacking.
00:22:47
I always see the positives and negatives of artificial
00:22:50
intelligence, but I think that because these things are
00:22:53
happening more, we're seeing more data breaches, like that
00:22:55
recent Samsung data breach that was caused by, I think, one of
00:22:59
their employees like using chat GPT.
00:23:01
So there's just a lot of cyber threats out there and I think
00:23:06
because of these two things the cybersecurity insurance premiums
00:23:11
they're probably going to increase more, but it's really
00:23:13
increasing because the risk level is higher than any other
00:23:19
time.
00:23:19
Now Any company can have cybersecurity incidents and we
00:23:24
do training on this.
00:23:25
We try to catch up to all of the vulnerabilities out there,
00:23:30
remediate them and also implement security controls to
00:23:33
really protect our customers from these emerging cyber
00:23:37
threats.
00:23:37
But I feel like from now on it's just going to get worse
00:23:41
unless we do a better job of protecting ourselves.
00:23:46
Speaker 1: Yeah, that's a really good point with the rise of AI
00:23:50
and I didn't even think about it like that was.
00:23:52
With the rise of AI and how quickly it's evolving, I guess
00:24:00
insurance companies would be seeing that and they're getting
00:24:03
extremely worried because it's an unknown risk and I think
00:24:07
that's a great thing.
00:24:08
With AI, of all things, it's a completely unknown risk that can
00:24:12
really cause some great damage to an organization if it's used
00:24:17
in the wrong slash right ways.
00:24:19
So that is a great point, quite interesting.
00:24:24
And then the working remote part.
00:24:27
I didn't even realize that that would increase insurance
00:24:31
premiums.
00:24:32
Maybe that's why some of these companies are pushing so hard
00:24:35
for workers back in the office.
00:24:38
Recently, amazon came out and said that they're going three
00:24:44
days in the office, two days from home, and then it was also
00:24:50
released in an internal memo that they said that it would
00:24:56
take five years to get fully back into the office.
00:25:00
So it seems like they're not stopping at the three.
00:25:04
Three is just a starting point and whatnot, which adds
00:25:09
complexity, right, because now I think as a worker, as an
00:25:14
individual contributor, it's coming to my mind, right.
00:25:17
It's like well, what did you do during COVID?
00:25:20
You were remote, so what's the problem with me being a remote
00:25:23
now, but looking at it from an insurance premium perspective,
00:25:27
there is a risk to that if you don't have the proper security
00:25:31
stack in place and a lot of companies don't want to rip out
00:25:36
their existing security stack and augment it with some new
00:25:39
technology.
00:25:39
That's typically very scary for older companies, that's for
00:25:43
sure.
00:25:45
Speaker 2: Yeah, I've been seeing a lot of these insurance
00:25:47
companies also send out additional security
00:25:49
questionnaires to companies now and they're basically asking
00:25:52
them about their security posture.
00:25:54
Some of them want to conduct an audit for those companies to
00:25:58
verify that they actually have those security controls in place
00:26:01
.
00:26:01
And I don't know if AI and remote work force they're
00:26:07
definitely indirectly impacting this, because they're one of the
00:26:12
reasons why there is more security incidents and data
00:26:15
breaches out there now?
00:26:19
Speaker 1: Yeah, that makes sense.
00:26:20
Well, Metin, I think we're coming to the end of our time
00:26:25
here.
00:26:26
Before I let you go, how about you tell my audience where they
00:26:31
could find you if they want to reach out and where they could
00:26:34
find Rometic if they want to learn more about what you guys
00:26:38
are offering and potentially reach out to get more
00:26:41
information?
00:26:42
Speaker 2: Yeah, absolutely.
00:26:43
You can always send out a contact us form through our
00:26:47
websites, which is Rometiccom, r-h-y-m-e-t-e-ccom.
00:26:52
And yeah, one of our sales people will be approaching us
00:26:56
from there, and thank you so much for having me, joe.
00:26:59
Speaker 1: Yeah, absolutely Well .
00:27:00
Thanks, and I hope everyone listening enjoyed this episode.
00:27:04
Thanks everyone.
Related Episodes
Outsmarting Cybercriminals: A Deep Dive into Social Engineering, Deepfakes, and Digital Defense with Aaron Painter
Prepare to have your mind broadened and your digital defenses bolstered as we journey with cybersecurity expert Aaron Painter, whose insights from Microsoft and NameTag are nothing short of enlightening. We tackle the increasingly sophisticated realm of social engineering, where attackers prey on h...
Educational Grit and Quantum Communications in Space Security
Embarking on the rollercoaster ride of higher education can be daunting, but what if it's the key to unlocking a career in the complex world of cybersecurity? That's exactly what I dive into in our latest episode, as I peel back the layers of my own experience, from the decision to pursue...
Unlocking the Secrets of Effective Insider Threat Management With Joe Payne From Code42
From the fizz of soda pop to the buzz of cybersecurity – witness Joe's extraordinary journey through the tech landscape. Our latest podcast episode takes you through a narrative of unexpected career leaps and the critical role of intelligence in the digital age. Joe, a former soft drink enthus...