Episode 22: Is AI Good for Security, CIRCIA Starts the Clock, and the M&A Problem Nobody's Talking About
Today on the episode, is AI actually good for security? The CIRCIA final rule and what it means for incident reporting, protecting yourself against a changing compliance landscape, and the cybersecurity M&A consolidation problem. This is Distilled Security Podcast.
Speaker 2:Somewhere right now, someone is digging through folders trying to find the right version of an evidence file for the third time this week. Controls scattered across a dozen systems, owners who left the company months ago, due dates that already passed, nobody noticed. It's how it's always been done, and somehow, we just accept it. There is a modern, better way. Episki.
Speaker 2:Visit us at episki.com/dsp for a special offer.
Speaker 3:If you're leading a company today, you're not short on ideas. You're buried under them. More tools, more frameworks, more initiatives that were supposed to help and somehow made everything harder. Minus Partners exists for leaders who don't need another thing added. Minus Partners helps leadership teams remove friction that's been normalized over time.
Speaker 3:So execution gets easier, not harder. Less noise, clear decisions, faster execution. Minus Partners, what you remove defines you.
Justin:Alright. Welcome back everybody to the Distilled Security Podcast. We're starting off is we've done a number of topics on AI, basically used for hacking, AI dangers, all that stuff. But I thought maybe it'd be good if we actually asked the question, is it good for security, you know, into that? So there's been a number of articles into there and a couple of them from from Anthropic.
Justin:They have one in a prerelease model that they are dedicating for security discovery, you know, into that. It's basically a static code analysis Yeah. Tool into that. I I applied for the prerelease. I haven't got it yet.
Justin:Hint hint if anybody's listening. But, you know, with that and I think we mentioned was it last podcast that that Anthropic, when their new Opus model came out Oh, yeah. It pointed and found, like, five hundred zero days, you know, like, that was actually probably in between.
Rick:Oh, yeah. It was we didn't talk about
Justin:it yet. We didn't talk about it. Okay.
Joe:Alright.
Justin:But, yeah, like, with that and everything, so is AI really good for security? Do you guys have opinions? And the other thing that I I I will interject because I'm talking here. One of the charts did you see the chart I attached to the notes? Yeah.
Justin:Yeah. The Anthropic on all the agents that are released out there, number one is, like, almost 50% is used for development. Oh, yeah. Everybody else is, like, single digits, including, like, cybersecurity was, like, 2.6%.
Rick:Yeah. I saw a really neat thing the other day around, like, who gets value from AI. Yeah. Like, even just, like, general assistance. Right?
Rick:And a quote that that was with the research basically said, AI is interesting because it can make hard things easy, but it makes easy things hard sometimes.
Justin:Hell, yeah.
Rick:And so developers absolutely can shave a bunch of time off. Right? But if you're a kind of ticket processor, typically, your standard agents aren't shaving that much time off, like, general knowledge workers' days. Mhmm. So to your point on developers, like, that definitely seems to be bearing out.
Rick:And I think also for experts in various industries, like the cost of expertise is going way down. So like you could say, hey, specialized agent or even just general LLM, give me a market analysis. Yeah. Right? And maybe you don't need to pay McKinsey.
Rick:Maybe you have an internal person on staff or or, you know, and I'm not picking on them, although I'm happy to pick on them too. But but for a lot of specialized expertise, I think the cost of that goes way down. And so it's actually like executives get a decent amount of value out of it typically with low effort, and then developers get a ton are the two stats I've seen.
Justin:Yeah. And, actually, I was just on a phone call today and a company pursuing ISO, not certification, but alignment into that. One of the things they're asking for, like, hey. Are there things out there to help us, you know, and all this? I was like, yeah.
Justin:There are a number of kits out there that you can buy prepackaged policy. I was like, but seriously, like, AI is pretty close. So just ask AI on point of things. Ask it to develop a policy for you. It'll give you the same template for no cost of the Yeah.
Rick:Review you you need people to review it.
Justin:Like Oh, yeah. Tailor and all that stuff. Tailor. But but that's what you're doing with a kit anyways. Absolutely right.
Justin:You know? So it's kinda killing the market, like, of there wasn't a huge market for that, but there was a market. No. Absolutely. Yeah.
Justin:That's no you don't buy, like, 24 policies and then customize it to yourself and all that stuff Right. Sort of thing. So but, yeah, I think it is generally good for security. I mean, we have we have actually two security AI reviewers through all the code and everything. Oh, yeah.
Justin:And it looks not only just like performance, but if there's any security issues, it'll pop it up immediately into that. Yeah. You know, that won't fix it right on the spot there.
Joe:Well, one thing I saw an article on today was is AI good for the stock market related to to Anthropic's launch.
Rick:So That was an interesting
Joe:I saw, like, CrowdStrike fell 11%. Cloudflare, 9.6% dive. And SailPoint slid 8% is what was reported. And so I think they're a little worried about this Claude Code Security and what it's gonna do to improve the situation. Do
Rick:it's you do you think that market reaction is because certain financial analysts or whatever just aren't sophisticated? They hear security and they don't recognize that, like
Justin:I think so.
Rick:Like, it's, oh, yeah. It'll replace SAST and DAST. Okay. Who cares? And it's not a bunch of or because there's an alternate approach here.
Rick:Or is it because some people think that, oh, this is the first of several dominoes that are gonna fall, and so the market reaction is almost forecasting in nature.
Justin:Yeah. But I think that's a big leap. Like, you know, SailPoint. Like, okay. This is a security review.
Justin:Like, they're they're not in the same space, you know, into that. They might incorporate into their engine, you know Totally agree. You know, into that, but that's not taking over their tool.
Joe:Yeah. And that wasn't so much as a main point of the topic, but, you know, I thought it was interesting. Yeah. Yeah. As this came up since we're talking about Claude Code.
Joe:But you think about, you know, is AI good for security? The one piece I don't think we're anywhere near ready for is that the human out of the loop. I mean, that's just huge piece. Agree. Maybe some
Justin:When do you think it point will be, though?
Joe:I don't not not this year.
Justin:No. Not this year. Yeah.
Joe:I would not make predictions saying years.
Justin:I I think years, you know, there again, might be it'll be little things at first.
Joe:Right. Yeah.
Justin:Because I'm not comfortable AI sending emails directly on my behalf, but I have it drafting them, you know, kind thing.
Joe:Well, just like SOAR was and if you take one piece at a time and you automate it. I saw some announcements in the last week about being able to look at the false positives and the false negatives of some of, like, SOC work, you know, with work, and then be able to start accelerating the reviews of that and the consistency of reviews. But that's good. But then I found an article that was a little bit different, like recent AI security failures that have happened. Right.
Joe:And even though, like, Amazon service was taken down, this was just a February 20, I think, article in the Financial Times. And Amazon Web Services suffered at least two internal outages tied to its own AI coding tools, one in December 2025. And I don't have the data on the other one, But they were they were saying that, well, engineers gave AI elevated privileges without adequate guardrails. And so it could do more than it was supposed to, and Amazon's official stance was that the outage was human error, not AI autonomy. Right.
Joe:But still AI in the system in order to enhance stuff ended up Yeah. Shutting down an entire part of that infrastructure.
Rick:Absolutely. Well, to your first sort of question, it just is it good generally? So my take on this kinda solidified a quarter or two ago, and I don't think I have a reason to change it yet. But it's basically on the offensive side, like for bad guys trying to hack in Yeah. It's gonna let them innovate and iterate a lot faster than before.
Rick:Right? Yep. But the defensive moat for that basically remains the same. Right? It's all your hygiene stuff that's been hard forever because people have been resource constrained and all that stuff.
Rick:And I think from a defense perspective, the way that AI gets leveraged the best is in doing hygiene better, more consistently, cross checking, all that stuff, right? So AI agents that can patch or alert or just find things better and more quickly, I think from a hygiene perspective, will be applied it'll be easier to be more consistent with stuff that, like, notoriously a bunch of companies get wrong.
Justin:Yeah. And that might be from the build process you're talking about with that.
Rick:Well, from an app dev perspective, but even just from, like not even, like, build app dev, but also just from a processes perspective.
Justin:Yeah. I guess the the thing I'm, you know, where security is lagging, but it's so hard not to lag is, like, when it found all, you know, those five hundred zero days, you know, type of thing. All of a sudden, if you have a malicious person that's Oh, totally highly motivated, The the patch cycle, you can even, like even if it was a standard pipe yeah. Exactly. Like, 500 things, like, rolled out.
Justin:Well, that's gonna take weeks to get it out to people. You know?
Joe:Do you think we need to define zero day? Does everybody think everybody knows what zero day is? Put
Rick:in the show notes.
Justin:Yeah. Yeah. Basically, it's just zero day is, you know, an exploit out there that doesn't have a patch. Yeah. Know, into it.
Joe:Zero day of patch availability.
Justin:Yeah. Make sure.
Rick:But so one of the things that's gonna happen that I was thinking this too. So okay. So you can unleash this this scanner, and it finds a bunch of stuff that the humans weren't finding for whatever reason. Right? Well, think about your software dev supply chain.
Rick:Right? As that gets unleashed on all these old libraries in, you know, public code that that people leverage everywhere Mhmm. Teams that are actually responsible for, like, patching code and dependencies in code, they're gonna get a typhoon.
Justin:Oh, how are they gonna
Joe:keep up?
Rick:It's gonna be insane. Like, you you're almost gonna have to use AI on the other side to iterate problems, challenges, hey, evaluate these patches, all that stuff, and try to run it through a couple filters and and and analyze it as quickly as possible. Right. Have rollback plans where it doesn't work.
Joe:Well, just kinda thinking about that and thinking about the whole life cycle of what happens. You find these vulnerabilities, what's gonna be expected? You're gonna be expected to patch them. We're gonna get into this a little bit further on our next topic, I think. But with we're seeing government regulations saying, you need to respond faster.
Joe:Everything needs to happen faster. And if you take these four or five hundred vulns that were discovered through AI, get it into the queues of people to fix. Yeah. I don't know how they're gonna do it. And but there's gonna be an expectation that you're you're doing it because now you know.
Joe:Now you know. Now it's negligence if you don't do something. Right?
Rick:Yeah. That's absolutely right. And that I think it's exacerbated by the fact that we're talking about old leg it's it's almost like, to jump topics too much, but it's almost like the quantum encryption thing we were talking about where it's like, well, what happens if quantum hits and all the data breaches of the past, you're right, are now actually public.
Justin:Yeah.
Rick:It's kinda like that for code that's out there today, But the problem gets even harder because what about all the new code that's being developed and the speed at which new code can get developed by AI agents, especially when you have, I think, well intended individuals putting stuff together, but they're not necessarily security minded, and they just don't know to prompt the thing appropriately, or they don't know to cross check or red team. Like, I actually think the volume of new code is gonna go up, up, up, up,
Justin:Oh, yeah. It already is.
Rick:Yeah. It's crazy. Yeah. And in addition to that, you have all these vulnerabilities with old code that's going up
Justin:up up up up up up, and it's
Rick:just gonna be kind of a nightmare as you have to react to all that stuff.
Justin:Yeah. So it'll probably be if I would put my crystal ball on with this, there'll be a definite spike in vulnerability disclosures, you know, into this. And the result will probably be that the we'll have to have more gateway blocks into this. Oh, yeah. Yeah.
Justin:Because we just can't keep up with the software that's exposed or minimizing obviously, minimizing exposure is always a good idea. But in that case, if you're having to deal with it, you gotta slow down the the pipe somehow.
Rick:Yeah. More allow listing approach
Justin:than Yeah. Exactly. Listing. Yeah.
Joe:Well, what what I'm really worried about is, are the attackers gonna use AI to generate exploits just as fast? And Absolutely. And then now now what can you do to protect against that?
Rick:Yeah. I mean, I think that's the when you get into, like, AI on the defender side and, like, well, what does normal look like and what are they doing? And is there context about what's really risky versus not so risky? And, like, I mean, we've been talking about UBA forever. I think we're now actually just getting to the point where UBA can sort of start to be effective.
Rick:Sorry, security vendors who say you've been doing it forever. But
Justin:Well, I mean, it's always a kinda thumb in the air on trying to figure out what's normal, you know, type of thing. Like, if you're trying to figure out, like, the wind out there and your finger in the air and you're like, is that normal wind or is that like, you know, a tornado is coming? You know? And normally, you can see normal, it's like going back and forth and all that. Right.
Justin:But that's basically what they do is try to Yeah. See what's going on and it's like, is this a normal thing or
Rick:Well, and one question I always
Justin:Is somebody blowing on my finger?
Rick:Yeah. Well, in a UBA question that I've kind of always had that I've never heard a great answer to is like, well, but what if you've been compromised forever? Like, since putting this in place.
Justin:Normal. Right? Yeah. It's normal. This is it all looks I've heard that before.
Justin:That's funny. I mean, they obviously incorporate signatures Absolutely. You know, and everything. So, yeah, they're not blind to those. Yeah.
Justin:But I
Rick:do think it's getting to the place where, like, agent orchestration can do a thing where it's like, does this user typically do these things? Are some of these behaviors inherently risky? What's the destination of what they're doing? Oh, is that particularly scary or not? And then also, you can orchestrate, like, how the alarming works a little more cleverly, or is it an outright block based on risk source and stuff.
Justin:And it's
Rick:the architectures and patterns have been built for a while, but I think we're actually getting to a point where they can be really effective without having to hard code what risk looks like. And then that's a block list. And then when something weird happens that no one's ever seen, it's an allow list. So to your point, Joe, I absolutely think that's gonna happen more and more and more, but I think the tools are gonna get a little better on the defender side too.
Justin:Yeah. I mean, they have to. And we've already seen, like, some examples, but honestly, I haven't seen enough security people, like, fully dive into AI into this. In fact, the sorry. I was gonna mention, but I just wrote a kind of a letter to my entire company.
Justin:It's only, like, five people. Four, five counting me, you know, type of thing. But it does basically saying, like, we need to basically consider AI as a first thing, but that doesn't mean it's AI blind. You know? It's like, hey.
Justin:Start considering what you can use AI to, like, speed up what you're doing. Augment what you're doing. Like, you know, I should do that that app that I was kinda working on to source stuff off from the Internet to get into my mailbox where I can put Right. Eyeballs on. You know?
Justin:It saves me the time to try to reach out and pull that, you know, every day. Just things like that. Like, you start thinking like a sys admin trying to script something. All of a sudden, you're like, I could do this. I could just do I could do this or I could do this,
Rick:you know. Like the concept of thinking about AI as kind of a commodity tool. Yeah. Like, it's kinda like the Internet, right, at this point. And when the Internet was kind of becoming a thing, you would have to talk to people and be like, hey, you know, you might wanna consider sending an email as opposed to walking all the way across the office and up a couple floors, you know, or or or doing a phone call.
Rick:You could just send an email. And so you change the mindset to your point about, like, AI first. It's like AI first, but not not AI only.
Justin:Yeah. And I always said in there, not AI blind. Yeah. Like, you don't ask and take whatever and throw it in, you know, into whatever bucket. It's like, how can I help to get to where I want to go faster?
Rick:Yeah. You have to build the habit.
Justin:Yeah. You know? But a lot of people, like, outside of a simple chat prompt don't know the capabilities. Like, I'm starting to incorporate stuff like drafting emails on my to do, and it'll throw it in my draft box. Yeah.
Justin:And then I go up and review it and tweak it and send away. So it's helping me be way more efficient with the time that I have. And you guys know being business owners, like, it's just, you know, constantly shifting mindsets to, you know, to operations, to delivering, to finance, you know, to all this stuff and you're like, I gotta do this. I gotta do this. You know, like, you know, with it.
Justin:It's like, oh, I gotta focus on the marketing website. I gotta focus on now delivery, you know? It's like
Rick:I actually added a thing to my morning routine now every day, and I basically I basically so I'm like a Gemini shop. So I go to Gemini and I say, hey, every day and I built some gems around this and all this stuff, I said, hey, every day I want you to give me a new use case for using AI that I'm not currently using it for. And they're not always fantastic, but there have been a couple things where it's like, oh, yeah, that's a good use of time or, oh, yeah. That's an interesting application. Yep.
Rick:And it's taken a while to get off the ground, like adding all the context of the business and all that stuff. So it's like, say, oh, do you wanna email? Like, here's how we can make your entire HR department, you know, way more efficient. I'm like, well, my HR department's me, so I you know, I don't need I don't need massive analytics here.
Justin:Right? Put a glass of bourbon in front of you.
Rick:It has been really helpful and interesting in having that because I think some of the thing with AI is people are apt to think of it like a silver bullet. Like, I just build this one thing, and now everything's so much easier when it is more about, like, habits and patterns and Yep. Incremental automation over time, all that sort of
Justin:stuff. It it's interesting. I was talking a couple of weeks ago. An employee from Meta, he was telling me that they get measured on their AI usage.
Rick:I was at that dinner with you.
Justin:Yeah. So, like, that they actually they the company monitors how much they actually engage with AI on a day to day basis. Mhmm. And they basically have a quota, you know, into that. And I think I don't I'm not gonna get into the
Rick:They're they're unique. They're they're cultures.
Justin:Yeah. Exactly. I think. But I think it's a way to force habit, you know, into that. Now that you're basically being measured on it, you're like, okay.
Justin:How can I do that? And he was telling me that they some people were even writing scripts to, like, tickle AI every now and then just like So instead
Joe:of the little thing that keep pushing Yeah. Yeah.
Justin:You're asking. What's the weather now? What's the weather now? What's the weather now?
Joe:But one of the things I loved to do whenever you you you look for the breach. Right? Look for the news article about the breach, and what you really wanna get into is what are all the things that happened to this company? What are the controls that failed? And what was the write up?
Joe:What are they gonna have to do? What are they gonna have to fix?
Rick:Right.
Joe:And, you know, what what what happened to them? Because I don't want that to happen to me. And so now, just a a really easy use case for how AI can help security practitioners is, you know, analyze the public reporting of these breaches.
Justin:Yeah.
Joe:Mhmm. And then take a look at our own architecture, like all the documentation, like Mhmm. You have access to everything inside the organization. Review it. Review the controls.
Joe:Tell me if this is gonna tell me what percentage I'm likely to have this happen to me. Yeah. What do I need to do to fix it? And then go to your risk register, see what risks you have, see if you need to increase the probability of those risks come to fruition, and then get that into your your your work work pipeline.
Justin:Yep.
Rick:Yeah. I like that.
Justin:Yeah. Especially, like, that vulnerability, the Oracle vulnerability that so many companies have got hit by. Yep. Like, you do, like, oh, a lot of people are getting hit by that. I wonder where what our asset list looks like, you know.
Justin:And if it had a connector into ServiceNow or something like that, like, oh, look at that. Then we do have that version, you know.
Joe:Yeah. Right? Write me a write me a triage plan. Write me a remediation plan.
Rick:Yeah. So do we think defensive teams should be, like, adding not just general AI stuff to the budget, but like, hey. I'm gonna need more compute because we're gonna need to analyze stuff or we're gonna have to run through things through the engines and stuff like that?
Justin:Yeah. I think, honestly, in my personal opinion, I think we need more training around it than tooling That's right. Right now. And once you understand the the concept and the tooling, then you can look for innovative solutions out there. And when you get it, you're like, oh, they're using this and this way to do that.
Justin:Okay. That's cool. A lot of it, there's a lot of flash out there. They'll they'll slap AI on the side of the cart and be like, hey. We're AI enabled.
Justin:Right. And now it's like, okay. What does that mean? Well, sometimes we prompt you a button that you can ask questions. You know, like, they just build a We have a chat box.
Justin:Recorder. Right. Yeah. That just goes straight to, like, ChatGPT. You know, it's like, woah, okay.
Joe:And then that stuff's still running on the outside. So the training I think that would be good is how do you bring this in? How do you set up a cost effective internal LLM? Mhmm. Train it on your data, and then not have it going out to be trainable on the public models.
Joe:Right? And then you can ask it real questions. And so but out of all the people out there, I mean, like But you don't need
Justin:your own LLM. I mean, by default, the enterprise accounts for Anthropic and ChatGPT turn off training.
Joe:Sure. Yeah. But your data still ends up in their database.
Justin:I mean, your data's already in Microsoft and Google and
Joe:It it might be, but recently, wasn't there just an announcement by was it OpenAI that and help me out here if you remember better than me, that anything that you're telling the AI is not protected from subpoena. And so as private, all any search you had, any history, that kind of stuff, they're not may not be training the model, but they certainly have logs on what you're asking Yeah. And their responses. And so the benefit of an internal LLM is it's actually not being none of that stuff's being stored in their Still their model. But it's in your area.
Joe:You can control it. You can decide you wanna get rid of stuff sooner. You don't know how long you're gonna keep it.
Justin:That's fair. Yeah.
Joe:But it comes back to training and I'm thinking like there's probably a huge knowledge gap. How many people out there actually know? How do you set up your own internally and get it working?
Justin:Yeah.
Rick:Well, how do you and how do you even to your point about a lot of flash, some of that's on software. But if people don't know, they're like, well, I know I need training or I need to get my team training. How do you determine the good training from the bad then?
Justin:Yeah. Absolutely. Because I mean Good point. Everybody's doing training on AI, you know, right now.
Rick:Well, and it's all very, like, wild west. It's very much like, well, here's what I know about it. Well Yeah. Yeah. How do you know that?
Rick:Well, I did a bunch of stuff. Yeah. Okay. Well, was it the right
Justin:I spent three hours doing it, and now I made a YouTube video, and now I'm close. I was type of thing.
Rick:Well, to your point about, like, in a couple years, like, where's the offensive and defensive security gonna be because of AI? Mhmm. I was talking to someone about this today. Was like, dude, when did, like, when did AI videos start to become a thing? It's only been two, three years.
Rick:You remember, like, the video Will Smith eating spaghetti?
Joe:Oh, yeah.
Rick:Right? Yeah. Yeah. And now you have, like, practically photorealistic long form videos of people doing things.
Joe:Did you see the comparison of Will Smith eating spaghetti and and from three years ago and then
Rick:Oh, and then currently? Like, currently?
Justin:That's right. That was like yeah. A little bit ago. Yeah. That was And then what was the was it Brad Pitt and Tom Cruise fighting?
Justin:Did you see that?
Joe:I missed out.
Justin:Don't think
Joe:I know
Justin:that one. That just came out. It was DeepSeek, the model, like, a few weeks ago, and they had basically a full fight scene between both of them.
Rick:Oh, was that like the everyone is freaking out because it was, like, so long form?
Justin:I wasn't It
Rick:was, like, consistent. Oh.
Justin:I didn't see a long. No. It was basically, like, a thirty, forty five second clip, a bit basically, them fighting, like, action movie fighting, and that was all AI. Yeah. There was
Rick:one where it's like I saw a minute thirty or a two minute clip that was like hyper consistent with details and stuff like that. And so people were freaking out because, you know, there's certain I mean, there's like Internet communities around this. Like, is this AI? Right? And so it went as it gets better and better, certain tricks for telling, well, they cut it at the forty second mark, and so that's indicative of, you know, not having enough processing or not wanting to spend all the tokens or whatever as opposed to, oh, yeah.
Rick:Look. This is a four minute video, and it's and look at the trees in the background or whatever.
Justin:Yeah.
Rick:So it's getting better and better. My point with that is, though, it's accelerating so quickly.
Joe:So instead of six fingers, it's instead of having six fingers in your hand, it's it's a forty six minute video or Right. Forty six second video.
Rick:So then, like, what training's adequate? Because everyone's figuring it out almost fresh every month.
Justin:Yeah. Yeah. I guess it's more of the capabilities. And really, I mean, we're seeing a a big thing right now where Anthropic is focusing a lot on connectors and tools. And now, like, ChatGPT is as well, you know, into that.
Justin:I think that's where the the main value is gonna come from. It's not necessarily the the models are good, but they keep getting nudgingly better, you know, type of thing, and we're gonna, like, see them get, you know, minorly better.
Rick:They're commodities.
Justin:But Yeah. When they connect into your back end data stores and your emails and, like, we start releasing that. Development going in our back end database server, like, oh, something's wrong and out it looks at my database schema. I'm like, there's a problem.
Joe:Yeah. Simplification of the integrations is gonna be and and making it so easy that, you know, you can have you don't need to be a computer security expert Right. To put it in place, but you probably still want somebody in our field to take a look at it and make sure you
Rick:Yeah. Double check. Confirm.
Joe:Did it right.
Rick:But from a training perspective, I do think you hit a super good point, which is like, well, it's less about tools and specifics. It's more about, like, patterns and capabilities.
Justin:Mhmm.
Rick:More about, like, how could you be using this? How should you be thinking about building out the habits? Where should you go for news on this stuff? What's meaningful? What's not?
Rick:Like, that kind of stuff is a bit more evergreen, probably.
Justin:Yep. Yeah. Like like, you guys saw the commercial I did for Episki. I mean, that was all AI, you know. You know?
Justin:Yeah. Different parts of AI. Google was the video then well, I guess I did Final Cut for some of those stuff. But then ElevenLabs for the voice over and everything. Like, all that stuff, if you know the best of breed and can marry them together
Rick:Right.
Justin:That's gonna be I mean, that's where I think the training needs to be. It's like, how do I get the best components out of these things, connect them together, get a data source talking to them, and all of a sudden, you got a thing that you can direct, do stuff, prepare for you, review, basically condense into here's what you need to focus on, Justin. You know? And I'm sure it'll make, you know, mistakes along the way, but it'll make less mistakes than, you know, a junior person. You know?
Justin:Like
Rick:Well, and and even if it doesn't to some extent, if you're killing all the hard costs associated with context switching between this task and that task and that task, like, you can go regenerate it again better next time. Like, in may if the tools aren't perfect, then okay, then you do something else. But if you're not, like, killing a ton of time in it like, this is always I think of as the executive mindset, where it's like, earlier on in my career, I'd go like, oh, well, you know, they make decisions so fast, and they don't have all the information. Yeah. The reason they're an executive is because they're good at making decisions fast.
Rick:They're good at understanding what kind of decisions are irreversible versus what are reversible. And an early decision now is typically like, if it allows you to rewind, is much better than no decision or the wrong decision or analysis paralysis. So I kinda get that from the AI thing quite a bit. It's like, yeah, you can iterate a bunch of stuff super quickly. Yeah.
Rick:And if one of them isn't perfect, alright. Iterate again.
Justin:Yeah.
Rick:Or throw it in another orchestration agent to red team it or whatever.
Justin:Yeah. That was I'm not sure we covered it on the podcast. I think it was in one of our notes with it. But somebody did a study on they sent a professional red team, you know, over targets and then AI over target Yeah. And did that comparison.
Justin:It was probably a while ago. Maybe we did. I don't either which way
Rick:I don't remember talking about it.
Justin:No. Me neither. It it came down to AI was more comprehensive. It got all the vulnerabilities. It it was more kind of scope, you know, into that.
Justin:But the red team was better at looking at the business logic and finding vulnerabilities out of there.
Rick:Like, what's practical? What's more likely? What's the actual prioritization
Justin:type stuff? Basically, the red team was getting the the high high level fruit and it you know, AI was getting all the low level fruit Yeah. You know, into that, you know, with it. And so you look at that, you're like, well, so I'll start with AI, you know, get a clean bill of health and then pay somebody else to look at it.
Rick:Right. Or manually prioritize.
Justin:Wanna pay $20 for a pen test if all they're gonna find is low low, you know, low hanging fruit.
Joe:Right. Know?
Justin:And let me
Joe:go fix all those things first and then bring in the pen
Justin:test for doing focus on the week that I'm paying them to try to find bigger stuff. Exactly. Right. Yeah. Exactly.
Joe:It reminds me of if we if we look at you you ask a junior analyst, hey. Write write a bunch of risks about what you're seeing in the organization, and it'll be all these technical risks and maybe there won't even be real risks.
Rick:Yep.
Joe:They haven't been trained up. But what you're saying is, well, all risk is business risk. How do I reform this into a business risk? And how how is AI is probably not ready to be able to talk about the business risk implication of the problem
Justin:it found. Yeah. Yeah. Yeah. I think I mean, it can pull out some analogies.
Justin:I mean, you know, there's data out on the Internet. I'm sure it can find some of the stuff and correlate that. But when you're sitting in front of somebody and, you know, adjusting on the moment, like, that's where a human has to, you know, do that. Like, I've done I I don't know if you guys have run into this. If you're, like, interviewing somebody over the phone, you know, they'll I've had cases where they'll pull up AI to answer questions, and they'll have it like
Joe:I've heard a lot of that.
Justin:I and I actually had it happen to me, a developer that I was hiring for. Yeah. And you could just tell the answers were straight out of the AI playbook, you know, giving you, like, the most simplistic example of, you know, something that I ask, you know, type of thing. Yeah. Yeah.
Justin:It's it's it's
Rick:a college kid that just got their degree but doesn't have practical Right. Experience yet. Like, it's you know, the textbook answer is not always the right answer or the best answer.
Justin:Well and this is where so everything we're talking about is security. I might switch a little bit into this. This is where I think the biggest danger of AI, like, coming out of this. It's like trying to teach somebody math, but to hand them a calculator immediately, you know, type of thing. Right.
Justin:Like, our kids are growing up with, like, AI at their fingertips. If if their first response for everything is to run the AI, you know, and not to think logically about it, you know, it's like, alright. Like, you know, let's talk about that. We we I just had I was having a conversation with my daughter. We're talking about, like, the early times of basketball, and she's like, well, it was illegal for women to play basketball.
Justin:I was like, that's not true, Lila. Like, that's that's not a thing. You know? It's like she's like, well, not a lot of them play. I was like, well, that's different, you know, into that.
Justin:She's like, well, there was a lot of people that died playing basketball. It was like, Lila, that doesn't make sense. Like, that that's not a true thing. It's like, we learned it. I was like, well, then you're learning the raw stuff.
Justin:You know? But that's where, like yeah. I I get afraid of we're not teaching kids, like, how to learn or even adults, you know, on how to, like, properly do this stuff. Like, we we're pretty learned. You know?
Justin:We pay attention, you know, reflect Score
Joe:hard not.
Justin:Yeah. Exactly. But if you your answer to I have to write a paper is to go to AI first and get a paper done, you know, type of thing, you know, like
Joe:Well, here's my personal experience. And I find myself falling into this this pothole sometimes myself. Mhmm. And I want a quick answer to something. I want and that's why go to AI to get me some help.
Joe:Help me draft something up here, and it'll give me stuff. And it's just so obviously AI.
Justin:Yeah.
Joe:And somewhat of it is garbage. Some of it is tangent. And I'm like, you know, it's taken me twice as long now
Rick:Oh, yeah.
Joe:To actually answer this question where I already knew the answer, and I just didn't wanna I was too lazy at this moment or just enough time in order to actually write this thing out. And I was hoping it would just write out what I was intuitively thinking. Yeah. And instead, I got this and then I go down a rabbit hole. Right?
Joe:And then I start, like, oh, no. Correct this part. Alright. Throw it in Canvas inside of ChatGPT.
Rick:Yeah. Yeah.
Joe:Alright. Now edit this part. And I'm like, till I was all done, I could have just wrote the
Rick:Out of
Justin:my mouth.
Joe:Three sentence reply and been done. But, you know, I just wanted to see what would happen.
Rick:Yeah. I I think so that you're talking about people maybe not learning or not being able to do maybe even content generation like they did in the past if AI becomes ubiquitous and everyone can use it. Mhmm. It's interesting. I think the what ends up happening is the problems change.
Rick:Right? So, yeah, people aren't as good at content generation. And and you have this stuff onto the side, which becomes artisanal document creation or whatever. Right? Because people are, like, building it themselves by humans, that'll be a differentiator sometimes or whatever.
Rick:But what happens is as content gets generated so fast, like we're talking about code before, the problem no longer is how do I build code more quickly. The problem is how do I sift through all this code? How do I sift like, it ends up being dead Internet theory, but for AI stuff. So I actually think content curation, knowing how to trust your sources, making sure that you're diligent about citing things. I I think people are gonna start to spend a lot more time on identifying the nature and sources of the information
Justin:Yep.
Rick:That is coming to them as opposed to, like, researching it themselves. It'll be it'll be totally different.
Justin:Yeah. Yeah. It is. It's an interesting concept. But yeah.
Justin:Yeah. I just got maybe off that topic because Not like it. We're talking about training, you know, type of thing. Yeah. Mhmm.
Justin:And, you know, just handing somebody AI without the the fundamentals is I I compared to handing somebody a calculator without knowing how addition works. You know? It's like, okay. Yeah. Let me type and here's the answer, you know, type of thing.
Justin:It's like, you don't know the fundamentals of it. You're like, you're just
Joe:It was on a hallucination? Yeah.
Justin:Exactly. Have no idea. Yeah. Yeah.
Joe:You know, I think that was a great topic. My conclusion is I think AI is good for security. I think it's gonna be good for a ton of stuff. I really I think that it's not ready yet for you to hand over the keys and let it take something from begin to end without human in the middle.
Justin:So no VC so AI?
Joe:No VC so AI. I think there's enough of that happening right now. Oh. Trademark. Yeah.
Joe:It's trademark. Yeah. Yeah. And I think that, really, it's use with caution.
Justin:Yeah.
Joe:But I really like the idea of training. Maybe a future topic we can do is some research and just talk about what we find, what we've been using for training, what's worked, what's not. Yep. But I don't I don't think we're we're at a point where, you know, AI for good is equal out there right now as AI for bad.
Justin:So Yeah.
Rick:Yeah. I think it'll be asymmetric, but, like, benefiting defenders more than attackers eventually. But right now, it's still so wild west. People are figuring out how to use them.
Justin:Honestly, I think it's the most beneficial right now is GRC people. You know? I find that all the time. Like, we're so deep in the content and evaluations and looking at stuff and we're so process focused that it's just ripe for GRC to get, like, AI embedded into some of the process.
Joe:Not only that, but you no longer if you can trust what you're seeing, you no longer need to, like, go get a a network security expert to explain and break something down to you.
Justin:Mhmm. You
Joe:can Right. Ask some intelligent question. If you learn how to ask the right questions
Rick:That's right.
Joe:Do the prompt engineering properly, then you can start to get answers to things that otherwise, it would have been harder for you to get to.
Rick:Dan? Totally agree with that.
Justin:Yeah. I was just on a pen test, you know, summary report, you know, on a call and everything. And one of the things, like, they identified some device. And, like, yeah, we didn't know what it was. So we asked AI, and I said it was a DVR, you know, into that, like, was it in the presentation.
Justin:I just thought it was funny. It was like, and so we looked it up and it was a DVR, you know, is what the, you know, it's at. I was like, okay. You know, like
Rick:That's funny.
Joe:Was it really a DVR?
Justin:I don't know. It was just, you know, in the test and everything. They did screenshot it that said it was some model of DVR not supported anymore, you know, into that, which could be true, you know, in the context of the customer who was on it could absolutely be true.
Rick:So The trust question is interesting. It'll keep being interesting. Like, oh, can I trust AI for that? It's like, don't know. Can you trust that wiki that you googled for that?
Rick:I don't know
Justin:if trust that expert that you're paying that you don't know their entire history for that.
Joe:Yeah. There was all there was a customer, and you would be in the meeting with them, and they would be explaining to their other departments the answers to something.
Justin:Yeah.
Joe:And as you're sitting there, you're like, the only thing I can think of in today's terms is, wow, he
Justin:was hallucinating that answer because that was nowhere for me.
Rick:Right. Right.
Justin:So I'm not I'm not
Rick:trying to, like, defend or attack AI, but I do think the trust question's interesting. I've been saying for a while, like, I think we're gonna actually start to move more and more towards, a trust based economy, whether it's just process based or even, like, act like money based. But I think that'll be the thing because as there's more and more content, like, where to come from, how to source it, how do
Justin:you sift it. That's And I also think, like, we're we're probably gonna I agree with you, but we're probably gonna have to go into the realm of how much I need to trust it. You know? Absolutely. So look at that DVR example.
Justin:Like, do I have to put my full faith in, you know, my everlasting soul in that it was a DVR? No. But the their scanner said there was a port open and this is the device and feel like, so I have enough, you know, concrete. Is it the DVR? I'll accept that for now.
Justin:I You know? But I'm not gonna Yeah. You know, you know, rely on that to my deathbed. You know?
Rick:I've absolutely had conversations recently about this. Like, well, should we use it to define, like, patient meds right now and just trust it blindly without checking?
Justin:Would say no.
Rick:Should we use it to, like, define material strengths that go into buildings and just trust it blindly? Maybe not. But can I use it to, like, plan a vacation for me? And I'm like, yeah, I probably can. If it's not fully optimized or it makes a mistake, like, okay.
Rick:Who cares?
Joe:Oh, yeah. It'll be fine. I've so many good ideas for vacations for that. Absolutely.
Justin:Yep.
Rick:But you're right. So, like, figuring out, like, what's the importance or reversibility of a decision Yeah. Is absolutely gonna be part of, like, the new habits that people form interacting with AI daily. Yeah.
Justin:Great.
Rick:That's good.
Justin:Alright. Next topic here. Oh, there it goes. Circa. Circa?
Justin:Circa. Circa. Circa.
Joe:First, it's CIRCIA, and it's a federal law passed in 2022 that requires covered critical infrastructure entities to report cyber incidents in seventy two hours and ransom payments in twenty four hours. But that's not really the most important part. The most important part is how does everybody pronounce yeah. Sure. Thanks.
Joe:Cirquia and
Justin:That's a whole topic for this. That's a whole topic. So as I was
Joe:as I was prepping, I was like, oh, man. I wonder what everybody's saying this is. And so I went on the chatty bitty and I said, how how is everybody pronouncing this? And it it basically came out and said, it's sir, c I r, key, k e y, ah, sir Kia. And it says and and here here Did
Justin:you have something different? You had sirsia. I thought I thought sirsia. Okay.
Rick:But it's just because I'd never heard it. I've seen it in a ton of writing,
Justin:but I've never heard it pronounced.
Joe:Yeah.
Justin:Yeah. That's the same with me.
Joe:Yeah. And it said most I'm like, alright. Is it hallucinating this or does it really know? Most practitioners say it as a word, not letter by letter. Yeah.
Joe:And you may occasionally hear somebody spell it out, c I r c I a. But in interesting conversations, cerquia is the norm. I mean, is it really? Have Yeah. No I didn't ask it to do that.
Joe:But Mhmm. We
Rick:So anyway, we we wanna know. Right? We wanna know what the listeners think.
Joe:Yeah. How do
Justin:you say it?
Rick:How should you say this?
Justin:Yeah. Is it knight circia or is it cercia? Like Game of Thrones, you know? Yeah. Right.
Justin:Right. Exactly. So But anyways, you wanna continue introducing Oh, sure. Outside of the pronunciation which
Joe:is very important. Whatever whatever you wanna call it, call it. But, you know, CISA's writing the final rule and it's expected in May 2026. And, the law, I I understand, is already in place, and the rules define how it works operationally. So it's it's not a breach notification law, but it's more of a federal situational awareness law.
Joe:Mhmm. And what they're looking for is covered entities. In this case, these 16 critical infrastructure sectors, like things like health care, financial services, energy, transportation. They this this rule could affect about, what, 300,000 entities we're talking about.
Rick:And that's directly impact.
Joe:Directly impact. Mhmm. And it's not just large enterprise, but mid market companies, will fall in scope. And so it has a couple triggers. Yep.
Joe:And one of them is a cyber incident to be, to be disclosed. The clock starts. The seventy two hour clock starts when you reasonably believe there's gonna an incident occurred. So reasonably believed an incident occurred
Justin:Boys will have a field day.
Joe:Yeah. And then seventy two hours is your your clock for reporting. And then ransomware payments, you need to make a notification that you paid a ransom in twenty four hours.
Rick:Yep.
Joe:And I'll I'll pass the baton here, but that's that's kind of the background. Yep. And it has a lot of implications, and it also is way different than all the other things that are already published for these notification timelines.
Justin:You're talking about all the state Yeah. HIPAA breach all that stuff.
Rick:They all have different timelines.
Joe:Yeah. The SEC Yep. Disclosure. So there's different clocks reaching
Rick:So I think there's a couple traps that I get, maybe not nervous about, but, like, wanna make sure that you're if if you're impacted by this, like, that you're thinking about, one, is that 72 thing is reasonable suspicion of a material cybersecurity breach. First and foremost, I don't know who has had the joy of these conversations in the past. I've talked material with lawyers. Materiality with lawyers and finance people, and if you're public versus not public, and all of these things get crazy fast.
Justin:Are you sure this is material though? I'm not sure. I
Rick:thought it was material breach. I I would love to be corrected.
Justin:Yeah. Keep keep going and everything. Yeah.
Rick:No. I I mean, I'll be happy if I am because I think this is I think that part of it potentially makes it difficult. Because one of my one of my notes here was, like, if you haven't defined what constitutes a material breach, like, with lawyers and finance people, assuming this is in Mhmm. The regulation, do that now because I think that could be a trap if you have it. Or if there's if it's not in here, it's in another regulation.
Joe:It's between the Yeah. An incident and a breach. And there's some customers I work with where they're very adamant to say, well, we have an event. Right. And that event isn't even an incident unless it does these things for our impacts.
Joe:Yeah. And then it only becomes a breach when this happens because they have contracts that say must notify their customers for security incidents. And so once that was figured out, they had to make sure they train everybody on well Yep. You know, is it an event, is it an incident?
Rick:So so make sure you're clear about that because the seventy two hour clock will start in some situations, but it might not in others.
Joe:Oh, absolutely. And, you know, the the, you know, the clock problem is a huge one because, you know, your SOC detects activity. And then it takes time for forensics to become something that figures out if
Rick:there's something happening. Even know you know something is happening. You don't even know what it is yet.
Joe:Right.
Rick:Often.
Joe:And who all wants to know? Well, your leadership wants to know. Legal doesn't wanna start doing any reporting until it's confirmed, but that CIRCIA clock may already be running. Right. And it may have started already on that.
Joe:So imagine you have a seventy two hour CIRCIA notification, HIPAA, sixty days. Lot of state notifications are thirty days.
Rick:Yeah.
Joe:Four day is it four days for the SEC disclosure? And I
Rick:should know that.
Joe:Yeah. And and then, you know, what's your cyber insurance notice? Usually, they know you got like twenty four hours or things are gonna might go wrong.
Rick:And you
Justin:have to be states depending on the residents that are affected and what's involved with the data.
Rick:And you end up running legal liability risk if you're not consistent in your responses. Right? So, oh, we were worried about CIRCIA, but we weren't as worried about state breach laws or whatever. It's like, well, that doesn't really hold up. If you could take one seriously, you need to take the other one seriously or else you might get penalized the same way.
Rick:So that's I think that's one thing. Whether materiality or not is a thing, like defining materiality, just knowing what constitutes reporting and not. I know you're I think you're looking it up, you can tell me if I've hallucinated that.
Justin:So the couple of things I looked up and I just asked AI as the final thing, it's a no. Not in the traditional don't know why I thought it was. Okay. A substantial cyber incident is triggered by any of these. Substantial loss
Rick:of Substantial.
Justin:Yeah. Okay. Loss of c CIA of information systems, serious impact on safety and resilience of operational systems and processes, disruption in ability to engage in business operation operations or delivery of goods or services, unauthorized access facilitated through a supply chain compromise, including MSPs or CSPs. Yeah.
Rick:So still still fairly qualitative and make sure you define what significant is before that seventy two hour clock starts ticking.
Justin:But this isn't just like maybe a simple phishing, you know, like No. Right. This wouldn't be phishing. But this is data got stolen that's confidential Yeah. With that or you're down and it impacts the operational ability.
Justin:Again, this is critical infrastructure. Yeah. So I think if your HR system goes down
Rick:Yeah. They would they
Justin:probably wouldn't care, you know, into that. But if it affected service, you know, maybe
Rick:There are gonna be gray areas. Yeah. Oh, we use this as a document exchange.
Justin:Yeah.
Rick:Exactly. Is it operational or is it not? I don't know. Oh, well, it this is how we report KPIs. Well, it definitely is.
Rick:Oh, this is how we do QBRs. Well, maybe only at certain times it is, like Yeah. So anyway Yeah. Just be clear upfront.
Joe:Well, and I do like your materiality conversation as well because I think every organization really needs to think that through.
Rick:Yeah.
Joe:And the severity of the impact of the incident is going to be highly related to the materiality to the organization.
Justin:Yeah.
Joe:That takes the severity from a continuity or a, you know, IT kinda conversation into a what really matters is what the business impact is, and that becomes is it a material problem for the business? Well and and we hit about on the incident side and the and the notifications. The other part that I'm a little worried about with this is ransom reporting implications. Mhmm. Because if you need to tell the federal government that you've paid a ransom in within twenty four hours of making that payment, what does that do?
Joe:It's gonna impact your negotiation strategies,
Justin:you know, whether you pay
Joe:it all. And a little bit of it almost feels like it's a disguised way of creating a ransomware reporting requirement that didn't exactly exist before because now you're not just saying you had to pay ransomware, but how much, you know, the details around it, I think they're looking for.
Rick:Yeah. It's like it's a it's a cooling factor to try it could be to try and make people pay less. I I could actually I could see that because I hadn't thought about that before, but it absolutely could impact like, the bad guys will know if you have to report if you pay a ransom, so they're gonna adjust their tactics accordingly. That's pretty interesting.
Joe:Yeah. And I think it's been for a while, I I think isn't the FBI's whole stance or it used to be like, no, don't pay the ransom. Mhmm. They're they're always encouraged don't pay the ransom because every time you pay the ransom, now you're funding somebody. And if you do the pay the ransom and that money goes to certain countries that Yeah.
Joe:You're not allowed to put money into, now you're actually breaking some.
Rick:It's a collective action thing. If nobody ever pays the ransom, then people try and extort other people less.
Joe:Mhmm. Right. Right. And so I don't That's
Justin:Yeah. Mean and that came from, you know, never given, like, kidnappers or whoever. Yeah.
Rick:We don't negotiate with terrorists. Yeah.
Justin:Exactly. Yeah. You know, type of thing. And they tried to translate that over to ransomware, but I think they the thing that they really didn't consider is, like, all my data is gone unless I pay $10,000. You know?
Justin:And for a business, you're like, I'm gonna pay $10,000. You know? Like
Rick:Yeah. Depending on what it is and and I don't wanna say how much you trust, but like if that's Yeah. Not the most material thing in the world to you, like in terms of like, well, can I pay $10,000? Then like, alright. Well, your option is nothing or maybe something.
Rick:And then there's all sorts of international law and, like, all sorts of things that apply. But ultimately, if you're like a small business owner and you get ransomed
Justin:Yeah.
Rick:Yeah. I mean, your risk profile is different than like
Justin:Oh, yeah. $10,000 might be all you have in your bank, you know, But, type yeah, when you go into a bigger company that, you know, either you're gonna spend three weeks getting everything back or get the decryption key and get everything done in a day, you know, type of thing. And for the most part, like, I've heard a number of presentations around this. For the most part, it's not always a rule. You know, those ransomware people want to maintain trust into that they're gonna give you the the decryption key Because if that falls apart, then nobody's gonna pay it.
Justin:Right. Right. You know? So most of the time, you're getting that decryption key to rescue yourself, you know, into there.
Rick:Yeah. It's complicated. So talk to your lawyers in those situations.
Justin:But yeah.
Joe:The other part that I thought was interesting, if you wanna talk about this, I'm not sure how this got into the, you know, the the concept here, but the the connection with CMMC. Yep. So Mhmm. Yeah. The the CMMC requires documented incident response capabilities, and CIRCIA adds mandatory federal federal reporting.
Joe:And so for defense contractors, if you're in the defense industrial base, now you have both CIRCIA plus CMMC requirements that are that are hitting you. And so, you know, at this point, for defense contractors, you know, you gotta expect that the contract clauses are the the prediction is the contract clauses are gonna start referencing CIRCIA. Assessors are gonna ask how reporting, is tracked. Mhmm. Like, how do how's how's your clock work
Rick:Right.
Joe:For this stuff? And when's that clock start? And your IR documentation is gonna need to have a little bit more growth, a little bit more maturity.
Rick:Yeah. Another thing that I thought about reading this, because I didn't see anything explicit, I think and this is what I was getting at when I said directly impacted before. Because of the way they I was thinking materiality, but the way they define significant That's
Justin:a lot in the financial Yeah. Because of materiality.
Rick:But way, like, is it big enough? Right? Yeah. Well, if your vendor gets popped and has an impact on your operations Yep. Your clock has started.
Rick:Yeah. Right? And you might be completely beholden to their analysis investigation of the what happened side of things. And so for critical vendors and all that. Is that what you say,
Justin:like Change Healthcare.
Rick:You know? Right.
Justin:So you say, like, oh If they heard that name before
Joe:Right.
Justin:They got breached, you know? Yep. And they're like, wow. They're really connected to a lot of
Joe:things. Exactly. Yeah.
Justin:In fact, what was that breach that's going on right now? I forget the name of the company, but they process, like, most of the SNAP processing.
Rick:Right. Yeah.
Justin:And they're saying, like, 25, 30 million Americans are actually impacted by this breach. They Oh, yeah. The people were in there for five months, you know Mhmm. Just sitting in their network, you know, into that. So Yeah.
Rick:Yeah. But so I think one of the things that I was thinking about is if you are one of the lucky 300,000, right, that need to do this, like, if you haven't already thought about your critical vendors or suppliers or people that could, in theory, drive an operational consequence, or I mean, access is in there. So a breach of if you do, like, any kind of staff aug or have a staffing firm or something, a breach of, like, their account that could map into your environment. Like, there are Yep. Things there that are worth thinking about that are new, and you might need to ask your vendors if they're critical.
Rick:Hey. What how are you gonna help me comply with this thing?
Joe:Yeah. I mean, we're changing from, hey, we'll figure this stuff out after the incident as we do the triage and containment to classifying and reporting almost in real time because how else are you gonna meet the Yeah. The timelines?
Justin:So honest question for me, guys, or honest answer. I want from you. How many companies do you think are actually gonna follow this to the letter?
Joe:Let me ask you a different version of that. How many do I know that can that even have the capability based on their current processes to follow this? Yeah. Yeah. It's Not many.
Rick:It's few to both of those questions. But like the reality is
Justin:How many can pronounce it? Nobody. Yeah.
Rick:Oh, you're asking about cerchaea?
Justin:Yeah. Oh, I
Rick:Oh, I'm so sorry. I didn't produce anything.
Justin:I thought it was Circea. Yeah. I was looking at the wrong thing.
Rick:But I I think, like, all of these all of these requirements, it's it's very rare for it to be as direct as an if then statement. If you fail, then you have this massive consequence. Like, it's if you fail, then a conversation starts with lawyers and regulators Yeah.
Justin:And and and. So But I'm just thinking about, like, I think of all of us have been involved in one way or another with, you know, breaches and all that stuff and everything. The almost the last thing in your mind, you know, at in the beginning is where's my lawyer? You know? Like, you're trying to get, you know, operational stability as fast as you can or at least stop the bleeding, you know, like, that's your first priority.
Rick:Well, how bad is it, and is it getting worse?
Justin:Yeah. Exactly. Like, that's that's your focus, You know? It's like, we're down, money's going out the door, whatever it is, like, we need to stop the bleeding now. The last thing you're thinking about, unless you're practiced and, you know, know who to call to the table anytime something happens like this is where's our lawyer at, you know, type of thing.
Justin:Like, that's not a thing that Well, I think is immediate. You stop the bleeding and then you're like, okay.
Joe:Well, this is where things are gonna change. You're gonna have to. And you think about this. Let's keep this in context. This is not, you know, the local candy store having a problem.
Joe:This is critical infrastructure.
Justin:Right.
Joe:And so think your electric or your gas company or things like that. They're the ones that you're have to really worry about this.
Justin:Be surprised how much of a shell of a company it like, people run that.
Rick:Critical infrastructure is terrifying.
Joe:Right.
Justin:So my parents had a house in around the 2000 time frame up at Seven Springs area. Mhmm. At that point, when they bought that house, they were still getting bills sent to them handwritten at that point. Oh, from, like, from one of these utilities. Yeah.
Justin:From the power company there. It was like, what? Like, this
Joe:is crazy.
Justin:When they signed up for a phone line there, and, like, Seven Springs is what? Two hours away? They're from Pittsburgh. It's not that far away. They asked if we wanted a party line, you know, or a a direct line when we signed up for a phone.
Rick:Did you get a party line?
Justin:No. We didn't get a party line. Aw. I had to ask my parents to be like, what's a party line? That sounds fun.
Justin:You know? And for those who don't know what a party line is, is you're connected to multiple households. Yeah. And you basically share a common It's almost like a walkie talkie. Yeah.
Justin:If you think of the pain, it was in and again, dating myself, trying to go on the Internet with a modem and somebody picking up the phone, like, it's basically that, you know, to your neighborhood of cut talk.
Joe:Yeah. But worse, like, I had I had the I was on the party line when I grew up, and there were all, like, at least seven or eight neighbors. Some of them were family, like aunts and uncles that live close by, and then others were just other people
Justin:Yeah.
Joe:That I think my parents knew, but I didn't know. But we were in a small area. Yeah. And if you pick up the phone and you'd hear somebody talking, you'd politely hang it back up. And but you could also hear it click when somebody does and so and you'd hope they would hang it up.
Joe:But then remember, these are like the the black phone on the wall
Justin:Mhmm.
Joe:With the handset and the big long cord for all of anybody who doesn't know this with the actual circle thing where you'd
Rick:have to The rotary.
Joe:Yeah. Yeah. Rotary dial. And so it was that.
Justin:Do you ever watch the YouTube videos where, like, parents will get their kids and, like
Joe:Oh, yes.
Justin:Could you use this phone? Or They're pretty entertaining. They're like, I don't know. What is this thing? Yeah.
Justin:They're pretty entertaining. Yeah.
Joe:Well, as we're wrapping this topic up here, I was just I had some notes on what companies must do to actually build any can they get close to being operational with this? Mhmm. And you you really gotta start right now. Clear incident severity frameworks
Justin:Yep.
Joe:Define what meets covered incident thresholds before the crisis. You gotta figure that out. Yep. Reporting playbooks. You can't you need to have these pre drafted.
Joe:And to to your point, the first note I had on this was, what's the legal review path? Like, that is top of the list now, not the let's figure it out later.
Justin:There are lawyer firms that actually specialize in Oh, yeah. Brief notifications that you can almost not fully outsource, you know, into it, but it's one call to say
Joe:Right.
Justin:Here it is. Here's what we do, and they'll actually help you. They even have, like, media packages and all that stuff.
Joe:They'll you if you feel cyber insurance Yeah. You probably already have access to this. And I'll tell you, there's another tangent here. There are a number of cyber or companies who went and they bought cyber insurance, and I asked them how much of the cyber insurance benefits you take advantage of. They don't even know what I'm talking about.
Joe:Right. And so we start laying it out, and I said, well, let's look together. There's probably a place to go log in. Let's call up your broker who negotiated this for you from one of the Mhmm. Agencies.
Joe:Let's start asking them questions. And then we end up getting tons of good information, playbooks Yeah. Materials. They can even sign up on that, like, where do you get educated about what's happening? You can sign up on the newsletter and they'll they'll send you when something significant's happening.
Joe:So all of these things make sense. So but you're right. And on the panel of these cyber insurance is the the the lawyer you work with Yeah. That you can pick from.
Rick:Well, make sure they're on the panel. Yeah.
Joe:Make sure you're getting along. The panel. Yeah. And, you know, and then also your incident response company. Like and you wanna pre negotiate.
Joe:We've probably talked to this before. You wanna pre negotiate these contracts
Justin:So they do another insurance podcast. Yeah.
Joe:Yeah. I'll I'll wait for them for the rest of But, you know, it's about your reporting playbooks. You need to do that. What is your government submission process? You don't wanna wait until the clock starts to go Tap it.
Joe:How do I actually
Rick:I don't have access to that website.
Justin:How do
Joe:I actually tell them? And how are you gonna preserve the, you know, the evidence? The clock ownership.
Rick:Right.
Joe:Who declares when it starts? What is the trigger? You know, and how do you reasonably believe this is reportable? You need to document that. And then lastly here on the ransom decision protocol, you know, is your board I was just in a conversation at lunch about board level pre alignment.
Justin:Mhmm.
Joe:Will we pay this? How much will we pay? Right. And we'd like to have some board members sit in where on some private companies when their top executives are going through a Mhmm. Ransomware tabletop exercise and say and we we force the issue on, it's gonna be a ransom needs to be paid
Rick:Right.
Joe:Just to see how far away from being aligned they are.
Rick:Mhmm.
Joe:And the answers across the tables from executives in this conversation Yep. Were like night and day. It was just crazy to see how unaligned they were until after the meeting. And that was like one of the first things we started hashing out. We we got to that was like one of the first lesson learned.
Joe:Let's get to that, figure it out. And and and under, you know, and then under what conditions would you pay? And so, like, all these things need to be you can't wait until the issue happens. Now with this short time You
Rick:have to do it upfront.
Joe:And if you're in critical infrastructure, you're you you really need to be on this.
Rick:Well, and I would say one other pro tip when we're talking about playbooks and reporting and things like that is as you're drafting your communications, draft a preliminary notification, which is to say, hey, everybody. We think we have a thing going on. We don't know what that thing is yet, but we're supposed to tell you that when we think we have something happening, we're gonna tell you. So here's what we know so far. It's an evolving situation, and we'll get back to you in x hours or x days because Perfect.
Rick:You'll with these timelines Follow
Justin:our status page because you can track security incidents into that or spin up a dedicated hedge real quick.
Rick:So with these because these timelines, you're not gonna We
Justin:take your security very seriously at x company?
Rick:Not to a government regulator. No.
Justin:No. Don't know. I always see that, like, statement in right after they, like they're telling you they had a serious breach. They're like, we take your security very seriously.
Rick:You almost have to. Yeah. That's But I will say draft a preliminary notification because you may be forced into a situation where you still don't know anything because it's been seventy two hours, and it took twenty four like, when does the clock start, all that stuff, you realize, oh, no. We're way behind the eight ball. Okay.
Rick:Look. Whoever your chief counsel is or whoever's like, has access to the site, I actually don't know how reporting works for this. But whoever can do it is like, okay. Well, put the default something's going on. We'll tell you more when we know more thing into the system so that you can move forward.
Joe:Right. And and Draft that. And, yeah, prewrite that. It's part of your playbook. Have as much of that drafted as possible.
Joe:Reminds me a quick quick side story here is as we were doing things like third party risk management companies I was at, and we get to a point where somebody wanted to make the decision that they're gonna go with a vendor or I have this in multiple situations or it was just an internal architecture decision. We're gonna do it this way.
Rick:Yep.
Joe:And the security team's looking at it and saying that operationally, that's that's gonna be a problem. This is as a a high chance of actually failing and, you know, breaching data. So but we need to do it. Business decision, we have to do it. Alright.
Joe:Another business decision we're gonna make right now is we're gonna predraft the customer notification letter. Oh, wow. So let's just go and get the lawyers, sit down. The only way first, I'm not signing off on this. You can have my boss sign off if you need sign off because you can't get this live unless one of us are saying But you get that.
Joe:The only condition I have is we prewrite the the the breach notification letter.
Justin:I love that so in. That's so good. Now wait. What?
Rick:We're not gonna do that. We're not gonna get lawyers on the phone. That's funny.
Justin:That was that was always fun. Great. Yeah. Good wrap up into this here. Yeah.
Justin:Why don't we dive into the the spirit of today? Yeah. Thank you, Joe, for supplying this. So we got WhistlePig, old rye whiskey, aged twelve years. And, Rick, I'm gonna let you pronounce the it went into a secondary barrel.
Rick:Yeah. Well, several three secondary barrels.
Justin:Right? Secondary barrels, and then it got blended back into it.
Rick:Madeira, Sauternes, I think. I could be wrong. Alright. Yeah. Correct that pronunciation like, CIRCIA as well on the comments.
Rick:And then port. I know that. And then port. Yeah. I I got the port.
Joe:Yeah. This was this was specially blended for the PA fine wine and spirits.
Justin:Spirits. Yeah.
Joe:Good spirits. Yeah.
Justin:Yeah. So and you a lot of people don't know, like, a lot of the spirit companies Mhmm. Have that. You can do your own bottle selects. You know?
Justin:Yeah. It costs well, per barrel, it costs about 10 to $15 usually into that. But out of it, get 200 and, you know, 210, 200 and some odd bottles out of it. Depending on spirits and other things, it's a lot very
Joe:Well, the way I got introduced to WhistlePig was I was actually on a podcast at a company called Prosper, Pittsburgh based company. They help in healthcare, awesome partner. And they brought me on to do a podcast and afterwards, I I ended up getting a gift of one that they had blended. And so they went and they did the tastings. We're able to get this put together.
Justin:Yeah. Okay.
Joe:And they had, like, their own instead of it saying for good or fine spirits, they had their company name on on the label.
Justin:Oh, nice.
Joe:It was delicious.
Justin:So you're saying we should get Distilled Security Podcast actual spirits. I think That's what I got out of that entire story.
Joe:You're right. I think
Justin:we need to get our own blend. Alright. Yeah. That'd be good.
Joe:Let's we'll make that a I don't know if that could be a 2026 goal, but maybe a
Justin:20% goal. We'll get we'll get it eventually, you know, into that. That'd be good. Yeah. And I've heard and I've seen actually some videos of people doing it.
Justin:They put a whole experience together for you usually get, like, six ish, four to six people that you get to bring
Joe:with you. That's what I heard. Yeah.
Justin:Yeah. And you get to spend they'll pull barrels out for you. And it depends on the the place. Usually, some I've seen you can, like, basically just point the wall and select them. Some will pre pull Yeah.
Justin:You know, and be like, you're, you know, the Ford that you get to pick from and get to pick the best out of it. But, yeah, it looks like a blast. That's cool.
Joe:What's the what's the proof on this one again?
Justin:The proof is low. Was it 80?
Rick:84? 86? Something like that.
Justin:Yeah. It's 43, so 86. Yeah. Yeah. Yeah.
Justin:It's kinda smooth. 43?
Rick:Yeah. I think this is delicious. I love this.
Justin:Yeah. It's very good. You can definitely get a lot of that that wine after flavor after it. You know? I would say it's probably like a little bit sweeter Angel's Envy.
Justin:You know? People are familiar with that. It has more of that because that's finish import. Absolutely. That.
Justin:So, yeah, you get a a little bit sweeter, and it's a better finish, I think, than Super clean finish. Yeah. Yeah. Than Angel's Envy. But, yeah, thank really good, man.
Rick:Thank you.
Justin:Cheers. Appreciate it.
Speaker 6:Quick break to hear from one of our sponsors. If you own security, compliance, or risk, and it feels like you're always pushing a boulder uphill, I want you to know about CISO. CISO helps growing companies get order ready, reduce risk, and stay resilient without drowning in tools, endless checklists, or one time reports that quietly rot the moment the audit ends. This isn't shelfware. It's not drive by consulting.
Speaker 6:With CISO, you don't just get advice. You get hands on support from real security engineers, GRC specialists, and former CISOs who help you build, operate, and continuously improve your security program over time. Whether you're chasing SOC 2, ISO 27001, CMMC, HIPAA, or you're simply trying to get security under control so the business can move faster, CISO meets you where you are. Their managed vGRC model gives you enterprise level expertise without hiring a full internal team or reinventing the wheel. The focus is simple.
Speaker 6:Clear priorities, practical controls, and measurable progress leadership can actually understand. Visit cisollc.com and start the conversation. Security you can trust, compliance you can prove, and people you can depend on.
Justin:Alright. Welcome back, everyone. So for our next topic here, it's protect yourself against a changing compliance landscape. So what do we mean by that? So there are a number of things happening this year.
Justin:So we got CMMC phase two. We got the potential for a HIPAA overhaul, which is pretty likely. We got CCPA audits Mhmm. Triggering this year. You know, we're just talking about some of the the incident response, you know, reporting and everything.
Justin:So how do you keep your head above water for all this stuff here?
Joe:Yeah. There's so so much. And Yeah. Did you just say incident response reporting stuff because you couldn't remember how to say CIRCIA?
Justin:Yeah. Okay. That's it. Don't I
Joe:pronounce it. And then this too as well. Right. And so Yeah. All of all of these items.
Joe:Well, we were chatting about this a little bit earlier and everything has its own like, it's all coming together. Everybody's like looking at who do I get a report to on what and what makes sense. And I always like to get it back to basics like, well, if I'm running a proper security program and I have all the right controls in place, then I'm probably most of the way there. And then Yeah. It's almost like build once, audit many.
Joe:Mhmm. And so that that's how I wanna kinda lead off the thought process is get the proper security program in place, get the and we're talking about not to confuse it with the the for-sale Unified Compliance Framework, but what is your internal unified control set Yeah. That you follow? And then and then what are the nuances? And so if you're gonna get audited for ISO or you can audit it for something else, you have to go figure out, you know, what each of those specific pieces are.
Rick:Yeah. Various scopes and things like that. But
Joe:then my take is get the proper security program put in place and then start to only add in the things that where you become required from all of
Justin:this Yeah. Convergence.
Rick:Yeah. Totally agree. I mean, you you basically like, a good control will satisfy many frame. Like, if you have the right MFA, like frameworks that need MFA, you'll probably check that box.
Justin:Like But I think just to play a little devil's advocate into here, you know, a lot of frameworks are selfish, you know, into that, where they only care about their data, their systems, their particular, you know, aspects of that. So you're not gonna take, like, a standard of PCI and apply it to your entire organization, maybe Right. You know, into that. There are scopes. There's limitations.
Justin:There's into that. Even if you had a really mature organization and basically had all the controls
Rick:Right.
Justin:You're still limiting it to from an audit perspective. So I think it's it's easier said than done to have, like, I mean, I agree with you that if you have a good mature program, you can adjust easily to any demand, you know, into that. But not everybody has the same maturity across different aspects of their business or maybe, you know, business units or subsidiary businesses, sister businesses, whatever it is. So all of a sudden, it gets a little bit more complicated when you're dealing with, like, six different systems that need MFA, not just one, you know, type of thing.
Rick:It's true. But I guess it depends, like like anything else. You're gonna have global controls,
Justin:and
Rick:then you're gonna have controls for high risk areas. Yeah. And maybe there's reasons to cut it more granularly than that. There can be. But, logically, I don't know that it needs to get all that more great.
Rick:So okay.
Justin:Bam.
Rick:Is are systems with PCI data high risk areas? Yeah. Okay. Apply all the high risk controls. Okay.
Rick:Should all that satisfy typically PCI? Well, yeah. If you're not, you're probably doing it wrong. And to your point, there are gonna be data specific things in certain cases or whatever. But for the most part, like, I think of MFA as a global control.
Rick:So, like, if you're doing it, you should be doing it everywhere that matters.
Justin:Right. But you have a dozen SaaS systems, and someone don't doesn't integrate into your authentication system, so now you're managing the SaaS system through their admin interface, you know, and have to manually turn on multifactor. That's what I'm I'm saying is, like, it it there's multiple places where a control can diverge or have to be managed.
Rick:Is there the critical vendor isn't sampling back
Justin:to No. There are some, like, aspects of that. I You know? Well, there's always gonna be exceptions. Yeah.
Rick:There's but but that's why you have exception management and approved exceptions and stuff like Well,
Joe:I think that's where evidence so so you have your control. Right. Your standard for way of doing it. And what really is gonna matter is whether I have to show three pieces of evidence or one, I still need to make sure I can show evidence. And the evidence becomes more important than policies.
Joe:In fact, I've been in some audits Yep. Where they're like, well, do you wanna see my policies? Well, no. I need to see the evidence that these main controls are working.
Justin:I don't I don't care except if you're going through an ISO certification, and then they'll wanna see your policy.
Rick:Well, I I don't care.
Justin:We actually I've been in
Joe:ISO certifications where they I barely glance at the policies, and the policy glancing was, oh, pull that policy up. Control f, show me MFA, and then you see the one line. They're like, alright. I see you're covering it. I'm not looking for Yeah.
Joe:Exceptions to that.
Justin:I'm not I'm phase one part of the certification where you have to Yeah. Submit all the documentation first, then they'll go into sampling and Right. I much prefer those types of audits,
Rick:by the way. Like like, don't certify against whatever written down, certify against what I'm doing. Yeah.
Joe:And and then and so and even some of the SOC 2 audits I've observed, they're like, well, I don't really the auditors, like, I don't really require that you have a specific policy. I need to see the evidence
Justin:Yeah. That you're making Yeah. Something negative.
Joe:And so that kind of stuff comes into play.
Justin:And that's one of the things, yeah, I'm critical on PCI in a lot of different areas, but they came out years ago with their prioritized approach. It was a one-through-six scale on all their controls. One being the most important, six being, like, the last thing you focus on. They put all their policy and documentation at number six. You know?
Justin:Because, like, guys, you gotta get the controls together, implemented, then you worry about the documentation.
Rick:You write it down
Justin:less. Yeah. Yeah. So, like, if you're looking from a priority perspective. Yeah.
Justin:So yeah. And I and again, I agree with you, but it it is a little bit more complicated when you're dealing with a bigger organization. I mean, you know this, like, you know, trying to dig out a big organization now. Yeah. You know, it's different.
Justin:That it's it's easier said than done to say, yeah. We have a mature program. It's It's like, okay. There's areas of focus that, you know, tomorrow, we gotta focus on this system because there's the upcoming requirement that's coming, you know, due sooner rather than later. I can't just focus on entire company Right.
Justin:You know, implementation today. But I
Rick:do think it the heart of it and and rolling it back to like, well, how are you keeping up with all of these changes? Like, it's not gonna slow down. Like, compliance is getting more and more and more. AI is gonna layer that on top. And, I mean, people complain like, oh, the law is not keeping up with, you know, with technology or whatever.
Rick:Alright. Well, give all the lawmakers AI and see how fast they start to run through additional legislation that has its own hallucinate, like, I Talk
Justin:about AI slop at that point.
Rick:It's not a prediction show, but I won't be surprised if we start to see legislation that, you know, actually starts to get faster, at least certain because well, even and even if it's not the legislature doing it, the aides now have access to AI and things like that. And it's like, okay. You can again, drafting things is no longer the holdup.
Justin:It's Well and that was a funny thing, like, like, bringing in Epstein into this. We've never talked about Epstein. But they did all that document dumps and everything, and it was thousands upon thousands upon thousands of document. Like, nobody could go through and read all that. You know?
Justin:Would take you years Right. You know, to read it cover to And everybody was sorting it through through AI. Be like, pull out these names. Pull out these names. What are this?
Justin:You know? Pull out the they're like, they were basically asking questions against that trove of information, you know, into it.
Rick:So I think, like, how do you keep up? It ends up being like, okay. Well, no. Actually, how do I just engineer continuous compliance? Right?
Rick:And this gets back to
Justin:Yeah. Yeah.
Rick:Automation, you know, regularly, you know, pulling via API's evidence, like, all those things and making sure that you're utilizing systems that enable you to go fast as opposed to, like, yeah, I still have, you know, half a dozen people in spreadsheets doing stuff.
Justin:Now I'll I'll throw in another Yeah. Devil's advocate here. So that's all great, but the way you're kind of framing that is you have dedicated people to do that. What if it's your most senior security person is the IT person also in charge of desktop builds and all that stuff? How does a company like that keep on top?
Rick:Oh, well, I think I think either way, you have to engineer it. Like, the nature of how you engineer it is gonna be different. But either way, the compliance burden is just gonna grow and grow. And if you don't engineer to deal with it, the the problem like, your solution isn't gonna scale with the nature of the problem.
Justin:Yeah. But a lot of people like, I've worked with organizations that they just don't know what they don't know, you know, type of thing. So working with organizations where, you know, I come into it and they're building every machine by hand and its local authentication to this machine, you know, into that. And they've grown to a 100 people by that way. And we come into that.
Justin:They're like, why aren't you, like, doing a Microsoft 365 subscription
Joe:Right.
Justin:And syncing your, like, ID to that? Right. Well, I didn't know we could do. Right. Right.
Justin:Know? And that's like you know? And it's just like we take stuff for granted. And then that's that's why I'm kinda saying, like, the smaller you get, you know, into that, they might not know the landscape as, you know, obviously, we know it. They don't know the solutions that apply to that landscape.
Justin:You know? They don't know how to architect what you're talking about, you know, into that. That's why I'm saying, like, if you have dedicated CSOs, GRC, whatever security people, most likely, they're gonna be knowledgeable. Yeah. At least in some capabilities, you know, into that.
Rick:Yeah. But still the problem doesn't change. Like, at the end of the day
Justin:I agree. But how do you how do you get, you know It's still a build versus to, you know, focus on compliance.
Rick:Well, you know, it's a build versus buy.
Joe:To subscribe to the podcast. Yeah.
Rick:Right.
Joe:Then he needs to understand there are people like us that can help him because he's got a day job.
Rick:That's what I was gonna say.
Joe:You gotta work on it. And I'm and that that's a good question. I don't really know if there's a great answer. That comes back to
Justin:But I do have an answer.
Joe:We talked about training. Oh, what's your answer?
Justin:Do outsource it to somebody else.
Joe:Yeah. Oh, I got you.
Justin:I agree. I gonna say that's why people
Rick:that's why people hired.
Justin:There's so many things that, like, I'll have conversations and this is a new concept for businesses, but focus on what you're good at. And if you're not Right. Core focus on it, outsource it. Yeah. You know, reasonably outsource it.
Justin:You know, type of thing. So, like, if you're not if you don't have the expertise, if you're a 100 people, you don't have a security staff, don't try to hire than a full security. I worked with this one company that. Yeah. That like, I I actually actually tried to hire me.
Justin:I said no. And one of the reasons was, like, I was talking to the CSO. He's like, we're building out our full owned SOC, you know, security operation center. It'll be twenty four seven.
Rick:Or internal. Hiring people, turning the tech, doing
Justin:the building. Building up this fancy thing, and I'm like, but why? Like like, why are you why are you doing that? Like, that's not a core focus. Outsource it.
Justin:Find a good partner, you know. And there are bad partners and good partners, but you find a good partner. Why do you need to handle that staffing load, you know, and build the systems and continually to do that? Pay somebody that does that for Absolutely. Dozens of companies, you know.
Joe:Like, that that's actually one of the things that and I've talked about this before and I don't wanna over plug what my company, CISO, does, but one of the core things that we do is, you know, just that. If you're a 100-person company, the last thing you need is to add many percent, whole percent of people Right. To your organization. But what do you need? You probably need somebody who has like a variety of skills.
Joe:You need somebody if, you know, if you're a software development company at the 100-person company, you probably need somebody who understands like technical security, software development security, GRC
Rick:That's right.
Joe:Red team and offensive security. And so You know
Justin:how they all play together. Yeah. You look
Joe:at that and then are you gonna hire four people to be in that position and each of those four people are gonna have six-figure salaries And Yep. That's that's a big investment.
Justin:Skimp on it, you're not gonna get the value out of
Joe:Or you're not. And instead and and here's the other part. Do you actually at that size, I find and so not even a question. This is like what I'm seeing is that these size companies do not need 2,080 hours times four of these people.
Justin:Right.
Joe:Yep. Absolutely. And so for a fraction of that cost, you can get a team of people to do like like our vGRC offering, our vProdSec offering. You put those kind of two things together and all of a sudden, you have the right skill sets you need to cover yourself from product security through pen testing through Yep. The GRC that handles it all.
Joe:And that that makes perfect sense.
Rick:I stand by it's an engineering problem. It's just who's doing the engineering.
Justin:Yeah. Yeah. Yeah. And I I mean, I agree with that. It's just like, you know, I see a lot of people, especially, you know you know, less mature companies Oh, yeah.
Justin:They just don't know the pathway.
Rick:And you you don't have the engineers to build it to your point. And so what do you do? Oh, I I need a Joe. I need a Justin. I need I need people and organizations to help get the support that I need.
Rick:But Yeah. At the heart of it, it ends up being a build versus buy concept. But And the rate of performance aren't
Justin:going it's to buy is cheaper than to build. It's almost always
Joe:If it's not your yeah. If that's just not what your company does
Justin:Yeah.
Rick:Focus on There's a tipping point on
Justin:this Like, there's calculated. It's like, it's almost always. It's almost always. So
Joe:Yeah. And and a differentiation, would say.
Justin:People don't include the maintenance thereof years after, you know, and what it's gonna take to maintain that. Okay.
Rick:Got it. Yeah. I agree from a system bit. We're talking like like kind of app dev code. Like, I'm talking about, like, full on capabilities.
Rick:Like, people, Yeah. Like, Yeah. Yeah.
Justin:That yeah. There is a That's what we There is a There are absolutely But build versus
Rick:buy for, like like, technological solutions. Fully agree.
Justin:Yeah. Fully agree with what you're saying. But yeah. That and, yeah, there is I mean, eventually, FTEs will be cheaper, but it'll be a a transition, a big transition in that. And, honestly, I still say that I mean, most companies still outsource certain components.
Justin:Oh, I know it's something that Absolutely. You know, because, again, who would build a SOC? You know? Like, why would I wanna manage a SOC when all I need is alerts and troubleshoot and that, like, somebody to monitor and
Joe:do things. At what scale? And at what scale a company?
Rick:I see this with, like, in legal departments all the time. It's like, yeah, you have a couple internal lawyers and then you have external counsel. And there's reasons for it, but, like, to some extent, like, well, I don't need all these people all this time. I need a couple people to man the ship. Right.
Rick:And then if something's going down and I need specialized expertise or, like, a body shop or
Justin:Like a breach. You know?
Rick:It's like you
Justin:hire Exactly. Lawyers that are specialized in the breach. Like Exactly. That's not gonna be your general counsel for the most part, you know, into that.
Joe:So before we wrap this part up, I wanted to go kinda go back to the core topic of this, which was, you know, think about the not only the change in compliance landscape, the convergence of all these things at once. And so, Justin, you and I were talking about this right before we got started. And it's, you know, to me, I don't care what kind of security program you're building and what your ultimate goal is. It doesn't matter to me whether you're trying to get a SOC 2 audit, you're trying to make sure you're HIPAA compliant, you're trying to get ISO certified. I'm looking at all these frameworks and having, you know, my dipping my, you know, actually jumping in full on all of these frameworks including CMMC.
Joe:You you kinda get all the meshing of this stuff. And I look at it and I go, oh, well, I really like what HIPAA says about the rule for that. So I think every ISMS we build, every security program we build should have a proper risk analysis process, which is HIPAA's way of saying a risk assessment. And I like how ISO says you should have interested parties. And if you're in a NIST CSF shop, that's kind of your stakeholders.
Joe:Mhmm. And so where's your interested parties list? What and then the other part I like that a lot of people don't do, it's, well, what's your statement of applicability? Yeah. Well, what is that?
Joe:That's your control list. Mhmm. Okay. So you mean, like, the CIS controls I wanna pick? Yes.
Joe:Absolutely. In fact, if you like the CIS controls better, then use those over the ISO controls. And so now what are you doing? You're saying, well, let's look at a proper framework for a security program that we're pulling some of the best pieces from each of the major things that people are getting certified or audited on
Justin:Yeah.
Joe:And pulling those together.
Rick:And just wrap it around. It's like a wrapper around
Speaker 2:It is.
Rick:All the it's like a best of breed approach
Joe:It is.
Rick:But for controls.
Joe:And then what happens is you're going into, oh, hey, I got a customer that says what we need to get ISO certified. Oh, well, let's figure out what we're missing. Let's do that gap assessment. Very rarely do I walk in an organization that doesn't need to be ISO. They have a, you know, a statement of applicability.
Joe:Oh, where's your control list? Well, what do you mean a control list? I don't have an well, we we've it's the CIS. What you you adopted the whole thing exactly as written or you modified it? What's control list?
Justin:Actually, I had a call today and they're like, we're getting killed by our baselines because we adopted every single CIS.
Joe:Oh my
Justin:goodness. I don't know why. And they're like, we don't know why. Yeah. And And it was a little cultural thing, but it was it was funny.
Justin:It was like, you don't need to do that. But Yeah.
Joe:And and I liked your response to me earlier before we were recording where I where I said, well, list your list your interested parties. Like, why would that be important? Well, probably because we wanna know who's making us do these security things. Right? Yeah.
Joe:What's the why? It's because of these. And, oh, by the way, we we have listed in there this law. Well, let's let's run this by the the attorneys. Do we actually follow that?
Joe:No. Well, let's get that out of there. So we're not creating
Rick:Not liable
Joe:for it. Stuff we don't need to do. Yep. So anyway, so I like the convergent part taking us to that, getting the it's almost like that one comic that says, yeah, we have 15 frameworks. I'm gonna make one more sixteenth one.
Joe:Yeah. That's what we need. Oh, now we have 16 frameworks. Yep. Yeah.
Joe:But, you know, it's the superset of Was that
Rick:yeah. It was Or an ex KCD.
Justin:Yeah. That's what I was was an
Joe:ex KCD. Yeah. Anyway, that's my thought process on it. Yeah. Is let's get some of the best practices from the various frameworks, put them in place, and then and then then then you're on your way to be ready.
Rick:Well, we've all said this forever, like, they all kinda sorta say the same things. It's like the best practices are the best practice, but to your point, they're selfish Yeah. For for their specific things. So like, I I like the concept. Pull the best ones from the best places, make sure you're doing them in all the right places, and then you're gonna be good.
Rick:But I also think at scale, it absolutely becomes an engineering problem where you go, okay. What do we automate? How do we get out of the world of asking engineers for screenshots every quarter or every time we get audited by someone external? How do we, like, do this on a recurring basis or on a continuous basis? Mhmm.
Rick:And then, really, the only meetings we should have to have with the control experts are, hey. Is this still designed the same way? And all the evidence just kinda flows.
Justin:Yep. Yeah. That was one of the things yeah. I'll do a little selfless plug too. But Mhmm.
Justin:I think Joe's seen it. I don't know if I showed you the the SCF thing that I did with the security controls framework. I So I I did a module where I digested the
Joe:entire inside of PISCI.
Justin:Right? In inside of PISCI. Yeah. That basically out of the over 300 Yeah. Forte of sources you can do, you can go through and pick any which ones you want, and it will build SCF based on those requirements.
Justin:Oh, auto map. Auto like, and it maps everything into what you selected. So if you pick two, you'll pick two, and you'll see what those are mapped to and how they overlap or, you know, stand alone. Or you can pick 200, you know, if you really wanted to.
Speaker 2:Well
Justin:And it'll all do that.
Rick:And so it's like a hub and spoke model. SCF is the hub. Yeah. And you can map out to anything. And so then I assume it'll tell you, okay.
Rick:These are your sources and here's your controls, I do all the magic mapping.
Justin:Well, that's part of the controls. I take all the SCF controls, you know, type of thing.
Rick:Yeah. But I, as a client, might not use all the SCF controls.
Justin:Oh, that might be. But this allows you to say, I want SOC two.
Rick:That's what I'm saying. So then you can
Justin:click a button and be like this.
Rick:Here's here's your report for the controls you're doing, but it's hub and spoke from SCF. Like Yeah. Exactly. Exactly what I mean when I say it's an engineering problem.
Justin:Yeah. Exactly. Yeah. Yeah. And we don't have it today, but I hope in the future to be like, if you already built that program, to be like, well, now I want to add, you know, and you say that, and then you just basically add it and it will add whatever SCF controls that are You just aborted
Rick:saying Cirquia again, didn't you?
Justin:Cirquia? Oh.
Rick:Because you said you wanna add something.
Justin:Oh, yeah. Yeah. Exactly. Yeah.
Joe:So you're saying you already so what you so right now, you can go to security controls framework, get the spreadsheet, and follow their it's a little tedious process I
Justin:it's spreadsheet. Yeah. To do that. All the authoritative control.
Joe:You pull that into Episki now and instead of going and saying, oh, I want this one. Let's put a next in all these. Now let's And delete
Justin:the rows that don't apply.
Joe:And then now let's go get the next one.
Justin:It's it's basically a three step workflow.
Joe:You say I want I I wanna comply with this, this, and this.
Justin:Yeah. It's a big search and you just start typing Mhmm. And then select it. You search again to filter it out because it is like 300 plus. But basically, you get kind of what you want and you can scroll down if you really want, you know, into it.
Justin:Yeah. But it basically has the title, description, all that stuff. Yeah. And then you just
Joe:So the value yeah. That's that's really powerful because I mean, do you have a fixed price for is it public? Like Yeah. $5.05 500 a
Justin:month? Yeah. Yeah. Cheaper if you do annual.
Joe:And and if you're doing that and so and if you were to say, hey, consultant, go and take SCF and put this stuff together. Get me that, QA it, make sure it's good. You're gonna spend more than $500 of consulting dollars Yeah. Month. I did this for
Justin:companies, and it took me a couple of hours. Yeah. Like, they wanted they had a new GRC system. They wanted to build it on a blended of a whole bunch of things. I would download the SCF.
Justin:I would eliminate all the controls out of the spreadsheet and then figure out a good CSV way of uploading it into their GRC tool. You know? That was the way. And I'm like, man, there there has to be a better way. Know?
Justin:Well, and
Rick:getting back to options analysis earlier, like, I wouldn't wanna trust AI to do it blind. Right. And I wouldn't wanna pay the consultants to have to do it themselves, like, manually do it.
Justin:Yep.
Rick:So it's like, oh, yeah. The the system solution feels like the right one. Yeah.
Justin:Yeah. So, yeah, it's it's nice, really flexible. I had to teach my app to basic digest because they come out once a quarter with it, and we'll keep it updated, you know, as they release it and everything. But I had to teach it to basically digest it, put it into a database structure. So we digest all their data into their spreadsheet into the database structure.
Rick:And it's
Justin:a lot.
Rick:It's a big spreadsheet.
Justin:It is a big You
Joe:could just if you just have Episki only for the purpose of not having to pay a consultant to keep Map control list up to date. Would be worth
Justin:for one month. Get what you need out of it and then It can't be worth it. No. No. Just keep
Joe:it because it's gonna change.
Justin:We do have a free trial that doesn't need a card.
Joe:So Well, not even stop stop
Justin:stop on your hey, I'm trying to I'm trying
Joe:to sell your product here. But and then, well, when when stuff changes, you're gonna keep it up to date. That's gonna automagically happen in the background. And you said it's a future ad, that now you've Future ad that you'll
Justin:be able to modify whatever you created. So you can create whatever you want today Yep. And I will establish it. The future will be, I want to add something on top of what I already created.
Joe:Yeah. We're do like a what if and and and without Yeah.
Justin:So, basically, I'll go through yeah. It's so I have all the mappings and the core controls kinda in another database, a back end type of thing. And then when we go through and create it, I say, what do you want? And I'll create it. All it will take is actually it, you know, saying, what do you need to add?
Justin:And then I'll have to add map the mappings to what they already have and then add whatever that's
Joe:not And
Justin:then that shows up in
Joe:a PISCY as, hey, here's the controls you haven't satisfied yet. Now let's go work
Justin:on those? Yep. It'll be untracked now. You know, we're working on it.
Rick:Awesome. That's great.
Justin:Big feature of actually improving our programs. It'll basically on any new controls and untracked, you know, thing. And then you can, you know, add either regular tasks to test it or in the future will be automation, you know, into that. Yeah. We're putting a
Joe:lot Alright.
Justin:You heard it here. Go buy Episki. You need it because
Joe:it will simplify a ton of stuff.
Justin:Oh, yeah. So alright. One forty. Can we finish?
Joe:Yeah. I think we need to get this last topic.
Justin:Yeah. Okay. Good. So for the last topic we have, cybersecurity mergers acquisitions, there has been a pattern of a lot of acquisitions. Mhmm.
Justin:And this comes on the heels of Google just buying Wiz for $32 billion. Billion. Right?
Speaker 2:That's a
Justin:lot of money. And and but the bigger thing, I mean, obviously, that's a a huge deal, you know, into that. But if you actually look at a lot of the m and a deals, 10% of the entire cybersecurity industry changed hands in 2025. That goes from a lot of the merger acquisitions. So things are consolidating to bigger players, you know, into this.
Justin:And the question is, is that a good thing, the bad thing, indifferent, you know, into that? What do you guys think, you know, into this? Is it good from a consolidation point?
Rick:I think it's good.
Justin:Okay. Why?
Rick:My selfish take on this is operationally rooted in the fact that actual security practitioners have just way too much going on and So
Justin:you rather go to one vendor instead of 12? A
Rick:common UI format framework, vendor agreement, all that stuff is just less noise, less to train new people on, less less less.
Joe:Fewer contracts to manage.
Justin:It's Yeah.
Rick:Yeah. So don't get me wrong. There are there are things on the con side of that equation. Yeah. On the margin, on the net, I think it's I think it's a good thing.
Rick:Best of breed historically, if you look at ERPs,
Justin:if you look
Rick:at security tools, if you look at anything, it becomes a nightmare to manage. So I just think from a pure operational play perspective, it's good as long as it doesn't squeeze out the innovation side of the equation.
Joe:Yeah. And that's one of the things. But I'm gonna stay on the good side here before I talk about the cons I was thinking about. But I like I like that because you get tighter integrations with the various tools that you wanna use if they're all inside the same platform. Maybe.
Justin:And I'll put that a little caveat there.
Joe:Oh, no. You got you an example?
Justin:So there are certain tools like OneTrust was notorious for just slapping the sticker on the side of the thing. What was that? Tugboat and there's another GRC. They they basically, like, ran them in parallel for, like, years, you know, even though they bought them. Yeah.
Justin:So I think it depends on the integration. You know? If they're buying, like, core tech that's good and they're gonna integrate it into their core product, great. If they're just buying another silo and stick the sticker on the side and it does it's not managed well.
Joe:Oh, a 100%.
Rick:Or if they're buying it to kill it. Like that stuff, I really
Justin:I mean, that's what it is.
Rick:You know,
Joe:those are some of the cons I had. And so I guess I should say the pros and probably you would agree that the pros we're talking about are when this stuff goes right, what's gonna be better?
Justin:Oh,
Joe:yeah. And what's gonna be better is, you know, you're gonna get one platform with broader capabilities. The integrations will be tighter. You potentially could get some cost savings if you're going to be able to eliminate some of their tools. But some of that feeds into my my cons as well because we've seen this is, once you consolidate Mhmm.
Joe:You get pricing pressures. The, you know, the vendors may raise the price because the competition is shrinking.
Rick:Right.
Joe:And so you kinda lose some of that. I'm thinking, like, what happens when a bigger vendor buys that boutique shop of, for for a software as a service, And how long is that founder gonna stay on who kind of was driving the innovation?
Justin:Oh, yeah.
Joe:Yeah. You're gonna start to have maybe talent Three drain years. Yeah. If that And talent drain and the founders and key engineers, they might leave after, you know, at some point afterwards. Yeah.
Joe:And then are is the company gonna keep innovating? And so
Justin:Yeah. Oftentimes, you'll see big culture shifts, you know, into that. In fact, I really liked I was working with a company. I forget what the company was, but it was what do they call it? Startup Studio or something like that.
Justin:Cisco was trying this out where they would basically have a board that was made up of Cisco employees, senior people, you know, in Cisco. And they would task another like, a company they own to do a task, but if they ran it as a startup. And they basically said, you can do whatever you want. You know? You can use our stack if you wanna use Teams.
Justin:Oh, I see. Or you can go out and buy Slack. We don't really care. You know? Here's money.
Justin:You know? Like focused skunkworks. Yeah. It's and they basically would build products out of that. And I think that's actually how the the was it Meraki?
Justin:Kinda came about, you know, was through kinda that development, you know, into it where they would have basically a lean startup team, hungry. They developed their kinda own culture. They didn't get the culture of a bigger company coming in and kinda polluting it, you know, into that. You know? But they left it there and said, you know, we're still gonna hold you accountable.
Justin:You know? We got we got deadlines. We got stuff. The cash isn't infinite, but, you know, it's your company and you have interests and profit, you know, sharing and all that stuff, you know, into it. And I thought that was really innovative, you know, to basically kinda help control the the culture into that because as we all know and we've seen it, how many times of acquisitions, the culture just gets murdered in these you get these companies that they're building something exciting.
Justin:They're excited about it. They sell. Everybody's excited. Nine months later, the layoffs kinda come on the consolidation and now they're like, well, this stinks, you know.
Rick:Oh,
Justin:yeah. We used to have, you know, four weeks of vacation. Now it's two and now with this and that and it's just Well,
Rick:it's like the golden rule of acquisitions. Like, don't break the thing that makes the acquirers special.
Justin:Right. Yeah.
Rick:And just sometimes when you try to apply standard corporate, like, logic or patterns to that, you break what made them special. Like, it just happens.
Justin:Yeah. Exactly.
Joe:Yeah. And and one of the things one of the things I I see when I'm watching some of the even from my ends
Justin:Mhmm.
Joe:And seeing some of the faculty, the consistent responses when they talk about various mergers happening.
Justin:Mhmm.
Joe:And it's a lot a lot of that becomes, well, if you're in a contract right now, if I depending on who's being bought by who, let's let's take a look at it and see what what do you do for the next nine months. What do you do at renewal time? Mhmm. What should you watch for?
Rick:Well, even now, do you have a change of control clause in your contract?
Joe:Yeah. And and if you were evaluating that company, then, you know, what what should you be worried about if you're gonna evaluate them to be a product you're gonna buy? Mhmm. Do you do you buy them now, or do you hold off? What's the, you know, what have you seen as traditionally happen with some of these very large companies when they integrate stuff?
Joe:How much, innovation has dropped? So is it a wait nine months and see where they're at? Are you gonna see product road maps come out that show how it's how you're integrating properly? Or are you not getting that kind of information?
Rick:Yeah. It it's interesting. I so I think that that makes a lot of sense. I think one of the things that makes this a very interesting industry is a lot of security people are passionate about security. Yep.
Rick:And because of that, they're they want to have a best of breed model. Like, I see fairly frequently security programs that gold plate certain elements of the program because it's what an individual is passionate about, and other parts of the program are left to languish. And I actually think one of the things I like about sort of the platformization or consolidation to some extent is if you're forced to pick a couple, I'll call them like mega vendors or a mega vendor or whatever, and you're like mostly into that ecosystem
Justin:Yeah.
Rick:It's not that much different than, like, Apple for humans operationally or whatever. Right? Like, there's a lot of operational benefits, and sometimes it's interactivity and and other things. But
Justin:Data sharing, whatever it is.
Rick:The other thing is, like, if Apple's not the best at a specific thing, like and I don't know this for a fact,
Justin:so just don't
Rick:beat me up too much. But, like, pretend they're, like, cell cover. Like, I guess it's really more Verizon or whatever. But, like, if there's something they're not the best at. Right?
Rick:Yeah. But they're good enough, you still hang out with the ecosystem. Right? Like, you're still in. And so
Justin:I mean, that's very common with the cell phones. Like, look at all the the Pixel, you know, Google Pixel phones. I mean, they're coming out with bigger, you know, better megapixel for the cameras and everything. Apple was never one to try to compete in that. They always got better, but they were never, like, the best, you know, into that.
Justin:And even, like, when Jobs was there, he's like, well, we're we're not always the first to it, but we're they tried to be the best at it, you know, type of thing. You know. So and
Rick:And I I think there's a danger with like like hyper passionate security people that are really deeply focused in an area. They're like, oh, I'm so mad. My company got purchased. And again, it you have to
Justin:They get a little profit sharing then they're not Well, right.
Rick:Well, not my company, but like this company, my vendor.
Justin:I'm mad that my vendor got purchased. Right?
Rick:Yeah. Because they're the best at this thing. It's gonna kill the product or whatever. And as long as they don't kill the product or don't butcher the integration, as long as it remains good enough like, you can be annoyed as a security nerd hat on, but as, like, a person that's meant to be driving organizational risk, it's kinda like, well, is it no longer good enough? If it's no longer good enough, you have a problem.
Rick:You have to make a change. If it's still good enough, it's probably just easier because it might be part of this ecosystem you're already bought into, or you might be driven to buy into an ecosystem you don't like. That's a different problem. Right.
Joe:But Well, that's and and that reminds me of another conversation. But if you're looking at this from a holistic program and all of a sudden, this tool that you're using over here pops into it and now now you don't need to pay to
Rick:client of mine recently, and I'm like, I'm not upset about this at all.
Justin:No. Yeah.
Joe:No. Unless they like you were saying, unless they ruin or don't bring a feature in
Rick:Yeah.
Joe:But, you know, just think, you know, before you probably had to send somebody to training for that tool. That's exactly training for this tool, and now it's all integrated. Can you get one person who's an expert on it to be able to see everything across the
Rick:And before I could platform. And I could only I could only have, just pretend, like, two resources. And one is this, like, platform baked resource, and the other one is this I always refer to as, like, the island of misfit toys resource. Right? Like, all the other, like, one off things.
Rick:Mhmm. Well, if one offs start to move into the platform thing that you're part of, well, now I have two resources. And guess what? One can take a vacation. Right?
Rick:Because they're part of the same ecosystem. Like, they kinda they have to be perfect. No. But that's the same support contracts. It's like, it just makes it so much more manageable.
Rick:Yeah. And there are cons Yeah. Yeah. But the pros, think, I would.
Justin:So really, I think if I'm hearing the message correct and summarize it, it's consolidation is great if they consolidate it right. Yeah. You know, type of thing. Right. And I would agree with that.
Justin:You know? Like, I think everybody likes to deal with less vendor, you know, relationships at the end of the day, you know, like, with that. But as long as they do it right, you know.
Rick:Yeah. I mean, it's like I mean, I I know you're, like, part of the Apple Apple ecosystem and you use Notion, both Yeah. Great things. Well, if Apple bought Notion and they integrated it well, you probably wouldn't be terribly upset.
Justin:I wouldn't. Yeah. I mean, yeah, it's I would be like, I wonder what's gonna happen now, you know, type of thing. But, yeah, it's yeah. As long as they do well.
Speaker 2:Well and and
Joe:the other part though, what happens when they screw it up Yeah. Is somebody's gonna come along
Rick:That's right.
Joe:And fix that problem, and it's gonna, get somebody else to create a new startup. Like, hey.
Rick:Well, and who's that somebody? You mentioned before, like, oh, the founders are gonna bounce. What are they gonna go do in a year after their noncompetes up?
Justin:Yeah. So I actually it was funny. I won't mention it directly, but I know somebody specifically that they they got their company bought out, you know, well bought out into it. Yeah. They had a three year noncompete in the industry, you know, which is typical, you know, for a founder.
Justin:And he came back and they're like, they're still not doing it right. Let me take, what I got from the company. I'd start the company right back up after a three year, break and everything.
Rick:Right.
Justin:And now he's at the what he sold the company for, like three or four times the size of the company was. Yeah. Because he had now Learn better, do mobile, contacts, all the Yeah. All in all Yeah. All the stuff that like build this thing.
Justin:He What's funny is And he had the funding.
Joe:Think on who you're talking about, but actually know three examples that just fit what you're saying.
Justin:So it's kinda kinda Yeah. And it was funny. And it it it's so funny because, like, he got bought out for the company that, you know, and they inquired and did a a number of things. But he's like, I'm gonna do it again, you know? And it's just he did this well, not the same playbook, but, you know, he No.
Justin:But, like, here's what I learned and here's what I would have done different. So now
Rick:I'm gonna do it different. Like, that's cool. I Yeah. I will say there is one, I think, really nasty risk in certain scenarios when someone gets bought. Mhmm.
Rick:If you're kind of a smaller to mid market company and you're used to dealing with another smaller mid market company and you're basically in each other's ballpark with respect to sort of size of Kleiner Way. Or you're a big fish in their pond potentially. If the if the if the system you like gets bought by a really big player, your support contract is now a rounding error. Like, you just might not get the same attention. Yeah.
Rick:And I do think for mid market and smaller companies, that kind of consolidation can be really painful if you're now getting a lower tier quality of support or personal service than you were accustomed to. And that can be
Joe:a big deal. You might have just Slack messaged Bill the engineer over at the at the company that you were getting the product from, and they were giving you quick Yep. Fixes and
Justin:Yeah. Go run it in your environment. Yeah. You know, type of thing.
Rick:Yeah. So I do think that's a real and legitimate problem that impacts a bunch of clients when this or customers when this happens. But I think on the net, it's probably better.
Justin:Yeah. Anyway Thoughts?
Joe:No more thoughts.
Justin:No more thoughts. Alright, gentlemen. Wrap up here. Let's do it. Good wrap up.
Justin:So we're about Oh. Good time?
Joe:Alright. We want we want we want as part of our wrap up, we want your questions.
Justin:Oh, yes. Yeah. Yeah.
Joe:So as I was eating dinner before I got here, I was I got a question from a colleague of mine who's in compliance. And the question was, you know, it it was a kind of a it was a great question. So I'm thinking through the answer here. And I'm like, you know what? Why don't we ask our listeners to send us some send us some of your compliance questions.
Joe:Send us some of your cybersecurity compliance questions, the things that we're talking about, and we'll randomly pick a couple and Yeah. Talk about them on the air.
Justin:Yeah.
Speaker 2:Where should
Joe:they send that to?
Justin:Ask.
Rick:Yours is better.
Justin:I think the shorter is better. Right? Ask, ask@distilledsecuritypodcast.com. Yeah. So we can put
Joe:that in the show notes.
Justin:Right? We will put it in the show notes, and we'll also because we're not sure how many people actually last, you know, all this long here.
Rick:Thank you if you do.
Justin:Yeah. We'll we'll blast it out over LinkedIn, and I'll actually do some other messages with that. But, yeah, if you do a s k ask@distilledsecuritypodcast.com.
Joe:Yeah. Brad, we'd appreciate it. Give us another piece of content to talk about on here, and we we love solving those kind of problems.
Justin:And we'll drop your name, you know, anonymous name, you know, first name, you know, only and give you some credit and we'll talk about it. So alright, everyone. Well, thank you for joining us again for episode 22. Don't forget to like, comment, and subscribe. It really helps us with the algorithm with YouTube for to do that, and join us next time.
Justin:Thanks all.
