Episode 6: SEC Penalties, M&A Security, and Due Diligence
Welcome, everybody, to Distilled Security podcast, episode 6. My name's Justin Liepline. I'm here with Rick and Joe, and welcome. This is halfway through the year here. We got episode 6 in the books.
Joe:Yeah. It's pretty good.
Justin:Fantastic. Look at this.
Rick:Going by.
Justin:So we got a number of exciting topics here, just coming off Tris. We have a, welcome video that we did a whole bunch of interviews there. They'll be coming out either with this podcast or alongside it. We're still deciding that and everything. But while we wait for that, we want to dive into a number of interesting topics.
Justin:First one here, the SEC, this week here has announced that they're fining a whole bunch of different organizations for not lack of disclosure, but not disclosing enough. Insufficient. Disclosures. Disclosure and everything. So I wanna get your guys' thoughts onto this.
Justin:I think it's really interesting as we're kinda figuring out what the SEC disclosure really means, and it was all related to the SolarWinds incident. Yeah. And the 4 companies that are in question here, you know, they all got fine different things, and they did disclose, but they were kind of the CYA, you know, type thing. You know, they yeah. We something happened, you know, that we don't wanna really tell you about.
Justin:You know, we think it is or is not material, and that's about all they did. And the SEC basically came out and said, hey. You you didn't give enough information.
Joe:Right. These aren't small, issues either. The 4 companies, just for the record here, Unisys, their civil penalty was $4,000,000. Yeah. And Avaya at a million, Checkpoint at 995,000, and Mimecast at 990,000.
Joe:Yeah.
Rick:Yeah. They're big I mean, it's a lot of money.
Justin:So, I mean, out of this, what do you think companies are gonna take, you know, from this? I mean, obviously, they're gonna scrutinize if they do have a disclosure, the right amount. But how do you know what the right amount is, you know, at this point here?
Joe:And I'm even worried about how long is it gonna take. I mean, these were filed in 2021 and 2022, and so this is, like, years later.
Rick:Yeah. I wonder if we'll see I mean, it would be interesting to see if if we see some companies doing amendments potentially, because they might realize, like, oh, we had this thing going on. We should actually proactively say something now or say something in our next K or Q.
Justin:I don't, but so I don't I'm obviously not a lawyer, but even if you do an amendment, like, how late until it doesn't matter anymore? Because it has to be shareholder relevant, like.
Rick:It does. But I think, like, if you demonstrate, oh, we were confused or we weren't fully aware, I mean, you'll probably still it might it might reduce your penalty, I would say.
Joe:Well, with this, you could well, maybe companies are in a position now to say, well, we looked at what the decision was that came out this week, which now prompted us to go back and reevaluate Like,
Rick:precedent changes.
Joe:So that would maybe be a reason that we might see those updates. I'd be very interested to see if we do see those updates.
Rick:Yeah. Yeah. But in terms of, like, how much is enough, I think it's probably still a question. Now, when you look at these specific ones, and it actually took me a while to find an article that had, like, the actual, the fact pattern, like, what existed in terms of the breach, and then what the actual disclosure was. Most of the articles I've seen, I probably did, like, 20, 25 minutes of, like, research on this, we're just parroting the SEC disclosure on it.
Rick:So I did wanna shout out to CyberScoop, which is a website that I had not really I'll
Justin:put a link in the Yeah.
Rick:I looked at before, but they were the only one that I found in my journeys that actually did what I would think of as like novel reporting in terms of, hey. We looked at the disclosures. They were this. Hey. We looked back at what the breaches were.
Rick:They were that.
Justin:Which every security person reading that article is like, I wonder what they said.
Rick:Right. Exactly. That's why that's why I was like, oh, well, I wanna, like, I wanna understand, but all I could find was, like, the SEC quotes, which is straight in the press brief. So yeah. So, CyberScoop and then the reporter themselves, Derek Johnson.
Rick:So good for you, Derek. Thank you for, doing good reporting. But But I was actually 1 the first thing was I was kind of surprised at how many articles were just rehashes of the SEC press brief, like so, like, dead Internet theory is a thing and blah blah blah blah blah. Yeah. But, but I did walk away still with, like, 2 questions that I thought were interesting.
Rick:1 is I wonder how those fines were calculated. Right? And if you are a company thinking about whether or not to revise your disclosures, maybe, that's probably pretty relevant information. Yeah. Right?
Rick:And then, 2, I wonder how knowledgeable the external audit firms that worked with these companies were about the reality on the ground of the brief and how much they may have advised or didn't advise the company on what those disclosures should be. Because I saw civil penalty penalties for the company. Right? Right. But external auditors, like, their whole job is to sort of, you know, make sure that what you're putting in the financials is complete and accurate.
Justin:Well and I think it comes down to the question, is anybody really knowledgeable about exactly how much I have into this? I I think I mean, the SEC has given a whole bunch of information out, but they're still pretty vague onto it. It's like, hey, you need to disclose if it's material, which means it affects any, like, a common shareholder would want the information to be known. But the they don't give examples. They don't get into, like, here are the details you need to disclose.
Joe:You know? Be clear
Justin:Yeah.
Joe:This and I don't know if everybody who's watching is tracking this, but this will all happen before the SEC rules in place. Right?
Justin:The final enforcement. Yeah.
Joe:Yeah. Right. So, there wasn't a standard to follow quite like there is now.
Rick:Yeah. So that's interesting too, like the timing condition, you know, associated with that. I will say in this case, some of that reporting that I saw, suggested that the the breaches were clearly material in nature. Right? It was like state sponsored adversaries and multiple servers, access to customer files, literally monitoring, you know, in one case, like, the incident response team's emails.
Justin:Okay.
Rick:Right? But the disclosure that mirrored that like, disclosure that, you know, reported for that period of time effectively said, oh, well, a limited number of emails were impacted, and there's, like, something along the lines of, there's no current evidence of an active cybersecurity breach. Right? So a little bit different than, like, oh, cost client, you know, customer email or customer, information was compromised and, you know, our emails were monitored for a while. And so, you
Joe:know I love to see what makes Unisys, they're misleading 4 times as misleading
Rick:Right.
Joe:As Yeah. Avaya from the 4,000,000 to the 1,000,000.
Rick:Yeah. I know 2 of the 2 of the 4 as well were very much the the situation was effectively they had a breach, and it was clearly a material breach. But what they did in their disclosures was they just kind of repeated the general cybersecurity risks maybe with 1 or 2 very tiny tweaks to say, oh, yeah. You know, cybersecurity instead of, like, could have an impact, like, you know, has had a minor impact or something like that. So almost, you know, or I should say very much seems like minimizing the nature of the disclosure, almost advertising it like it's, oh, yeah.
Rick:It's a lot of the same old stuff as opposed to, oh, a new thing happened, and it was big or big ish. So yeah.
Justin:And I'm curious. You go into, like, talk about, like, the, you know, the fine structure. If they lost money, you know, started reported into their, like, 8-K, 10-K that they lost money because of this incident, that would almost, have a a direct impact on shareholder value into that. Like, if they said, we lost $5,000,000 because of this hack, shareholders would wanna know that because that affects bottom line, affects their investment interest, all that stuff. So that might have, depending on how they disclose how much money was involved with the hack, could be an impact into how much they got fined.
Rick:Right. If they dig into the books and say, what was the actual internal Yeah.
Justin:If you said it cost $5,000,000, but you said it was nothing, you know, type of thing, like and you're over that percentage of the company Those
Rick:were business as usual improvements.
Justin:Yeah. Exactly.
Rick:Kicking out your sales efforts.
Justin:We're planning to do this anyway.
Joe:And and You're planning
Rick:on patching eventually anyway.
Joe:This reminds me of something we talked about a a couple months ago where MGM, they were attacked. They had their incident. And if I recall, I don't have any of these facts in front of me, didn't their leader say, compared to the size of us, all this was still not material?
Rick:Right.
Joe:Mhmm. Yeah. So I'm wondering if we look into the future, is somebody gonna challenge that?
Rick:Yeah. It's interesting in in there's I should be more informed on this, so I won't say too much. But, like, I do think that the SEC is carving out cybersecurity risks in a way that, it's material because it could have major impacts. Like, I I
Justin:So the way they they have the disclosure is, they actually advise because a lot of people are reporting I forget what the section is. Yeah. If it is material, you report in this section. If you're not sure, it goes into another section. But that
Rick:that's what I'm saying. So like even if you're not sure, you still have to include it, right?
Justin:If you're unsure, you there's basically, I've seen a lot of them that basically say we're still evaluating whether it's not material today. Right. It could become material, then we'll do a notice, you know, when it does that. And that's actually the SEC requirement
Rick:Right.
Justin:Is once you consider it material, you have to file in into this other section Right.
Joe:Right.
Justin:Right. Yeah. Type of thing.
Rick:Yeah. But it but it's interesting because, you know, there could be, in theory, a bunch of things that happen, right, that that could become material, but then they don't because you realize the extent isn't as big as it could be or whatever. And so I think their thing is, oh, you need to make people aware that something bad might the other shoe might be about to drop, for people that might be about to invest, I suppose.
Justin:I don't know. The whole thing is interesting. I I don't envy the, the lawyers that are trying to sort this out, giving advice to the organizations when they're going through a stressful time of breach, being like, okay. How much information do we put? Like Right.
Justin:We don't wanna give everything, you know, with this, but we also don't, you know
Rick:Well, yeah. I mean, it's it's it's making sure you're saying all the things that are required, but you don't necessarily want to say any of the things that aren't required. Mhmm. And the guidance is kind of general. So
Joe:So what do you think CISOs who are sitting at companies that are getting pulled in should be doing right now, should be thinking, what should their steps be? And I'll I'll just start with, I do not think that CISOs should put themselves into the decision making process as a decision maker, but as an adviser providing the right information. But what else?
Justin:I I would say ask the right questions, making sure all the your your concerns are being addressed, you know, through legal representation, through the audit firms reviewing that and everything. Because we have all the what about the SEC case that find these 4 companies? We can ask those type of questions to be like, have we considered that? Are we putting enough information that we're avoided out of that? I think that would be the role to me in the CISO is to make sure those concerns are addressed.
Justin:Yeah.
Joe:So the CISO should go review what the decisions were this week. Go and look at the article that you found. Yeah. Look and see what the details were that were missing, and at least build into their plans to ask those questions.
Justin:Yeah.
Rick:Yeah. And I would also suggest, like, run some tabletops specific to disclosures. Right? Like, do it with your general counsel and your audit support and stuff like that. Evaluate whether or not you if if you self assess, whether or not you would disclose or would not disclose in certain situations at certain, you know, thresholds of materiality or perceived thresholds of materiality and how you would do that.
Rick:Because if you get that kind of codified in a memo, well, now you can have, you know, whatever it is, a handy table or something that when you're in the heat of battle, you can at least refer to and say, well, when we I know we're saying we don't want to disclose it now, but when we ran this exercise, you know, when it wasn't a real thing 6 months ago, we said that, oh, we probably need to put it in that section where we're not sure yet. So are we really sure? Because when we were in this evaluation and we weren't running around with our hair on fire, we came to a different conclusion. So I would think it's probably worth spending a couple of cycles, running some tabletops, getting comfortable, and whether you're codifying that in memos or results or something like that, at a high level, just understand what you do with some of these things.
Justin:Yeah. And I think I mean, United, when they had their their big, big change, you know, health care, they were doing a whole bunch of external meetings with customers, with a whole bunch of, you know, relevant parties. I mean, I haven't seen, like, a kind of a a lessons learned out of that, but they were doing a whole bunch of communication into that. I'd like to see, you know, how that kinda played in. Were were they prepared for that?
Justin:Did they do that on the fly? Right. You know? Obviously, you wouldn't wanna do that for every you know? Like, it it depends on the the, you know, how big the impact is, you know, type of thing.
Justin:Yeah. Like, I don't even think, like you mentioned the one where they're, you know, in the environment and got access to some customer data. There was no outage. You know? Right.
Justin:Like, you know, and so do you really need a whole bunch of external I
Rick:think it wasn't a material impact. Yeah. It didn't impact our service at all.
Justin:I mean, I think the day, week, month update iteration would probably be good. Like, you you inform the day, you inform a week later, you inform a month later, you know, kinda clean up. You know?
Joe:And here I just thought we might go through one episode without talking about talking about tabletop exercises. No. Never gonna happen.
Justin:Yeah. Those are important.
Rick:Refer to other ones.
Justin:So moving on to any other topics on the this here?
Joe:No. I think those are some good takeaways, and, I I just think everybody should take a look at those articles and build it in
Rick:Yeah.
Joe:And exercise it. Then we're gonna at least have a have a game plan.
Justin:Yeah. Great. Well, speaking of SEC and private companies and everything, you wanna introduce, the next topic here with M&A?
Joe:Well, yeah. I was just wondering what you all thought about, how security review should be built in to the M&A process. So if you're gonna if you're gonna buy a company, and I get reached out to about this, pretty frequently, and they're saying, hey, we're gonna look at this company. What can you do to help me take a look at their IT, their cybersecurity, and see if we can uncover any risks?
Justin:Mhmm.
Rick:And
Joe:so I just wanna kinda go around and see Yeah. Where do you start? What should what should you be considering? And, you know, what should be, like, the first couple of things, and then how does that drive the next couple of things? And what do you think?
Justin:So I think first thing, I've done several of these from internal company, and from consulting company like you're in, you know, right now. I think the first thing to get aligned with with the business is what do they intend to do with the organization. If they're gonna buy and, you know, leave, you know, type of thing, that's a whole different question strategy than to buy and integrate, you know, into that. Like, you might not be worried about their endpoints, you know, if you're gonna swap them all and replace it to the standard image, you know, type of thing. So there's a lot of things that go off the table if you're gonna say, hey.
Justin:They're gonna adopt all our policies. They're gonna be integrated with our active directory, you know, whatever it is. You know? Like, if they're we're gonna buy them and just leave them as their own company to operate of their own and flip them in a couple of years or whatever, you
Joe:know, that's right. Question is context.
Justin:Yeah. Exactly. Then that offers a way different scenario. And I give this example when I worked at Diebold, and this predates me into this. But, you know, Diebold is famous for the voting machine incident, you know, with that.
Justin:What a lot of people don't realize is, they bought that company and just left it alone. Yeah. They didn't like, the core Diebold team was not involved in that organization's security program whatsoever
Rick:Interesting.
Justin:You know, into that. And this, again, predates me. So, you know, with this but the end result was they bought it. They left them alone. They, you know, just kinda left them operate the way they did, and then all of a sudden, it's like, you have FTP going to the, you know, the machines and a whole bunch of integrity problems, and it was a big brand hit.
Justin:I mean, they're still known to this day for bad voting machines. Yeah. And they divested all their stuff out of the states, you know, into that. Like but they're still attached to that, you know, type of thing.
Joe:Interesting. Yeah.
Justin:You know? So, again, knowing the context, first off, is where I would go, you know, after that.
Joe:So let's assume that you're going to, let it you're gonna buy it. You're gonna let it run for a little while, and then you're gonna slowly integrate it. So whether you slowly integrate it later or not, not worry about that part, but you're gonna, Start counting on
Justin:Grant within a year. That's a typical time frame.
Joe:Yeah. You're gonna put it in place. So then, what areas are you looking at first?
Justin:I'll let you go. I talked.
Rick:So well, I think one thing even just to add to the context, though, before we get there is, I think you need to understand as the person responsible for security or compliance or whatever it is, like, what table do you have a seat at? Right? Because if you're at if you have a seat at the table where all those decisions are actually being made, great, you can help control your own destiny. You can influence timelines and budgets and things like that. I talked to, or I've talked to, a lot of security leaders in the past that don't have a seat at that specific table.
Rick:Right? They get told later, hey. We purchased this company, and we need to have it integrated in 6 months or whatever. Or, you know, or something in between, hey. We purchased the company.
Rick:Now come up with a plan for integrating it. So there's kind of those 3 scenarios.
Justin:By the way, you've been assigned to this project.
Rick:Right. Right.
Joe:It's that's a it's a concept I wasn't even thinking about because the ones I'm dealing with, I'm talking to the owner who's gonna sign the check to make the purchase.
Rick:Right.
Joe:Or we're brought in by the, Capital Bank who, is working directly with the owner in order to assess that part. So let's keep going down the item where you're at, which is your internal in a company.
Rick:Yep. You find out it's there, And now Now you're reacting, right? Yeah. So I guess I kind of start with the philosophy more than like specific domains to Go attack. But philosophically, the way that I look at this is there's kind of like 3 major elements that are probably all related.
Rick:1 is, and how I frame this, you guys might feel like it's controversial at first, but I think you'll both agree with me at the end. Yeah.
Joe:I'll hear
Rick:you out. I think you need to understand where it's okay to move fast and break stuff. Yeah. Right? And really be bold in terms of your timeframes right out of the gate, right?
Rick:Because regardless of whether you're at the decision maker's table or you're being told that this is happening and you have to support it, the expectation is that you're going to help the business move forward with it. Right? And you're not going to have all the resources you want necessarily. You're almost certainly not going to have all the time that you want or that your team wants. Right?
Rick:And so it becomes really critical to understand what are the things that are kind of acceptable collateral damage in terms of processes or technologies, and what are the things that are nonnegotiables must be, like, must be taken care of. Do you
Justin:give some examples on that? Yeah. I have examples on my head. So, like Yeah.
Rick:The one, like, the one in my head of, like, the the don'ts on both side of the coin is, like, like, don't get paralyzed in terms, like, trying to merge together 2, like, data classification schemes or something. Right? Because chances are, that's a thing that unless you have super secret information that truly needs to be protected in certain ways, like, you can fix a lot of that in post. Right? If, but if you're like, oh, in 6 months we need to integrate these networks.
Rick:And we know the company being acquired has business operations in an adversarial nation state and a super flat network, maybe you need to think about some of those technical security controls. Right?
Justin:I was thinking something, like, way simpler. Just, like, if you go into their their patch management, horrible, you know, and you're not, rip and replace,
Rick:you
Justin:know, strategy. And they're and, basically, I look at exposure. Like, how are you from the Internet? Yep. You have MFA.
Justin:Yep. You know, everything locked down. How are you phishing protection. How are you you know? But the most common attack paths, you know, into that.
Justin:And if they're keeping that, that needs to change Absolutely. Pretty frequently. Yeah. Yeah. Yeah.
Justin:Sort of thing. So But if it's a developer company and if they have keys in the the development code, okay, we'll get to it.
Rick:You know? Yeah. So, like, so no and and you you're likely going to have, at least at large enterprises, as the security leader, you're probably going to have a team where all these people are responsible for their own domains, and they're all running out their hair on fire, potentially, because they all think this thing that's about to be integrated is a huge problem. It's your responsibility to know which ones, like, it's it's acceptable to have some late nights and weekends fixing this later versus if this piece goes wrong, we're all sunk. Right?
Rick:Or we're like, it's significant business. So I think that's the first thing. Know where you like, you have to move fast, but know what's breakable and what's not. The second thing is no matter what you think it's gonna cost, ask for 1.5 that. Like, part of moving fast and being able to
Justin:Like Murphy's Law of Investment.
Rick:Yeah. Like, I mean, the the cynical the cynical framing or phrasing is, like, you need to sandbag a decent amount because, you know, like, it's not going to go according to plan. It's just not. It never does. No big integration or implementation ever does.
Justin:And if you That's if you're pre into negotiation and Yeah. If you
Rick:can't, right? But if you can't, you still need to set the expectations that, hey, we're going to move fast and break things. We need everyone to be chill with us, and we might you know, we think we're going to need x, y, z, but we might actually, you know, but that's our minimum, you know, viable resources. We're probably going to need 1.5 that because skeletons are going to fall out of closets that we don't expect.
Justin:Right?
Rick:So that's the second thing, whatever you have in terms of resource, whatever you think you need in terms of resources, set the expectation that you probably will need 1.5 that, because, again, if you're moving fast and intending to break things, you might need to phone a friend, which costs money typically, you know, to to help fix some of those things in post.
Justin:And are we only talking about security, or is this security IT kind of enjoying together?
Rick:I've got security IT compliance. It because, honestly, to me, that routes into the 3rd thing. Yeah.
Joe:Let's do that.
Rick:Which is which is do what I think of as pre-mortems. Right? So this is where you do, like, the brain I mean, it's just a risk analysis approach, essentially, but it throws out all the constructs of, like, how you might typically do risk analysis. It's just to say, okay. We wake up on 1 Monday, and this integration has gone horribly wrong.
Rick:What happened and why? Right? And you start brainstorming the things that went wrong. And, at the end of that, you kind of prioritize how wrong did it go. And, at the end of that, you know, oh, these were the things that were really, really horrible, super bad for the business.
Rick:These were the things that were kind of less bad or that we could fix in post. And then you use that to help you understand part 1, which is, you know, where you can move fast and where you can't move fast. So that's kind of my three principles, though. It's like, you have to be bold and move real fast, but you have to know what's important. You have to ask for more resources than you think you're going to need, because you're going to need more than you think you're going to need.
Rick:And do that pre-mortem with your team so that you can actually help sanity check them. Because, again, if they're all responsible for their own domains
Joe:Yeah.
Rick:If you're lighting each of their worlds on fire, they're all gonna scream equally as loud ish depending on personality. But it's probably also true that the people screaming about, you know, data classification in my example before, if there's not anything super secret and scary, they're screaming just as loud as the people you know, the network team being like, how can we plug this thing together? Mhmm. And, and you need to be able to to help sandwich
Joe:that. That last one because it's really it's it's almost like the risk assessment. It's Yeah. What could go wrong, And let's start mapping out those items so we can in fact, that'll let you go faster for step 1.
Rick:You measure twice on those things. Right? And and only measure once on all the other stuff.
Joe:And and so the perspective I had was, or or my baseline for this conversation was less about being an internal person, but Yeah. You're the owner of a company and now you need to go get some things done. What are you looking for somebody to come in and help you do? And so, and I think a lot of these are going to be similar to what you would do as an internal one. The first thing I'd worry about is what's the posture assessment?
Joe:Like, first, I want to know if we're going to connect a network or buy somebody. This is even before we sign any paperwork. Before we buy, I want to get an assessment done. Like, are you breached right now? And we don't even know.
Rick:Right. Like threat hunt.
Joe:Yeah. So I want to do some of that.
Rick:A lot
Justin:more actually doing that more commonly into the due diligence.
Joe:Absolutely.
Justin:And so, like want that debt coming in. Oh, absolutely.
Joe:Like, vuln scans, pen tests, incident breach history. In fact, finding out what kind if you have, like a CrowdStrike or MDR. Mhmm. What's your reporting look like? Can I get a look at that?
Joe:When's the last pen test? If not, let's get one. Let's do some scanning. Yeah. Let's do an application security assessment.
Rick:Mhmm.
Joe:If it's if they have a forward facing, web app, for example. And then, so that kind of gives me a perspective
Rick:of
Joe:oh, we'll hit that on the side. That gives me a perspective of what's the technical look like right now.
Justin:Yeah.
Joe:And then the next thing I would do is start looking at the program. Is it a company big enough to have an actual ISMS, some kind of security program? And if you find find if you have findings from that first technical review
Justin:Yeah.
Joe:And then you start looking at the program, it will tell you whether or not those policies are even being enforced.
Rick:Right. Right.
Joe:Depending on what you're finding.
Rick:Well, it brings up 2 things, and I don't wanna hear your story. Yeah. Yeah. Yeah. But we'll get to that.
Rick:2 very top line things in my head. Like, a lot of that stuff almost distills down to, like, what's the security philosophy of the organization being acquired, and is it compatible with our security philosophy?
Justin:Or it doesn't even matter. Like I said, if you're gonna rip and replace, it doesn't even matter. It's true. It might not.
Rick:It might not.
Justin:It might not. Yeah.
Rick:But then the and then the next element or related to that is, you know, we talk about, like, tech debt all the time, but very rarely do we talk about, like, process debt or people debt. Mhmm. And when you think people process technology, that's that's a third of it. Culture.
Justin:Like, a lot of people don't spend enough time actually integrating culture. Absolutely. You know, and Absolutely.
Rick:And so but I think, like, that process debt, which when you talk about the program, like, that's kind of how I mentally frame that. And the people debt, too, like, have they been, like, you know, running at 110% for the last 10 years and effectively falling behind each year? Or, you know, are they ready to go? Have they been empowered? All that stuff.
Rick:And it kinda comes back up to philosophy. But I think that stuff from a top line really matters. Yeah. So back
Joe:to your story.
Justin:Yeah. So, I was part of, GiftCards.com, and we got acquired, you know, with that. And we were going through a whole bunch of, you know, due diligence and all that stuff. And one of the potential
Rick:under NDA here, are you? No. Okay.
Justin:Just making sure. It expired. Christ. It's not that anything of that serious. But, but one of the things that was actually funny was they reach out.
Justin:It was q 4. And if you don't know the gift card business, you make most of your money between, like, October December.
Rick:Was it, like, 70%, 80%?
Justin:40, 50 percent Oh, okay. Of the entire year. Still, that's yeah. It's made in those, like, 2 months. Last quarter as well.
Justin:Exactly. So, I mean, that's a big chunk. So oftentimes, we go into, like, don't change it. Don't change it. Nothing's broken.
Justin:Yeah. Yeah. You know? And one of the due diligence companies is like, hey. We're gonna do a pentest against you in q 4.
Justin:I'm like, whoa. Whoa. Whoa. Yeah. We need to coordinate on this.
Justin:I'm not saying no, but I need to understand what you're doing and where's the contact if something starts to happen.
Rick:Right. And he knocks up and down.
Justin:It's Oh, yeah. Like, I mean, again, it's like we get 1,000,000 upon 1,000,000 of dollars, you know, like with this. And it, coming through and I finally get on the phone with, the potential buyer and, they're like, oh, yeah. We're just gonna run, like, nmap on your server. I'll I'll like, alright.
Justin:Knock yourself out. Yeah.
Joe:The the bad guys are doing that all day
Rick:long anyway.
Justin:We have a bug bounty program. Alright?
Rick:Yeah. Right. Right.
Justin:So it was just like, oh, yeah. No. That
Joe:is not
Justin:cool. Yeah.
Joe:Yeah. Yeah.
Justin:Yeah. It was it it was very humorous. Yeah. To me that it was like they're like, oh, we're gonna do a pen test, and then they come out like, can we do a port scan? I'm like, yeah.
Joe:Yeah. Sure. Go for it.
Rick:But I think, but I think like all that program health stuff you mentioned, right. And even getting into like, you know, how, how, how much are you really assessing your third parties or your dependencies and all that stuff because you're going to inherit all these different things.
Joe:Well, you took the yeah. One of the things I had in here was, you know, supply chain security. Yeah. So taking a look at that, that was the, last out of my list.
Rick:Yeah. But I'm
Joe:good, jumping ahead on that, because you're gonna be buying Right. All of their and then there's probably another kind of debt for that.
Rick:Yeah. Right.
Joe:What is that? And so you'll have that. The other things I would look at is things like, well, are they using M365? Are they using what cloud security are they using? And I don't know that even after a company has deliberately gone through and tried to make sure their cloud security, their M365 is locked down and configured
Rick:Mhmm.
Joe:When our teams go through it, and I'm sure you've all seen this too, you still find ways to improve
Justin:it. Yep.
Joe:So how bad is it? And let's do a configuration review of those most critical tools.
Justin:And then also maintain that. But oftentimes well, I guess, again, it comes back to the strategy. Right. You know, type of thing like
Joe:Well, I'll get to why you'd wanna do it anyway. And we'll
Justin:talk about Well, isn't that that breach hunting, you know, type of thing? Or
Joe:It is, but it's for a different reason. The reason you might look at those things even if you're not gonna use them, discounting.
Rick:Yeah. I was gonna say. On the pricing price.
Justin:And this is where it comes down to the bottom line when you're doing this due diligence is it's not a no. It's a how much. You know, type of thing. And if you can build that cost into it, it gives, you know, the negotiators a little bit more power, you know, to say, hey. We we gotta invest all this to, like, integrate with it.
Justin:So we need them to knock the price down or
Rick:And that's actually a thing I'd say. If you are a security leader that doesn't currently have a seat at that table, right, it's worth working with your, you know, CFO or CEO or strategy officer or whatever it is to say, hey, look, I understand we're in an acquisition phase or an acquisition mode. I know we're looking to make sure that we get the best deal possible and don't end up buying a bunch of problems that then we have to pay to fix. Mhmm. If you include me on the front end of this, where I can help do some of these evaluations, or at least say, we need these evaluations and say, hey.
Rick:No. You're not allowed to do it. Then, okay. Well, we're gonna increase our fee. Right?
Rick:You can actually impact the the sale price, but that's sometimes pretty significantly depending on what's going on.
Justin:And that's where I think you need to have, you know, a voice in the ear of some of those people. Like because I've seen just industries decimated on, acquire and leave. You know? Tell me. Like, they they've just grown organically collecting revenue.
Justin:And then their infrastructure is so diverse. It's, you know, it's its own islands. There's no central management of it. Everybody's responsible for their own little things. You know?
Justin:Is a nightmare to deal with, especially when you start getting into security and compliance. You're like, I don't know. That's that group. I don't know. That's that group and everything.
Justin:And all of a sudden, it's like, we need to shift culture here and then get a 5 to 10 year plan, you know, to get everybody on the same page.
Rick:Yeah. But there there's a 1,000,000,000 financial reasons to do it, though, whether it's, you know, labor efficiency or buying power for software licenses or, you know, or just, you know, like you said, you're buying and inheriting potential security. A lot of
Justin:people look at it as like, I'm collecting revenue now and leaving them alone. So it's it's
Rick:cheaper for me.
Justin:I don't have to put work into it, you know, that type of thing. But it's like, are you gonna put work in it now or later, you know, is really when it comes down to it. Yeah. So
Joe:Well, that all makes sense. And and the last thing I'd look at would be identity and access reviews.
Rick:Oh, for sure.
Joe:How how well, which is another indicator of how well they're maintaining things. If you go on and you do a quick look at their users and compare it to who's, in the HR system and you find Yep. A whole bunch of people with active accounts, that's going to be an indicator of probably a whole lot of other problems.
Rick:That's a hygiene issue.
Joe:Yeah. And so, when I'm when I'm doing these, it's not super expensive to do. And you don't go super deep on it either. Right. You're basically looking for what are some red flags that will be indicators that we might have some problems here?
Justin:Mhmm.
Joe:And we need to understand a little bit more. And that might then take you into the path of what to do next. And one of those next things might be, well, let's go ahead and, see how much this is gonna cost us to fix Yeah. Get that big discount. And I see you wanna say something.
Joe:So I'll
Rick:get it over to you
Joe:when you come back.
Rick:Well, I was gonna say I really, really love that point because the goal is not necessarily to know all of the issues. It's to have a general understanding of is it very, very bad or just kind of bad or mediocre or pretty good?
Justin:I mean, it's the same thing going over their finances, you know, perhaps negating it from a risk perspective, you know? Yeah. Yeah. Yeah.
Joe:Yeah. So let's flip it. You're the company, you're selling your company. What do you want to do to make sure that you're solid so that you don't get discounted?
Rick:Yeah. I mean, all that same stuff, but in advance. Right? Right. And and frankly, you can do it yourself, but probably it makes sense to pay someone to do it on your behalf.
Rick:Well, we could
Justin:do it ourselves. You know?
Rick:Well, we could. But even if even if it's a company that I'm selling, I probably want someone else to an independent party to do it so that I can say, hey. This is not my letterhead. It's this company this respective company's letterhead that says I didn't just grade myself and tell you everything's good. I've
Justin:actually got virtual CSO contracts because of that. Yeah. What they're doing? Type of thing. That they're going to look to be on the market or something like that, and they just need an extra security arm, you know, into their, type of thing.
Justin:So, yeah, I think, and try to centralize. Like, a lot of people try to invent their own stuff and be, you know, with that. And it's like, no. Just go use, you know, Microsoft 365. Like, that's the best solution, you know, or Google or whatever it is.
Justin:Get all centralized. Get into something where you get central reporting. You know, you don't have to spend a ton of money. Just get it owned one place.
Rick:That's a that's a really good point too. Like, streamline your architecture and your tooling and your stack. Yeah.
Justin:Like, a lot of this stuff I mean, obviously, I'm a a 3 person company counting myself, but, you know, we all centralize on Google authentication. I create an email account for everybody with that. Yeah. And all the tools that we use authenticate through Google. I can terminate, you know, everybody.
Justin:There's a couple of apps that don't do that, but, you know, you keep track of those. Yeah. That's the thing. But now it's easy, you know, with that. So Yeah.
Rick:So did you have extra things that you would do if you're selling that are different than if you're buying?
Joe:Not really. I would still do the same thing. I'm like, how can I but everything is with the idea that I can create assurance? Right. So what is the yes, please.
Joe:What is the best way to
Justin:Just to
Joe:layout that oh, we'll get we'll get to this in a moment Yeah. And see why he only wants a touch. But how how would I lay it out so that I can, it's basically getting audit ready. And my auditor happens to be, in this case, the buyer. Right.
Joe:And so how can I give assurance that we're doing all the things that we should be doing to make our price, you know, the high the high price I wanna
Justin:Get a pen test? Yeah. Or a port scan?
Rick:Yeah. Probably not a port scan. It's kind of like a vendor questionnaire in terms of getting the assurance, which is a perfect segue to the next topic potentially.
Justin:What do we gotta talk about? Oh, that's right. It's talking about news first too.
Joe:So but anyway. So, yeah. That to kind of wrap it up and, put a bow on that, you have, you know, what what's technically could be wrong? Yeah. And let's make sure that we don't have those problems.
Joe:And then how can I support that my technical stuff is working through the proper policies and governance and program? Yeah. Because without the policies and governance and program, no matter what you fix, it'll degrade later if you don't have a process to keep it good. Right. So how are we doing that?
Joe:And then what are the other indicators of a, you know, a a risky environment?
Justin:Yeah.
Joe:Not maintaining identities. Not having third party. You know, patching, not having third parties, know knowing who you're outsourcing to
Rick:All the rest of it.
Joe:And those kinds of things.
Rick:There might be actually one thing that if you're selling, you need to do, but if you're buying I mean, I guess it's still an indicator. But, you'd want to make sure that your team is fully aware of I don't want to say what the story is, but what the actual reality is. Because if these interviews are happening or these assessments are happening and people walk away with 2 or 3 different stories across 2 or 3 different people on your team, odds that's those are problems. Right? So it's always good to make sure that your whole team knows what's going on, but, you know, operational reality
Justin:is is try to keep that under wraps
Rick:Right.
Justin:That they're selling.
Rick:Well, right. But but making sure that you're in so so there might be a bit of a needle to thread here, right, in terms of making sure that your team understands the most up to date, not story, but reality in terms of your program, especially if you've been cleaning up some things over time.
Joe:Yeah. Consistent talking points. Yeah. And that's just standard audit prep. Yes.
Joe:20 some years ago, 30 years ago, when we were just starting to go through SOX audits, year 0, Right. We were getting coached by, the accounting firms, the the firms that were helping us. Yeah. Here's, you know, here's what you say to the auditor. Here's what you don't say.
Joe:That would be no different for this. If you're the company getting bought Yeah.
Rick:And prepping. But but potentially, you know, again, depending on that company's what they've gone through in the past, they may or may not have that capability locked down already.
Justin:Yeah. And I would think the senior person would be the point person just to make sure that there's one voice.
Rick:Maybe. Whenever I've pushed in the whenever I've been part of the acquisition team in the past, I've always pushed to talk to a wide variety of people just for that reason.
Joe:Mhmm. Yes. Yeah. Okay. And from the other side of it, if you're gonna get bought, don't go it alone.
Rick:Right.
Joe:Bring somebody like 1 of the 3 of us in.
Rick:Yeah.
Joe:Sit down and actually get your game plan together.
Rick:You're right. Yep. Good topic. How about that bourbon?
Joe:How about that bourbon? What about that bourbon? You said you either hate it or love it.
Justin:And you're in the middle.
Joe:I you can't be.
Justin:You're a renegade.
Joe:So Yeah.
Justin:It happens. Yeah. So for this one, we got Barrell Seagrass. So this is one that a lot of people have mixed feelings about. It is rye whiskey finished in Martinique rum, Madeira and apricot brandy barrels.
Justin:I don't know. I'm I'm sure I'm butchering it.
Joe:Martinique, rum,
Rick:Madeira, and apricot brandy barrels.
Justin:Yeah. So it's a very unique blending of this 119 proof, which is, we all agreed that it's a little hot on the intake and everything.
Rick:But, actually, I'm surprised it's but it it drinks smoother than a 119. I would say that. Yeah.
Justin:I would say that. Yeah. And then once it settles into the back taste, you get that kinda grapefruit Oh, it's a fruit bomb. It's a sherry cast. Sweeter.
Rick:Oh, yeah.
Justin:A lot of different flavors happen on the back, and everything. So, yeah, I think it's a combination of that brandy and that grapefruit. It's, it's interesting. And then with that rye, you got that kinda, you know Pepper. Yeah.
Justin:Yeah.
Joe:Yeah. I always like to just sip it first, and then I like to add ice and see how it changes. Yeah. Every time I drink something, I add a little bit of ice, just a trip of ice. I can notice a difference.
Justin:Yeah.
Joe:And this opened up nicely. It was much less hot after,
Rick:See, I started with it. I started with a couple of chips of ice and yeah. I the I liked this to start and as I drink it, I like it more and more and more.
Justin:Okay. Gotcha. Yeah. Like I said, it's a very unique flavor profile. It's not just like, you know, Angel's Envy with, like, cherry cask.
Justin:You know? It's a very simple flavor additive, you know, into that. This has a very unique combination of flavors.
Rick:Are they in Louisville?
Justin:They are. They Barrell Craft Spirits, Louisville, Kentucky. No. So and they make a lot of good, different type of spirits. I don't
Rick:think I'd have had a Barrell Craft before. I like this. Yeah.
Justin:Alright. Cheers, guys. Cheers to episode 6, and
Rick:and thanks for everyone who's listening.
Justin:Alright. So getting a little fun here.
Rick:Let's do it.
Justin:Favorite security movies is, like, something cybersecurity focus was into it and why. K. Or most hated. You can Yeah.
Joe:Most hated. Well, we had a whole list.
Justin:There was a big list.
Joe:Yeah. Well, I have them I don't know that I hate it, but I'll get to it later. So we'll we'll come back to it. It's down further on my list. But, I don't know.
Joe:I I'm always a big fan of WarGames. I watched it with my kids recently after not having after going many years between watching it. And it's just a, play a game. Yeah. It's just a really fun one.
Joe:Anybody else got comments on WarGames?
Rick:No. I mean, it's just super solid. I haven't seen it in a while. I probably need to give it a another watch now that I'm a little older.
Joe:Oh, yeah. Yeah. This movie led to the creation of the Computer Fraud and Abuse Act in 1986. Really? I did not know that until I started looking at that today, and it popped up.
Joe:And I'm like, wow. I gotta share this.
Justin:So the movie said, oh, there's people that put the phone down on a receiver and go, you know, into Well their systems.
Joe:The system said welcome. But, nevertheless, the computer, you know, the the CFAA is all about getting onto a computer Yeah. Having authorization to get onto it, but abusing your access. Right.
Rick:And so what happened we have those banners. Interesting. Yeah. Well, that's that's the thing.
Joe:The banner came up. Didn't it say welcome?
Rick:Well, yeah. You're right. Because because the kid was looking for games. Right? That was the whole thing.
Justin:Yeah. He wore that.
Joe:Yeah. Yeah.
Justin:Jumping around a whole bunch, and then he found the military weapon.
Rick:But he thought it was a game, and then he, like, started doing stuff, and then they thought it was Russia.
Justin:Because they had, like, tic tac toe nuclear, thermodynamic, you know, whole idea. Yeah. That looks fun.
Joe:How about a nice game
Rick:of chess?
Joe:So but instead I love Civilization.
Rick:It's a great game.
Joe:Yeah. And and but instead, he knew he was doing something that was exceeding the authorization he
Rick:had. Mhmm.
Joe:And so that's where the,
Rick:the
Joe:new SAT came from.
Rick:I did not have to lose weight. Grades in, In his own school.
Justin:Yeah. Yeah. He definitely was. He was there. So Yeah.
Justin:Yeah. I think yeah. That definitely introduced probably a generation into, like, cybersecurity, you know, into that. So I thought that was a pretty interesting good one. Well, and the one.
Justin:The the so I will say similar to that, but it's not my favorite. Hackers, you know, introduced with that. But my favorite all time favorite hacker movie is Sneakers. I love Sneakers. Oh, yeah.
Justin:I would say it's probably my favorite. Get out. So, like, it there's so many things good with it. And, I mean, obviously, it's, you know, Farfetch from the the box that can break any, you know, security, you know, out there or encryption algorithm out there and everything. But the concepts and how they break in this stuff, it's just like it's almost like real world and how they break into the bank at the beginning, you know, and everything.
Justin:How the like, I love the one scene where the guy was, like, where he got past his security guard by, like, having, like, the
Rick:the bleeding k did.
Justin:And just the annoyance of a social, like, engineering finally, like, buzzed him in. Absolutely. And then he couldn't like, when they get, like, key cards, you know, whatever they were you know, whatever it was, he's like, I might have a solution. Uh-huh. Uh-huh.
Justin:And then he just kicks open the door. It's also just a great
Rick:caper movie. Yeah. Like, it's just really well put together.
Joe:That's good. And so that's the one where, I have a couple of quotes I wrote down for this one. You know, anybody remember the, the line, my voice is my passport.
Rick:Oh, yeah.
Joe:Verify me.
Rick:Yeah.
Justin:Yeah. Yeah. Setec Astronomy.
Joe:That was, Dr. Werner Brandes was the, the character.
Justin:Well, they had to go on a date to record all the voice. Yeah. Yeah. Yeah. I'm like
Rick:That'd be a good word
Justin:I would love you to say?
Rick:Assport. Yeah. Yeah. Yeah. Yeah.
Rick:Yeah.
Joe:I've seen so many Facebook ads with these really unique, shirt quotes from these 19
Rick:80s. Deep cut. Yeah. Really, really cool.
Joe:Here's another quote, from the movie. There's a war out there, old friend, a world war. And and it's not about who's got the most bullets. It's about who controls the information.
Rick:When did that come out?
Joe:That one in 1992. 92.
Justin:Okay. 92. My, one of the things that I loved about, some of this stuff. So if you remember when Robert Redford went to go, the guy that invented that box Mhmm. He went to go visit the lecture, you know, into there, and the guy was talking with, like, with, like, notes that he'd written on a clear thing and was showing on the the slide rule and everything.
Justin:So fun fact about that, first off, they had in a PowerPoint presentation. They hired Adleman, which RSA Yeah. The A in RSA is Adleman. They hired him as a consultant onto that, and they're like, yeah. Mathematicians don't do that.
Justin:They just write it onto there. So they switched it to, like, that. And that was all his written math, and all the math makes sense onto there. Really? His condition on doing some of this stuff.
Justin:I guess his wife was a big Robert Redford fan. So in the audience, it was, Adleman and his wife were sitting in these, classrooms in the classroom there.
Rick:That's I didn't know that. Like, that's cool. Yeah. I knew they had him as a consultant on, but, like, that's super cool. Yeah.
Rick:I don't know.
Justin:It was one of the conditions of it, like, like, working into that. So, yeah, like, stuff like that is, like, oh, that's That's awesome. Yeah. Yeah.
Joe:Now and I did say Sneakers is my favorite movie, But when it comes to TV shows, let's slow down here too, Mr. Robot. Yeah. You don't like it as much?
Justin:I I watched I watched a handful of episodes and it kind of dropped off.
Joe:Oh, I watched every one. And then my son who's 18 years old now and at college, a year or 2 ago, we sat down and watched the whole thing again. I need to be here. And he loved it.
Rick:Yeah.
Joe:And because he loved it, I loved it so much more sitting there going through it. Oh, that's fun. It was just good. Yeah.
Rick:Yeah. Yeah. Everyone everyone tells me great things about it except for you. You're the first person I've actually
Justin:heard of. No. Right?
Joe:But you didn't watch the whole thing.
Justin:No. It was only like 3 or 4 episodes in, and it got dropped off and everything.
Rick:I would say, as far as ones that haven't been mentioned yet, 2 of my favorites that are probably close enough to be considered, Johnny Mnemonic.
Justin:Oh, okay. Yep.
Rick:Right? Has I mean, it it gets into that, like, biotech, biometrics, but but the concept of, like, encryption and sneaker nets effectively and stuff like that, and moving data around, you know, physically because you can't trust, you know, how it moves around digitally. I think there's some neat stuff there. It's also just a super fun movie.
Justin:I saw
Joe:it a long time ago and I don't remember it. So now I have to go watch it.
Rick:Yeah, so the gist of it is, the way that things work in the future is people have these cybernetic implants and Was
Joe:this a Keanu movie?
Rick:Yeah, it is. Yeah. And you, and basically there are these people that move data by putting it in their own head and then physically going to the place and then getting it out of their head. But it's, like, encrypted, and they blank out when it happens and all this stuff, and it breaks some cool stuff. But, anyway, what the Yakuza gets involved in in in ruins this data courier's whole thing for a while.
Rick:And so
Justin:They overload his brain. They give him too much, and he has to get to, like, where he can empty it, but it's, like, messing with him the entire movie.
Rick:I mean, it's it's it's probably, like, you know, it's peak nineties wackiness in some ways, but like, they're like giving dolphins heroin at one point, stuff like that. It's it's the whole thing. But I I like that one. Ghost in the Shell is another one. It's an anime actually, And it's, it's a similar kind of thing in a way, but basically they figure out how to like move consciousnesses around.
Rick:So like you could upload your consciousness out of your, your body, your shell, and your consciousness is called a ghost. You can, like, put it in the Internet or move it back to bodies and stuff like that. And so there's this hacker effectively that is taking over people's identities and jumping around and they're going after the hacker and stuff like that. So I don't know. There's there's some neat stuff there, I think, in terms of Yeah.
Rick:Identity and, and and, you know, in reality and the digitization of things. That's super neat. So
Joe:Yeah. That's cool. And, well, I'd be remiss without saying Hack the Gibson, which goes back to Justin already bringing up Hackers Yeah. But not in a way that seemed like you liked it too much.
Justin:I mean, it's alright. I think a lot of people will over blow it. You know, it's
Rick:It's a big hit of, like, nostalgia dopamine for me. Like, I can still hear, like, a lot of songs in the sound. Like, I can summon songs from the soundtrack in my head and stuff like that. Well
Justin:and, you know, and it's always funny, like, when they're like, everybody suit up. We're like, we're gonna we're going in. Put on your VR goggles. You know?
Rick:It's like,
Justin:alright. It's hard to be Well,
Rick:it's what's I was I was thinking about Tron
Justin:Oh, yeah.
Rick:When you're thinking about this. And if you were to go, like like, maybe not exactly how computers work, but good fun, good movie. Yeah. Yeah. About Tron, I didn't know this.
Rick:I guess it was like a good chunk of it was inspired by the game Pong. Really?
Joe:Yeah. I can see that.
Rick:Yeah. And then they got into, like, the light cycle thing because the whole thing ended up being, like, the games within the computers and rogue programs and stuff like that. So it's fun, but, yeah, that I think might have single handedly damaged a lot of people's perception of how computers work. Right. Have you ever seen Lawnmower Man?
Rick:Oh, yeah. Yeah. I think the first R rated movie I
Joe:ever saw. So that movie, again, another one my, my son and I decided to watch. And the parts that just kind of blow my mind now are the, very weird graphics that
Justin:you come up with
Joe:from the, well, I don't even know when that movie was made. Nineties, I guess?
Rick:It's gotta be nineties. Because, like, that Windows 95 cutting edge because it's like a person's face, but it looks like it's wrapped around a cylinder. Yeah. Like, yeah.
Joe:And the, the guy trying to break out, and then he's shooting the attempts through all the different ports.
Justin:Yeah. Yeah.
Joe:Yeah. So, anyway, that's not even the worst one of them all. The worst one. What's your worst one?
Rick:I don't even know. I I'd have to think really hard.
Justin:And there are a lot of bad ones.
Joe:I'm gonna go with The Net.
Justin:Oh, The Net was up there.
Joe:Sandra Bullock, right? Yeah. Yeah. So that was from 1995. Yeah, it looked like
Justin:a pie sign down the bottom of the web browser. And
Joe:here's the thing I love about here's why I love to hate that movie is did you ever notice, the impossible IP addresses that were shown on the screen? Oh, great. Like, I noticed this and it was such an irritant. So I had to look it up today. And one of the IP addresses was 23 dot 75 dot 345 dot 200.
Joe:What's wrong with that? 345. 345 dot octet is not possible. And then they also listed the other one.
Justin:It could be a secret government routing. It's 345,
Rick:like, Hollywood's version of starting a phone number with 55 plus, because it doesn't exist. That's pretty
Joe:much what it is.
Rick:Oh, is it really?
Joe:And then I I that's what I read today.
Rick:Okay.
Joe:And the other thing was, 75.748.86.91. So 748 as your 2nd octet. Yeah. You know? So if you're not a a nerd, you're not going to get this.
Joe:But, yeah. So those were the things that you're watching on the screen. You're sitting there with somebody who has no idea, and you're like, oh, this movie sucks. So, like, why did you see that octet?
Rick:That's so funny. But so, but it's not it can't just be the IP address, fake IP address screens, that makes it the worst. What makes it the worst? I don't know what makes it the worst. Is this the bad movie?
Justin:You know what? I hate when they just grossly simplify the cybersecurity industry, like,
Rick:let
Justin:me try and hack in. Okay. I'm in. Oh. You know?
Justin:Oh, the consequences are lower.
Rick:Plus, like, is that, like, NCIS or whatever where they they say they're like, you think you click really loud on the keyboard for a while and then, alright. I'm in.
Justin:Yeah. Like
Joe:And this is, at least a PG, podcast, so we can't talk about Swordfish and the hacking. So, anyway Fair enough.
Justin:Swordfish and everything. Actually, I didn't mind the, what was the movie? Is it live free or die hard? One of the die hards where they hacked everything. Yeah.
Justin:That was actually a pretty good one. And what's his name? Silent Bob was the mega hacker. He's in the basement. Everything.
Justin:I I enjoyed more the concept of it that, you know, the fire sale where they brought down the different industries and basically exploited a backup that the government, you know, had in case of a
Rick:Like a backdoor?
Justin:Yeah. So they basically like, after a whole bunch of bad stuff happened, they downloaded all the financial information into a few secret places.
Rick:Mhmm.
Justin:And then they knew of that, so they went and basically stole it.
Rick:Yeah. You
Justin:know? That type of thing. Yeah. So, I mean, the the concept is very interesting, you know, in there, type of thing.
Rick:But That's cool.
Justin:Well, if
Joe:you're watching, and you're looking at this on YouTube, go and post your favorite movie in the comments. We really wanna see what that is.
Rick:Yeah. Especially if it's one we haven't talked about.
Joe:And also the one you hated the most because I'm very interested to know what that is because I'll probably enjoy it. Yeah. So I'll go watch it.
Justin:That I mean, you watch it, you hate it, you know, type of thing.
Rick:Yes,
Justin:sir. We got about 5 more minutes till the hour. Do you wanna dive into that last topic there?
Joe:We we can hit on it and maybe pick it up, even more later.
Justin:Yeah. Sounds good. So questionnaires that companies get. So we're not talking about questionnaires sending out. You know, that's 3rd party risk management.
Justin:But you as an organization getting all the due diligence we talk a little bit about due diligence today in the form of m and a. Yeah. But even if we're not selling, you know, or buy you know, we're bombarded with due diligence.
Rick:You know?
Justin:How are you doing? Tell me the security. I even me, like, as a sole practitioner of consulting, I get these questionnaires, you know, like, do you have a, you know, a SOC 2?
Joe:Do you have this? I'm like, it
Justin:it's just me. Like, come on, guys. Like and I write up, like, 3 I have a 3 paragraph thing. It's like, I use Google. I patch everything.
Justin:I use MFA.
Rick:Right. What
Justin:else do you want? I don't wanna say what else you want, but it it implies, like
Joe:And plus, I don't want any of your data. I don't. I wanna log in to your system.
Justin:Don't give me any of your access. Yeah. Absolutely. Yeah. Like, I won't have access.
Justin:I won't have this and all that stuff. But, anyways, dealing with this, and they're all different. Mhmm. How do you deal with all of that without telling the customer to go pound salt? You know?
Joe:Well, I think you brought up a very good point.
Justin:Sand, salt? Yeah. Whatever. Yeah.
Joe:I think you, brought up a very good point. Are you, and what should you do if you're a one person solo preneur kinda doing this? I think you got a very good approach. You have a very small landscape of things to protect in order that you can demonstrate. Yep.
Joe:And so how do you get that done? And how do you convey that and what do you want them to do that minimizes everybody's time? But then you have the next level which and are there more than one more level? Tell me. Think your 10 person company, 10 to a 100 person company, and then you have your enterprises.
Joe:So I think they're all a little bit different in what the expectations will be. Well and I don't think
Justin:I don't think it breaks down in the method of size of the company. It's your clients that you're going after. Because I know, like, you know, depending on the industry you're in, like, sometimes it doesn't really matter. But if you're, like, prerevenue I've worked with a couple of clients that their pre revenue start up company is 30 people, but they're trying to appear into the fintech finance area. And they're like, we can't even start without all this stuff.
Joe:And the same with, processing health care data.
Justin:Yeah. Exactly. Like, it's a no go to get into some of these clients without some of those due diligence done Yeah. You know, type of thing. So depending on where you're at, it doesn't even matter the size of the company.
Justin:If you're going in a certain market that's highly regulated, they're gonna expect all their customers to have this in place already. You're not gonna get past start there, you know, type of thing.
Rick:Yeah. I I think as far as, like, strategies for dealing with it, right, it's, you know, it's gonna be a lot of the basic stuff. Like, come with like, make sure you have defined your standard response, whether it's 3 or 4 paragraphs or pages of third party documentation that say, hey. We did this pen test and this controls assessment and this, that, and the other. Make sure you have that.
Rick:Make sure it's up to date, all that stuff. If you can, right, it's you know, I I know people are not experimenting. Some people had varied success with kind of automated solutions in terms of, like, leveraging a portal with a chatbot that can reference policies. Right? I mean, people have been doing it forever.
Justin:Like a trust, trust portal type of thing like Vanta and Drata have had.
Rick:Something like that. Yeah. But, you know, it doesn't even necessarily have to be like that. I mean, tech support's been doing this for years years years, right, in terms of, oh, you know, have you, you know, you type in your question in the chat. Hey.
Rick:Can I help you with anything? Yeah. My here's not working. Have you turned it on and off again? Like, I mean, there's no reason you can't do a compliance support portal in that way, and I I know a couple of clients that have, that have had varying success
Justin:with that.
Rick:But I think an underleveraged strategy, again, when you start to get into the enterprise space where there's a bunch of different teams watching these things, is, kind of shifting the burden left to an extent so that you're empowering your salespeople with that internal portal and with all the documentation and stuff like that. You say, hey. Look. We, the compliance team, which is typically like this big, you know, we're going to manage and maintain and support you when weird stuff happens, right, and help you fight battles. But you guys take the first swing, Right?
Rick:Don't be reliant on us to understand the security posture. Here's all the answers, and we'll help support you.
Justin:I didn't want salespeople ever to answer questionnaires. That was one of the things that at Diebold, we actually took.
Rick:You took back.
Justin:Yeah. We took because, I mean, you look at salespeople will say yes to anything. They'll they'll answer inaccurately. They'll answer stuff that's not what Their motive to get the deal done. Yeah.
Justin:Exactly.
Rick:But but I do think there's this And
Justin:we set up an SLA for, like, 3 days. Like, you give it to us. We'll finish it in 3 days. They were happy to deal with that. You know?
Rick:I think that's fair, but but I do think there's this natural pendulum pendulum that that swings in terms of fully decentralized security to fully centralized security to decentralized but managed and overseen security. Right? So I guess I'm talking about late stage maturity to an extent in terms of shipping out.
Justin:Agree with you. Like, give them the artifacts that they can dish out to the customers and everything. Take the first one. Yeah. Exactly.
Justin:So if they're asking for a SOC 2, here's our SOC 2. Like, you don't need to involve me into that.
Rick:You don't have to cover that. Basic password policy stuff. Like, they should be able to say, like, oh, how often do you do incident response? Like, they should have an under typically and again, if you can manage the process, right? If it's fully unmanaged, and the sales team has basically always owned it and had no oversight, yeah, you probably need to start to fix that.
Rick:Right? But if you've pulled it all in and now you're overwhelmed, right? Well, you've built the patterns in terms of responding. You just don't have the, the, the manpower to do it. Right.
Rick:So you can start to apply those patterns back, give those patterns back to the business and say, look, here's how we answer these things. Right. We've already done a bunch of these. You know, you can roll some of these things forward and keep you up to date on what's there. Here's here's the internal trust portal with the chatbot.
Rick:You can
Joe:So the concept of the portal says, let's all collaborate in the same place. Right. Have something to work with. There's systems out there you can get that help you manage this. Right.
Joe:The part that we didn't talk about yet is take a risk based approach.
Rick:Oh, yeah.
Joe:And so sometimes
Rick:it's going What
Joe:do you
Justin:mean that? Yeah.
Joe:That's Well, it's sometimes just going to the, customer and saying, well, here's what we do for you. And you're giving me your same questionnaire that you're giving to this company that does about 10 times more
Justin:Yeah.
Joe:With your most critical data. And if you're not the cost if you're not that customer, then, well, what risk are you trying to manage? You might have that conversation. And that conversation may actually eliminate a lot of unnecessary work. Yeah.
Joe:And so you could say
Rick:In the long term, not just short term work. Oh. Work year after year after year.
Joe:If they've gotten to the point, they're giving you that critical, that high caliber of a questionnaire
Justin:Yeah.
Joe:They probably have you on a cycle. Mhmm. Well, if you don't belong on the yearly cycle Right. Get yourself on the biyearly, this twice or every every other year, or the every 3 year cycle. Mhmm.
Joe:And if you've already invested in things like so here here's what kills me. You invest in the SOC 2, you get your ISO 27001 certification, and yet you give them that and they still give you the 300-question questionnaire. Yeah.
Rick:You gotta answer
Joe:it in our way. What what exactly did I save by getting these, external stamps of approval for my program? Nothing.
Justin:So Wait a minute. Do you ever tell the customer no at that point?
Joe:You actually have a conversation.
Justin:Yeah. I
Rick:do. Yeah.
Joe:I mean, Microsoft does. They say we're not talking Well,
Justin:they're big enough.
Joe:You go down. Right.
Justin:AWS is like, here's our due diligence base. Yeah. You know? Self serve.
Rick:But it's, but it is exactly what we're saying. Like, look, our product slash service is this, right? We can appreciate you have these risks when you're using us. Here's how we address those risks. I love that.
Rick:If you have other stuff, right? If you have other concerns, well, they're probably not applicable. Right? Or or let's at least talk about them.
Joe:Talk about them.
Rick:Because I I I think very this was this was absolutely one of my points. Like, people don't push back, and it's bad for both parties. But the reason the the companies that send out these questionnaires get into those spaces because they have what are typically fairly junior people Right. Right, sending out these questionnaires, and they don't have the experience or the authority to assess how risky
Joe:all the time or a
Rick:100% of your product is.
Justin:People with big attitudes. I've seen that a lot. It's true. Right? So, like, you will answer my questionnaire, or else Yeah.
Justin:We had someone at Diebold, you know, not mentioning any names, but we had this set process. We we worked a lot to get everything what you mentioned optimized, repeatable Yeah. Yeah. In context of the services we're providing to the customer. We had this one credit union reach out to us.
Justin:They wanted all of our policies, all this stuff, and everything. It was like, nope. We're giving you a summary of our policies. Here's table of contents. Here's this.
Justin:Here's that. Right. Here's the due diligence you requested. The owner of the credit union came back like, that is unacceptable. I know you're CFO.
Justin:I'm going to contact you.
Rick:Telling them.
Justin:You know, this is awful. Yeah. We went we went, talked to the CFO, like, hey. Just a heads up. This is happening.
Justin:He's like, okay.
Rick:Yeah. Like, nothing.
Joe:And and at the end of the day, you take company names out
Rick:of it.
Joe:I don't wanna get in the middle
Justin:of that. Right. Right.
Joe:But, will the buyer actually decide, in this case, not to use that company because they couldn't get more information.
Rick:Rarely. If you're already at the stage where you're doing a questionnaire, it's typically because initially they've either decided on you. Well, like like I've never seen those questionnaires utilized as a real decision point in terms of what people are buying. I've only slightly seen it used, but it never happened at that part of the process.
Joe:Right. It was always at the due diligence phase.
Rick:Right.
Joe:Same kind of question. Yeah.
Rick:You could theoretically wind it a little. Yeah. So but so I do think you need to I I think you push back. I think it's extraordinarily rare unless you have something that's super bad that a buyer is gonna walk, you know, because you have a bad answer. Typically, even that's a conversation and negotiation around, well, what are you going to do to minimize my risk if you're not getting the information
Justin:taken out?
Joe:I'm not, I'm not sending you all of our policies. However, I'll screen share, but but you need to sign this NDA Yeah. That says you're not screenshotting everything I put in the market. I'll tell
Rick:you I'll I'll tell you the whole thing. Like, what do you wanna know? Like, let's talk about it. I'll also say, but part of that pushback, typically, depending on who the buyer is, if they're a large organization, it also means, you know, very kindly saying, thank you very much, mister or missus analyst, but I do need to talk to the person who is, you know, the actual risk, you know, the risk manager, the person who actually can decide this is okay or this is not okay, cause it's not always the per very rarely in large organizations,
Joe:the person sending questions. On the head. Somebody who has our level of experience is designing this program, then is being executed by people they delegate it to, who are told, go figure this out. Right.
Rick:And they wanna manage the the people who designed the program, they want to manage by exception. Right? Yeah. So they're having all the analysts go do the things and they well, whenever someone gives you a tough time or whatever, bubble it up to me and we'll take care
Justin:of it.
Rick:And then so if you can have a conversation with that person, I've I've never seen this they don't I will not say that people have always a 100% agreed with me, but I've never had a situation where I've pushed back, and there wasn't some reasonable accommodation of, yeah, you're right. Our risks are actually here. We're gonna lower the burden to this extent. It might not be exactly where I think it should be, but it's less than what it was.
Joe:I always love finding the takeaways that we should share at the end of this part of the conversation. What's the takeaways for, doing your
Justin:Before that, I I actually, I have a funny story about this. So on the other side of that, so when I was at BNY Mellon, I spent a year with our 3rd party risk management. And we outsourced. We did we had 1,000 on our vendor list that we measured on 1, 2, 3 year increments. But we did several, we did about a 100, 120 a year that we did on-site, and we outsourced that to another company where we, you know, hired a consulting company, go on-site for 2 days, go through the questionnaire, answer all of it.
Justin:Then we get on the phone at the end of that, and we review some of the findings. And I would tell you, we had one. It was hilarious. Mentoring to, like, the analysts, you know, brings it up. They cited this one company that they were not educated on how to use the fire extinguishers.
Justin:And I'm like, isn't it printed on the side? They're like, well, yeah. But they didn't they didn't see there was actual training on it. I'm like, I don't care. Move on.
Justin:Right.
Joe:So that's a risk based approach
Justin:I really didn't hit a risk you were probably worried about, but they asked Your
Rick:poor vendor, all those questions.
Justin:I know. I know.
Joe:And they
Rick:should have pushed back probably.
Justin:We we had a conversation with our consulting company. Like, come on, guys. Like, come on. Like
Rick:Yeah. Yeah. But there are takeaways.
Joe:Yeah. I like the risk based take a risk based approach. Push back, which seems to me to be a common theme that we hit on before, which is Well,
Justin:I think standardized. Tailoring. Stand go ahead. Standardize first. You know?
Justin:So Standardize your responses. Yeah. Exactly. Right. Right.
Justin:You know, like, you get your ducks in a row. Like, one of the things Create a library. Carry it around. Yeah. Here's here's how we're responding to all the things.
Justin:Like, one of the things that we did, in one of the companies is, like, we had in the financial sector, SIG questionnaires were a thing. Yeah. So we just made full SIGs for some of our services. And so no matter what the format that we got in, it could be a Word document or just typed questions, like, here's our full SIG. You let us know what we're missing.
Justin:Like, if you have any other questions, let us know. Right. You
Joe:know? Well, I I like that. Yeah. And now there's software tools. We didn't even get into this whole there's a whole another conversation we had.
Joe:There's software out there.
Justin:Mhmm.
Joe:And now with AI
Rick:Mhmm.
Joe:There's software. Some of these compliance automation tools will take it, map it to the controls we already have demonstrated, and we'll create the responses. You have to validate it, and then you hit send and it goes back. Right. And those blend into the trust portals as well.
Joe:Mhmm. So I'd be remiss not talking about don't let this be a manual process. Right. It's now time then let the computers do the work, and then you deal with the exceptions.
Rick:Yeah. But
Joe:anyway, aside from that.
Justin:Yeah. Yeah. And then to your point, what you're alluding to is pushback. Like, once you have that standardized process, you've given that initial thing, it might not be exactly
Joe:what they want.
Justin:No. But you were talking about pushing back. Yeah. Yeah. You know, how do they tailor it.
Justin:Push back. Yeah. Like, give them what they like, your standard response. If they start saying, well, you didn't answer exactly my questionnaire, it's like, yeah, but I gave you, like, 300 questions of, you know, exactly what you're
Rick:And you don't have to be a jerk, but make make sure you're talking to the right person because that analyst probably isn't the the person that sent it is rarely the person that can accept serious, you know, significant deviances or, you know, say, oh, yeah. We'll just send you a different questionnaire. They probably can't We actually
Justin:we floated around. We were talking to, sub board committee and everything. At one point, we're talking about charging nominally of customers and insisted we, fill out a question. After we send them, like, the full say and all that stuff, they were like, no. You must do it in our format.
Justin:You're like, alright. It's, $800. We batted that. We
Joe:You know?
Justin:It's like it's like a nuisance charge to, you know, to some of our services. Like but if you're really serious, like
Joe:That's not the first time I heard that.
Justin:Yeah. We batted that around. Execute on it, but it was it was a serious thought.
Rick:I've seen that batted around at a couple places I've worked at before. Yeah. And and and, frankly, what what happened in some of those cases was the charge wasn't an upfront charge, but
Justin:it was tagged onto the the Right.
Rick:The price tag on the back end.
Justin:Yeah. If you really want this, like, we'll we'll give you a whole bunch of information that's included in this. But if you ask us to do work Yeah.
Rick:This is gonna take an extra 8 hours a year
Justin:to deliver on this to answer your specific questionnaire.
Joe:Yeah. Well, I've actually had those conversations where you're filling out the questions. Yes. You're getting back to the people on time. They ask you more, and then you go talk to the person who, is trying to buy the.
Rick:You make it part of your pushback. Yeah.
Joe:You're like, you know what? This is just going to this increases the cost of the service we're delivering. So if we don't standardize on these things, you will need to charge more.
Justin:Yeah. Yeah. One thing we didn't talk about I mean, we're talking about questionnaires and just dealing with this. One thing I will absolutely and do advise on is getting in front of your contracts as well to make sure you're not promising something that you can't deliver on. Uh-huh.
Justin:Typically.
Joe:That's a whole good conversation.
Justin:Yeah. Yeah. You know? But that's part of the that's almost the first battle that you're not promising a SOC 2 or an ISO or something like that. And then they sign the contract and you're like, what what do
Rick:I have?
Joe:Well, that's very simple. Whenever we're doing a SOC 2 readiness, evaluation, we're trying to figure out what trust principles to, pick Yeah. Yeah. So that you can demonstrate it. A lot of this and and one of my CPA friends had, mentioned this.
Joe:So Matt said to me, well, what in the contract with your customer are you telling me you're gonna do? Right. If you're doing SLAs, then you might wanna have availability
Rick:Right.
Joe:In there. If, you know, if you're saying the data that you give them after you process it is gonna be this accurate processing integrity. Integrity. So you might want those extra trust principles. So that's just another another thought process.
Rick:Yeah. Absolutely.
Justin:And Zed, the only required one is security. Right. Yeah.
Joe:Yeah. And that's just a good place to start and add on later, but the thing you want to do more.
Rick:The contracts thing can be a nightmare though, because although the questionnaires, although they feel like a nightmare because they're constantly coming in, the contracts, typically any organization at scale has this mass of backlog of them. And so if you're coming into this from a from the perspective of an organization that has not really inspected those in the past, there can be quite a backlog to go through to get comfortable that you've, you're not already signed up for a whole bunch of stuff that you may not be doing.
Justin:Do you actually go through the backlog?
Rick:You, well, you take a risk based approach. Yeah. You figure out like, okay, which of these vendors are we using very heavily or which ones of these things could be very scary for various reasons? Let's start
Justin:there. You're doing that currently with the vendors in
Rick:your current capacity. You know, if you have the data, you also say, okay, which of these contracts are just naturally going to renewed in a year? Okay, I'll wait until their renewal date to do the review, but let's just make sure we flag them so that we go through them as they come due. Like, it's all that kind of stuff.
Justin:Yeah. Yeah. I don't typically, unless it's relevant to pull the contracts on previous engagement. Again, contracts are when things go wrong, not when things are right, typically, you know, type of thing.
Rick:So Yeah. But there is but there is a risk there.
Justin:But I'll try to inject myself into the process and make sure forward, you know, data that things aren't getting worse.
Rick:But there is like a the risk based approach there sometimes is, well, you're right. There if things go wrong, and if the thing goes wrong, but you have, confirmed or you you've certified to, you know, another party, then it won't go wrong for these reasons that were not occurring.
Justin:Mhmm.
Rick:Well, now you're liable for a whole bunch of things that you probably don't want to be liable for, even though you didn't know. So it's like this pocket of secret risks that you need to start to uncover.
Joe:Yeah. So make sure that the questionnaires you're getting and you're answering them are lined up with expectations in the contract you have. That's a great takeaway.
Rick:Yeah, actually I really like that because yeah, if you're redlining the contracts and I don't know that I've seen a program to date that has sort of a clear linkage between those two things. Probably should be.
Joe:Yeah. Well, now I'll have to look for it.
Rick:I like that. Yeah.
Joe:That's good. Awesome. Is that
Rick:a wrap?
Joe:Good episode.
Justin:It's a wrap. Yeah. So thank you everyone for joining us for episode 6. Don't forget to like, comment, and subscribe up to it and share. Tell all your friends with this, and we'll see you next month.
Justin:Cheers, everyone. Cheers.
Rick:Bye.