Insider tips from a cybersecurity CEO | Cyber Work Podcast

November 5, 2019


(upbeat music) – Welcome to this week’s episode of The Cyber Work with Infosec podcast. Each week I sit down with a different industry thought leader, and we discuss the latest
cybersecurity trends, how those trends are affecting the work of infosec professionals, while offering tips for
those trying to break in or move up the ladder in
the cybersecurity industry. Scott Madsen is the
CEO at Cingo Solutions, a provider of cybersecurity, MDR, and IT consulting based in the
southwestern United States. Now Scott has been a guest
on the infosec webinar concerning cybersecurity skills gap, which is a regular topic on this podcast, so we’re gonna talk a little
bit about the skills gap today as well as some of the interesting things going on over at Cingo. Scott, welcome to the show. – Thank you, thanks for having me. – So first of all, tell me
a bit about your background. When did you first get involved
in computers and security? Were these always interesting to you, or did you sort of come
to it later in life? – Always had an interest in it, I came to it, I ended up coming into it a little bit later in life. My partners and I all come from
kind of varying backgrounds. One of them’s from tech,
one of them’s from finance, I’m from more of an inventory
management logistical consulting background. But really when we kinda came together, our love of process, our love of trying to figure out how to make things more efficient, it kind of caused us to
end up launching Cingo. Since then, we started with just doing full fledged web development
and then managed IT, and we ended up kind of
working with a lot of companies that need or require
regulatory compliance. So it’s kind of been a very
interesting thing for us. We, with our backgrounds, we
kinda get that quite a bit, I had worked with the FDA quite a bit, and with, you know, individual Oregon, not Oregon sorry, individual organic qualifiers
in the food industry. I’ve done some other work
with banking, and so, we ended up taking on clients that had a really heavy compliance base, and we were looking for
cybersecurity professionals and companies that we could refer them to, or help kinda broaden
out our base of offering, and just never found anybody
that would be a good fit, that could deal with their compliance. ‘Cause like, we ended up
having to speak directly with state regulators and never
really found a good fit. So we ended up just doing it ourselves. And so most of our base for our clients all deal with industries that relate to some element of compliance. So we work with their internal compliance, we work with, again,
state, federal, and yeah. So that’s kinda where our
specialty ended up residing. – Okay, so you’re primarily
involved in compliance, sounds like that’s your primary? – Yep, well, primary
cybersecurity, but again, most compliance has a really specific requirement for cyber. – Sure. – Security companies really
understand how to deal with. But we’ve worked with
those guys for years, so it’s something that
kind of has helped us find our niche in the market. – Are there any particular, sort of, aspects of cybersecurity and compliance that you, you know, sort of got so good at that you’re sort of the brand leader? What are some of the more unusual sort of cybersecurity requests that people have needed to deal with
in order to do compliance? – Yeah, well a lot of it, what we’ll do is we’ll end up getting engaged by companies
for who are in an audit, or have been, you know,
have had a bad audit, and need to do some work on
their internal processes. And then they get referred to us just through our current customer base. And then we go in and basically just evaluate where they are. A big part of what we do, I would say that probably our specialty is financial institutions. We also work with the FDA
for both pharmaceutical and, you know, health care providers. I think that you guys have
done quite a bit of work and done great work on
notifying the public about CCPA. I think once regulation ends
up getting put into law, it’s very hard to back that off. And (mumbles) following
and trending that way. So, you’re talking about, instead of the people that we deal with being legal firms and accounting firms and these financial
institutions, things like that, you’re talking about people
who own bowling alleys, people who own diners, people who’ve never had to
deal with anything like this that are gonna all of a sudden be randomly audited and be
fined for noncompliance. So, really, I think right now, especially as a cybersecurity provider, the gauntlet’s kind of
been thrown down for us to say how are we going
to help our clients navigate the new framework that we’re entering into, and how can we better
train our staff, you know, as a cybersecurity focus, how can we better train our staff to have kind of a dual purpose of compliance and cybersecurity. – Is that sort of a niche that
you’ve found for yourself, working with, sort of, mom and pop businesses or the
small organizations like that, or is that just sort of part of it? – It’s just part of it. I mean, you know, for us, and it’s been a good thing. You usually kind of have to
swim upstream a little bit when you’re starting a business. But for us, it’s kind of an area where we all have personal proficiency, so coming together and ending up with the client base that we have, it’s something that’s been very natural. And since, really most of the, CCPA, it’s California Consumer Privacy Act, they, most of it’s dealing with how you’re dealing with data. That’s something we’re doing anyway. And are you protecting people’s data which, again, is something
we’re doing anyway. And so, kind of helping to create solutions that are
gonna be a lot more effective and cost effective for smaller businesses has been something we’ve really enjoyed over the past couple years. Putting those programs together has been, has been really effective for us, so. – Cool. So, yeah, going back to
something you said before. You mentioned that you and your colleagues come from kind of divergent backgrounds. You’re not strictly tech and cyber people. And I think this is something we, we come to on our program a lot, because a lot of our
listeners are people who might not be involved
with cybersecurity at all but might want to get
into it and feel, well, I can’t necessarily because I’ve been in finance for 20 years, or I’ve been doing
government work, or whatever. So, can you talk a little bit about that? What makes the, sort of,
diversity of backgrounds so important? – Well, I think, you know, we’re at a really interesting moment here with the skills gap with trying to entice people into doing what we want to do, or what we’re doing for a
living and need them for. And I think that IT is a
fantastic field to get into. It’s about as deep and
as broad as you can get as far as skillsets within the industry, as far as requirements for
education and adaptation for an individual basis and
also for a company basis. And I think that anyone
wanting to make the switch, I think it’s a great thing. I don’t think that there’s gonna be, that you’re going to regret
going the route that you did. We have, actually, I would say that if you lined up all of our employees, the most common background is in finance. Almost, we have probably
30 or 40% of our staff used to work as financial
advisors or brokers, used to work for banks as lenders. And they kind of started to
see a little bit of the threat that was kind of coming
up in their day-to-day and the way the banks
were starting to kind of, they’re kind of slow-moving, but the way they start
to surround themselves, say okay, we need to start
having a cybersecurity focus. They saw it as a way to
separate themselves out from every other FA or, you know, everybody else in their industry and to pick up a unique
skill set and move into it. So I think, and a lot of those are some of our more effective ones that come over later in life. They feel real passion, real
drive about what they’re doing. And I think that if we’re
talking about making a switch and how to close the skills gap, it’s 100% about passion and interest. Another thing, and I don’t mean to just go on if you want to move to the questions. – Oh, no, no, no. – I tend to speak, to talk a lot, so. – Sure, that’s fine. I only have so many questions, so feel free to answer them all in detail. – There you go. But I think that something
that’s kind of unique in our industry right now is we’re seeing a lot of people
being able to move into it, and the draw is that people
are saying, you know, move into tech, you’ll
make 100 grand a year, you’ll make six figures,
it’ll be really easy. And the reality is, no you won’t. It’s not, tech is just
like any other skill. And I think that people
underestimate that. And I think, we talk about a skills gap, that’s why we’re not talking
about a potential worker gap. We’re talking about just the skill that it takes to do what we do. And I think that we underestimate that. As an industry, we’ve underestimated it and we’ve rewarded bad behavior in hiring people that are
not capable of doing the job at a high rate just because we need somebody in a seat. And I think it’s done
quite a bit of damage to people’s expectations
about what they can do and what they think they’re worth. And I think we’ve kind of
gone away from the model of, you know, apprentice, journeyman, master where people should come in and really be absorbing data. They should be absorbing how to learn, about how to do these processes. And as they adapt to in,
then they can actually become more valuable to the company because they can act on those adaptations. And then as they become, as they get 10, 15 years in, they’re basically masters. They can dictate how things go, they can recognize threats and trends coming down through the market. You know, a lot of our
analysts have come up through, and they’ve ended up just from
years and years of experience watching how the market moves and the way these threats develop. They can usually forecast with
a fair amount of certainty what we’re gonna be dealing with. But I think that, in order
to close that skills gap, you know, China doesn’t have
a skills gap in this area. And I think it’s because
they take the low paying jobs and learn it and come through it, and then, you know, end up building a career long-term in it. But again, I think in the U.S., I think we’ve taken a short-term approach to just getting people into the system, paying them a large sum of money, and not really doing our job to make sure they have the competence that they should. – Okay, so, you know, I think one of the problems, you said it specifically, is that a lot of places will say, well, just put someone in there, we don’t have time to
find the right person. So where does the time come from, exactly? What do we do in the meantime? Like, what you’re saying is there needs to be a
large sort of farm team of entry-level
cybersecurity jobs out there that people can learn through. And it sounds like that
fundamentally requires sort of restructuring large
swaths of the workforce. So what do we do about that? – Well, I think that the
interesting thing is, it’s not really the workforce’s problem. It’s our problem with
cybersecurity companies figuring out how to help
those people become the best that we can, that we can have. So for companies, some of that that we’ve
done here at Cingo, we’ve tried really hard to
take people where they are. So when we interview, we bring people in, you can teach anybody any skill out there but you can’t teach them a work ethic. They’ve gotta come in with that. And if you really wanna learn, then great. We have jobs, we won’t let them touch the high-voltage stuff, but they can certainly move around and learning those skills and, you know, we can pay them a
reasonable sum for doing so. But it really comes
down to their commitment to making that change in their career and getting on the right
path and staying on it. And so I think that the
burden 100% is not on the people who want to come over, except for that they need to have passion, they need to have that drive. It’s 100% on us. If we, if Cingo hopes to
have a long-term workforce that we can draw from and
that we can pull from, we have to have the
internal development here to be able to take people
from whatever skillset, wherever they are in their learning curve, and develop them through
to where we have, you know, if they wanna go all the way to the top, and they want to really be in management or they want to be taking
on a lot of responsibility, then heck yeah. We pay a very, very
competitive and fair wage, and we would love to do that. But again, it comes down to
where their latent ability is and what their drive is
kind of bringing to it. – Okay, so along with work ethic which obviously is crucial, and you mentioned 30-40% of your workforce is formerly in finance. What are some of the other
soft skills or skillsets that people in finance
or other industries have that you think are crucial
to a cybersecurity career apart from, you know,
coding and networking? – Sure, well, I think any industry, and I think it’s, you know, when you pull people from
professional services, there’s already a cause and effect that’s very natural. It’s kind of encoded into
them when they come over because they’re touching, whether they’re coming
from legal or accounting or from finance, which are usually the
three best to hire from, they’re used to working
in a framework where, if you do the wrong
thing, there’s not just, oh, man, I messed that up, but there could be jail time. They have a very rigid sense of rules. And I think, especially
moving into cybersecurity, it is extremely rigid, and the small things are
the ones that matter. You know, most of the breaches that our clients end up experiencing aren’t from a lack of
the high-end coverage, it’s from a small mistake
that an employee makes. And so, you know, you really have to find
people who have that sense of, these are the rigid areas
that we have to observe in order to have success here. And if you can get them
in and get them trained, then most people, it’s not rocket science. It’s just not. We have good enough high-end tools to make sure that the, like I say, the high voltage stuff is usually covered. We need people who are willing to learn how to train the employees of our clients. We need to have people
who have those soft skills to interact and to be patient with people who aren’t technical professionals. Like I said, there are
so many areas of this job that you can bring people
in and move them through up until they’re, like I say, if they’re doing an analyst job or if they’re, you know,
cybersecurity team lead or something like that. There are so many jobs in between that companies like us just
have to do a much better job of finding and being willing to train, and employees have to be willing
to stick with the company even if they’re getting better
offers from somebody else. – Okay, so there needs
to be a sort of loyalty with the understanding that, you know, the company is going to sort of be your, be your, you said your
journeymen or your tradesmen that you’re learning from. – Right, exactly. I think, if companies
have that well developed, and a lot of companies don’t, so I understand when people kind of flip, especially in our industry, from one company to the next. A lot of companies haven’t
done an effective job of creating internal growth mechanisms to help recognize good
talent, recognize people who are wanting to adapt and progress. But, I think that if you are
in a company that’s like that you should stick it through. You should be there
through until you feel like you’ve gained the knowledge base, that you’ve learned as much and you become proficient
as well as you can with the people around you. And then if you want to move, then great, now you’re a high-value
acquisition for somebody. I think that, again, in our industry, the difficult thing is people come into it
expecting a vast improvement over their previous life which takes a little bit of time. You can get there, but
you’ve gotta take the time. I think that’s the number
one area where our skills gap is kind of broadening now is because people are making that jump, they’re learning basic skills, they’re trying to leverage those skills into better, high-paying jobs, they’re not lasting in the job very long, and then they end up moving
from job to job to job, and it’s just never a long-term situation. I have a, a bunch of my friends
are mechanical engineers. I was speaking with one
of them a while ago about turnover in IT just because it’s something we’re all dealing with. I mean, the labor market
is crazy right now. And he was talking about,
as a mechanical engineer, if you’re not with a company for 10 years, it shows that you’re too, like, flippant. – Yeah, right, okay. – And that’s crazy to me. Imagine, like, you’ve gotta
be with somebody for 10 years before you have credibility
with other employers? There’s something smart behind that. – Yeah, no. I used to work in publishing, and I worked with people who, you know, had been there for 30 years, and that was pretty common. And then you go into the tech sector and you get introduced to the guy who’s been here for three years, and they’re like, he’s our vet. – Yeah, that’s exactly it. It’s incredible. And what we lose as newer people come into the industry, we lose the knowledge base
that that 30-year veteran could give you. – Oh, yeah. – And companies like us, we would pay quite a bit
to have a 30-year veteran. And I think most companies would. But again, people have to, and I think, again, the burden isn’t necessarily
on the people in the industry. It’s on the job providers. We have to give people a reason to stay and for them to understand that mechanism, and if we get a 30-year veteran in here, to understand that you get to teach the next generation of
cyber professionals. You get to, you know, be more involved in the day-to-day ops of business, the trajectory of where we’re going and how we’re identifying
new products and all that, then I think, I think we’ll have a better, we’ll be doing a lot more service to people. And the skills gap, close that to keep
people in the positions, to keep them in the jobs
as they’re expanding, and to have a perceived benefit for more long-term commitment. – Well, and you say,
you know, specifically, that you would welcome a
30-year veteran, you know, and pay them a commensurate salary, but I think one of the problems is that a lot of places
don’t see it that way. I think a lot of them
are looking at, you know, their budget line and saying, why get this 30-year veteran
when I can get, you know, three people who’ve been
around for less than five years for the same price? – Totally. – So how do we change
that, sort of, perception across the field? – Well, I think there’s always
going to be the, kind of, the lower end providers. Managed IT companies are usually, you get kind of the bottom end where they’re just charging, you know, 20 bucks a desk to make
sure your printer’s working. Usually when you send in a ticket, they’re 45 days out. I mean, you’re always gonna have that really low-line provider all the way up to the
really expensive provider. We’re probably one of the
more expensive providers. But it’s because you get a
response within 48 hours, you have five people who
are assigned to your account that have been veterans here. You’re not gonna have turnover. You get to know these people, they get to know your company, the way that your data flows. They do, you know, yearly
follow ups with you to make sure everything’s
going the right way. We keep you with the best providers if we aren’t currently doing
or providing the software. So I think you’re gonna
have, no matter what, you’re gonna have lower-end
guys and higher-end guys however your market is. But I think that if you’re
a higher-end provider, then by nature we have to, we have to invest in the
people who have long-term goals because we need that vision. We need that vision, number
one to be in the company, but to kind of transmit down
through the ranks to say we are forward-looking people, and if you want to better yourself or better your position and your skillset, then be forward-looking
with us, ’cause we need you. And I think, if you don’t have and you’re not willing as a company to invest in high skill, then you can’t charge a high rate and you’re gonna be obsolete eventually, ’cause the lifecycle of tech is insane. I mean, three to five years, you’ve either completely
remodeled or redesigned your business plan and
become twice as effective or you’re out of business. – Yeah. So, one of the things that
we talk about on here, especially when we’re talking to people about the skills gap, is this sort of job posting gap. Which is to say, a lot
of HR people will put, they’re basically sort of
trolling for unicorn candidates. They want someone that has, you
know, 10 years of experience and certification’s only five years old, they want people with a master’s degree when they’re only gonna
be doing code analysis and things like that. And you’re breaking it
down even further to say, not just we want the right
skills for the right job, but we don’t even care
if you necessarily have the technical skills as much
as you have the soft skills and sort of the work
ethic in the background. So, like walk me through what your sort of ideal
job posting would be looking for this type of candidate? What would you put on there in terms of the skills, background? How do you sort of convey that, even if you don’t have all
of the things in the list, we still want to hear from you? – It depends on the job
that we’re posting for. Usually when we have, you know, really kind of entry-level jobs, we have a lot more of them because you work them
kind of like apprentices. They spend a lot of hours, they do a lot of broad things to try to pick up on as
many skills as they can. But we’re looking for
someone who’s gonna be running and leading, basically those style of apprentices, then we obviously need
a little bit more experience for something like that. But we need less of them because we can kind of distribute
a lot of the, you know, the basic work, like my printer’s down, or this or that, those are skills you can
teach rather quickly. It’s when you get up into
the heavy cybersecurity side that you really have to look for specifically skilled people. I think one of the big
mistakes that we make as an industry, though, is we look for college graduates. I think that it’s something
that’s nice to have, certainly nice to have, but again, I think that if you took a random sampling of all the best hackers in the world, I wonder if any of them
are college graduates. You totally negate the latent
ability and talent of somebody if you say, if you can sit
in a classroom for four years versus you’ve been eat,
breathing, and sleeping this since you were seven or eight. You know, some of our best employees have been younger guys
that have been 18-25, and they just, they didn’t go to college, but they do this 24/7. They never stop doing it. A lot of the guys who actually pursue, and they will pursue like
ethical hacking certificate, a lot of them are just people who have that natural latent ability to really just pound through code and to, you know, be able to forecast a
lot of what’s happening with the market as far
as cybersecurity goes. And to identify trends early. A lot of them are just the guys who, if you find a gamer, if you find somebody who loves something, they do it all day, every day. And those are the people
that we really look for. And those are the people you know that you can advance really quickly. I think that if there are people who are just looking for a job, we need those too. We need those too. If you just do it because it’s a way to pay the bills, I get that, but there’s always
that, that glass ceiling because you’re not excelling
as much as you would if you felt passionate. Number one, people getting into tech in a robotic, kind of disjointed way where they’re not incredibly interested but it’s something that they
can make a good living at, I would say don’t do it. I would rather not have
you even enter the industry than to come in and cause more
headache and more problems. Hiring someone who you believe
is capable and competent, then watching them burn out quickly, and having to go through
the process all over again. I don’t think they’ll be happy, and it certainly doesn’t make us happy. – Okay, so how do you square that with, you were saying on one hand, you want these people who’ve been eating and breathing and
living this their entire life, but on the other hand
you have these people who’ve transferred in
from other industries who are a little older. So how do you, are you
specifically looking for those or is that just a byproduct? How do you sort of let
other types of candidates with other types of skills know that, even though they haven’t been eating, breathing, sleeping
this since they were seven, that they might also have
a position in your company? – Well, so we have one
employee who came over, she was in banking, and just kind of was going with the flow, going through the motions of banking. She ended up coming over
and getting into tech. And the fire that it lit
in her was impressive. I mean, she’s done a lot
of really good work for us and really rose through the ranks. Not because she figured
that out at a young age, but because when she came over she realized that it’s a passion. And when you’re passionate
about something, you develop as a person at
a totally different rate than, say, the next person. And so, I think that it
doesn’t really matter what your history is
or where you come from. What matters is you’re teachable and you’re willing to
actually do the groundwork. You’re not expecting to get
rich right out of the gate. I think that it is an industry that is going to continue to grow. I don’t think, if there’s
any sign of it slowing down, I think that the more
regulation that comes in, the more companies actually need companies like Cingo or other
companies to do cybersecurity. So, I think there’s plenty
of growth for everybody and I think there’s plenty
of money to be made, but I think everybody
needs to just slow down. Get your ground game right. Make sure that you have the skills that you’re claiming to have when you go in for these interviews. Make sure that when you’re
going into a company you are an asset to them
instead of, you know, or you’ve been honest about, I need to learn these things. That’s really what helps
us as employers know how to identify and how to
help people where they are is if they come in saying, hey, I’ve been doing this for a long time, I’m really good at it, they’ve worked at 17 or
18 different companies that have given them great
positions for six months each, you know, usually that’s a warning sign that people have been a
little shallow, maybe, with their own self, the way that they’ve
viewed their (mumbles). But I think being straight
up honest and saying, here’s where I’m at,
here’s where I’d like to be in five years or three years,
can you help me get there, and what are you willing to
pay me while I’m getting there? And I think, at that point, that’s a very hire-able person if they come in and have that language because I already know what they’re gonna be expecting of me, they know what I’m expecting of them, and I can build a success
path for that person to get them to where I need
them to be in five years and where they want to be. – So one of the questions
I had was talking about where you look for candidates. Now, I’m assuming you
aren’t just, you know, throwing your listings on Indeed and waiting for them to come to you. Are you actually seeking out
good candidates, and if so, what unconventional places
might you be looking? Where are some places
people should be looking apart from just saying, well, we only got one candidate,
I don’t know what happened. – Yeah, well, we go to a lot of shows. We’re kinda lucky. We’re based in southern
Utah outside Las Vegas. We have two really good hiring pools. Salt Lake has actually turned
into a pretty large tech hub. There are a lot of people up there. Adobe moved there, you’ve got
the Microsoft office there, you’ve got (mumbles) up there. You have a lot of really
well-paying, well-established tech companies up there, and they’ve been working with
a lot of our local colleges to get people into programs
to help them identify, you know, what they want to do and to help them become,
you know, skilled at that. And then also, just the
people around the edges who just do a really
great job of (mumbles). You know, we’re lucky because
there’s a really broad base for hiring where we are. I think that, well, then we have the conventions. We go and try to be active
in going to small meets or meet and greets, things that are from our local community. But also, you know, we used LinkedIn, we use referral basis. A lot of our good workers that come in, they’ve usually worked with other people. Even if they aren’t in tech, we try to kind of draw from that. But really, we just try to have
a really solid ground game. We try to be really open
at the very beginning about what expectations are and how you can grow here if
you commit to the process. And then from there, luckily, we’ve not really run into too many issues where we’ve had a difficult
time finding talent. – Okay, so, jumping to the sort of organizational side of things. And, you know. I don’t know necessarily if
you hire everyone personally, but, like, what kind of questions should you be asking candidates or existing employees to prove
their knowledge, you know, rather than just looking at their degrees or their certifications or whatever. Like, what kind of, what clues do you see in a candidate? – Well, so we have a multi, kind of a multi-varied approach. What we do is we try to have as many interviews in the process as possible. One will be a technical proficiency, one will be soft skills, one will be, if they make it through the technical proficiency then what we try to do is put together kind of a, we draw from different
parts of the company, from problems that we’ve experienced and how we’ve had to solve them. There are usually some
that are pretty difficult that have taken us a moment
to really get on top of. Other ones are pretty common. And what we try to do is see
how they adapt in the moment. It’s one thing to be able to be at home or be at your desk here
and to run into something and try to figure out, you have time, you have people to help you figure out the best way to do it. But again, watching the way
that they solve those problems, what their body language is
when they’re under pressure, ’cause we work in an
industry where sometimes there’s zero pressure and sometimes the whole place is burning down. We’ve got to get on top of a leak, we’ve got to get on top of
something really quickly. So watching how they
work in that environment has been really important to us. But we try to, we try to stage it out. I forget what the CEO of Yahoo!, a really bright woman that I’ve looked to quite a bit through my career, she said “Hire slowly, fire quickly.” And that’s a big goal for us is that we want to maintain
a culture of curiosity. We want to make sure that
we’re rewarding people who are constantly just driving
their own knowledge base and their own interest
in what they’re doing. We want to get rid of people
or cycle through people who are not interested in having
it as a long-term solution or a long-term investment for them. So for us, we try really
hard to go through, you know, a multi-staged approach to make sure that we know what the general
interest of this person is, where their proficiency is, where we can really fit
them into the company and with what team they would gel the most as far as their soft skills, their interpersonal interests are. So we try to be really broad about that, getting to know the candidates
before we bring them in. It’s obviously difficult
because with growth you have to get them
in as fast as you can, and so we just, we do the best we can, but, you know, every
company has (mumbles). We try to mitigate that as much as we can with the hiring process,
but it’s inevitable. – So, sort of tying off this
section of the interview. If you have the proverbial magic wand to solve the skills gap tomorrow, what actions would you take? What is the combination
of fast track measures and long-term solutions that
you think would solve this? – Well, I think, you know, number one would just end cyber crime, obviously. That would be a great thing. – Put us all out of business. – But I think that the
biggest thing, again, is just becoming adaptable. One thing that I think
people forget about. On the other side of this, there are individuals
and individual interests. It’s not this, you know, large
automaton that has, you know, miscellaneous interests. They want to make money, they want to do it by stealing your data, they want to do it by
stealing your identity. And so sometimes we get to this point where we feel it’s so advanced and so beyond the realm
of individual thought we forget that it’s
individuals on the other side. Brilliant individuals, but
still individuals nonetheless that are trying to figure out
ways to get that data out. And so, I think that the
way that we solve that is by, again, putting money as companies, investing in individuals
who are so driven by this that it makes it worth their while to come work on the straight side, not on the, kind of, the dark
side of this whole problem. And I think that, as we do that, it’s never gonna go away. Organized crime has been around as long as people have been around. But I think that understanding it and getting ahead of it the
way that we are starting to, you look at the 1990s and early 2000s the way we dealt with cybersecurity, last year cybersecurity
became a bigger moneymaker for organized crime than drug trafficking. Crazy. And I think understanding
that and saying, okay, we as people need to be more prepared. And so, better training, better investment in internal practices to make sure that we’re developing new software, that we’re adapting as
companies into the next model. You know, one of the
questions that you’d written on the thing you sent me was “What’s the future for MDR?” – Yeah. – I’d say the future for
managed detection response is obsolescence. It’s going away. – Yeah, okay. – For eight years, but we
can’t be behind it anymore. We can’t be behind the curve. We have to be anticipating and trying, basing statistical models
on what’s happening and trying to figure out how
to forecast what’s coming. And, you know, for Cingo, we’ve been working for
the last couple years to graduate to a managed SIM. And at the beginning of the year, we’ll be launching our SIM software for all our current clients and then going out and marketing
it to additional clients. But really, we have to
become more adaptive. We have to use, you know, AI. We have to try to get ahead of, if they’re using big data, then we need to use it, too. We need to be creating statistical models to get ahead of the threat. And we can start to see and
forecast a little better about the way that
they’re dealing with that. – How does that work? How would we, as you say, use big data to get ahead of the threat? What does that look like? – Well, when we’re looking at
the way that people come in and try to infiltrate,
there is a recorded method. And when we start to look at that, and if we can, the whole
way we’ve discovered phishing and spear phishing
and things like that. You have these different data sets that start to provide a
commonality between them. And I think that as companies,
especially cyber companies, start to look at this specifically, and we’ve done this internally, you start to look at the
ways that your clients are attempted to be breached every day. And you start to create
a statistical model based on the way that they’re
trying to make that entry. And then you can start to see trends. You’re still gonna have the low-end guys that are constantly just
pinging people’s IPs endlessly, and then you’re gonna
have the higher-end guys that are not just using spear phishing, they’re getting into your social media, learning your habits, learning your secretary’s name or birthday or everything else that
they’re starting to use instead of hacking. They’re social hacking
instead of cyber hacking. They’re getting information that way. I think, again, if we
can be smart about it, then we can end up basing a
lot of the decisions we make off of statistical models
instead of just our gut feeling or whatever, you know, is driving us. That I think we’re gonna
be able to get ahead of it a lot faster. And I think we are getting
smarter as an industry about how to do that,
about how to read the data, about how to get ahead of it. – Okay, so as we wrap up today, what are some cybersecurity issues that you would like to
see people more aware of and proactive about? And conversely, are there
any sort of cybersecurity, you know, scares out there
that people are spending entirely too much time worrying about? – Um, I think that, I mean, no, I don’t think that
anybody’s spending too much time worrying about it. I think that there are things
that are far less probable. But I would say that
probably the greatest threat is the soft stuff, the small stuff. You know, are you getting
public WiFi on your phone still at the coffee shop? Are you plugging your phone
into your computer at work to recharge it? I mean, it’s these tiny things, that I would say probably
70-80% of all hacks happen from these like minor things that people just forget. It’s just housekeeping stuff, really. And so, I would say, if there was anything
that I was gonna leave your listeners with, it’s just be smart about the small stuff. Have etiquette as far as
how you handle your data. You know, don’t email things
you know you shouldn’t email. Most people, and that’s the crazy thing, most people understand what’s wrong, it’s just they get a little
lazy around the edges. – Yeah. – Moments that you get trapped. I mean, you could live an
extraordinarily clean way as far as your interaction
with the cyber world goes, but you make one small mistake one day, and that may be the day that gets you. So, I would say that, I mean, the big things are always gonna be there, but the small things are
the things that they just, they’ll get in a lot faster,
so be careful with them. – Sweat the small stuff. So, if people want to know
more about you, Scott Madsen, or Cingo Solutions,
where can they go online? – Our website is cingo.solutions. All of our products and our
history are up on that site. Our Twitter is @cingosolutions. If you want to know more about me or any of the people that work here, just go ahead on LinkedIn. Most of our staff’s on that, so, good way to get a hold of us. Or you can just call in
through the front line. It’s 1-888, or sorry, 1-833-CINGOIT. – Okay, Scott Madsen, thanks for your time and insights today. – Thanks a lot Chris, thanks. – And thank you all for
listening and watching. If you enjoyed today’s video,
you can find many more of them on our YouTube page. Just go to YouTube and type
in Cyber Work with Infosec. Check out our collection
of tutorials, interviews, and past webinars. If you’d rather have us in
your ears during your workday, all of our videos are also
available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice. And to see current promotional offers available to listeners of this podcast, go to infosecinstitute.com/podcast or click the link in the description. Thanks once again to Scott Madsen, and thank you all again
for watching and listening. We’ll talk to you next week. (funky music)
