
In this episode of Cybersecurity Today, Jim hosts Craig Taylor, a seasoned virtual Chief Information Security Officer (vCISO) with over 25 years of experience. They discuss the evolution and significance of the vCISO role, Taylor's career path, and...
A
Welcome to Cybersecurity Today on the weekend. An interesting topic for today. My guest is Craig Taylor. He's a virtual CISO. We sometimes refer to them as fractional CISOs or vCISOs, but I think vCISO is better than fCISO, so we'll stick with vCISO for this interview. You've been doing this for 25 years and I've been fascinated by this topic. I've hung around with a group of people who are virtual CISOs for quite some time and found them to be fascinating. But I don't think we talk about the role enough and I don't think that it gets a lot of attention. So I'm just glad to have you. Welcome, Craig.
B
Thank you, Jim. It's great to be here. And as you said, I've been doing this for, gosh, 25 plus years now, and a lot of interesting days in the trenches and stories.
A
So tell me about this. Why did you become a... I understand it today, it's sort of a well-known thing. But 25 years ago that had to be something you looked at and went, that was a little on the unusual side. Why a virtual CISO?
B
In the beginning I was employed full time by one of these large multinational outsourcing companies. Think of it as an international MSP of a sort. It was Computer Sciences Corporation, and at the time they had some really interesting idea to assign a cybersecurity lead to multiple accounts. And what did they call us back then? We were lead information risk managers. This is before this virtual or fractional CISO came out. And so I went to work for a couple of accounts within Computer Sciences Corporation. DuPont was one, and then a managed service provider, managed hosting services. CSC decided we're going to build data centers in Sydney, Australia, Copenhagen, Newark, Delaware, and we're going to put companies that are just starting to get online into those data centers because they have a lot of security concerns. And then we're going to assign Craig as the overseer of the security of the web hosting arena. So in that sense I was supporting multiple companies that were hosting their data and their websites in our data centers in the United States and abroad.
A
And then after that you sort of went off on your own, which is where you are today.
B
I went to work for Vistaprint, JPMorgan Chase, kind of in a full time role as a... It wasn't their CISO, it was a security lead in their programs, and realized probably around 2014 that I could do this on my own. And part of the founding of my company Cyberhoot was to build a platform, a SaaS platform that could teach cybersecurity skills and then augment it with virtual CISO services as well. So that really took off over the last 10 years. I founded a peer group where I have about 20 different CISOs, virtual CISOs, fractional CISOs from different companies. Not all Cyberhoot. We all get together once a month, we talk about what's working, we bring in guest speakers to talk about what's happening in AI these days, how are we going to protect and prepare our companies for AI, and all sorts of good topics. And it's really done well in that sense of camaraderie. Kind of like the Rotary Foundation, you know, Rotary is a very similar professional organization, a community service organization that makes the world better. Our peer group is just trying to share best practices and teach each other what's working, what's not. But all under the vein of virtual, fractional CISO.
A
So what was it like jumping out on your own in 2014? What was scary? The market line?
B
Yeah, yeah, it was scary. At first it was kind of forced upon me. I had an unceremonious departure from one of those two companies where they said, we have what we need here. Thank you, Craig, goodbye. And I had worked 20 plus years for Fortune 500 companies and had to do some soul searching. And at that time I said, let's branch out and do something for myself, like build our own company. So I got together with some former colleagues at Computer Sciences Corporation. Chuck Taylor, no relation to me, he and I got together and we decided to found this SaaS platform company, and lo and behold, you know, we didn't have a product to sell, so we needed some money and revenue coming in, and that's where vCISO played in. We were able to cultivate half a dozen vCISO clients to help both fund and inform the development of our SaaS platform. So it was quite a nice marriage of the two, because we were dealing with security incidents at those six companies and that would feed into what we train companies about, because it's real time feedback here. These things are happening. We need to train users not to click and to have better password hygiene and why multifactor is one of your best friends, that sort of thing. So it all played together, and ultimately what you realize when you look at the SMBs and mid-market companies, a hundred million or less, is that budgets are getting tighter and they can't afford a full time person. And if they could afford a full time person, they can't find them. There just aren't enough cybersecurity professionals in the world. You ask yourself, this mid-market firm, do we hire a full time lawyer? No. We only hire lawyers when we need them. Do we hire a physician? No. Do we hire an electrician, plumber? No. So why are we so focused on hiring a full time security person? It doesn't make sense. We don't need them all the time. Thus the birth of the virtual, fractional CISO.
A
Yeah, I think it's also the question of every company needing to have security services, where at one point they might have had a little bit of help from their MSP or something like that, but really didn't do much. I think the idea that smaller companies, and 100 million is not a tiny company, these companies are under attack now. At one point I think some companies thought, well, we're too small, who's going to bother with us? And the reality is now cybersecurity attacks are a business, it's a franchise.
B
Everybody understands it. Support organizations are carving up their services: they will breach companies and sell those breaches to the ransomware firms. The ransomware firms will deploy ransomware, but say, we are not going to support it, we have that outsourced to a support organization that supports ransomware. So if you need to get your data back after paying the ransom, this organization will help you do that.
A
How do you explain your services to these companies?
B
Well, first of all, you've got to understand cybersecurity. Cyber literacy and protecting businesses is not always rocket science. It's a lot of common sense that people might not otherwise have ever been taught. If you look at phishing, identifying and avoiding phishing attacks, or password hygiene, or the importance of multifactor, these are not complicated things. But cybersecurity is the one field of study in the world where so many people, the majority of people, don't know what they don't know. So it's a little bit of an educational perspective to share with people. Hey, did you know that I can look up your redacted passwords on the dark web? Like, the tip of the iceberg shows me half a dozen passwords for you, or for any person that's been around for, say, 10 years online. And that in the hacker forums below the waterline, there's probably a hundred times as many passwords for you? And if you're not using a password manager, I know you're using the same password everywhere you go, or some root plus prefix, suffix, etc. People are like, oh my God, I thought that was only in the movies. No, it's real life. This is how it happens. That's why MFA is so important. And by the way, 80 to 90% of breaches are tied to human mistakes relating to phishing, password hygiene, unpatched systems. So we've got to help you understand the scope of threats you face. And you don't need me all the time to do that. In fact, you could hire me for five to ten hours a month, and we'll get you up and running with a robust program in place, meet your cyber insurance requirements, help you deal with third party risk management, give your clients assurance that you're doing the right things to protect their data and your relationship. And that goes a long way. It becomes a saleable point rather than a liability.
A
So what are the other advantages? Obviously for a company hiring someone, the cost is less than a full time employee. What are the other advantages that they get from hiring a vCISO?
B
I'll speak about my company now because it comes with some unique advantages. If you hire a vCISO and they're a person of one, right? What happens when they're sick or on vacation or unreachable for any reason? At our company, with this peer group, we've been able to identify and collect six to nine people who are really talented. One guy that is on our crew was the former CISO at Medtronic with 20 people and a $10 million budget. But he's retired. He's like, I'm bored. I want to help companies with my free time. I'll work 10 hours a week with you. And so we get to attract these amazing talents, but they're not by themselves. So there's a primary and a secondary and a tertiary person who backs up anyone on our vCISO account. So if you hire someone or a firm, make sure they have some depth in the bench. That has two distinct advantages. You always have someone available when you need them. Because when do events happen? We call them events or incidents. They have it on Thursday night, Friday night and on long weekends. And you need your vCISO at that moment because they have to do incident response. That's number one. But number two is I don't have all the answers. I've been doing this for 30 years. I know I have a lot of answers. But there's new things happening, like how does AI play out in our business? What are the threats of AI? I need to bounce those ideas off other people. And we need to work together with, like, tried and true security practices, but then applied to AI. And how do we work through that, and what do we need to do? So being able to bounce ideas and have a collective gestalt and talk and discussion around these emerging threats and topics is enormously valuable. What are your companies doing? What do we need to do as a group? And that really, really does help. So you get a depth of perceptions and a sharing of knowledge when you hire a virtual CISO who has other virtual CISOs around them.
A
Yeah, I think of all the CISOs I know, most of them have some sort of peer group or some sort of support, if only for conflict. Because I think if you're a one man band and you've got two clients, a Sunday night comes up and there's two incidents, you can't be in two places at once.
B
So that redundancy is helpful.
A
So those are the advantages. What are the challenges that you face in doing this?
B
Burnout, I would say, for some that's one of the issues. If you have no respite, you're not taking care of yourself. I have to say a lot of the vCISOs that I've come across are really noble people. They want to make the world a better place and they aren't good at saying no. And so they often over commit themselves and then they tend to lose track of, hey, I can't help you if I'm not helping myself: get enough rest, exercise, et cetera. So there's this idea of managing burnout in the vCISO community. I don't have any clients myself anymore. We've been able to hire people and subcontract our vCISOs so that we follow a nice, beautiful process and checkbox and make sure we're capturing and doing the service in a consistent fashion at my company. But our job now is to make sure that we help manage the delivery of services. Right? So vCISOs, you might have troubles with clients that aren't making enough progress or skipping meetings. This is a new problem that we've been dealing with in our company, where the subcontractor expects, I'm going to make 10 hours a month, or 10 hours a week for a month, that's 40 hours a month, and then I have my play money or whatever. But suddenly customers are so busy: we can't meet this week. No, we can't fix that problem that we're trying to do. We can't invest in this, we can't do that. And so things slow down and then the vCISO is making less money because they're not engaged as much as they want, or otherwise would want. So it's like any human resource company now. You sort of have to manage expectations and put things in place to help accommodate these challenges.
A
Yeah, I would guess that's a problem. I think every consultant in the world has that problem of trying to get visibility and trying to move things along at a client's office. But if you've got to set up a meeting with someone... I've had clients, because I'm still a consultant on my own. I only do... I advise a very few clients, but I'll find that someone will take three weeks to get back to me. But they expect me to get back to them tomorrow.
B
Yeah, yeah, you get 'til tomorrow, which is usually today. I want this answer by five. And I... Oh, it's nine o'clock in the morning. Here you go.
A
Which to some extent is fair. I get that and I work with it. Although we have to sometimes have an intelligent conversation about the fact that I don't do that.
B
Yeah, but here's the answer to your question, Jim. I think fiduciary duty is a really important thing to be clear on with your client. Many times we find clients that say, I don't want you looking in that corner. Don't run a pen test or an application security review, because I can't afford to fix anything you find and I have a fiduciary duty to do so. I don't want to look in that corner just yet. That is one of the real challenges of a vCISO, like, well, we can't push them and force them, but they're not doing the right things all the time. So I guess the point is to always talk about the potential consequences of inaction. Right. We don't own your data as virtual CISOs, so we have this really magical get out of jail free card where we tell you you should do A, B or C. And if you don't do A, B or C, that's okay because it's no skin off our back. But at the end of the day, if there's a breach tied to that and they do discovery, and we told you about it six months ago, guess who's on the hook for this? Managing risk and being clear about that can be very helpful for getting traction.
A
One of the things I would think about if you're a vCISO and you're not part of the company itself is so much of security is cultural. We talked about how so much of security is doing the basics. And it's true. I keep going back to that and saying, we always worry about that esoteric attack where somebody's going to find, you know, a memory buffer that they can overload and get one thing through there and break into our systems. And we do a lot of stories on things like that. And to be fair, they are used. If you're chasing that and you have lousy passwords, I'd go back to passwords. But again, so much of security is cultural. How do you integrate with the client to help them move their culture along?
B
This is something that is very near and dear to my heart. I have a degree in psychology and I have worked 30 years in cybersecurity and I have a love of education. So if you took those three as a Venn diagram, those three circles, where do they overlap? In the middle is psychology, education and cyber literacy. Those three things have to be front and center when you want your culture to develop around cybersecurity in a company. What does that practically mean? For 75 years, psychology has said rewarded behaviors are repeated. It's that simple. If you punish a behavior, it's not also true that it extinguishes that behavior. That is a misnomer. And so many of the cybersecurity programs out there are focused on punishing the bad behaviors of clicking, of sending these fake email messages to the inboxes of your users. And there's multiple studies that have proven that doesn't actually change behaviors. In fact, in some cases, because those tests are dumbed down so much, they actually oversimplify things and make people more liable to click. There's a study out of Zurich, Switzerland back in 2021 that found people who got a lot of fake email phish testing did worse at identifying real phishing and not clicking on them. In fact, they clicked more, not less. So when you use and turn to punishment and negative reinforcement of bad behaviors, you're really doing your company's culture and performance a disservice. So what we do is we always focus our vCISOs in our platform and in our service offering to try to find ways to reward the good behaviors we want to see more of. So if that's reporting a real phish to the IT team, we'll reward that. Give a random gift card to the people that have reported phishing for the month and reinforce, and then call it out in company meetings. All hands meetings say, hey, Jim reported a phishing email that was really good the other day and we're going to send them to lunch.
We want everybody to play this game if you see it, because it snuck through our filters and our spam. That's okay. We just want to have everybody helping. We're going to, in fact, stand up a Teams channel or a Slack channel. And we have some company champions that we think are pretty good at cybersecurity who are monitoring that list. They're going to confirm or deny if something's a phish or not, if you just dump it into that Slack channel. So we get immediate feedback on what people are seeing or not seeing. These are all kinds of ideas that we've shared as our vCISO peer group and have seen implemented that help build that culture of cyber literacy. And guess what? The more you reinforce that, hey, John in accounting, this matters for you personally as well as professionally. So when you're at home on your Gmail account or on your Google Mail account and you're planning your weekend's, you know, golf outing, and you get that weird email coming in, you don't have to click on it, just delete it and move on with your day. And that helps build that culture too, that this is not just professionally important, it's personally important. So paying attention helps.
A
Yeah. And rewards. I can't say enough about that. My best friend David Shipley is a psych major and a security person as well, and he's really paid a lot of attention to how the timing of these exercises has to be and how you can overload people and manage that. But once again, it's the incentives. I think it was Charlie Munger, Warren Buffett's partner, said, show me the incentive, I'll show you the behavior.
B
There you go. It's so universally understood in parenting, in dog training, in psychology, but it seems to have been lost in cybersecurity for some reason, where "we can't afford a click," punish and fire these people who are clicking. That just does not work.
A
No, changing the culture. I guess even from a... like you, you still... You're there only part of the time, but you still feel you can have a good impact on the company culture. What about the tech stack? And this is a killer for me. I always want to worry about or think about poor vCISOs because there's so many. I did a picture of how many security apps there were out there, and this was six years ago. We did it when I was publishing things with IT World Canada, and it must have been like 345000 apps out there, or maybe more. I have no idea, and I don't think it slowed down. How do you manage the different tech stacks and the different things that are happening at all these clients?
B
Well, you do it from a position of risk, right? If you have to. Let's say you're a car mechanic and you specialize on, I don't know, German automobiles. You might be really good at those automobiles. You got BMWs, you got Mercedes, you have Volkswagens, but you don't work on American cars, you don't work on Russian cars. Whatever else, you specialize on one thing. But let's say now you have to do all cars, doesn't matter what kind of car. Maybe it becomes a little more challenging with the modern vehicles, right? I'm not talking about the old oil and gas and carburetor stuff. I'm talking the computerized vehicles of today. You can't possibly be good at 25 different car manufacturers' computing systems to run those cars. It's just too difficult. So why do we think we would be good at 25 login consoles to tech stack our way through this stuff and know the best practices, the proper configuration, administration of all those? We can't. So this proliferation of platforms and apps is really a risk that needs to be called out and minimized as part of any of the risks that we try to identify as vCISOs. Right? We always start our vCISO engagement with a risk assessment at our company. We happen to like NIST 800-171, plus some really interesting modifications to that. Like, we add a materiality column to the ratings of every risk. So normally you get probability and impact, done. No, we want materiality, because guess what? In third party risk management, this company gets asked that question 17 times a year. So they have to have a better answer for it. That bubbles that risk up to the top of the list, or at least higher than it might otherwise be slotted. So materiality is a really helpful thing. But then we also take it a step further and say, okay, the NIST standard says you need to have authentication, like IAM, identity and access management, controls. It never says anything about adopting a password manager.
But the only answer to not having repeated passwords for each and every employee, making them long and strong and unique everywhere you go, is a password manager. It's not called out in the standard. We add that as a question. We make that a priority. And so I think having the threat of too many consoles, too many applications to manage an environment is a real risk. And we have to document that and come up with a strategy. Right? Maybe we get rid of the peripheral vendors and we simplify with a vendor that can handle more of our tech stack in a single.
A
So that's how it affects the client. What about the vCISO? Because I would just look at this and go, I'm expecting to see certain types of reports, certain types of data. And if I've got six different clients and they all have six different systems, how the heck do I keep my familiarity with all those different systems and the different data points, or different data, the different ways data is going to be presented to me? How do you keep up with client stuff?
B
It depends on your service offering. Where do you draw the line of what you do within your virtual CISO offering? So for example, in our business we're not wrench turning anything. We're not going into O365 and enabling or disabling session token theft prevention. We're talking about it. We're letting our client's IT team or their managed service provider know: hey, Microsoft just introduced, at the E1 level, session token theft prevention. It's a growing threat. We've seen this happen multiple times and handled multiple incidents where that token was reached in by the hacker and removed from a browser. So you need to, A, educate the employees about it, and B, you need to turn on token theft prevention in O365. But that's where we draw the line. We're not going to manually go in there and turn it on for someone. Nor are we going to say, you know, your ignite file exchange server is needing to be reviewed and audited on all these 17 different things. What you have to do is set out a policy that says share critical and sensitive information with only the person you're supposed to share it with. Don't put it in an ignite shared, you know, location where anyone can get to it with the link. No, tie it down. But in terms of enabling that and then perhaps even reviewing the configuration, that may or may not be part of your vCISO engagement. A lot of times if you're going through the interface and you can get the vendor on the line, you can help make those determinations if that's part of your role and your service. But becoming an expert in 12 different file exchange services, that's a little bit beyond the scope of what typically I see in our vCISO offering.
A
Yeah, that's what I would think is one of the big challenges of doing this role, getting the client to understand where your service stops. I think a lot of people get into a consulting type role and they're just a jack of all trades and master of none, which works in some aspects. There's nothing wrong with it. In cybersecurity, I would suspect, it's not the place you want to be. There's just too much that could go wrong.
B
But you could build in some fail safes or some mechanisms to help with that. For example, the NIST standard says you ought to do some pen testing of your public facing IP space. And if you are developing software, you should do some application security, static and dynamic stuff. And so you can remove the obligation to identify gaps or weaknesses in the network or in the application by engaging subject matter experts from third parties where that's all they do. So we bring in a pen testing firm to scan the network from the outside, to scan it from the inside, and then we identify things that are in our documented policies that shouldn't be there. Every device needs to be managed, every device needs to be patched, and you missed these three. How did that happen? Oh well, John left, we left his laptop on so that someone could check in on his email. The RMM tool was uninstalled for cost saving measures. It's not being patched, but it's on. Why not just have John's email be readable by a person logging into the account, leave the laptop off or put it in inventory. You can identify some of the gaps in process. When you look at NIST 800, you're looking at risks in three different places: administrative risks, technical risks and physical risks. You have to validate all of the administration of a company's networks, their human resource processes. Have a checklist. For example, we have a checklist that's a mile long for when someone comes on board a company, and we give it to our clients as a vCISO offering and we say, okay, this is like a block of wood and you're da Vinci. Your job is to cut out of all of this policy, this process of onboarding an employee, anything that doesn't apply. And we have all kinds of stuff in there. Like, even, here's a 90 day check-in with the employee to see how they're doing. Here's a seven day check-in.
Those are not security things, but they are kind of risk because if you don't know what the new employee thinks about their job, you don't know if they're happy with it, angry with it, have some simple questions that they just don't know how to do, whatever. So it's kind of a, I think in my way, looking at the administrative risk that you might face and having people just carve that up and then taking it and reversing it for the off boarding helps you document and have a repeatable process that can avoid some of those mistakes.
A
Yeah. And talking about relationships with other players in providing security, I think there are good MSPs out there. I think there are more bad MSPs, or more risky MSPs, than there are good ones. That's my own opinion. How do you deal with conflicts with the customers' providers, suppliers and particularly their MSPs?
B
Yeah, it's a common challenge because cybersecurity is one of those fields where you don't know what you don't know. An MSP is moving along merrily thinking, hey, we're pretty good at this. But they have no clue that they're not good at it, that they're missing our gaps. You know, they don't roll out a password manager to their clients. They don't force MFA on every remote access entry point into the network. We just have a blog article we're going to publish tomorrow about a company that was breached with a password that was hacked or brute forced. It was a 158-year-old UK company. I'm trying to remember the name of the company, that's just escaping me. They've gone out of business. They didn't have cyber insurance. The hackers that got in destroyed their backups and their disaster recovery servers before they implemented the ransomware. And the hacker got in on a brute forced password account without MFA. And that 158-year-old company is no more. They had to shut down. They couldn't recover from it. 700 employees lost their jobs. That's a tragic story that was so easily avoided. But it wasn't avoided. To our earlier point, no, they weren't hit with a zero day. They were just brute forced. And then someone got in and boom, it was done. No EDR on the endpoints, no network segmentation to prevent lateral movement. All the classic problems that can occur. But it's simple stuff that's still leading to the demise of companies. It's not rocket science. So get all these easy, simple things in place and then work your way up the stack of things you ought to be doing, right. That's what that risk assessment's all about. If we have finite time and finite money, I want to assure my vCISO clients that we're working on the number 1, 2, 3, 4, 5 risks. And if the 10 risks are so critical and they can only afford to do five, then we have another difficult conversation, Jim, that says, hey Mr. CEO, CFO, you've got 10 really bad risks.
And you're only giving me money to work on five, or your staff five. These other five are fiduciary risks that you have to address financially, or from a regulatory perspective, or from a best practice perspective. You ought to increase the budget here because you need these 10 things done within the next five months, three months. Those are harder questions. That's, I think, where some of our vCISOs try to bounce ideas off of each other. Like, how do you have that difficult conversation where the company says we're going to spend X and it's nowhere near enough to address the risk that they've sort of... what you call tech debt that accumulates over time, you know.
A
Yeah. I think technology debt is particularly difficult these days, as much because when I was first starting out, or when I was a full time consultant in technology, things were moving fast. Now things are moving really, really, really fast. So technology falls out of date much faster than it ever has before. I sit and think a lot because we still have a lot of really old legacy technology. You talk about this 158-year-old company. There are people still out there with Windows 95 running. There are companies out there that still have old COBOL systems. They have the most ancient technology and they may never be able to fix it all. It's just too big a problem for them. So when you run into companies that have these, and they don't have to be as bad as I've described, but where they really have a difficult situation to get out of, how do you cope with helping them work through the fact that there's only so much budget they have? Because I presume one of the reasons you hire vCISOs is you don't have scads of money. So how do you deal with helping them move forward if they have limited budgets?
B
Everything is relative. Right. You can't make money grow on trees for these companies that have to invest in their infrastructure. So you work on mitigating risk. We had a company that we were vCISO at that had to move, via sneaker net, some files from this machine over to that machine in order to work with some really old software that just couldn't be upgraded. It was part of their foundational service delivery of whatever widget they produced. And the company that made it had gone out of business, I think in one case, and they couldn't get any upgrades, there was just no upgrade path. And until they made this giant leap to a new vendor of solutions, they had to work with this old process. And I think XP was in play, Windows XP, but it worked. I mean, they were producing an excellent product, but they had this risk that they couldn't patch anything. And so what we did was we said, well, listen, you're sneaker netting it on a floppy, that represents a risk because you've already had one emergency. Go find a new floppy disk drive for this computer. And you had to go to eBay and spend $1,000 on a floppy system that... Yeah. So get two of them, put one on the shelf until that ever happens again, until you make the big jump. But number two, we're not going to put this other system on the internal network. You're going to have to keep moving these floppy disks over to here to do the work on that one machine. And it's not going to be connected to the network because it's just too likely that somebody in that network could hack that machine if it was online at any time. So you're going to keep it segmented, you're going to use it only under duress and for, you know, your business processes. And we're going to try and limit and monitor that device separately. And we're going to accommodate the physical security risks and the lack of a replacement, because a lot of times these systems get so old you can't get replacement boards.
There was a theft at a data center that we blogged about, about a year and a half, two years ago, and the theft was really interesting. The fire department showed up at the data center door and said, hey, listen, there's been a report of smoke or some kind of problem in the data center. And they weren't the fire department; it was a ruse. They were trying to get into the data center to go to certain machines that had these circuit boards that were worth a quarter million dollars apiece. They were able to lock the data center management up in a room, go onto the data center floor, harvest eight or nine of these boards that were a quarter million each, and walk away with $2 million in profit. Right? Like, they just left the building. It was well documented. This was something because these boards were no longer manufactured and they were central to running mainframes and stuff of that nature. It is a big liability for a variety of reasons.
A
In case there's anybody out there going, ha ha ha, that old technology, what terrible companies these are, I refer you to the Federal Aviation Authority in the United States, which is probably one of the biggest customers for floppy disks, because their technology is so old they're still running floppies. So it is a problem. We're always careful not to make fun of people, because you never know what's going to happen to you. It's an interesting job. I'm sure it's fascinating. Give me a couple of favorite stories. What's your best story of being a VCISO? What's the one you tell when you're in the bar at night and somebody says, you know, tell me about this? What's the best story you tell?
B
Can I grab something from over here?
A
Absolutely, yeah.
B
Visual for this one?
A
Yeah, yeah.
B
I think it's actually within reach. But one of the foundational stories about starting our own company, Cyberhoot, about 11 years ago: I was consulting for a manufacturer, a sporting goods manufacturer, and I got called into an incident. A new-hire HR person got an email from the president: top secret mission, you have to go buy gift cards for a special end of quarter, scratch the backs off, take a picture and send it to me in an email. Don't tell anybody, because these are gifts for other employees. We want it to be a surprise and I want you to do this. Okay. So the person did it, and then they got another email. Great job. Wonderful. You should have seen the faces in the room when I gave these out at the last meeting. We're going to do this again. We're going to do it multiple times. Can you go get 20 or 30 of these? And the person dutifully did that, because a brand new employee probably went on social media and said, I'm so excited to be starting at this company, it's my first job out of college. So fast forward two weeks. She or he had maxed out their credit card, their company card. They had gotten an expansion on their card because they had presidential authority to buy these things, right? The president wants me to do this with company money. And then they'd gone onto their own personal card and maxed that out, and they had accumulated about $24,000 of gift cards. And these are a hundred dollars each, right? We're not talking just minor ones. This is 11 or 12 years ago. All these dutifully scratched off and sent back, $24,000 before anyone asked, what the heck are you doing? You keep leaving your desk and coming back and leaving your desk and going to different places. Now, to be fair, this can't happen today, because Walmart and every other vendor of gift cards will, when you buy more than one, ask, why are you buying these? They actually have it at their checkout counter.
But this was such a simple bit of knowledge that was missing from this person. Very good human being, but didn't know what was wrong with what she was doing or he was doing.
A
So for those of you, because we're an audio podcast, and if you're watching YouTube, you saw that: is that the actual cards you have there?
B
Yes, this is a whole thousand dollars in hundred-dollar Apple gift cards.
A
Yeah. So for those of us just listening to the audio podcast, you're holding up a bag of cards. But by the way, you could still get away with a fair amount of this in the modern world. People give away these gift cards all the time. People can go out and buy 10 or 20 of them. They'll let you, but thank God, they'll ask you. And I'm glad that they also ask older people, because it's a soapbox I have, and I'm never going to step off of it, and that is: we do not protect our elderly. We do not protect people who are old, who are vulnerable in some aspect. You don't have to be old to be vulnerable. There are people who are lonely. There are people who are intellectually challenged or whatever it is. We let them be taken by these cyber crooks by not being good neighbors and doing what I think they're doing at Walmart, which is saying, are you really sure you want to do this? I thank them for that, and I hope every business will do that. When you see something that looks a little abnormal, just ask a question.
B
Right.
A
Why are you doing that?
B
Well, if I may just throw in a little plug for the education that we put out at our company. We have a video in our 2026 program, no, 2025. So we put out 12 new videos a year, delivered once a month, two to three minutes on some topic that is germane to the cyber threats we face. One of them this year was on financial crimes. And since we're on a podcast talking about this, we cover romance scams, where you might be catfished, right? Where, to your earlier point, you're lonely, and someone says the right things and they build a relationship with you. And then all of a sudden it's, I need 2,000, I'm in the hospital, oh my God, I crashed my car, blah, blah, blah. You need to verify and have a method of recognizing that catfishing happens a lot. Romance scams happen a lot. Charity scams: here's a natural disaster, there's a flood in your hometown or where you grew up, and suddenly charities pop up and they say, donate for the relief, and it's not a legitimate charity. There are ways. You can ask ChatGPT, what's the validity of this charity organization? What's their rating? There are organizations that rate charities for how much money they collect and how much they give out. It should be close to a hundred percent, but it isn't. So be aware of that. Overpayment scams: how many of us have sold something on Facebook Marketplace or some other site, right? You sell it and someone pays you $300 for a $100 item. Oh, my God, red flag. Do not send money back, because you never got the 300. You're going to give 200 to a hacker. So, overpayments. In our videos, we try to share something that's personally and professionally helpful for people to become aware of these things. We cover QR code phishing, where you might go to pay for parking in New York City, Boston, Toronto, and all of a sudden you're scanning a QR code that looks like a sticker at the parking lot pay station. This makes sense.
No, it doesn't, because that could be paying a hacker for your parking, and you're going to get a ticket when you come out of your venue.
A
Yeah, that's. And I'm a big, big proponent myself, and I don't know if you agree with this or not. I think everybody, especially elderly people, people you think are vulnerable, should be given access to AI on their phone and taught to ask one question. Is this a scam?
B
Right.
A
And you would be surprised at how good AI is at picking this up. I actually found one that came very close to fooling me. And I will tell you, it was really, really well done. They had everything about Apple's pages down, including an abundance of pages behind it. And, you know, I always say, I'm not bragging about this, I don't need you to test me out there, boys and girls. But I looked at this thing and I went, there's just something off about this. And the wonderful thing you can do is you can ask an AI, would Apple really ask this question this way? And the answer came back, no, they wouldn't. I think that there are some good tools and things that we can come up with. Going back over this, what's the biggest frustration you've had? You don't have to name the company. And by the way, it's just between you and me and 20,000 other people. But what's the biggest frustration you've had with a client?
B
Oh, with a client. Interesting. You're familiar with Malcolm Gladwell's book, 10,000 Hours? He makes a comment in there that if you do something for 10,000 hours, you're going to be an expert at it. And if you really, really want to be the top-of-the-line expert, teach it to someone else. That really hones your knowledge and skillset. And that's what we as VCISOs represent, right? We've got, at least I do, 10,000 hours doing cybersecurity, probably more. And we go to a client, they hire us for our opinions, and then they ignore our stuff. Right? They say it's not that big a deal. I don't need MFA for the president. He's the one we've got to do whatever he says, because after hours he wants to sit down at his computer and send that wire in three seconds flat and never think twice about it. So we're not going to put MFA on his account. Everybody else, yes. Oh, and by the way, we're not going to train them either. They're not going to do their awareness training because he's too busy, or she is. Many good and bad CEOs of companies can be men or women, but they write these rules, they hire us for our expertise, and then they ignore us. And they don't pay attention to the simple but very effective mechanisms we want as non-starters. Like, you cannot have remote access into your environment without MFA today. And you have to have everyone trained on how to spot and avoid phishing attacks and on the importance of password hygiene. Because 90% of breaches are tied back to human error. And that human error is not malicious; it's just not knowing what they don't know. And it always boils down to social engineering of one kind or another: smishing, phishing, vishing, quishing. And it could be password hygiene on another. So we want you to adopt password managers, turn on MFA, adopt passkeys, and please, for the love of God, don't allow remote access without MFA turned on. But they didn't listen to us.
A
No. And that's, as I've always said, one of my... The consultants I worked with for years came up and said, you know, you gave me the best advice I ever got, and that was what I said: the customer has the right to be wrong. And he said, that changed my attitude in talking to them. You've got the right to be wrong. I'm going to tell you what I know, but I'm not going to get upset with you and I'm not going to get frustrated with you. But I've told you, and you can buy a lot of peace of mind with that. The last question I want to ask you, the last piece of the interview with you, is because you've convinced me I want to hire a VCISO. So how do I go about this? How do I know I'm getting the right person? How do I check you out? How do I make sure? What are the things I should be doing if I'm interested in hiring a virtual CISO?
B
So, the best advice I have is something that I've used in managing people my entire life. Imagine you're not hiring a VCISO. Imagine you're hiring a doctor or a lawyer or anybody in your company, and you want to know what kind of person they are. You want to know how they perform in the long run. You want to know that they're going to be a good fit beyond the credentials that you would want to see in a VCISO, like CISSP certification or some other long exposure to multiple companies, that sort of thing. Assuming you find all the technical things, check their references. I have never hired someone in any company without talking to people they've worked with in the past. The biggest predictor of future performance is how they were viewed in their previous roles. So ask for references. Speak to those references. Ask questions like, is there any reason why you would advise me against, or hesitate to recommend, this person? And if so, what is it? And maybe they give you some answer that doesn't pertain to the role you're hiring them for; you can ignore it. But maybe it pertains to how they get along with others and how they share their concepts, right? Because, listen, cybersecurity for too many years has been the department of no: you can't do that, that's too risky, absolutely not. You don't want a VCISO that's going to be the department of no. You want a VCISO and a security team that says, you know what, Jim, we can do that, but we just need to adjust it a little bit, because the way you've described it, there might be this big threat that we're not thinking about, and if we just tweak it and make it this way, it's going to avoid that threat and no one's going to have any extra work, any extra steps; it's just going to work the way you want it to, but it's much more secure.
And by the way, thank you for bringing this to me today, because if you brought it to me next week and you were three, four, five steps down the road of that other way, we'd have a lot more work to fix it than we do now. So bringing us in early is going to be your best friend, because we can help guide you on your trajectory of where you want to get to, but take it in a way that's more safe and secure in the long run. So be the department of yes, however, consider these things to avoid some big potholes in the road towards your goal.
A
Yeah. And again, if you need to know the qualifications you're checking, you could use AI to do that. Yeah, we don't know that. It's amazing what you could do. But I'm amazed at the number of people who've hired me as a consultant over the years, after a while I guess because you get older, you get a reputation, but who haven't called references. Okay, so I think that that is a powerful recommendation. One last question before I let you go. I have to know, how did you name your company?
B
Oh, well, Cyberhoot has got a multitude of tie-ins to education, right? Owls are wise. We like the idea. And this has happened to us where people, you know, I'm in New Hampshire, okay, and I'll walk through town and someone will recognize me from a local business that uses it. And they go, have you done your hoots today? And I'm like, oh, they're using it as a verb. That's like, Google it, right? Do your hoots. I love that. But it's just the idea, this interplay between knowledge and positivity. And in Canada, I was born and raised in Canada, so remember Smokey? Was he an owl or was he a bear? Smokey the Bear was a bear, okay.
A
The bear was American.
B
It was the give a hoot.
A
We had the owl.
B
Give a hoot, don't pollute. That was the old thing. But it was all about being conscious, socially responsible, right? And I think that's what we're trying to do. We're trying to create a social responsibility to share these simple things that you can do to protect your life from this $10 trillion industry. You know, it's stealing money from businesses and individuals and elders. So it's really this whole conglomeration of things, right? It's the knowledge, the social benefit, and trying to impart that on others is how we came up with it. Plus, the domain name was available, cyberhoot.com. You know, that could be a challenge these days.
A
Cyberhoot works.
B
Would I be able to throw a shout out to free training we give away?
A
Absolutely. Yep. You can do that now. Yep.
B
So if you're interested in reaching out to Cyberhoot to do a little training, we give away all of our training videos and our HootPhish, our patent-pending HootPhish phishing simulation, which teaches you how phishing works, to feed you for a lifetime. We give it away free for individuals. Go to cyberhoot.com/individuals and register there. You'll get one video a month and a phishing simulation every three months. It's very low touch, but it teaches you how to spot and avoid these social engineering attacks and other things. Our hope is, of course, if you like it, maybe recommend us to your company or bring it into your business.
A
My guest today has been Craig Taylor. He is the head of Cyberhoot, a company that provides VCISO services.
B
Thank you very much.
A
Talk to you soon. Bye.
Host: Jim Love
Guest: Craig Taylor, Head of Cyberhoot and Virtual CISO
Date: October 11, 2025
In this episode, Jim Love dives into the evolving landscape and role of Virtual CISOs (VCISOs) with cybersecurity veteran Craig Taylor. With over 25 years as a practitioner and leader, Craig explores how VCISOs provide critical security guidance to organizations—especially SMBs and mid-market firms—facing tight budgets, talent shortages, and growing cyber threats. Through personal stories, practical advice, and revealing anecdotes, Craig highlights the benefits and challenges of the VCISO model, cultural impacts, tech stack management, and best practices for organizations seeking to bolster their cybersecurity posture.
[00:46 – 03:38] Historical Perspective; Entrepreneurship
[03:47 – 08:48] Market Forces; Cost and Expertise
[05:46 – 08:37] The Reality for SMBs; Support Ecosystem of Cybercrime
[06:42 – 10:53] Education First; Team-Based Redundancy
[11:13 – 14:55] Burnout Risk; Client Engagement Gaps; Fiduciary Duty & Risk Communication
[14:55 – 19:50] Cultural Integration; Rewards over Punishment
[19:50 – 26:04] Managing Complexity; Service Scope Considerations
[28:37 – 31:52] Managing MSPs; Difficult Budget Conversations
[31:52 – 36:11]
[36:53 – 40:13] A Foundational Case; Protecting the Vulnerable
[40:13 – 43:40] Education Initiatives; Host's Experience
[43:40 – 45:39]
[46:30 – 48:52]
[49:20 – 51:31]
Craig Taylor’s Final Advice:
Don’t just hire for credentials—find someone with a track record of collaborative problem-solving, whose references vouch for their real-world impact and adaptability.
For individuals interested:
Cyberhoot offers free training and phishing simulations at cyberhoot.com/individuals.