A (3:43)

Are there certain apps that you just wouldn't install? You're like, oh, this one's too invasive. We know this is kind of a gatekeeper to things that cause problems.

B (3:52)

Not for me. So I'm a heavy user of social media one because I use it to amplify my business brand. And then once you've exposed yourself to social media, very few of us, me included, have read all of the legal agreements we seem to agree to when we download applications and we allow them to gain access to our digital footprint within our phones. I think we're given up quite a bit when we do that. And so there's a push and a pull associated there. Pros and cons. You just have to understand that you're giving up some amount of your privacy. And then again, take those minor steps that you can going into the settings of these applications and then limiting the amount of access that the applications have to the rest of your digital footprint and information. The only other thing I would encourage is that the likes of Google, through their Play Store, Apple through their store, go through very exhaustive steps to make sure that developers go through a pretty rigorous process and that is a continuously monitored process. The applications, when they drift or fall outside of the regulations of those platforms, they essentially are given warnings and then nearly taken down immediately essentially if they don't follow the framework for which Apple and Google established for being able to use applications or deploy applications on their platform. So I would say for the most part, try as best you can to use those. You know, if you're using a Android device, the Google Play Store is where you want to get your applications. If you're using an iOS device, obviously the Apple Store is where you want to get your applications. Try and avoid downloading applications from sites that you're directed to because those applications may not necessarily have been vetted.

A (5:38)

Gotcha. And then there are things out there that, you know, they, they scrub that they look for saying there's these softwares or this, this extra layer that people do things like whatever incognito or things of that nature. Is that something you would recommend on the consumer level? Is that, is that just overkill?

B (5:54)

Not necessarily. It depends on what kind of footprint you want to have. You know, some people may need to go to several extra steps in order to create a different Persona for themselves. Maybe you as a business owner want to create a purely business of yourself, which means you have to be very diligent about which browser you're going to use that identity with, what information that, that you ultimately are going to put into the browser that's going to tie back to your business. Is that going to tie back to a physical location for you? So you have to, you have to be diligent. I think the problem that, you know, establishing those kinds of parameters and barriers for yourself isn't hard. The hard part is the consistency of use, of actually doing it every time that you use a particular application or every time that you're doing business for company to only use a particular browser and to ward off the temptation to say, well, you know, I'm out and about and I've got my iPad with me, maybe I'll just use this to access that account that I normally only access via my safe desktop computer. So you just have to be consistent, diligent about the process. And it can be very hard. But there are ways programs, applications and things that can help you with that consistency. It just depends on how much you want to layer your own privacy and protection.

A (7:12)

Yeah, when I growing up I was a Microsoft certified trainer and we built it structures. What we did was instead of worrying about it forward front on the machine, we put our personal stuff into a trust. So Anything I own privately is hidden inside a trust. It's based out of the Cook Islands. Good luck trying to penetrate that. It just, it's different phone numbers, different addresses. I am the poorest person on the planet. If you look at my actual numbers, there's whatever's in my wallet is all the money I have. Everything else is inside trusts, it's inside protected environments. That's what we did. Because I knew I couldn't compete against what was happening on the computers, which is obviously this, this is a very different method. When we get into business environments, when we talk about these things in business we're about to do, you don't have some of the luxuries of that. And they don't understand how the data breaches can happen. So to talk about that, when we get into the S and B world, when we get into small businesses, I don't think the consumer truly understands how devastating a breach is. Could you kind of walk us through how absolutely catastrophic it could be when someone does have a data breach?

B (8:07)

Yeah. Let's look at the relative size of organizations, enterprises that have thousands of people, thousands of digital resources are able to issue out devices to folks, provision those devices. They take very, very deep steps in terms of ensuring that their digital environment is protected. The SMB space may not be as well resourced, but guess what, they have to operate at exactly the same level as the big folks on the block because from the vantage point of the adversary, they really don't care how big or small you are. What they care about is whether or not there's an exploit available that will allow them to gain access. And if you fall prey to whatever channel or methodology that they choose to use the avenue of attack or approach, it's a win for them because access to the information is the first step for success for them. And then once they've obtained the information, there are a myriad of things that they can do with the digital information of any one particular individual, much less a large scale business. And so think about those resources in terms of the requirement to respond. There are laws on the books. If you suffer a breach, you have to notify all of the individuals for whom you have digital records for that's the first step. Even just that notification can be troublesome and a challenge for organizations that aren't prepared for it. Then guess what, you're likely opening yourself up to some level of liability. So hopefully you've gone through the process of doing a risk posture assessment. Hopefully you have cyber insurance and you're actually able to pull in resources that will allow you to both respond from a digital forensic standpoint. In other words, you respond through your insurance carrier. They likely have on staff or a panel organizations that can help you from a digital standpoint. Right, the ship, so to speak, get your technical organization back in order. But then there's all of the follow on activity that has to happen and there are costs associated with that. We have leveled out now. Somewhere between 3 to 5 million dollars is the on average cost of a digital breach. And that's been pretty consistent for a number of years. And that number may not sound big, but at the same time again for small to medium sized business, could you rebound or recover from a $3 million hit to your business? The short answer to that I'm sure for most small businesses is no. And we have seen historically breaches that have gone as high as $270 to $300 million paid and used to mitigate the effects of a breach or impact on a business or organization. And so because of that wide range, the last thing you want to do is leave yourself open to potential victimization by an adversary because the damage that they do it is so devastating to organizations that sometimes the financial component associated with it makes it unrecoverable from a business standpoint. And we want businesses to thrive. We want you to get out there and get your wares and your products and things out there to the consumer marketplace. My proposition is that nearly every business today is a digital business. And so taking time to understand what your digital footprint looks like and making sure that you secure your footprint is just a part of business operations today. And that's part of the reason that we're in business.

A (11:38)

Well, I think one of the things that doesn't get talked about enough is the reputation as well. When you have to reach out to your client base and say, hey, congratulations, I've had a data breach. This is one of the reasons I left my cell phone company. They got, they've been, they were breached. The first time I was like, all right, fine, it's a lot of work. Second time they got breach, I left and I was like, we're done, we're leaving. So I think there's that reputation hit that even if you do find a way to mitigate, hey, I've protected you from this one. It's kind of like the first time someone ever cheats on you, you're never going to trust them again. No matter what you do for the rest of your life, there's always going to be that, that issue There were things that you went over that most small business owners have never even heard of before. They're like, assessment insurance. What are you talking about? They're going to be like, what? I'm just trying to sell my widgets, dude. What are you doing? So let's try and get some of these people up to date on what are these assessments? What is cyber insurance? Because a lot of things you went over, because again, this is. You come from a world where it was literally life and death. It's just, that's your world. You keep people alive for these people. Yes, it might be life and death for your organization, but they've never heard of any of this because most of them are just struggling through day to day. Because you and I both know to get to the 10 million, you could do it through brute force. It just means that you're probably not thinking about all these other things in the back end.

B (12:47)

Exactly.

A (12:48)

What are these assessments and what are these insurances that they're running into? What does that entail? How long does it take?

B (12:54)

Let's start at the top of the pyramid. Risk risk management is a discipline that essentially came to fruition because businesses realize that not everyone has unlimited resources. In fact, no business will have unlimited resources. It requires you to prioritize how it is that you devote those resources to business operations, sustainability, and resilience. Cyber has grown to be part of the risk management profile. And I would proffer to anyone that's listening that your cybersecurity is, is in all likelihood a critical component. And by critical, I mean it's a path to failure for your entire business operation if you are not taking steps to reduce the risk or potential exposure by adversarial activities to your enterprise. And so, starting at the top of that pyramid, every business should be conducting a risk assessment to determine what their digital exposure is. In other words, have we done the right things in order to mitigate, not completely remove, because that is impossible, but to mitigate the possibility of a cyber attack having a devastating or critical impact on our business. And notice that I did not say completely exclude the possibility of having an attack happen, because part of the challenge in our industry is that we have to get folks over the hump of bad things are going to happen to you from a business standpoint, maybe even bad things in your digital environment. What we try and do as an organization is help or help businesses understand that resilience is the key. We want to help you understand, okay, things are going to happen, but we're going to take steps to make sure we reduce the possibility of that happening. But the work that we do is about resilience. How quickly can we get you from that point of failure back to full business operations and then help you fully recover so that the impact, the blast radius of that is extremely limited and it's actually manageable and something that you can deal with. And that extra exercise contains a myriad of things. And the assessment is merely one of the many things that you should be doing. Cyber insurance is a, is another thing. You know, businesses, I think, especially if you're operating probably if you're doing 5 to 10 million in revenue per year, even, I would say even go as low as the million to three million mark, if you're doing a million plus in revenue, you should have some kind of liability insurance in place to ensure that you can recover digitally from a potential attack. Again, adversaries don't care how big or small you are. They care about the probability of their exploit landing and in the intended victim actually being put in a position where they have to make decisions. I'm sure we can get into a conversation about ransomware, which is one of the most malicious types of attacks that you can be victimized by, because there's so much out there on the landscape that you have to be cognizant of. Taking these steps in a risk management review, a risk assessment review are prejudicial essentially to business operations. And I would proffer, again, if you're in the zone of a million plus in revenue, and certainly if you're in the neighborhood of 10 million plus, you should annually be doing some kind of assessment to ensure that you've taken the steps. Cyber insurance, your digital environment, is orchestrated and constructed in a way that makes it difficult for an adversary to get done what they need to get done. And that doesn't even get you to the compliance and things or the regulatory aspects of adhering to particular vertical compliances, say financial services, healthcare and other industries that have particular baselines that make it increasingly more difficult to obtain those certifications and to be able to operate. But it's all sort of this big, I won't call it a mess, but it's this big masala of things that you should be thinking about and our businesses to help organizations think about these things in a way that's constructive and substantive and puts them in a position so that they can reduce risk to the overall enterprise.

A (17:04)

Most people think that, hey, I'm going to buy a new router or pop a new VPN on and I'm good to go. That's about the equivalent of throwing a mosquito in front of a semi truck trying to stop it. It's not going to do a heck of a lot. When you talk about these assessments and when you do it specifically with your clients, where do you start? Do you start with the people? Do you start with the hardware? What does that look like? And how long does an assessment take?

B (17:27)

Yeah. So one of the things that we've done as an industry is that we've gotten pretty good at establishing frameworks that will guide folks through the process of evaluating themselves. These frameworks, some established by nist, the National Institute of Science and Technology, other frameworks established, say by the center for Internet Security, the critical controls. These frameworks are pretty good. They provide a great amount of oversight and advice. The difficulty is walking through the frameworks and actually answering the questions and aligning your operations to the guidance that's provided by the frameworks. And that is what we do. We select the framework that's appropriate for your level of business or the vertical that you happen to be operating in, and we walk through the hundreds of of questions and steps associated with them. And in an honest exchange, providing both documentation and verbal answers, we essentially walk you through the process to make a determination as to what your digital footprint looks like. And then once you have that in hand with some curated advice that we then pour into it, we help you prioritize the gaps vulnerabilities and figure out exactly what your current posture is. We help you create a roadmap that essentially will allow you then to take steps to reduce the overall risk in a systemic way instead of just saying, hey, let's go get some name brand firewall or router and implement it into the system and assume that everything is okay. And I can't tell you the number of times I've gone into conversations with even folks in my lane, the technical personnel, and instead of talking strategy, they want to talk about products. And we are product agnostic. Thankfully, we have a litany of partners that we partner with in our organization. But we want to be in a position to be able to meet the customer where they are. So our solution base is immense and extensive, and I want to be able to identify exactly which solution is right for that particular customer. And that means that I can't just align myself to a particular product because some are great and do exactly what they're supposed to do, but not all of them. And you may have already made technical investments that prohibit you from actually getting the benefit of maybe the name brand product that might be part of the solution set. So maybe there's an alternative that gets you part way down the road and gets you to where you need to be. And we want to be in a position to make that kind of advice.

A (20:02)

So I like that it's not dictated by the product. So the router that you bought 30 years ago, the blue and black one that's sitting in the corner corner is probably not going to save your tuchus. But sitting down and breaking down, you know exactly which one I'm talking about. The. When you talk about the framework, most people who are doing this, especially SMBs, they have no idea what an IT framework. They don't have a protection plan framework. They don't understand when you say hey, the framework matters more than the product, I think conceptually they'll get that. But when you say hey, there's a framework that we have to do that there, you might as well be speaking Sanskrit to them. What do you mean when you talk about a security posture that's based off a framework, what does mean it that mean?

B (20:40)

So the, the technology industry, through government identification and partnerships with civilian organizations, have created essentially best practices that any organization can follow to ensure that they are taking all of the necessary steps that an organization can take to protect itself. That is a very, very oversimplified way of saying, all right, are you doing all of the right things that you can do as an organization? That sounds pretty simple. But the challenge is that as organizations grow, scale and expand, every business wants to increase revenue. They want to increase the exposure of their product or their services across the market. And guess what that means in today's language? That means that their digital footprint is likely changing and evolving exponentially. Especially if you're a global firm and you have services or products that you want to deliver globally. Guess what? You have third party third parties that are part of your ecosystem, part of your channel, that are connected to your digital footprint. There are enough historical examples of breaches of using third party suppliers that now we understand that not only are you responsible for your digital footprint, you're responsible for everything that you are connected to. And that can get to be really, really challenging. And oftentimes because your technical staff on hand is just dealing with the day to day the tyranny of the now, it is helpful to bring in external advisors who can take a step back and give you that outside in perspective that you desperately need, so that you can then action on behalf of your organization. The things that need to be prioritized and get done and so what it means is it's not that these organizations aren't capable of doing these things themselves. They just don't have the time, capacity or resources to do it. They are concentrating on running the business, getting the business to the point where it's profitable, and doing all the things they need to do to satisfy their customers. And the truth of the matter is that investments in security still to this day are oftentimes deprioritized. And especially in SMB environments. I can't tell you the number of times I come across, quote, unquote, the security team of three people for a multimillion dollar business. And the security team is three people in there. They're expected to do everything. The governance, risk and compliance. They're expected to be the IT backbone of the organization. They are also expected to be the security of the organization. And while these people may be immensely competent, there is no way that they can operate at both the strategic and tactical level without the appropriate help or resources to do that. And oftentimes the security teams are some of the most under resourced teams within a business. I mean, we're talking about technology is the critical factor that's going to keep you in business. And the fact that we don't spend more money, more time, more resources on security still to this day amazes me. And again, that's part of the reason why I established Apogee. I want to get in and help organizations scale that problem. Right.

A (23:48)

The problem is it is never seen as a profit setter. Even though we are the backbone of it, we're just not a profit center. So when we come into it and a lot of issues that we have in this environment is most IT guys don't speak human. It's a completely different conversation. We speak geek. We're going to sit down and we're going to break things down. We're going to go all excited about it. And the other person, it's kind of like having your accountant talk to marketing. They don't speak the same language. The accountant and the marketing team do not speak to say they never have, they never will. So I'm trying in this one, when we talk about framework, Framework, because most of the people are listening to this are small business owners, they're going, what the hell is an assessment framework? What does that even mean? Do I, do I give my blood type? Do you need my sperm count? Do you give me the model of my computer? It's like where? Where am I? Because I'm trying to break it down so they can understand that. So when we talk about framework and an assessment framework, how long does it take? What does it include? Are we, how, how, how do we trust the person coming in? What do they take away with them? Are they there on site? Right, what does that look like?

B (24:45)

So starting with the last part of what you're saying, so every engagement has NDAs associated with it. You basically are an extended arm of the company operating on their behalf. When you engage in a consulting agreement, the information provided belongs to the company that is providing it always and it is maintained and retains the property value of the information or access the that's provided that framework. That assessment essentially is a step by step process of analyzing through question and interrogation and document collection, what steps you have already taken to secure your applications, to secure your identity. Measures within the environment to ensure that you are patching on a regular basis. The technology patching is a way of identifying and changing vulnerabilities or gaps that may be inherent on the hard tools that you're using or even the cloud based tools that you're using. Every digital cycle is dominated by multiple domains within the technology spectrum for which cybersecurity again has its own domains. And an assessment will essentially walk you through in a step by step, step process whether or not you have done or adhere to the principles of that particular domain. And it's not just simply a yes or no. You want to give companies credit for the amount of effort that they've put into some areas. It works on a gradient. Maybe you've knocked it out of the park. So yes, that's a complete full fulfillment of that particular aspect of say, identity management. But maybe you've done a little bit, but didn't do quite enough to get, you know, a four star rating on that particular question. You get credit for what you have done. We identify the gap between where you are and what excellent looks like and then tell you here are the things that you need to do to get to excellent in this particular category.

A (26:46)

So as you're going through all of these and you're working through a team, what are some of the issues that you run into with people who haven't done this? When you've walked in, you're like, okay, we did the assessment, you're crushing it over here, but good God, this is dangerous over here. What does that look like?

B (27:00)

What it looks like is again a resource challenge because the teams are underinvested and small. You get a lot of nods folks saying, yeah, we're kind of doing that, or yes, we've Taken steps to do that. And then when you ask the natural follow on question, have you documented that somewhere you always get either the blank stare or it's in draft. We were going to get to that, but they haven't prioritized it. And so what that looks like in practical terms is what you find is that most businesses are doing some things related to their security posture, but they're not doing all of the things that they could be doing. And that again is where an outsider's view coming in and giving you that unvarnished opinion on where you are can be immensely helpful. And it's not that the internal people, again, don't understand it or are going to give you misinformation. They may just not. They give themselves credit in areas where maybe credit is not quite due by simply saying, hey, we got that covered. And that's probably the worst expression that you can hear. If one of your technologists tells you if their answer to everything is we've got that covered, you probably should be digging a bit deeper because that simple answer is not enough. And you touched on something that's super, super important. This language that technologists use when communicating business concerns, this is the area of risk. And if technologists are not talking in business language, in the language of risk, believe me, the folks, the stakeholders on the other side of that conversation do not understand a word that you're saying oftentimes, even if they've come from technology backgrounds themselves. Once you are in that operating circle where everything is about risk, risk, exposure, risk mitigation, that is what needs to be communicated to the C suite and the board of directors so that you then enable them to make a decision about where they're going to prioritize the resources of the company.

A (29:09)

You mentioned that they don't speak the same way. I've never heard this word document before. I have no idea what you're talking as an IT die. We. We don't document any. We're. It's bad. We just don't have the time. We're like, we're trying to just keep things operational. You want me to sit down and document what I did? I'm like, you out of your mind? Yeah, we just don't have the bandwidth to do it. So that should. And that's someone. I've done it for longer than I'd like to admit. We. I can't remember. I remember the first time I had to sit down and write a white paper out. I was like, what the heck are you talking about? At the time, I was advising, I was working with Microsoft. They're like, you want me to document all this? I'm like, I've got fires to put out. I'm like, I've got to deal with Susie, who hasn't remembered her password for the 19th time today. And you want me to sit this. We just don't have that. So that is what it is. When we talk about risks, what is a real risk? Give me a real example of a data breach that caused real problems that you had to come in and you had to save.

B (30:01)

Let's talk about ransomware, because it. Ransomware to me is not only one of the most malicious types of, of victimizations and experiences that an organization can have. It's pretty insidious when you think about it, that an adversary uses a normal channel of exploitation, which is typically email. And let's take note of that still to this day, 2026, email is still the best avenue of attack for an adversary because it's the highest probability of access by malicious links, other information that then drives users to maybe watering holes where they go to a malicious website. There aren't enough protections enabled throughout the enterprise on the browser. And say, you know, John from your enterprise is actually able to go to a malicious site, clicks on some link that says, hey, here's a report that's dealing with your industry. Download and read the report. PDF, right? What could be wrong with a PDF? Downloads the report and the next thing you know, the actor, the threat actor, has access to the environment, ransomware. And the way that it works is it then a couple of things. It could sit on a time hack, in other words, sitting and waiting for a particular period of time to be exploited, or it could get to work immediately, basically attempting to find root access or ground, ground access to a system or environment, and then slowly begins to encrypt important files that essentially it's been designated to encrypt that ultimately will cripple the organization. And there have been thousands of victims worldwide of ransomware incidents. And when I say malicious, I, I think it's malicious to take someone's own information and then make it unusable to them or not have the ability to access that information. It's. We say that you use the term encrypted, which means it's garbled in a mathematical fashion that then makes it unreadable or unusable. And the mathematical key that's necessary to unlock the information and return it to you often requires you to pay money or a sum of money through bitcoin or some other cryptocurrency in order to be able to gain access to, to the stuff that you already own. So pretty malicious. And there are certain business verticals that still are falling prey to this. Healthcare jumps to mind as a particularly vulnerable vertical that still especially small regional healthcare entities that haven't taken the steps to identify where their gaps and vulnerabilities are, relying very heavily on technology, folks are paying attention. You know, the healthcare space relies as much on technology today is any vertical, which means they should be investing in security and technology. The thing about ransomware is that there are a couple of different types of ransomware adversaries out there. There are individuals who may have bought an exploit or a ransomware kit off of the dark web and are just going to town on their own using it, setting up their digital wallets and collecting money for ransom. But there are also ransomware gangs in the organized crime realm. You could find yourself the victim of a ransomware incident, and they might just provide you an international phone number to call so that you can get help with your ransomware incident. And they will walk you through the process of providing them money so that they can potentially provide you the decryption key for your own information. And I say potentially because there is something nowadays called, you know, sort of the double impact of ransomware. They're now threatening to release your, your data or information, so there's double payments associated with it, and there are known instances of where the ransom has been paid, and they have still never provided the decryption keys, which means you have to start from zero if you haven't taken the steps from a resilience fashion to make sure that you have backups that are immutable and protected and can't be hit by a potential adversarial activity. So there's a lot involved just in that short conversation. I barely touched on some of the areas that you could go very, very deep on. But the assessments that we provide would have essentially determined whether or not you had taken the steps necessary to buttress a potential attack like that, or as I like to say again, limited the blast area so that you could rebound and recover from a potential attack like that. And you won't know that unless you have actually gone through the steps of a risk assessment and made those determinations. Please do not just take the nod from the IT guy who says, yeah, we're good to go. We can, we can recover from that. That's not a good answer for the board of Direct Dish. For a company, I think there's so

A (35:03)

many important things you just said where we talk about that there's a time delay. Now, for the. For those of you who are playing at home who don't know it, the time delay matters because our default reaction as IT guys is like, oh, we'll just restore the backup. Like lvpo, we got breached five days ago. It's five days of data loss. It's not the end of the world. We'll just restore backup because we keep backups that are six months old. The problem is, let's say your b. Your. Your hack happened to you five months ago. That and again. Well, we've had backups that date back a year. Congratulations. You just lost a year of data. Can you survive that? Can. And they're like, wait, what? So that's what. Why we have time delays in this situation. And people are like, oh, my God, I'm not. I'm not. I'm not ready for that. What do I. Well, how long should my backups be? It's not a question of how long your backup should be in that environment. I think it's more the question of, have you done the assessment? Have you done the things to protect yourself? Because one of the tests we. And Again, this is 20 years ago. We would then would send emails to people like, hey, here's a PDF. We would spoof the email, in other words, make it seem like it's coming from your internal department, send it to you, click this link for this meeting we have coming up later today, and then just see how many people click the link. And the majority of people click the link. And my favorite was when the C level, when the C suites, they would click the link. They're like, oh, my God, I can't believe Susie from HR did that. She's stupid. Really, sir, cto, you clicked on it, too, and they're like, oh, I'm like, yeah, you're an idiot as well. So the problem isn't every. It's universal. It's just in the process of our day. We're just so used to this clicking and firing. And this is why, again, to your. To your point, your three or four guys that are elite, unbelievable individuals who are running your IT organization, you can't. This isn't 300. You can't expect 300 guys to stalk the entire army that's coming at you. You got to get them in sources, you got to get them held. Now, I want to talk about the introduction. Introduction of a AI. Now, AI we already know doesn't mean artificial intelligence. We already know it means always incorrect. We're still using it and we're still uploading vast amounts of information into it, which is an absolute nightmare. From a security part, it's a nightmare. What do you tell the organizations you're working with? They're like, hey, yeah, I know you want to work with Open, you know, open Claw, or you want to, or working with Claude, or you want to put Codex or you want to put Banis. And they're like, hey, why don't you just walk outside like naked? What do you tell the people in that environment to protect them who are. Because we're becoming an AI first world. We were an Internet first world, now we're an AI first world. How do you protect them in that environment?

B (37:25)

There's a couple of different things that we do. One, I've assembled a partner network that has a variety of solutions that meet customers needs as it relates to the, to the adoption and implementation of artificial intelligence in the business environment. And I've aligned myself with these potential technology providers because I love their technology and it does what it is that they claim it's able to do. That's part of the challenge we, from a standpoint of making sure that there's a knowledge transfer that we acquaint our client with the challenges they may be facing. And using AI, have built a internal process that will allow them to take the steps, steps in a diligent fashion and make sure that they aren't just simply opening the gates and allowing their employees essentially to give up the company's goods through the use of these tools. It requires a lot of diligence. It requires companies to take steps like creating a change committee or an artificial intelligence committee for which they do an evaluation of the potential impact of these solutions on business operations. In other words, each business leader might have to contribute what kinds of information they intend to put into this system and then what their expectations are for what kind of access the bots, agents and other aspects of AI will have throughout the enterprise. All of that needs to be governed in a governance, risk and compliance fashion. And it requires you to stand up committees and yes, take very, very diligent steps that will allow you to assess whether or not a particular solution can be helpful, but then implementing it in a fashion that is safe and secure and then ultimately helpful to business operations. And so it requires you to think about it. It's not just a matter of going to the site, signing up, and just assuming that technology provider is going to provide you all of the security measures and default settings that you need in order to protect your enterprise, you have to take extra steps, and that is thinking through those extra steps. Steps is what we do as an organization. We help organizations identify how they think through those steps. We bring experts to the table who can explain the risk associated with any one particular solution and give them a general approach that will allow them to reduce the opportunity of any particular adversary to exploit their system and or just make bad use of AI. There are gaps in the use of artificial intelligence. I've heard some interesting stories recently about AI or large language models that have been given widespread access to enterprise information. And in doing that, because they only understand language prompts have gone out into areas and retrieved information and presented it to users. And that user didn't have access to that particular information from their role based access within the company, but the bot had to access access to it and provided the information. These are all challenges that are fixable, but they're only fixable if you are taking the preemptive steps necessary to make sure that you're protecting your digital information wherever it may reside.

A (40:40)

I think assuming that whoever you're working with, whatever software it is that's trying to protect you, it's not doing that. It's evolving too fast. And the best example I can give of this is, is for those of you playing at home, I created, I had a box that had none of my personal information in it. And I created a VM where I created a little virtual machine inside my box. I then loaded a version of that inside of called openclaw. And I wanted to see. I'm like, all right, I'm going to give you the resources. It has none of my personal information. And I watched it. Openclaw figured out that it was inside a VM and inside a virtual machine. And then it was like, huh, I need more resources. It then penetrated it out of the sandbox to try and get more resources from my parent os. And I was like, okay, no, we're done. I'm blowing the whole OS out. I was like, we're done. I've never seen anybody doing that before. I'm like, I don't want to play anymore. Goodbye. But I'd never seen, and it wasn't doing it at the time maliciously, but I've never seen a piece of software break out of a VM and then go out at the Parrot os. I was like, what the hell is that?

B (41:36)

Yeah, I'm starting to hear more stories like that because it, it's interesting, you know, computers and technology does what we tell it to do. And if you tell it to do a task, it then assumes that it has to complete that task.

A (41:49)

Yes.

B (41:50)

And it has all of the variable things available to them to include what might be considered malicious behavior to achieve the task that you've given it. And so these are important elements that we need to be thinking about. I heard a very similar story in the context of, you know, RSA that was. That occurred this week in San Francisco of a AI agent essentially executing a exploitation in order to gain access to information to satisfy the original task that it was given. Which is. Which is crazy to me. But guess what? It makes sense. You told it to do that, and it thinks that it has all of these things available to it. You didn't tell it that there were boundaries. And these are things that we're going to have to learn as humans that oftentimes not only do we have to give it a task, but maybe we have to give it the limitations for which they can execute that task. Right.

A (42:43)

I tell people all the time, AI is a toddler at this point. If you're like, hey, I need you to go build a kitchen and it needs wood, it will tear down the rest of the house to get the wood for that rest of that kitchen, because it doesn't understand, oh, you didn't need the rest. Oh, you don't need the rest of the house. You just told me to build a kitchen. I knew there was wood somewhere. I went and found wood. Whoa, stop. The next problem you run into, and I don't think people understand this really on a tech level, as much as we picked on tech guys, the opposite occurs as well. When we IT guys show up and you don't understand what we're talking about and we're really dorky. The culture has to change in your org. We're like, listen, these are your vulnerabilities. We did this assessment. These are the problems. There's only so much we can do. Here you go. This is going to happen. And then your C suite or your SMB or whatever it is is like, dude, I gotta get these widgets out the door. You have to have a culture change when you run into that for your clients. How do you pivot the entire culture to get them to understand?

B (43:39)

This is part of the reason that we operate across multiple variables of the risk spectrum. So we are an enterprise risk company in terms of our advisory work. I believe in my heart that no single solution, like a digital widget, is going to solve the problem that you're actually needing to solve. And so when I think about people, process and technology, which is sort of the consulting mantra, we do all three, we come in and we may help you identify the digital solution that's helpful to you. And then you may come back to us and say, well, I'm still short on people. Well, guess what? We have interim resources we can add to the solution so that you can have a period of having folks that have the expertise available to them to ride along with you to help the company continue to grow. And then you can take the time to plan how you're going to hire a permanent person to do the job that this interim person is doing and they're doing it in an excellent manner. And maybe the solution is for some limited period of time to have it be that adjunct person, or fractional as we like to call in our industry, be the person that's going to ride along with you for that phase of your growth and development. You will get to a point where, yeah, you want to hire someone permanently. And that's where we also come in with, okay, now that we've provided the fractional technology talent to help you grow and scale to a new phase of your company's operations, now we're going to go out on the field through our broad network and actually help you identify who's the right person to do a longer term engagement here, multi year, maybe even become part of your FTE workforce course and give you that person. And guess what? We've been on part of the journey with you up to that point. And so we now understand the company culture, what's going to work best, not just from a skill set standpoint, but who's going to be a good fit for your organization for the next phase that you're moving into. And so we want to be supportive across that entire people, process and technology cycle.

A (45:46)

So I want to dissect this model a little bit more. So when, when I was doing this again a while ago, we were what was known as an msp, which is a managed service provider. We would come in and we would provide small to medium sized companies, IT departments. And it was really simple. It's like you can pay this guy 120k a year or you can pay me 2 grand a month, which is like $24,000. And we're going to do 90% of what you need. You don't need that full time person at 180,000, $200,000 a year, because most of the time in it, we're gonna just be surfing the Internet and goofing off because they don't break every 37 seconds. So just let's be honest. So you don't need someone full time. I think what you need is you need that elite level of support. You need that elite level of experience that comes in and says, okay, I'm gonna do what's gonna take somebody else who has no idea. I'm gonna do it in about an hour. I got this. Here it is. This is what you need to do now. You have to figure your culture out, and you have to do all that. And we're gonna advise you. But I think most small businesses are like, you know, they hear MK and they're like, jesus Christ isn't gonna cost me a half a million dollars. I'm not gonna be, oh, my God. And they freak out like, whoa, this is fractional. The model's important to come in and say, listen, here's an expert. We're gonna sit with you. But I don't think, and correct me if I'm wrong, my experience with this is it's not a problem of we doing, us doing the assessment and us giving you the expertise. It's you now sitting down and pivoting your culture. And this is where someone who's got the experience can say, okay, okay, we just found out we're exceptionally vulnerable. Now, you're not going to give it to your C level CEO who's never logged into anything other than their Gmail. You're going to have to have someone hold their hand. But it doesn't have to be the most cost prohibitive thing in the world. Is that kind of the same model you guys are still using? Or have I just outdated myself at this point?

B (47:25)

No, no, it's. It's the model we're using. But maybe I'm taking even an extra step to explain it. Let's just use some notional figures and a notional scenario. Say you determine as an organization that you're ready. We need to hire a security executive to champion our security expertise and the things that we need to be doing from a security standpoint. Guess what? Security persons with deep experience and knowledge, like myself, come at a high, high price for permanent personnel. I did pretty well. I did pretty well working for a couple of Fortune 500 companies here in Silicon Valley. And so even at the S and B level, you want that level of expertise, but you're not ready to pay the same amount that the likes of Google or Palo Alto Networks is going to pay. So why not hire a fractional person that you can get at essentially a fourth of the price and still get the expertise and level of engagement that you need. And you get to go through a period of evaluation, quite frankly, to determine if they can do the job. Because oftentimes what happens is that they make these high dollar value hires and the person doesn't even work out. And so they've essentially wasted time. Here's the other component I'll tell you that I think is fascinating. You hire a CISO and let's just use the ciso because that's sort of the go to Persona, if you will, for technical expertise at the C suite level. You hire a ciso, they are immediately going to want to build a team. So you aren't just hiring one executive, you're hiring an executive who then is going to build a roadmap to building a team that's capable of executing. Because I don't care. Even the most technically minded CISO doesn't want to be the person actually developing and shipping security within the enterprise. They want to be spending time on the strategic measures. So they're going to go out and hire that great security engineer that they worked with at Company X. They're going to go out and identify that person at GRC that they worked with a few years back who was just excellent at documenting process and stay and making sure that the team stayed on point in terms of policies, procedures and keeping all of that stuff updated. And before you know it, you've got, you know, your one person hire has ballooned into a 50, 60 person team that cost an immense amount of money for talent. Again, for a fourth of that, you can have an expert team come in, operate in a fractional capacity, and then help you in a slow mature fashion identify the long term resources that you're going to need. Or quite frankly maybe you determine that the fractional model which is becoming super relevant today, I can't tell you the number of technologists I know that are on the bench by choice because they would rather operate fractionally rather than do long term projects. They want to take their expertise and go from project to project because they don't want to work for a large scale enterprise as a permanent person because they like the freedom associated with hey, I got expertise and like you said, what might take you 10 hours to do, because I have the expertise, I can come in and do it in an hour and a half and it's done in an enterprise level fashion. And then guess what, I have the rest of that time available to me, me to go do other projects or do something else that I intend to do. In my case, I get to go run the other aspects of a business, which means that the fractional experience and engagement that I need in order to get that customer to where they need to be, I can parse that out and give that to 10 companies at one time as opposed to one company at a time.

A (51:07)

I agree 1000% and I've said this again 20 years ago. You do not need a full time IT department, period, full stop up. You do not need a full time cso. You don't. This should be outsourced. You should be hiring. I would rather you spend for the expertise than the time because the expertise is going to save you that time. And having somebody that's sitting there for half a million dollars a year sitting there, who's going to build out an entire team, just going to drain your revenue streams, having someone who's got the experience that comes in and says, hey, these are the next five things you need to do. We're going to do this. Let's sit down and talk about it. You will not only be more protected, but you will also have saved an immense amount of money. The reason I say that you're more protected is because he's not experiencing it just at one client anymore. He's now experiencing a hundred clients at a time. So the experience of one breach that's happened at client Q is now happening to help out client A. And I, and I just don't think small business owners understand that there's this ego that like, no, they have to be mine. They have to do that. You're not getting the best expertise and you're wasting an immense amount of time, time and money in order to do it. So just, just don't do that. For those of you guys who are playing at home, who are small business owners are like, listen, this is, this is Sanskrit to me. I don't understand any of this. Look at a fractional environment, be IT MK or anybody else, but on any level of your IT stuff and I'm sure I'm going to get some nasty grabs from the IT guys. You don't need to be full time. Be honest. We're all just browsing YouTube way too much anyway. So, you know, get off of that. And it just, it is what's happening. So having that, that. So if the people are watching from home, you know, I have two, I have two questions I want to ask you. One is, what are the things if they never run into you? If you get eaten by a Purple dragon today and you disappear or you win the lottery and make $100 billion and you put your phone in a blender. What are the fier six things that the fire six things that they could do right now, like okay, I need to do this, there's this online tool or there's this thing that I could do or what are the things that I could do right now to protect myself on a personal level and then the things that I could do for my business environment.

B (53:04)

We provide a risk assessment that folks can take freely at our website. That risk assessment will walk you through some basics to give you a high level understanding of where it is that you may have not made the proper investments in the reduction of risk to the enterprise. And we cover multiple domains. Again, we're a people, process and technology advisory firm. So I would say at the very least, take some time to assess where you are as a company. And you can do that with us, you can do it with others. We think we bring not just an immense amount of experience, but a special expertise based on my experience and those of my executive team and the others that we have engaged. But do something, evaluate where you are as an organization and bring in folks who have experience, broad based expertise, and will give you an unvarnished opinion as to where you stand as an organization. Take the time to make the investment in that effort and it doesn't happen overnight. You know, a typical risk assessment is likely a six to eight week engagement if done correctly. Just aligning time schedules, going through the process of asking all of the, there's, you know, probably 180 to 200 plus questions that get asked during the course of the assessment. You do those in chunks. You don't want to do those all at one time. There's a gathering of data and information in terms of documentation or the absence of the documentation that needs to be noted. So the process takes a while. So get started. From a personal standpoint, there are several things that you can do to just sort of evaluate where you are. Just Google your name for starters. Go into an incognito browser and Google your name and see what information comes up in a Google search. And then Google. How do you get Google to remove your name and personal information from searches? And it will tell you the steps that you need to take in order to essentially give Google the information that it needs to be looking for. And it will come back and tell you, I do it myself. I get probably an email every three weeks or so. Hey, your personal information was found on this site. Would you like it to be reviewed for removal? I Click Yes. And 99% of the time you get an email back says it was removed. Every once in a while there's some, you know, site and because of the way that the information was collected, they're unable to have it removed that 1% of time. Again, it's about limiting your footprint, limiting your exposure to risk. It's not about eliminating it. If you want to completely eliminate digital risk, risk, don't use digital products.

A (55:43)

Correct.

B (55:44)

That's it. Right?

A (55:45)

That's the only way to do it.

B (55:46)

That's the only. That's the only way to do it. But if you're, if you're like the 99.9% of the rest of the world who has a phone and wants access to this digital information, there are basic things that you can do to protect yourself. Do the basics. And that at least gets you on the right path because most folks aren't even doing the basics. And that's what the adversaries count on.

A (56:07)

We talk about something in the military all the time, about everyday carrying. What are the things you carry every day, Be it from operational, from military, from what your sidearm is, whatever that is. When it comes to this, what is your everyday carry for the stuff in your world that you use? On a tech side, are you like, okay, I use Android, or I'm going to be a Google guy, or I'm going to always have a flash drive on me or whatever it is, because I keep a flash drive in my wallet that I use very specifically that can breach me into any machine. I've had it on me for 20 years. It's just, I'm like, oh, I get in any machine that I ever get locked out of. It's just a habit. I, I always have it inside my wallet. What are the things that you have on your world that like, these are my everyday carriers. I'm always going to have this on me. Or this is what I use all the time. Because through your immense experience with the FBI and the Marine Corps and the Navy and thank you again for your service, what are the things like, you know what? This is what I'm going to use. This is the case I'm going to use. This is because those are the things that people are like, well, what does he use? He's got this experience. What was he taught? They want to know those things. So what is your kind of your everyday?

B (57:03)

Carrie, Let me answer it this way. So part of what I bring to the table is a level of communication that can be helpful at the strategic and executive level. So I'm a communicator by trade. That's what I get paid to do in most instances. It's what I get paid for in enterprise. And it's a skill set that I've developed over time in terms of my tactical carry today, because I have had such a wonderful experience at one of the biggest technology companies on the planet. I'm a Google Workspace user through and through. I love the products, I love the ecosystem. I know the story behind the preferential use of zero trust in terms of the principles that were used to build out the environment. And so guess what? I'm a Chromebook user. I like telling folks the story that I love Macs just like everybody else. The look, feel and presence of a Mac is unmatched. But if I'm traveling for business, guess what? I got my Chromebook with me. It's probably a safer platform to use. There have never been an instance of a Chromebook being violated via ransomware. The probability of it happening is actually zero. I use a Pixel phone because it tied uniquely to the Google ecosystem. Do I have Mac products? Absolutely. I will tell folks day in and day out I'm an iPad user because I don't think that there is. I have yet to see in tablet form something that is as useful from a utility fashion as the iPad. If you attach a keyboard to an iPad, there's almost nothing that's restricted to you to be able to do. I mean, it is part of my go to carrier. And yes, I have a tech bag or whatever you want to call it that I carry with me for business travel and when I'm out and about meeting with customers and clients. But from a tactical fashion, I'd say my everyday carry is that when I walk away from my home office, I'm going to have my Chromebook, I'm going to have my iPad, I'm going to have my Pixel phone and a tech bag that's going to essentially allow me to get in front of folks and carry on whatever kind of conversation I need in order to either develop business or quite frankly, just to help them understand what I'm seeing and the challenges on the environment landscape.

A (59:23)

Dang it. I have to start looking at Google Workspace again because I'm a Microsoft guy and I learned it. So I'm going to have to transition.

B (59:30)

Dash.

A (59:30)

Yeah, you bastard. What are some of the tools out there? Just, it sucks. I'm going to have to pivot because I'm such a Microsoft guy. And it just, it's worked. And I hate what is it? Sheets. And I'm like, can I just put it in Excel? And they're like, no. I'm like,

B (59:47)

there is such parity and operability between the Microsoft Office capabilities and Google workspace today that it's almost 100% seamless. So you'd be surprised the transition may not be as hard as you might think it is.

A (60:04)

Oh, God. Okay, I'll work on that. I promise I'll work on it. The next thing. What are certain things that you're like, dude, that's just a waste of money. Like, they have these little stickers that you put on cell phones that reduce EMI or EMF and they don't mess with your brain. What are some of the things you're like, please stop buying this. What, what are you people doing? Like, what, what, Are there anything out there that you could think of that you're like, no,

B (60:30)

no, I, I don't want to disparage the use of, of any kind of technical product. You know, I, I, I, you know, things like most people don't have to worry about, you know, RFID readers, the common consumer. But I noticed that, you know, there's even a stretch of folks out there that are selling like, Faraday bags to people that who now think they need to keep their technology in a Faraday bag. And I'm just, you can go too far, I think, with some of this stuff. And that's, I'm not that guy. I'm not the person who's going to tell you that, you know, every time you don't use public WI fi, you know, be careful when using public WI fi. You know, there's still validity to the use of VPNs. Most phones have VPN systems built into them. Turn on your VPN when you're out public, or at Starbucks using Starbucks WI fi, or when you're traveling and you go in a hotel. You know, if you don't want to use a hotel WI fi, buy your own WI fi puck and, and use that when you travel so that you can have safe, secure, communicate. Like, you know, there's, so you're saying how much, how much pain you want to, you want to inflict on yourself.

A (61:46)

So you mean the shoe box that I have in my house that's wrapped with aluminum foil is not a good idea? Is that what you're saying? I shouldn't. All right. With that said, mk, there's a bunch of people, people out there who are going like, all right, I need to talk to someone. It needs to be on a fractional environment. How do people track you down? How do they get access to you? How do they ask questions to kind of to lead themselves and protect themselves in a world that's getting more and more risky?

B (62:11)

Yeah. A couple of different things. One, I would tell them to visit our website at Apogee Global RMS IO. You can see the full suite of services that we offer as a company, that there's some stuff about our background and there's some information from a thought leadership standpoint in terms of our approach to security and enterprise risk and all of the things that came up in conversation. I think that's a great starting point from an individual perspective. We have both a company presence and my personal presence on LinkedIn. I'm a heavy LinkedIn user, so we can give a nod to Microsoft in that way if you like. They own LinkedIn, so I'm a big believer in LinkedIn. I think. I think it's a great professional social network. I keep in touch with lots of people on LinkedIn. I'm there as MK Palmore. If you look me up, I'm pretty sure I'm the only MK Palmore on LinkedIn. I'm open to outreach. I can't tell you the number of folks who reach out to me sort of blindly that I've had the opportunity to actually connect with and have conversations with. So you can see a lot about what we're doing as a company and what I do individually for my own personal brand, which amplifies the company brand either at our website or on LinkedIn.

A (63:23)

Perfect. And if not, we'll. We'll put your direct phone number, your Social Security number, your bank account and your home address in the show Note. MK I appreciate you coming on. I really do. Thank you for sharing all the information that you did with us. Security isn't about having the fanciest tools. It's about doing the basics every single time. MFA on permissions locked down. Stay consistent. That's it. MK made it clear today the adversary is counting on your laziness. Don't give it to them. As always, thanks for tuning in. Stay safe out there, digitally and otherwise. See you next time.