Steven Grossman [00:00:00]:
Cybersecurity is not a perfect science. Right. And no matter how hard any company is trying to protect their customers’ information, things happen, right? It’s not perfect. And so you know, you have to do everything you can on a personal level to protect yourself so that you’re protected if something happens within one of these companies.
Karissa Breen [00:00:35]:
Joining me now is Steven Grossman, CISO and CIO at Standard and Preferred Insurance. And today we’re discussing cyber security and compliance in regulated small and medium sized businesses. So, Steven, thank you for joining me and welcome.
Steven Grossman [00:00:49]:
Thank you so much. Great to be here. Been following you for quite a while. We’ve spoken before and what you’ve done for the cyber community is really, really fantastic.
Karissa Breen [00:00:57]:
Oh, well, thank you. It’s a pleasure and an honor to have you here today. So, okay, so there’s a lot going on in the SMB space and I think this is an important area because often a lot of the folks that I speak to, Steven, are the enterprise, you know, government level. But I think it’s really important that we don’t sort of relegate our SMBs. Obviously I’m from Australia and I live in the US now, but a lot of our economy in Australia is made up of SMBs. So maybe give us a bit of a landscape. How do you see cybersecurity for SMBs where you’re sitting and what would you say ultimately they’re struggling with?
Steven Grossman [00:01:29]:
It’s a great question. I mean, to your point, you live a little bit in a tech bubble, right? When you’re in the tech world where you see everything as a venture backed startup or as a large enterprise. But to your point, quite a bit of our economy is tied up in financial services and accounting, in manufacturing. SMBs that are really kind of the bits and bytes of our world. But in a lot of those environments they treat IT and cybersecurity like it’s 1995. They’re trying to keep their business running. They don’t really understand the priority and they don’t understand the importance of taking things up to the next level. And you know, over the course of my career I’ve worked in everything from, you know, large enterprises to startups in the venture backed space as well as SMBs.
Steven Grossman [00:02:13]:
And you know, having broken my teeth at PwC, I got an understanding of how cyber and IT intersect and how business process works and SMBs and even venture backed startups really struggle in that area. So it’s really largely a matter of priority and it’s largely a matter of recognizing its importance is really the first step to take.
Karissa Breen [00:02:33]:
And would you say that historically the cybersecurity industry perhaps hasn’t done a great job, but maybe speaking to the SMB market and then more broadly, would you say that if you’re looking on a vendor like side of things, perhaps they think, well, there’s less money to be earned in the SMB space. So why would I waste my time in the SMB space? Where can I go up the chain and hit an enterprise up? What are your thoughts on that?
Steven Grossman [00:02:57]:
I think the vendor side has done what they do. Right. But if the clients are not understanding it and recognizing it, they’re not going to prioritize it, right? We always think of it, we think of cyber. It’s always on our mind, right? Your average manufacturing business or accounting business or what have you, it’s not top of mind until something happens. And every tech vendor in the world has an SMB sector, right? They have a channel that works SMBs. They go through channels in order to sell to the SMBs and they’re really focused on that targeting, understanding that perhaps it’s a little bit less profitable, but the sales cycles are much shorter. If you think about the world and SMBs, large enterprises and government, everybody knows government has the longest sales cycles in the business. SMBs have the shortest sales cycle because they don’t have the formality, they don’t have the red tape that the large enterprises have.
Steven Grossman [00:03:45]:
But by the same token, they don’t get it very often depending on who’s running the business and where they come from and their background and how management views it.
Karissa Breen [00:03:55]:
So would you say, given your career in the space, is that gap of not getting it closing, or do you still sort of think the gap is as wide today as it was historically?
Steven Grossman [00:04:05]:
I think it’s a tale of two cities, right? I mean, I think some get it and the regulatory landscape is forcing them to get it. So I’m in insurance right now, but you know, financial services in New York State, they have New York State DFS. You can’t ignore it. Right? But in those areas that are not necessarily regulated, they’re not necessarily putting the focus on it because it’s not impacting them until something happens. I mean, heck, if you just look at the news from last week, I don’t know if you saw the news about the Louvre, you know, that they had security audits and security reviews that were ignored and you know, they discovered passwords on their security systems of Louvre. Go figure. And so, you know, the landscape in terms of SMBs really depends on what their business is and what the priority is. Right.
Steven Grossman [00:04:46]:
Nobody would ever go without a CFO. They would never go without an accountant or outside counsel. Very many of them are going with the same, you know, two man shop out of their basement to run their IT and their cyber by extension.
Karissa Breen [00:04:57]:
Yeah, and that’s an interesting point. So would you say as well that, going back to your comment around having a CFO, etc., do you think this is one of those things that again, maybe, and I’ve spoken to a lot of people that are in these SMBs that it’s like, yeah, but I just don’t kind of know what the money I’m spending with this security person, like where it’s going, it’s, you know, it’s expensive. Do you think as well it’s a little bit of out of sight, out of mind? Like people just think I can’t necessarily see it, touch it and therefore I don’t really necessarily know where my money’s going. I’ve just heard that a lot from people over the years. So how would you sort of combat that and say, like, it’s definitely important to have a security person? Do you need an enterprise size CISO? No, but you need some level of security, or maybe it’s even a fractional CISO, which is what we’ve seen often in the market. So what are your sort of sentiments around that, Steven?
Steven Grossman [00:05:50]:
Yeah, absolutely. I mean typically when I’ll get a call from a friend or a former contact in the industry saying hey, I want to get involved with this, who should I call? What should I do? It’s very often either one of their friends just got hacked and got hit with ransomware, got hit with other issues. They went to a conference and they saw a larger firm and more substantial firm who got hit and it raised the antenna to the issues. And at that point you’re right, it’s really very much a matter of education. And most of these SMBs don’t want or don’t need a full time resource to manage it, but they do need a source for the education and they do need somebody to structure the process. It’s really that recognition and that prioritization that’s the first step. Because once you have that, number one, everybody else in the firm, right, all your employees see that management is prioritizing it. So they’re going to prioritize it.
Steven Grossman [00:06:40]:
And number two, if you get the right people on board, the right vCISO and the right MSP to help you along, that really is the first step to making it happen. And from there it’s a step by step process to checking the boxes and filling in the blanks. And as I mentioned, the regulatory landscape right now, it’s increasing year by year and you really can’t avoid it. Right. So an industry, maybe it’s not regulated in and of itself, but again, just relying on New York State. Right. New York State has statewide mandates. Right.
Steven Grossman [00:07:09]:
For whatever business you’re in. If you don’t get to it yourself and manage that risk yourself, the government’s going to kind of force you to do it anyway. And I often compare it to people. People don’t want to spend money on insurance either. Right. You don’t want the fire insurance, you don’t want the liability insurance. You’re probably never going to use it, thank God. But you know what? Sometimes you do.
Steven Grossman [00:07:28]:
And it’s a matter of risk management. And the risk landscape has gotten so large now, especially for SMBs that aren’t keeping their eye on the ball, that you really can’t ignore it anymore.
Karissa Breen [00:07:39]:
Yeah, that’s interesting. The apartment complex that I live in, when I moved from Australia to here, you have to get renters insurance. You don’t really need that in Australia, but you need it here, as you would probably know. Anyway, long story short, a couple of weeks into living here, I’m not on the first floor, but the whole first floor got flooded. Apparently all these people inside the apartments, all ruined because of the water damage. So it definitely does happen. But in my lifetime I’ve never seen that. But it does happen.
Karissa Breen [00:08:02]:
So luckily I’m not living on the first floor and I have the renters insurance.
Steven Grossman [00:08:06]:
Welcome to the South.
Karissa Breen [00:08:07]:
I’m learning that as I’ve been here now over the coming weeks. So I want to talk about regulation now. I’m from a country that’s heavily regulated now, depending on who I speak to. And I’m keen to get your view on this, Steven. Some folks say they’re against it, some say they’re for it. It’s forcing people’s backs against the wall. But then there’s that old adage around, sometimes you attract more with honey than you do with vinegar.
Karissa Breen [00:08:31]:
So what’s your sort of stance on regulation?
Steven Grossman [00:08:34]:
I think it’s a balance. I think it’s a balance. And as we’ve been discussing, very many industries that are not necessarily directly regulated don’t step up and do what’s right. And it’s not only endangering their own businesses, but it’s endangering all the customers’ data and sometimes by extension, their customers. The regulations, I think, are good to raise the visibility and to raise the attention. When they get out of hand, obviously it becomes more of an impediment to the business than not. But as long as the regulation is in line, you know, essentially many of these regulations are just trying to implore a business to employ best practices, right? Very, very often it’s motherhood and apple pie, so to speak. If you’ve been in a large enterprise and you’ve worked in a large enterprise, these companies don’t need the regulations in order to raise the antennas there because they understand the risk.
Steven Grossman [00:09:21]:
They’re exposed, you know, that much more because of their size and shape. But in the small business, very often you need to have the regulations to give you some structure around it. And that’s why it’s really important to have the right resources. I’m blessed to have management that recognizes the importance of cybersecurity and compliance, and they prioritize it. And as a result, that trickles down to everybody else in the company. And, you know, we’ve got a culture where our employees raise their own hands when there’s a question, raise their hands when there’s an issue, as opposed to bypass it or get around it. The regulations are there to help that process. And again, it’s a balance, right? I’m not in favor of overly restrictive or overly burdensome regulations, but those that just kind of keep you honest, I think, are not a bad thing.
Karissa Breen [00:10:04]:
So I want to talk about perhaps maybe the reality of an SMB. So what I mean by this question, it’s limited budgets, it’s smaller IT teams, as we’ve already discussed today. But then also, how do we, or SMBs more specifically, prioritize cybersecurity and compliance? And then the other thing I really want to focus on as well is you said before, having the right resources. And a lot of that comes down to money. How much money do we have to allocate to fractional CISOs, tooling vendors, whatever. But then how do you sort of draw more blood from a stone as an SMB? Because at the end of the day, like you said, no one likes paying for insurance. I don’t know anyone that wakes up thinking, I like paying for insurance today. The same thing is probably going for cybersecurity as well. So how does that question sit with you, Steven, when I ask you like 10 questions?
Karissa Breen [00:10:51]:
But I’m just. My brain’s sort of going like all over the place because I think this is a really big topic that not a lot of people have great answers to.
Steven Grossman [00:11:00]:
It’s a real challenge, right? But the reality is that you have to resource what you need to resource, right? You wouldn’t go without an attorney due to limited resources. You wouldn’t go without an accountant due to limited resources. And you shouldn’t be going without some level of expertise on the IT and cybersecurity side and compliance side as well, if that’s a requirement in your business. There are ways to skin that cat by going with fractionals and going with the right kind of MSP. But ignoring it is a recipe for disaster. And there are many, many firms out there now that are kind of networks of CISOs that provide that fractional expertise. Many of the MSPs, and I think the MSPs are really the critical factor here. Again, you know, thank God, I’m blessed with an MSP that really gets it and really understands not only the bits and bytes and the technology, but they understand the regulatory landscape as well and kind of rise to that challenge.
Steven Grossman [00:11:52]:
But an MSP will only do what the client tells them to do, right? If their MSP hears from their client, let’s spend as little as possible and do as little as possible to create any friction in the business just to keep things running, then that’s what the MSP is going to do for you, right? And their bill will reflect a low price, but you get what you pay for. If that MSP hears from you that cybersecurity is very important and hears from you that, you know, you want to be proactively in favor of compliance with the regulations, then they’ll rise to that occasion and they’ll serve you in that way. I can’t tell you how many people I’ve spoken to just in and around both financial services as well as other industries that are willing to roll the dice, right? They’re willing to say, hey, we’re going to spend as little as possible. If something happens, we’ll deal with it. When it happens, you kick the can down the road and let’s worry about it then. Sometimes they’re able to deal with it then, and sometimes it brings them down. Rolling that dice is a dangerous game to play.
Karissa Breen [00:12:47]:
So if you’re an SMB, a lot of the times you may not know a lot about cybersecurity or even running, you know, a lot about it. So how does someone know, like, what does a good sort of MSSP look like? For example, like, I don’t know anything about, like, legal stuff, but I’ve got people around me that are lawyers. So it’s like these are the sort of things that you can look for. So there are probably people out there that are like, look, I don’t know anything about IT or security, but obviously there’s different capability that certain MSSPs would employ versus others and cost and all these sort of things. But is there anything that sort of stands out for you that people can say, you know what? I listened to Steven on KBCast and he made a really good point.
Steven Grossman [00:13:29]:
The key is that you can sense you’re not a lawyer, but when you speak to a lawyer, you probably got to that lawyer through a personal relationship that referred them, right? And so you’re coming in with some level of confidence. And then if you really listen to how the person speaks with you and really expresses their services to you. So, you know, some will come in and kind of give you the laundry list and the menu of services, some will get to know you better and be able to have that ongoing conversation with you to really understand what your needs are. And it’s important to hear them going beyond the letter of the law, so to speak, and think more about the spirit of the law and what they’re trying to do to protect your business. Listen to them being proactive with you, right? Are they raising the issues with you or are you having to raise the issues with them, and you know, get a sense of their expertise, get a sense of their approach. You know, Rome wasn’t built in a day in any business when it comes to cybersecurity. Listen to the structure and the methodology of their approach, understand their resourcing. There are very many SMBs, you know, that grew themselves out of a basement and are still using the same two guys, you know, to support their IT services over the course of time, right? And sometimes you outgrow that original MSP, sometimes you have to take that step up.
Steven Grossman [00:14:43]:
Just like when you had your buddy, the lawyer, helping you out when you were starting out. But you know, you had to grow up to a larger firm when you became larger and your legal requirements became larger. And so being able to understand a methodology and approach and an expertise in both IT and cybersecurity is really, really important. But you can’t rely just on the MSP unless the MSP is providing you CISO level services. And by that I mean, you know, you’ll speak to any technology provider and the MSPs will tell you about vulnerability management, they’ll tell you about their SIEM and they’ll tell you about their different agents and technologies that they’ll install on your machine. But you know that doesn’t really mean anything to you unless you understand the structure that it’s trying to fit into. Right. And so having that vCISO, having that fractional CISO to guide you, or having an MSP that can provide that higher level guidance first and laying out a plan and laying out what your real risks and exposures are based on how you’re running and making a recommendation that’s in line with the size and the shape of your business is really important.
Steven Grossman [00:15:46]:
Right. One size does not fit all, both when it comes to security and cybersecurity and any other aspect of running the business.
Karissa Breen [00:15:52]:
So would you say as well, going back to your comment around growing up, and I hear what you’re saying because after a while, you know, the firm that you’ve had that’s taken you to X level, you may need another one. Do you think people get a little bit like, oh, but I couldn’t be bothered. I’ve used these people for so long. Yes, whilst I probably understand I do need a new firm that’s going to cater to the new capability and the new needs of the business and requirements, it’s just all too hard because it’s going to create upheaval. We have to get to know the new people. So do you think a lot of people just stay because it’s convenient and easier and less disruptive for their business day to day, because they’ve got other things to do as well? Right.
Karissa Breen [00:16:29]:
They’ve actually got to, like, sell their businesses so they can even pay for their MSSP. So have you seen that happen a lot, Steven?
Steven Grossman [00:16:35]:
I have. I mean people stay because of the fact that it’s kind of a known entity. People stay because of their long term relationship. Right. It’s hard to make that switch since it’s like the old Seinfeld episode when he tries to switch barbers. Right. You know, when you’ve been going to the same person and using the same person for years and years, that’s an important relationship and I wouldn’t suggest violating that relationship. But you have to have the frank conversations and again it comes from expressing the priority of cybersecurity. Most of these MSPs can handle whatever you need to handle, coming from birth, so to speak, where they saw you growing your business, and when you first started, you were obviously on a much more limited budget than you should be after some number of years, right.
Steven Grossman [00:17:17]:
That they’re going to continue in that low budget mode of operation until they’re told otherwise, that they’re only going to go as far as you’re asking them to go. And so if you express the priority, you express the importance and you put the dollars behind it, again in a stepwise fashion, you know, nothing to break the bank. But in order to apply the appropriate level of priority, as with other areas of running your business, most MSPs will rise to that occasion. But yeah, absolutely. I mean people hate change and people don’t like changing relationships when they’ve been happy with a support company.
Karissa Breen [00:17:49]:
So what do you think, if you were to zoom out, is ultimately what SMBs don’t get about security? So we could say they don’t get a lot about security in general. But is there anything that really stands out?
Steven Grossman [00:17:58]:
Well, what stands out is that they don’t think about it in terms of the risk. Right. Cybersecurity is still thought of as kind of an extension of IT. And as long as their PCs are running and as long as their files are accessible and they can get to their applications and, you know, things are kind of humming along, don’t ask, don’t tell, don’t bother me with anything else around that. Once they understand the risk, and again, that visibility, they’re not sitting and reading cybersecurity websites like we are. They’re not sitting and reading the different events in any detail. What they’re doing is they’re running their business. They know how to run their business, they know their business, they know the accounting side, they probably know the legal side. They’re not thinking about the risk that they’re exposed to.
Steven Grossman [00:18:39]:
Right? So that visibility usually comes, as I mentioned earlier, either from a conference or something that happens to them or something that happens to somebody close to them that raises the antennas to raise the priority in their head. But until that happens, until that light bulb goes off, you’re fighting an uphill battle, right? Because it’s not only the money that they need to spend to put the right controls in place so that their risk of exposure goes down, but it also adds friction to the business and nobody wants to add friction to their business. Right? And certainly the employees on the front lines, if they don’t see that priority coming from their leadership, then they’re going to do everything they can to circumvent whatever controls you do put in place. If you block them from accessing files in one way, they’ll email it to the personal account and work on it that way. You know, it’s not a fixed equation. Right.
Steven Grossman [00:19:24]:
That you really need to be able to raise the priority and to raise the visibility throughout your company so that everybody is working together. Just like they would raise a legal issue, just like they would raise a financial issue. That you want people thinking in terms of cybersecurity and just risk management in general.
Karissa Breen [00:19:40]:
Yeah. And that’s an interesting point because if they’re not cyber people, why would they, you know, necessarily listen to this podcast, because it’s not what they do day to day. So how do you think people, how do we start to engender, like, thinking with that risk based approach like you mentioned? Yes, conferences, and if something happens to them. Or do you think it’s ultimately going to succumb to the fact that these SMB businesses will start taking cybersecurity more seriously when something actually does happen to them, or will it just have to get to that point? It’s more like, you know, when you’re a kid and your mom’s like, hey, don’t touch the hot stove. And then you accidentally touch it and it burns, you don’t do it again. So as much as your mom told you not to touch it, you’re curious and you did and you got burnt from it. So do you think it’s more, I mean, that’s a metaphor.
Karissa Breen [00:20:23]:
But do you think it’s sort of like that? And as much as you, and I hate to hear that that’s a thing sometimes it’s just the reality of the situation because these people are not cybersecurity people and they don’t think necessarily with the same lens.
Steven Grossman [00:20:38]:
Yeah. It’s a step by step process. So many SMBs are certainly going to keep doing what they’ve been doing. If they’ve been successful in their business, they’re not worried about cybersecurity. They’re going to keep running their business until something happens and then deal with it at that point. But certainly the visibility of it is getting greater. Right. And I think the visibility also on the personal level kind of flows into the SMB world more than it does the enterprise side.
Steven Grossman [00:21:03]:
Right. If one of the principals of a business has a personal issue where their identity gets stolen or their personal email gets hacked. Right. That raises the antenna for them. And having those kind of events and having those kind of signals certainly raises the visibility overall. All we can do in the industry is keep beating the drum, so to speak, and hope that they’re not waiting until an event happens. But it really becomes a matter of priority in your business and how you’re spending your...
Steven Grossman [00:21:31]:
How you’re spending your money, right? And if you don’t understand the risk, you don’t fear the risk, then you’re not going to be motivated to spend the money unless you have a regulator kind of forcing you to.
Karissa Breen [00:21:41]:
So just doubling down on the spending your money, would you say, and I’ve seen this happen before, I don’t know what your view is on this, that SMBs have sort of spent money on things that are just too intense? Like some of the stuff is for an enterprise, not for an SMB. So like, in a perfect world, we’d have all these things, but some of it is a little overkill, perhaps, and maybe someone lured them down the path and they ended up buying something they didn’t need necessarily. Do you see a little bit of that? Perhaps there’s spending in areas that don’t necessarily need to be there rather than some of the basics being overlooked. Or what are your thoughts?
Steven Grossman [00:22:13]:
I think the flip side is actually a greater challenge, where they perhaps did spend the money, but something happened anyway, right? Cybersecurity is not a perfect science. And perhaps they invested in a more sophisticated email security, a more sophisticated endpoint security. And something still happened. They still got compromised, right? The machine still got infected, somebody clicked on a link and something still happened. At that point, there’s a level of cynicism that kind of sneaks into the picture and says, hey, you know, if it’s going to happen anyway, why should I bother spending money on this stuff? Right? And so that, I think, becomes the greater issue than the flip side of that.
Karissa Breen [00:22:46]:
Yeah, that’s an interesting point. So what would be your counter argument to that then?
Steven Grossman [00:22:51]:
Well, the counter argument really remains the same, right? You don’t not go to your doctor because you went to your doctor but you still got sick. Right. Risks are out there. You hear too many stories. Somebody goes to a cardiologist and the cardiologist says he’s in perfect health, and the guy goes out and has a heart attack, right. He doesn’t stop going to his cardiologist because of the fact that he had a heart attack. It really becomes a matter of understanding the risk and being able to proactively deal with the risk as opposed to reactively dealing with it. And that’s really, you know, I think the overall challenge of the industry, right? Everybody understands the need to react to something that happens. They can’t always foresee the risk of it happening in the future and try to prevent it in the first place.
Steven Grossman [00:23:30]:
Right. Preventative medicine is always the best medicine rather than trying to deal with things after something happens.
Karissa Breen [00:23:36]:
And would you say your caveat to that would be like, even if we get all this stuff, something still could happen? Like there’s no 100%, it’s all guaranteed. There’s none of that. So do you think perhaps they know that, but it’s still annoying anyway because they spent money on something and something still happened, and maybe they should have spent more, and how long’s a piece of string, all these sort of conversations and thoughts come in. But is that a thing, or what are your thoughts?
Steven Grossman [00:23:59]:
Yeah, look, uncertainty is a part of life and uncertainty is part of business, right. I think the SMB side are more likely to shy away after something happens, despite spending the money, because they’re not really thinking about it from the point of view of risk. Right. They’re thinking of it from the point of view of a tool and an event. Right. And so being able to think of things in terms of risk. Right. If, God forbid, somebody has a fire, that doesn’t mean they’re not going to have a fire in the new location tomorrow.
Steven Grossman [00:24:23]:
Right. The risk is still there. The need to prevent it is still there. You still need your smoke detectors and you still need your fire insurance. And the same thing goes for cybersecurity, right. Just because something happened, you need to learn from those events and do a better job of mitigating them in the future. At the top of all of my board presentations it says security is not a project, it’s a process. Right.
Steven Grossman [00:24:44]:
It’s an ongoing process that you have to work on a daily basis. Not something that just, like, starts and ends with the implementation of a tool or some new process.
Karissa Breen [00:24:52]:
So what about SMBs in the regulated space? So often we hear, and you would know more than me, Steven, on this, like, oh, it’s not just a tick in the box or you’re just checking the box. Obviously that gets security people offside because they, as security people, see that approach as a little bit clinical and not very thorough perhaps. So what are your sentiments then? Would you say that a lot of these SMBs are being really clinical and just like, let’s just get the box ticked because, you know, if something happens, we’re going to be audited, we need to do it for compliance reasons. What’s going on here?
Steven Grossman [00:25:26]:
When you deal with a business, you can always tell whether it’s a business that, quote unquote, does things right or does things to check the box, right? And that’s not just cybersecurity, that applies across the board in terms of how they run their businesses, right? And the regulations typically don’t really ask for anything that’s too far afield when it comes to the actual requirements. But for an SMB, it adds a lot of friction, right? So even if they were willing to spend the money and even if they put everything in place, having to send out encrypted emails adds friction. Having to encrypt files adds friction. Multi factor authentication adds friction. It takes time, it takes effort, causes some confusion with some users, creates support requirements. Somebody gets a new phone, they need to get a new MFA. The regulations themselves are not so much the issue as much as how the actual resulting implementations are viewed, right? If management is viewing the regulation as a burden and they’re just looking to check the box, or not even check the box and roll the dice, they’re asking for trouble, not only with the regulators, but they’re asking for trouble just because nobody’s going to prioritize it in the organization and something’s going to happen.
Steven Grossman [00:26:34]:
You can go for many years without a smoke detector and nothing happens. But God forbid, at some point, if...
Karissa Breen [00:26:38]:
...something happens. Okay, that is interesting. So going back to your comment around how you can sort of tell, are there any other sort of alarming indicators? You’re like, oh, this person’s going to just be a little bit clinical around the tick, tick, tick down the chain to get it done. Is there anything that stands out to you?
Steven Grossman [00:26:54]:
Again, how they talk about the domain, how they talk about cybersecurity, that is usually the indication. If you sit down with a client and the client tells you that they want to spend as little as possible and let’s just put the window dressing on to satisfy a particular regulation, they’re probably saying the same thing to their accountants and they’re probably saying the same thing to their lawyers, and they’re probably saying the same thing to any other aspect of the business that’s not core to their actual product. You know, it’s a dangerous way to run a business, but it’s a matter of you can pull the trigger now and be proactive. And at the very minimum, even if, God forbid, something does happen, your exposure to lawsuits and your exposure to the regulatory fines is that much reduced because of the fact you’ve done your due diligence, right? Things happen every day across all domains. But if you’ve done your due diligence and you’ve made a reasonable effort to prevent them, then nobody can really hold you too responsible for things that happen. If you’ve done nothing, if you’re scrambling to cobble together policies, you know, like the old Blazing Saddles fake town, right, when the regulators come calling, as opposed to being able to present them with the real stuff, then you’re just asking for trouble across the board.
Karissa Breen [00:28:05]:
So let’s switch gears and maybe let’s talk about leadership. Now, I’ve spoken to a lot of people on the show about building the right culture, et cetera, et cetera. But how do leadership sort of embed that, so cybersecurity isn’t seen as, like, extra legwork, right? Because no one wants to do extracurricular stuff. People are overworked, they’re tired, they’re exhausted, costs are going up. So how would you approach this? Because it is important. We do need to engender it, but sometimes people don’t quite hit the mark, or people are like, oh, it’s another thing I’ve got to do. Steven, what would be your sort of advice to approaching this problem?
Steven Grossman [00:28:44]:
I think being able to allow the right people to put the right information in front of the right people at the right time. And by that, I mean everybody has some sort of cybersecurity training. Everybody has discussions of it one way or the other. But if your management is clearly expressing to everybody that we’re spending all this money, we’re taking all this effort, and the reason that we’re doing this is because, number one, it’s required by the regulators. Number two, our company may not be here tomorrow if we don’t do this. Your job may not be here tomorrow if we don’t do this. This is serious, right? This is important.
Steven Grossman [00:29:18]:
This is as important as anything else you’re doing across the board, then that kind of raises the attention of everybody in the firm. If leadership is vocal about the importance of cybersecurity on a constant basis, right? And that’s not to say, right, the head of an insurance company is talking about cybersecurity all day and all night. Right? But the firm sees that they put dollars behind the effort, and the firm sees they’re in compliance with the effort, and the firm sees that they’re hiring the right people, be it MSPs or be it vCISOs or full-time CISOs or whatever other resources are required. And the firm sees that this is important to senior management. That trickles down. The way they treat the employees once something happens also is very clear. Right.
Steven Grossman [00:30:05]:
I make a point, when somebody raises a particular issue to me that kind of came out of left field, that they were intuitive and attuned to, I make a big fuss about it, right? To let everybody know how important it is that, you know, it’s a team effort that everybody has to step up to, and, you know, we try to gamify it a little bit as well, but, you know, having everybody on board to build that risk-managed culture. And I know I keep using risk management as an expression. It’s not something that we talk about day to day on the front line. Right. I don’t talk to adjusters about risk management in that way. You know, I talk to them about it in terms of risk to the firm and what we’re doing to mitigate that risk.
Karissa Breen [00:30:44]:
What about the term virtue signaling? Now what I mean by that is companies come out and say, look, we really care about your security. And then a big breach happens. Now I know it could happen to anyone, I get that. But sometimes I’ve heard from folks out there saying, yeah, I felt like the guy running the company, the lady running the company, has just said it because the PR person told us that and they need to appease media and shareholders, and we really care about security and all that. So how do people get beyond perhaps being a little bit cynical towards companies out here saying we really take your security seriously? Because there’s a lot of distrust happening at the moment. Even with big businesses. Perhaps people just aren’t as trusting as they used to be back in the day. So what are your thoughts on that? Because I think this is a big one.
Karissa Breen [00:31:29]:
I’m seeing it a lot online. I’m reading when, yes, a breach happens, but just more generally I’m reading to see what consumers are saying about these businesses, etc. The number one thing I’m hearing is, what about our privacy? What about this? And how come they didn’t take our security more seriously? Those are things that, even in, you know, the last 10 years that I’ve been in this space, I haven’t seen a lot of that up until recently. So people obviously are cluing onto the fact around cybersecurity for businesses. But I’m just curious to hear your thoughts on that, Steven.
Steven Grossman [00:31:55]:
I think the proof is in the pudding, right? If, speaking internally, when you’re dealing with different people in the business, you ask them to do things that are kind of working around your controls and working around your policies, and they see that you’re not taking it seriously, then they’re not going to take it seriously. Right? You can’t tell people not to put personal information into your team chat and then ask them, hey, can you shoot me that credit card number? Right? It doesn’t work so well because people see that you’re not serious about it. You know, in the public domain, I think it’s really very generational. I think the younger generation, because of social media, is so attuned to a lack of privacy, it’s a lot less on their radar. The privacy issue is a lot less on their radar until, God forbid, something happens, right? If you talk to my mother, she’s lived a long life, she’s in her 90s. I ask her for a Social Security number for something, she’ll tell me, oh, no, don’t put it into the Internet. The Internet’s not secure, right? Which is just a different generational view of things. And the vendors that you’re dealing with, and the way you interact with the vendors you’re dealing with, are important. From the point of view of virtue signaling, you have to be your own best advocate.
Steven Grossman [00:33:00]:
And yeah, you’re going to see the things in the paper and you’re going to see things online, talking about issues at large companies. But you know what? Don’t use the same passwords across all your sites. Use a password manager, use multi-factor authentication, use passkeys. Protect yourself, because you can’t count on any of these companies to protect your information 100%. Because cybersecurity is not a perfect science, right? And no matter how hard any company is trying to protect their customers’ information, things happen, right? It’s not perfect. And so, you know, you have to do everything you can on a personal level to protect yourself so that you’re protected if something happens within one of these companies.
Karissa Breen [00:33:36]:
And Steven, what would be your closing comments and final thoughts today?
Steven Grossman [00:33:41]:
I think my final thoughts are just to encourage SMBs that are perhaps not paying any attention to cybersecurity at all to step it up and reach out to somebody who has the right expertise, or, everybody knows somebody, and to build that sort of security infrastructure and start to reduce your risk. Ultimately it’s going to come back to bite you one way or the other within a short period of time. Right? Don’t rely on the fact that something has never happened before for it to never happen again.