Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

**Raw & Unfiltered** Compliance Regs You Should be Following that Nobody Tells You About (And Craig Reels in a GATOR!!)

April 26, 2022 Petronella Cybersecurity

 ***In order to get the breaking cyber news to you guys FAST we are posting these right after the live broadcast! If you prefer your news more filtered, keep an eye out for the edited posting tomorrow!***

Today we welcome Craig back! Not only do we get to hear about compliance regulations you're probably subject to but unaware of, but we also get to hear Craig's harrowing tale of 'gator wrestling in the murky waters of North Carolina!

Link: Craig Reels in a Gator in Arapahoe, NC!

Host:
Craig

Co-Hosts:
BJ, Blake, and Erin

Support the show: Call 877-468-2721 or visit https://petronellatech.com

Please visit YouTube and LinkedIn and be sure to like and subscribe!


NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.


Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Craig:

All right. We are live.

Erin:

Hi, welcome back, Craig. It's good to have you back.

Craig:

Thanks.

Erin:

We missed you.

Craig:

Yeah, definitely some interesting things happening.

Erin:

Oh yeah. Like what?

Craig:

Just almost caught an alligator out with my son.

Erin:

Better than an alligator almost catching you,

Craig:

Yeah.

Erin:

which maybe that happened to you. I don't know

Craig:

Nope. Nope.

Erin:

Where, so where were you when this happened?

Craig:

Yeah. So we were camping with my son. I think it was called Arapahoe, North Carolina. It's by the Neuse River.

Erin:

Oh, wow. That's kind of far. That's like inland, right?

Craig:

It's about three hours from Raleigh. Yeah.

Erin:

I guess I wouldn't really expect an alligator to be there. I see a lot of them down here in South Carolina.

Craig:

Especially here at a camp with a lot of kids.

Erin:

No, you said you have a video.

Craig:

Yep. I got a video and a screenshot, or a zoomed-in clip of the video, that I'll pretty...

Erin:

Okay. I want to see this.

Blake:

was.

Craig:

A good long gator though.

Erin:

You told us it was 12 foot.

Craig:

Not 12 foot, but it's big enough to eat somebody.

Erin:

That's huge. Yeah. There's a couple of eight-foot gators around here and it's like, stay away.

Craig:

What'd you say Blake?

Blake:

I was going to ask how big it was. You literally came in and let us know the size of your feet, you know, how capable you are of handling an alligator.

Craig:

Yup. So I guess PTG keeps you safe from gators.

Blake:

We can always get into the Gator to get her security.

Craig:

Right? You never know what you're going to get when you go fishing.

Erin:

That's true.

Craig:

So.

Erin:

And something else that we want to talk about today, that's not quite as interesting for most people as catching gators, is compliance. Always a good Monday opener.

Craig:

Yeah, everybody wants to wake up and talk about compliance.

Erin:

Oh yeah.

Craig:

So I think you guys were asking about compliance regulations that most people don't know they're subject to.

Erin:

Yeah. I think that's a good one.

Craig:

Sure. So you've probably all heard of HIPAA, which is for medical. But I don't think a lot of people understand that there's two

Erin:

Okay.

Craig:

or technically three categories for HIPAA. There's what's called the covered entities, which is the doctor's office, the hospitals; what's called the clearinghouses, which is the insurance companies; and then there's also the business associates, which is anyone that interfaces or interacts with the covered entity in any way, shape or form. And that could be your IT guy, your IT provider. It could be an accountant or somebody that has access to the books, but anybody that could potentially be exposed to the patient health information, or PHI, can be considered a business associate. And you as a provider should have what's called a BAA, or business associate agreement, in place, which is a legal document that basically says, hey, if you ever come in contact with patient information, you're going to keep it confidential, and you have an obligation to secure it. So you are now subject to the same safeguards as the covered entity. So it's a trickle-down effect. So that might be something that a lot of people are unaware of. Most people, when I talk to them, have an IT guy that they're happy with, and, "Yeah, Bob's been fixing our computers for the past 20 years, you know?" So do you have a BAA with Bob? "What's a BAA?"

Erin:

That's a no.

Craig:

"I didn't know I needed one of those," you know. So yeah, there's definitely risk and liability there. And if you get caught, then you can both be subject to steep fines and penalties. That's one common one. A new one that came out, affecting CPA firms and bookkeepers, came out in January of '22, this year. That one is basically a similar regulation to HIPAA, where there are safeguards and you have to have policies, procedures, and safeguards in place to make sure the sensitive information of the taxpayers that you're working with, their Social Security number, their tax returns and their books, you're keeping confidential. And you have security controls, supporting evidence, making sure that you're doing all this stuff. And it goes back to the same stuff that we've always been saying on previous episodes, around risk assessments, pen tests, and all this evidence proving that you're doing what you're supposed to be doing.

Erin:

And I just want to throw this in there. Sorry. But isn't it true that tax fraud, especially by hackers or bad actors, has increased over the years, especially with the advent of, you know, a lot of people filing their taxes online? There are a lot of people that have their information stolen. I would imagine maybe that's one of the reasons.

Craig:

Yeah. I mean, we're obviously in a climate right now with risk and adversarial threats and, you know, hackers' favorite tools in the toolbox. So what I was saying is that hackers really like keylogger malware as one of their tools, and keylogger malware captures any kind of keystrokes. If you're not using keystroke encryption, then the keylogger malware will capture all those keystrokes, including Social Security numbers, passwords, anything sensitive. So my point is that yeah, the regulators probably are starting to say, hey, look, you know, a lot of the CPA firms and bookkeepers are exposing consumer information. And we're talking specifically about the new regulation that came out in January of '22 that affects CPAs and bookkeepers and any of the intermediate third parties that are involved with the handling of those sensitive tax returns and tax information or financial information. But, you know, there's also what's called FTC regulation. You know, the Federal Trade Commission has federal laws around sensitive data and the safeguarding of that sensitive data. And like I said, we're in a different climate now, a heightened state where it's really just a matter of time, no matter what business you're in. You're going to be subject to some type of regulation. I guess the best one that most people are probably familiar with is credit. You know, we've got PCI compliance, or Payment Card Industry compliance. If you take credit cards, you're subject to PCI compliance. A lot of business owners don't really understand that very well. They'll probably be outsourcing the acceptance of credit cards to maybe a third-party provider like Square payments or QuickBooks, or some solution that they purchased or that they use in their line of business.
But the point is that when you use those solutions, you can't outsource your responsibility for the proper handling of the credit cards. Now they may provide a good platform to keep that information secure, but you as the business owner and you as the business have what's called a merchant account, and you have an obligation and a responsibility to keep that information secure. Now there might be a platform, like I said, that's out of your control. But if you read the detailed terms and conditions, there are typically things that you need to do, and you need to, what's called, attest to them and sign off on them. So what that means is that by allowing your business to accept credit cards, you have responsibilities and obligations that you can't outsource, that you must do, and that you must do properly and test and self-attest to and sign off on: hey, you're keeping this information safe and secure. And that's why we keep talking about these assessments and these practice assessments and these pen tests and all this stuff, just to make sure, because, you know, we're all human and we don't do everything perfectly every single time. So we need help, and we need third parties that are trusted to test all this stuff and, you know, hopefully catch it before an audit.

Blake:

Not all PCI is the same. So like you said, using Square does not absolve you of your PCI compliance. And obviously the organizing body recognizes that. So there are four different levels of PCI compliance. For example, merchants that are handling less than 20,000 transactions per year are what's called level four. And then it goes up to level three, 20,000 to 1 million; 1 million to 6 million; and over 6 million card transactions will be at level one. So, you know, these are things that obviously you have to do. And obviously it costs more to be level one compliant than it does to be level four compliant.

Craig:

Yeah.

Blake:

So, you know, for a lot of businesses, there's no excuse.

Craig:

And as you go up that ladder, you know, using transaction volume, the number of transactions, as well as transaction size or average transaction size. Let's say you're Ticketmaster and your average ticket sale is 50 or a hundred dollars. If you do 10,000 sales in a day, you're obviously going to be on the higher level of your mandates around PCI. And with that volume, they're not going to just allow you to sign off and say, yeah, yeah, yeah, we're doing all this stuff. They need the proof. And there's actually a PCI certified assessor that will need to come out, and that's the third-party check and audit that you'll have to go through in order to keep your business and keep accepting credit cards at that volume and that average ticket size. Most businesses are probably smaller and they don't have that kind of volume or that average ticket size, so they'll allow you to have less strict regulation, compliance and alignment. But the fact is that you can't outsource the responsibility in the end. Everyone still needs to properly safeguard this information, and everybody should have the mindset of, hey, look, I'm not only safeguarding it, but here's my...

Blake:

Another one that, I mean, we were talking about before we hopped on this podcast, is obviously people that are doing business within the state or have customers within the state of California: CCPA.

Craig:

Yeah.

Blake:

And I mean, GDPR.

Craig:

Yep. There's the California Privacy Act, so CCPA. You know, there's also New York's privacy law. Different states are now adopting their own levels of privacy and their own regulations that you have to follow. So you've got these more recognized standards and frameworks like NIST. We've talked a lot about the National Institute of Standards and Technology, or NIST. Specifically in the HIPAA space, it would be NIST 800-66. And in the federal space, or defense industrial base, that we talk a lot about, those folks are subject to DFARS and NIST, and now the CMMC 2.0 compliance regulation. And you've got different frameworks, even for small businesses. They have a framework for small businesses. They have computer information security. The FBI has CISA. You know, there are all these regulations, there are all these frameworks that are out there. Most commonly in our country, in America, there's what's called SOC 2 Type 2, a third-party audit where a certified accounting firm can audit a period of time for a business. Maybe your business is small and you want to do business with a larger company or a more mature organization. Those larger companies measure the risk of the vendors that they do business with. We have what's called vendor security questionnaire professional services, where we help a lot of those folks get through the maze of questions. And sometimes it's pretty daunting: 300, 400, 600-plus questions for the business profile, for the small business to fill out, just so that they can start getting on the approved vendor list to do business with the bigger guy. And that becomes a daily occurrence, where all these different companies are asking you to fill these things out.
Oh, and by the way, they won't allow you to rinse and repeat and reuse somebody else's questionnaire. They would not allow that; they make you fill out their own questionnaire, and they make you fill out the evidence that goes along with that questionnaire. So if you're getting buried with all these different SQs, or vendor security questionnaires, you may want to consider a SOC 2 Type 2 or an ISO 27001 audit and compliance framework, because those frameworks will allow you to no longer fill those things out. And most large organizations recognize that a SOC 2 Type 2 report or an ISO 27001 is very powerful. ISO 27001 is really powerful outside of America. SOC 2 Type 2 is more common in America, but they are different frameworks. They're very similar, but ISO is more of the global standard. So that's a way, like I said, when the volume gets too high and they're really just starting to bury you in filling these things out, that's when you would consider that. And we can certainly help with those types of regulatory frameworks.

Erin:

Do you think at any point things are going to become more standardized, like where all companies are supposed to follow the same rules?

Craig:

Yeah, that's a good question. So I think that NIST has done a really good job with the new CMMC framework. My hope is that more regulations will adopt that methodology and reduce the need for all these other regulations. Meaning, you know, HIPAA came out and was signed into law in 1996 by Bill Clinton. I mean, that was ages ago. Look at how different we are with the internet and cybersecurity now versus 1996. Right? So there's no clear guidance around HIPAA. It's a very gray area. CMMC 2.0, for example, could definitely overtake and bolster and better secure our medical offices and hospitals, if those would follow the CMMC 2.0 framework as opposed to HIPAA. So I think in America it's really going to come out of the federal government, and it's going to be a decision there on standardization. And I do think that would be a good thing to simplify and help not only, you know, the private sector, but also our defense industrial base. And if everyone is following that same framework, it'll make it simpler. And I think more people would actually do it.

Erin:

I think so too. One thing that I've noticed, one of the biggest differences between HIPAA, well, really CMMC and a lot of the other regulations, I feel like a big difference is that CMMC really focuses on trying to integrate cybersecurity into the culture of the business, as opposed to just making a checklist for you to check off. Like they try to really get you to understand why you're doing what you're doing. I feel like some of the things, they always win in that arena, but I feel like the thinking behind it is really smart and really more up to date. The checklist approach is just not good enough anymore.

Craig:

Well, I think that's a good point, Erin. I think it's pretty obvious that checklists and self-attestation are not good enough anymore. I think that's really the whole reason why the federal government came out with the draft of CMMC version one, and basically the big change was you can't self-attest anymore. You need these third-party audits, and you're going to have to find a C3PAO, and you're going to have to go to the marketplace and basically prove your compliance. Right. And you know, in November of '20, when the interim rule came out, the federal government said, hey, look, we know defense industrial base supply chain companies that are out there, we know that you've self-attested, but we want to really see who really has the proof, who's able to upload their score to the SPRS system. And, you know, how many of you guys, of the 300,000-plus DIB companies, how many of you guys have a perfect score of 110? And I think that there are still companies on the sidelines that have still not submitted their score.

Erin:

Right.

Craig:

I think there's still confusion around, well, do I need to submit my score, or does that apply to me? And I think people are still not educated enough on the responsibilities of, hey, look, I signed off on that contract, I took that money, what do I need to do? And I think that people forgot or glossed over all of the responsibilities. And that's where I think there's a lot of confusion right now with the DIB on, you know, what is the CMMC, why do I need to do that? And then people get hung up on, well, CMMC's not really the law yet, so I'm not going to do anything. Well, most DIB companies already have a contract. And if you already have a contract, you're subject to the 7012, 7019, 7020, and NIST 800-171 mandates, and you've already signed off on it. So it's already been done, and it's been the law for over five years. So this is not new information. And I'm not trying to scare people, but the reality of the situation is the federal government does have what's called the False Claims Act. I know for certain that the audits have increased; the government is auditing more DIB companies. And you know, these people that are just sitting on the sidelines doing nothing are going to get caught, and then they're going to be in this remediation period. They may lose their contracts, depending on how bad the situation is. They may get penalties and fines, you know, so it's a bit of a mess. So I think that standardization would be a good thing. I think that third-party audits are a good thing. I mean, even our company at PTG, you know, we have to get checks from outside third parties for our work to make sure, because we're looking to mature and go after the CMMC certification ourselves. So we're not just recommending our clients do this; we're actually going through it ourselves. And I think that it's a good thing to have somebody check to make sure.

Blake:

Oh, I think this is a great opportunity to pick Craig's brain. And obviously, these compliance regulations are always evolving and always changing. Other than working with a firm like ours, what are some actionable steps that maybe a company could take to stay current and up-to-date, you know, having, I guess, a rudimentary way to stay current with what's changing? Because these regulations are always changing. They're always refining them. They're always adding new articles. And when I was working with another client of ours, you know, they asked me about that and I was like, good question, because these are always changing. So other than hiring somebody like us or working with somebody like us, how could you summarize that?

Craig:

Yeah. So the shameless plug is, you know, stay tuned to our podcast, be sure to subscribe, subscribe to our YouTube channel. I mean, here's the reality. We live and breathe this stuff, right? So we're always getting the latest information. We're making sense of it. We're distilling it down. So we're your shortcut. We're your easy button. Right. But if you don't want to use us for whatever reason, I mean, the FBI, like I said, puts out CISA. There are different federal resources. Like I said, the nist.gov website, the National Institute of Standards and Technology, nist.gov. They have a wealth of information there. But here's the thing. You can go get all this stuff for free, and that's great, but are you really going to be able to read and digest and understand a 300-page PDF from NIST? That's very technical, and even difficult for us to go through and simmer down and make sense of, and then translate that language to something that most people can understand. I mean, the information is all out there. It's all public. But we're that shortcut, you know, we sift and sort it, we make it easier to digest. And then we help companies of all shapes and forms get started with this stuff. A lot of companies can go to our website, or they can go to the federal government resources and, you know, maybe pretend that they're a defense industrial base company. It could be any kind of business. It could be a construction company. It's still a good exercise for that construction company to go through the self-assessment process for CMMC, for example, even though they might not deal with controlled unclassified information. That's not the point. The point is that it's a good exercise from a maturity standpoint to go through
the self-assessment to identify all of the stuff, the policies, the procedures, the security controls on all of your systems, and get value from that, because every single person and every single business is currently at risk from data exfiltration, ransomware, and other adversarial threats. There's all new evidence with the whole thing that's happening right now with Russia and Ukraine. There are new adversarial threats coming out all the time. So this stuff affects everyone. Even a consumer can go through the free resources and bolster themselves, but, you know, it's kind of like diet and exercise. You know, who's going to wake up and actually do it?

Blake:

I've noticed too, a lot of our clients don't have too much understanding of what they need to do. It seems like the biggest problem with them is implementing real-world strategies that make them compliant.

Craig:

Well, like I said, you know, nobody wakes up and says, oh, I'm going to read this 300-page PDF on NIST today. Yeah, they might have good intentions, and maybe they'll get 30 or 50 pages of it read, but I'm telling you, I don't know the last time you guys have looked at this, but this stuff is really hard to digest.

Erin:

I read it every day. Craig, I read it every day.

Craig:

You know, it's bedtime reading. I used the example of exercise because I think it's a good analogy. A lot of people want to lose weight and want to be in better shape. So they buy the latest gimmick or the latest book on, you know, the South Beach diet or whatever the latest craze is. They're in the psychological and emotional buying decision, going to buy that thing, that book or that video series or whatever. But their mind is thinking, when they make that transaction, that that's the easy button for them to get the result that they want. But the reality is they learn really quick how much work it takes. You're not just going to get a six-pack or lose all that weight without putting in the work. So what I'm saying with compliance and regulation is, as a business owner, or you as a consumer, there's work that you have to do to make yourself better fit for cybersecurity, and the less fit you are, the more ripe you are for getting hacked or having your identity stolen.

Erin:

I want to kind of add on to that too. Just like, you know, if you get a personal trainer, if you get a gym membership, just because you get those things or buy an entire video collection of yoga or whatever, you still have to do the work, even if you have people to guide you. So working out to lose weight or to get into shape is the same with your cybersecurity,

Craig:

Right?

Erin:

You know, we are an easy button, just like a personal trainer is an easy button. They can't do all the work for you, but they can show you how to do it.

Craig:

Yeah. So for example, staying on the fitness thing, because I think it's easy to understand for most folks, you know, you ever see the Weight Watchers commercials where you get all the food and you get the meal plans and everything's all kind of laid out for you? Right. All you've got to do is eat it and then go do the exercise. So with our compliancearmor.com security training, for example, and our policies and procedures, we've done all of the hard work for all of you guys. We get you 80% there, but you still have to do the last 20, because we don't know what kind of business you have. We don't know all the details of how you'd like to do business. Those fill-in-the-blank answers are for you only, to customize and tailor this solution that we've created for you. Like I said, it's 80% there. So we've done as much work as we possibly can to get you there, but you need to get yourself to the finish line. Now, we'll still be your personal trainer in that, and you can hire us for consulting and professional services, and we'll give you that accountability. We'll be that shoulder to lean on for questions, and, you know, how do I do this, how do I do that? And then we'll meet with you at a cadence that you can afford, as well as that support for your... And, you know, we'll get that work done with you and we'll help you, but ultimately it's your responsibility. You're the one that's signing on the dotted line for that self-attestation. Or if you have a more modern regulation, you know, you're the one that's signing off on that contract to get that contract award. It's ultimately your responsibility.

Erin:

And then I had another question for you, Craig. I kind of touched on this a little bit last week, but what do you think is something that the US government could do to get everybody into cybersecurity and understanding the importance of cybersecurity hygiene? Or, like, even just for the DIB, right? What are things that you think the government could do to help sort of get it started more quickly?

Craig:

Yeah, good question. So I've said this before. I think that the federal government has really good intentions, and they had great intentions when they came out with the beta of CMMC 1.0. In my opinion, I feel like they diluted it and really lowered the bar with CMMC version 2.0. 1.0 had five levels; 2.0 has three levels. I think we have a great framework right now that we can further fine-tune and customize. I think the problem right now, the big missing puzzle piece, is we're not getting enough support from the federal government around: this is what you need to do by this day and time, and this is what's going to happen after this day and time. I'll give you a perfect example. When the DFARS Interim Rule came out in November of '20, they said, look, you need to upload your SPRS score, your score for your self-assessment on NIST and DFARS. It's a negative 203 to a positive 110. You need to do this by December 1st, is what they said. And then they said, if you do the upload and you don't have a perfect score, you have six months of POA&Ms, plans of action and milestones, which is basically: I'm going to fix this gap, this is how I'm going to fix it, and this is the day and time it'll be fixed, and you're going to get yourself that perfect score of 110. But here's the missing piece. They say that you're not going to get that contract renewal. They say that you need to show evidence of this stuff. I don't feel like there's enough clarity around that. I feel like it shouldn't be this distant vision in the future. It should be: look, you need to do this and you need to do it by this day and time. You know, we'll put it two years out or a year out, whatever the timeframe is. We need some day and time that this must be done by, and direction and clarity from the government. Look, the 1st of '23, everyone needs to do this.
And if you don't have this, you don't get to participate in the supply chain. Or, you know, they need, we need more substance.

Erin:

They need more teeth

Craig:

Yeah. Teeth. Correct.

Erin:

Like really bite into that.

Craig:

Yeah. And I think the same thing for health, like I said, with HIPAA and these other regulations. You know, why not just take this as the opportunity to say, look, if you're a business and you're handling any kind of sensitive information, consumer information, credit cards, birthdays, pay, you know, personally identifiable information or PII. Any PII, let's group it all together. Any PII, PHI, anything sensitive, right? By January 1st of '23, you have to be at this level. And if you handle PHI, then you need this other level. And if you handle CUI, then you need this other level. My point is, let's have a framework. Let's choose CMMC 2.0, and let's say, look, if you're a business, if you want to take a credit card from somebody, you have to do this. And if you don't do it, you can't take the credit card. I think that we need more teeth in it at all levels of any type of business, and the same thing with consumers. If you want to go on the internet and you want to buy something from a merchant, just like if you want to go and drive a car, it's a privilege to have a driver's license. Maybe it's a good idea to have a cyber license. If you want to go on the internet, you're going to have basic training, and you're going to be audited and tested, and you need to renew it every so often to make sure that you are being responsible with your information online.

Erin:

That also kind of goes back to something Blake and I were talking about. I'm sorry, Blake. We had the idea, and Blake said that he talked to you about this too, of starting with cybersecurity young, you know, like an elementary school kind of thing. Now, out of curiosity, I don't have children. I do have lots of nieces and nephews, but I'm just curious. Do they have any classes like that? Like in their computer classes, do they teach sort of cybersecurity lessons?

Craig:

My children are too little right now for me to be able to comment on that. I do know that I have been asked to do, and have done, many continuing legal education and many continuing education sessions for medical and for other colleges and universities. I did a lecture at North Carolina State University a few months ago. So I've been hired to give good information around cyber and compliance. I don't know what the quote-unquote basic training is for younger kids. I think it's a great idea and it should be baked into the program, but I don't know what the curriculum looks like for that. Like I said, I think that, especially for young kids, like, I'll give you an example, with Facebook, you know, and social media, there are all these documentaries out there around how our youth and our smaller and younger kids are getting subjected to all these different things, like TikTok, for example. And I'm not just calling out TikTok. I'm saying Twitter, everything, you know, Facebook, you name it, fill in the blank, social media. It has some damaging effects for, you know, growth and emotional health. It's just all these damaging effects, and I'm not singling out any of these providers. I'm just saying, I don't think that these providers really knew what these...

Erin:

Right.

Craig:

Could be right. And I think that we, we all, as a population in society have probably had damaging impacts from mobile devices and just computer, you know, there, there's still, there's like positives and negatives, right? Like, so computers are great to get things done, but you know, maybe there's, what's called addiction with mobile devices, you know, and then there, you know, it's a real thing, you know, there's detox of, of, you know, cutting the cord of your phone and constantly checking for notifications and things like that. Is that I don't know what the curriculum is, but I think that that's a great idea. And maybe there should be some federal program that creates a almost like a NIST, but a NIST for kids. Right? Like a framework for that, where look, if you have a kid that's this age to this age, you should complete this level of education. And maybe it's an online kind of course. Right. And then, and who knows, maybe we'll create it, you know, cause we have a university too. So, so that's a good idea that we could create. But my point is that whether it comes out from the federal government, I think that there should be guidance around that and kind of best practices to best educate the youth and the young.

Erin:

I think, especially with something else Blake and I talked about you know, especially with like social engineering and, and things like that, because there really are real-world consequences. It's not just, oh, it's just Facebook. No, I mean, know, even look at what was it Craigslist? I mean, they had people going around like killing other people like this, you know what I mean? Like we really need it. I feel like we got too big for our britches in a sense. And that, you know, we are really quick to really take up the internet, but we weren't quick to think about. We didn't really think about the consequences. Right? So now we're seeing the consequences play out in the real world. And to me it seems like, and actually, since Blake brought this up, I've really been thinking about it. I mean, the biggest solution I see to this is start them young. You know, you said your kids are too young, but I mean, they have, I'm guessing they have, if they don't have phones, they probably have iPads. Right. So they touch you touch apps

Craig:

Well, actually, my kids in particular, we don't, we don't allow them to use the device unless it's kind of supervised.

Erin:

Oh, Yeah.

Craig:

We don't just give them the device, unless we're like in the car on a road trip or something, we don't really give them free rein of a device. We, we have, you know, measured time with our kids where we're strict with that stuff. Well, and I'm not saying we're perfect either, but I do think it's a good point, but here's the thing I think this stems from, you know, when the internet came out, it was kind of like this anonymized area in quote unquote, cyberspace where anyone can kind of go and quote unquote, surf the internet in, in anonymity. Right. You know, but I think that now, you know, and I, I, I'm a privacy advocate and I think that th but I think that there should be two sides. Meaning I think that if your purpose on the internet is to, like I said, there, there should be some responsibility at the consumer level, but what if we had followed the quote unquote driver's license responsibility thing, and what if in the future, government said that if you want to use the internet, you have to have your license to quote unquote surf the internet, and it's no longer private. You, you know how we have like IP addresses and then things like that, that we get from our internet service provider. Well, what if one day we all had assigned our own number, kind of like our social security number and that was our identity online. Wouldn't it be interesting to look at it? I'm not saying that I'm advocating for this. I'm just saying that just kind of go through the journey with me. What if everyone had their own IP address and identity online? Don't you think that would kind of have an impact and effect on cyber bullying? For example,

Erin:

Yeah.

Blake:

be a safer place for sure.

Craig:

if your IP address was always the same and everywhere you. You had fingerprints of it's you, right? Don't you think like, but there would be, it would be safer, like Blake said, you know, if, if, if I have an identity or a static IP address that identifies me or my child, and then there's cyber bullying happening and there's supporting evidence that you know that, okay, that's this kid. Right. You would think it would impact that. I would think so.

Erin:

Yeah. Yeah, I would think so too. I mean, you wouldn't be as if, if somebody knew, if somebody had access to everything you said and everything you did online, you know, you would probably think about your actions a lot more if could be anonymous.

Craig:

Yup.

Erin:

much. So

Craig:

who knows, maybe the blockchain could record that or web 3.0 could be that ledger, so to speak. But my, I th, I think it would be interesting though, like if we use the driver's license example, you know, if you drive a car, you have to have a license, you have to pass the test to get the license, but you still have freedoms. It's a privilege to drive the car. Right. But you still have freedoms. Like, if, if you want to break the law, meaning speed, you can, but you have consequence too, right? If you think you're not gonna get away with going 80 miles an hour in a 55, you, you have the freedom to do that. But if a police officer, you know, scans you with a radar gun or laser gun or whatever, and, or, you know, finds that your car is the one that's breaking that law, they're going to pull you over, write your ticket. So what if, what if we had an internet that was kind of like that in the future? That could be interesting.

Erin:

Yeah.

Blake:

Our two big ideas were, so obviously, like, when I was going through high school, they required that we take two languages.

Craig:

I remember that too. Yeah.

Blake:

One of them, obviously English, and then I think I opted for Spanish. What do you think is more useful in my world right now? Not only because I'm in cybersecurity, but imagine that if cybersecurity was required curriculum in these, any school, not only that, I mean, and Erin and I were talking more from a younger, more adolescent age. So I had the idea like, okay, if you, if your child is old enough to run an application or to choose whatever game they want to play on. For something as simple as saying, okay, little Johnny, on this application you click on your game. And of course that first application would be a VPN or some, you know, something along the lines to create some, you know, some six years

Craig:

Well, it should be, it should be kind of like the rules of the game. In that context, it should be the rules of the game, right? So like, if you want to excel and get to the next level, you have to abide by the rules. If you don't, then you don't get to the next level. Right. So it should be kind of like a, almost like a rewarding point-based system.

Blake:

Our second big groundbreaking, I dunno, maybe grounded, but our second big idea was, so obviously if you think about this before you buy a car, you know, you, you have a Carfax, right? So thinking about a Carfax for a business, okay. Before I go to this business, this business, my money is their health, their score card here is their

Craig:

came up with that several months ago. Cyber score.

Blake:

I think, yeah, I think we were talking about, yeah, we were talking about, I dunno where it stuck in my head, but you know, it really, to me, like is an idea that makes so much sense.

Erin:

Well, it makes so much sense. It, it helps things to become standardized. You know what I mean? Like if you want to get insurance, you can do all of those things at once. Like Craig was talking about, you have 17,000 different forms that you have to fill out that say the exact same thing. Well, if you have this cyber score, cyber credit score or whatever you want to call it, I mean, then it's, it's just right there. Also what I was thinking about when you guys were talking about, I dunno, something earlier, but I feel like if they, if things were standardized, companies are going to be more apt to do kind of like what blue shift is doing, what other companies, vendors that we've worked with are doing, which is mapping what they, like, the controls that they can provide to whatever compliance, you know, whatever regulations are required. So, you know, if you have like one standardized CMMC for everything, right? I mean, every single vendor that we work with is going to be like, wait a minute, let me figure this out for you guys. Right. So I can get, it would just really help

Craig:

Well, that's what I was saying several months ago, when I thought of that scoring thing, that's why I was, that's where I was going. I was saying, look, if everyone would just standardize on like the CMMC and let's say, you know, the, the, your score ranges, you know, from a negative 203 to a positive 110, that could be one way to do it. But, but then we started talking about it. Maybe it'd be better not to use numbers like that. And maybe it would be better to just do A, B, C, D and F. That could be a way, but we, you know, we have the resources and the technology to help people increase their score. And I would love to see in the future maybe adoption of our methodology around the scoring system, because I mean, look at it from a risk profile. You know, if you're an insurance provider, do you want to insure somebody that has an F, where your risk of paying out a claim is exponentially higher? Or do you want to give the guy that has, or the girl that has an A on their score? Maybe they get a break on their insurance because you know that your likelihood of a payout is extremely.

Erin:

Right.

Blake:

I can already imagine it right now with the browser bar, whenever you type in like a .com, it tells you like A plus, B minus. So,

Craig:

Yeah.

Blake:

it's kind of taking like the previous idea with you know, our, our, our current scorecard idea and bridging the two because, you know, once you access the website, okay. I got a B minus. Okay. How, how, why do they have a, B minus? Like, how do they handle that? You know, okay. Here's how, here's how they scored. And here's why they scored a B minus.

Craig:

Yep.

Erin:

And yeah, and here are some solutions to it. It's easier. It would be easier to find solutions for them as well.

Blake:

Yeah. Oh, if you want to, if you want, I'm thinking more like in a broader scope. Oh, if you want to use this website, we highly suggest that you, you know, use the VPN or use it, or, you know what I mean, things.

Craig:

Well, I, you know, what comes to mind too, ironically, is, is food labeling. You know, like you go to the grocery store and maybe you have a gluten allergy or a wheat or a peanut or tree nut allergy, you know, right now with the, the way that things are labeled, it's a mess. I mean, even with food labeling there's cross-contamination, the labels are not clear, so not only do we need work at a score in cyber, but we need it in other things like labeling too, because it, I think it would just be a positive impact for, for everyone. Right? I mean, I think that, like you guys said, you know what I came up with with the scoring thing, I think these, it would bring clarity. I think it will bring much needed clarity for folks. I think that if businesses had like a code of conduct to adhere to, or the government came out with some more guidelines around it, or maybe there's, you know, tax incentives like, look, if you have a better score, we're going to give you a break on T, you know, some, some type of positive impact from and support from the government, I think would be helpful too. But I think that some type of globally recognized, or at least North American at the beginning, and then a globally recognized standard is much needed.

Blake:

You know, and then now that you bring up the food industry, and this is just my understanding, because I've watched some of the documentaries on Netflix that talk about the food industry, these huge slaughterhouses and Yachty eats mega monopolies that have people sitting in, acting in government that are making legislative decisions in favor of them. Do you feel like that's the case for cyber security? Do you feel like our cyber hygiene on the government level has been stalled by things like that, or has it not yet creeped into our industry?

Craig:

That's a really interesting point. I think that my opinion is that everything's affected by that stuff. I'm not going to get political, but you vote for, you exercise your right to vote, to trust that the person you're voting for has alignment with your values and beliefs. Right. But there's no guarantees that they actually do what they say. Right. And a lot of, stereotypically speaking when I say this, but a lot of elected officials say one thing in a campaign and then do something else. My point is, I think that, like you were mentioning Blake, there are certain foods that have, you know, a monopolistic behavior, certain companies of certain sizes. Yeah, absolutely. Like one thing I'll, I'll reference with the CMMC, you know, there is a lot of pushback from the little guys, the DIB, the defense industrial base, the smaller companies and supply chain. There was a lot of pushback on, around CMMC, NIST and DFARS in general, saying that it was going to be too expensive and cost prohibitive and nobody would do it. And then, you know, they would say only the big primes would do it. Well, if you think about that for a minute, our company PTG, we, we found ways to help the little guys too, to make it affordable. And it really is truthfully affordable to get these scores at a level where your small business can compete. Does it cost money? Absolutely. It costs money. Is it millions of dollars for most? No, it's not. Is it a fraction of the cost of your contract? Yeah. You know, it's definitely a cost of doing business. And we believe that it's almost like a minimum effective dose to be able to quote unquote, get your driver's license to be able to, to bid on these contracts. Right. But absolutely. I do agree that big companies often persuade or, or influence for sure. Absolutely.

Erin:

I feel like the government couldn't we give grants, like, I feel like that would make sense. Like right now we have trillions of dollars exfiltrated and trillions of dollars in data exfiltrated by bad actors, you know? Enemy states basically. So to me it would make more sense that, I mean, these things are not free, unfortunately. I mean, it takes time and it takes money even, you know, if you do get a cybersecurity firm. So I guess I kind of don't really understand, although I guess in the past, the cost of this has been kind of built in the contract. Right. And a lot of people just haven't used it, but.

Craig:

Well, it's not the cost of NIST, really. It's more, I view it as you've got this foundation of your business, right. And NIST, and you're attesting that you're going to do the NIST 800-171 stuff. But sad, sadly, I would say that most people don't even know what they signed off on. So they don't realize all the stuff that they were supposed to be doing. I don't think that it was necessarily baked into the contract. I think that it should have been before signing off on it. It should have been evaluated by the business owner or the stakeholders around, look, if we want to go after this contract and this contract's worth $10 million, we need to realize that it's going to take us X dollars to be able to fortify our systems and get them up to speed. Just to be able to get this contract. It's, it's again, a cost of doing it. It's an investment from that DIB company to be able to then have the access on these opportunities, these new opportunities. And I think that the challenge, especially with the federal government and politicians, the challenge is how do we keep freedoms in place and choice? Without being biased. And I, and I agree with that. I'm not saying I want to be told I need to do something in a specific way, but I think that that's also where there's the big confusion point around some of this and where people don't know where they can get started.

Erin:

Yeah, absolutely. I just, I feel like if they would just make a big cyber security initiative, you know, and like really push it and grant

Craig:

Yeah.

Erin:

to businesses, all the businesses, not even just the DIB. Right. I mean, if we want to really get our cybersecurity

Craig:

It doesn't even have to be grant money. What if it was just a tax break? Look, we're going to give you, you know, businesses get crushed, our own business gets crushed with taxes. Wouldn't it be nice if, look, you get your score to an A, you get X percentage off on your taxes to help, you know, with that pain and that burden, you know,

Erin:

Yes.

Craig:

I think that could be a good idea. I'm in favor of grants too, but I think the point that I was trying to make is I don't want to be told that I have to do it one specific way because the landscape is constantly changing. You know, we want to make sure that innovation continues to happen around XDR and other layers in cyber. And we want to make sure that we have the choice as a business owner. We have the freedom to choose one vendor over another. Obviously we, we negotiate on our client's behalf, better deals for our clients. So that's why it's, self-disciplined good to go through us. But the truth of that is that we've, we truly have vetted and tested these things. That's why we, we really, that's part of our mission and our value to make sure that we are that easy button for folks, but that's why we do that. And that's why for the past 20 years we work on not only making those good relationships, but making sure that the stuff that we parked, that it actually works. You know, there's so much stuff and so much money that's wasted and so many promises from a good salesman or salesperson or saleswoman that persuades the company on the other end. Oh yeah. Yeah. This is going to make all your CMMC or HIPAA or whatever the framework is, all your worries go away. This thing, it does it all. It's the silver bullet, but then, you know, there's companies that truthfully are out there that will take your money. I mean, I've heard all sorts of horror stories from small businesses just getting ripped off. And I think that if there was more teeth in it and more direction and more clarity around these frameworks and reducing the amount of frameworks that we have maybe down to just the CMMC or whatever, the, that, whatever they want to call it, that would make it simpler and easier to understand for people. And like you were saying, Erin, before, there's a lot of crossover, different mappings from one regulation to another. You know, we're all trying to say the same thing.
And one author of one framework might want their framework to be the global standard or whatever. That's all great. But I think that if it comes from the government, like the CMMC, for example, I think that could be a good clarifying moment for a lot of people. Then let there be freedoms and competition in the marketplace, here's the solution for this. And again, it goes back to the labeling I was talking about, right? So like if our vendors, Microsoft and Apple, if they all were regulated and subject to this framework and they all were better able to label their products and say, this product is going to meet access control domain and give you X points on your SPRS score and, you know, make it easier to label things better, to make it easier for, for consumers and businesses to pick and choose products based on how much of a score impact they'll have. I think that would make things so much easier for a lot of people.

Blake:

You miss our podcasts? I don't remember. I think it was last year. But I just, I feel like this is such a good thing to bring up at this moment, but I think, Erin, it was our statistics podcast, like Sr, where we talked about the percentage of your revenue that goes to security, like w, like, like, so let's just say you're, you're a freelancer or, you know, a self contractor, you know, once you get a check that comes in, you know, you take a percentage of that check and you put it aside and you lock it up in a vault saying, this is for when tax day, and the tax man comes, comes knocking at the door April 18. And the, so you have a reserve set aside. I think, if I can't, if it comes to mind immediately, I think, Erin, I think six to 11% of your, of your revenue should be dedicated to IT cyber security, things of that. It just depends on, on, you know, the data that you possess. And obviously it's going to be more if you're, if you're, you know, a government contractor, or maybe less, you know, if you're, you know, selling blankets at the flea market. That's something too that I think, you know, people need to understand. And then I even found a deeper diving article, you know, 50% of that should be operational and infrastructure security. And another 20% should be vulnerability management or security monitoring. Another 16% should be governance, risk and compliance. And then obviously this one would be, you know, unrelated, but application security. Of course, this all depends on the sector. But that stat to me, I mean, just, I have to do it, you know, then there, the cost recovered.

Craig:

I think that, your, that's really good. I, I, I liked that, but I think that people and businesses need to understand that there's a minimum, a minimum effective dose that whether you're one person or a thousand people, you have to have this minimum foundation. Okay. And then as you, complexity increases with regulations or sensitivity of data, then you have to ha, have these add-ons, right. So maybe like Blake said, you know, you have these increased percentages, but there's a certain foundational, strong foundation that needs to be in place for every kind of business first and foremost. But I think it really goes back to the labeling that we were talking about. Right? So like, if, you know, I think it's great that every business should have X percentage put aside for this stuff. Right. But I think it goes back to vendors and putting pressure on Microsoft and other vendors to better label their products and services so that we know, hey, this is a puzzle piece, or this is a contender for giving us X number of points to solve this, this problem in this domain. And there, you know, again, it also goes back to responsibility of the end user, in this case the business owner or the consumer, the person using the product, to properly configure those things, right? Like Microsoft, Google, they all have these platforms in their cloud services environments. And they all have a lot of mappings that are already done. But again, you can't outsource that responsibility. So they're giving you the environment, but you, or a professional on your behalf, need to properly configure and continuously monitor and police that environment, make sure things are, are buttoned up and, you know, your scores stay high. But my point is that I think it goes back to labeling. Like, to give you another example with CUI or controlled unclassified information. You know, the federal government in the training that we all took for the CMMC from the CMMC AB to be registered practitioners.
And it's to be an RPO company to help these people, the defense industrial base clients, as well as other businesses of all shapes and forms. The training that we took basically said, the federal government is still working harder to better label and identify CUI. And if they did not label something CUI, you need to treat it as sensitive and secure it. So my point is that there's so much work to be done with labeling of, of data and all types of sensitive data in all industries, in every single one, in health and in federal space. And, you know, you name it, fill in the blank. My point is that labeling needs to be improved on everything. The regulations need to be simmered down to a more global standardized system. And there needs to be more teeth in it.

Erin:

And there also needs to be more full integration of cyber security. Like I, I don't know, ever since learning so much about CMMC, I, that really resonates with me. I feel like instead of having cybersecurity and IT kind of off to the side as like, you know, just out of sight, out of mind departments unless needed, like, it just, it needs to be a part of the corporate culture. And speaking on that, like I want, you guess, I just found this statistic. I want you to guess what the average, and you can guess too, Blake. I mean, Craig and BJ, guess what? The average company, what percent the average company spends on cybersecurity of their total revenue.

Craig:

Well, I think it depends on which sector, like if it's finance or banking or whatever it is, but you're asking for a dollar amount or a percentage. Oh gosh, it's probably less than 2%.

Blake:

I was going to say around one, maybe half a percent.

Erin:

That's closer, Blake. 0.3%

Craig:

Yeah. 0.3%.

Erin:

of revenue is generally what is spent on cyber security. And we wonder why we have so many hacks, you know,

Blake:

Think about this. Think about this. When you go in and incorporate your business, whether you're using like LegalZoom or, or, you know, an insurance service here, and then as you're incorporating your business, you know, all these free services, like add-on services. Oh, I want Bank of America to reach out to me. Oh, I want a CPA firm to reach out to me. Yada, yada, is there not a cyber security one there? So that way, you know, like Craig was saying, you're building your house with a sturdy foundation. That's the, probably the thing that's on the back of a startup's mind, hey, how do I do compliance? How do I be secure? How do I secure my customers? It's like the groundwork isn't even laid. Of course you have more things to think about, like being, like, profitable and generating revenue and cash flow and all these other things, administrative responsibilities. It should go hand in hand with those. And it should still be a part of your, your core foundation of your business start, and focus on cyber security while you're, you're bringing all these other pieces together.

Erin:

Right. And it's so much easier to start it from the ground level than it is to incorporate it after the fact.

Blake:

It's more expensive

Erin:

way more expensive. It's way more difficult. So many more challenges.

Blake:

to do it later. Yup. Do it later.

Craig:

I agree. I agree with that. The service exists. I mean, we created it. So I mean, it's, you know, we're that easy button for businesses and consumers to help them with all this stuff. So, so we exist, you know, to help the people, you know, provide really good efficient services that are, have high value, high impact and high security. But what's lacking here is the teeth on the federal government side around standardization, labeling, you know, if more people knew about us and, and how affordable some of this stuff is and how, you know, how easy we make it, you know, I think it's just going to be better for everyone, but, you know, 0.3% is obviously not enough of an investment. Sadly, you know, we don't create all these solutions. We just know the right recipe and the process. And that's why we have a patented cyber safety stack of over 22 layers now. And, you know, we have that stack because it's so powerful and we continue to, to, to build on that stack because it works. And we know that, w, it's, it's battle tested, you know, and we only use products and services that are battle-tested, that go through our process. So my point is that if we get more support from the government around standardization and labeling, it's going to make it easier for everyone and more clear for everyone to understand why they need to take action now and not just sit on the sidelines.

BJ:

You know, what's interesting, Craig, is that as we've talked about before, cause we, we're, we're always a big advocate of using the right strategic solutions and we've talked about XDR a lot, and what's interesting is recently Gartner, who, you know, kind of is the trendsetter, right, for cybersecurity reporting. They're, you know, definitely considered an authority in the field and the government probably reads their reports and kind of, you know, I'm sure that they're a source of, of a lot of, you know, determining what action government and business alike takes. Recently Gartner published a report with, with a statistic, basically, you know, an expectation where Gartner says that they think within the next couple of years, XDR adoption will be at least 40%. That is a big number. That is a really big number. But when you really think about it, they're not just saying, they're saying 40% of all businesses, guys, like that's a huge number. Well, what's really interesting here is that I think that finally things are going to start to settle and sort themselves out in the right way, because if you just look at, as an example, like just our ecosystem, right? Like Petronella Technology Group, like Craig has worked painstakingly over the years to stay in the know on the most important aspects of cybersecurity from, you know, building Bulletproof PCs years before the world was ready for the idea to always vetting all these different technology solutions. Well, now again, it has put, positioned us in a situation that's, you know, very significant because we actually worked very closely with a certain XDR solution that we feel strongly is a very good one. And we're involved in research and development on the machine learning side of this solution. And after, you know, cause I have it in my home as part of the research and development project and I have had to spend so much time, right.
Documenting anomalies with this system in my home, like to the point where like, a lot of time has gone into just observing what's happening in my smart home, how, because this is, this is the unknown territory that we're in now because it is an AI driven cyber security tool that partners people and technology together because the people have to input the knowledge into the tool and then the tool, you know, analyzes and then takes action. We've positioned ourselves in a, in a, in a unique spot where we're involved in the actual research and development of this tool being used in the, in the real world, you know, like in a smart home, for example. And I'm noticing some things that I didn't expect to observe, you know? And so I think that's so significant when you add all these little pieces together and you kind of paint a picture in your head of like, where this is all going. Gartner is saying 40%, and that's just on what we know today, that's not factoring in all these anomalies that I'm, that I'm documenting, like. Something's happening with, with this tool, like I have pages and pages of documentation of things that I'm noticing. And so 40% could be low. And so this is a very important time, a shift in cybersecurity where the people that are, have been on the cutting edge, because we wouldn't be involved in this, this process with this XDR tool if we weren't consistently on the cutting edge of cyber security, you know, where we always find ourselves. Well, now I think this is really gonna start to be a pathway for people to just, what Craig was talking about, finding the right solutions and being able to onboard with them and taking the stress out of it. Because, you know, if XDR, why is Gartner estimating 40%, like that is such a big number. So they have to have their suspicions about the X factor here, the machine learning part. And we agree with that after what we've witnessed.
So this is such a critical time to partner with the right people who have the right knowledge and the right expertise. And they have their hands in the trenches with their sleeves rolled up because this is uncharted waters, and 40% is a big number.

Blake:

Gartner is also the publishing authority that said that you should spend anywhere from six to 10% of your revenue on cybersecurity. And as well, they're the same publishing authority that said that. So

BJ:

Break down.

Blake:

to throw that.

BJ:

Yeah. Like, I mean, people, companies pay, we know this, Gartner's like the authority on this. Like, people pay big money to try to even advertise on a Gartner report, right, like to get in the limelight with Gartner. If Gartner... what I'm saying in a nutshell is that Craig has made very smart decisions that have put us at the cutting edge of things that no one even knows. No one even knows what to expect, right? Because me, I'm like an anomaly hunter, right? And I have been so surprised at some of what I've found. It's hard to surprise me when it comes to this stuff, but I have been floored by some of what I've witnessed, like, to the point where I get so excited my hands are shaking, right, as I'm trying to document this stuff, because it's that fascinating. And so, like, and they're saying 40% without knowing those things, is my point. There's a pathway that's probably just going to self-form, right? But you have to be aligned with the people who have been there working on this, because that's just the way it's going to work, probably. And so, you know, I think that there's a light at the end of the tunnel. And I think that we're always going to need the right cybersecurity people, because, you know, these tools need the human interaction as well. The human interface, like, it's very important, and these tools don't work right if they're not handled correctly, with the right expertise, the right knowledge.

Craig:

But see, a lot... but see, sorry to interrupt you, but see, a lot of people don't understand that, though. A lot of people think that, "I'll just go buy this off-the-shelf XDR," and then the salesperson does a great job of selling them on, you know, it's the greatest thing. Like I said before, it's not a silver bullet. It's a powerful layer. And it's an essential layer these days. Like you were just saying, 40% is a great stat for adoption. But my point is that a lot of the solutions do not have talent managing that hardware and software and intelligence. And that's where the solution that we chose comes into play, because it

BJ:

Yes.

Craig:

marries all that together

BJ:

Yes. Because what it marries together is the understanding of this stuff and the foundational layers, the backbone of this stuff, because what is software, right? Like, software is... you can ask anyone to define what software really is, and people are going to think they know, but as they start trying to define it, they're going to get very confused. And they're going to stumble, because what is it? You know, what is AI? What is machine learning? What are AI-driven cybersecurity tools? Good luck trying to define all that. But the key here is that because of the years and years and years of cultivated knowledge, right, about these things, now there's a level of awareness, right, amongst certain people in this industry where they know what to pay attention to, and they know what parts of the software need attention, because in a scientific process, the observer is critical to the process. So this is a very... we're in a very unique time for cybersecurity teams, and it's not ironic. It's not coinci... it is ironic. Excuse me, it's not coincidental that a few months ago the government, the federal government, went on a huge cybersecurity talent hunt. Like, literally, I saw the solicitations emailed out. Like, they're searching for top cybersecurity talent, because I think people are starting to understand that the people involved in the cybersecurity teams definitely have an impact on how the tools work.

Craig:

Well, not only on how they work, but, you know, just like in anything, the human is going to use the tool in the toolbox and then hone their craft, right? So there's going to be some people that are better at it and some people that are not. But as I listened to what you're saying, BJ, I think that we need to create our own Gartner report. The reason why I say that... no, I'm being serious. The reason why I say that is because, you know, I like Gartner. And again, I'm not putting any reports down in any way, shape or form, but even though Gartner is, you know, well respected, I don't think that it's fair to charge vendors or people to be on the Gartner report, right? A kind of pay-to-play kind of thing. Like Blake was talking about, you know, with the other industries, where you kind of have the top big players that kind of control. I feel like there should be a report that we write, that's public, that gets published annually, or whatever the frequency is, that's not biased and is objective. Yes. It's all evidence-based.

BJ:

Just objective. Yeah. Like that presentation you gave. You gave that presentation at a university, and it was the perspective of the observer, and your presentation actually was sent to me by Google Assistant, right? But it's really good. It's really good. It put things in perspective for people, and that is so critical. And we've seen, even, we've seen people go with the cheapest solution or, you know, the one that is offered by big tech as part of a package deal. I personally don't suggest doing that, because this is uncharted waters, and that's not how this stuff works. These tools, these smart tools, they work differently. They don't work.

Craig:

That's also why we follow that proof-of-concept methodology, and we back everything up with third-party evidence too. But here's what's alarming, though. What's alarming is the statistic of folks, businesses, that don't understand the value of even the proof of concept. And we've even seen people that are like, "Oh, yeah, well, we didn't really budget for this, so we'll look at this next year." That's the wrong approach, folks. I mean, you need to invest in this now. And I mean, if you're not hacked...

Erin:

Do you have an active attack on your company?

Craig:

Well, well, yeah, I mean, well, that's what I was going to say. I mean, if you don't think that you've been hacked, you probably have been. You just probably don't have the visibility and the technical understanding, the human side of it, right? The human side to see what, you know... it's kind of like out of sight, out of mind, right? If you don't see any red flags or, you know, any evidence of something wrong, you're thinking, "Oh, everything's great." But when you get that visibility and you look through that lens and you see, "Look, there is something bad happening, and this is what's really happening, and here's the mitigation or the remediation plan on fixing it." More people need to go through those proof of concepts. I just don't understand. That's what's mind-boggling to me: why most people... more people need to invest more and take this more seriously.

BJ:

Yeah, it is. It is mind-boggling that... you can see, I can clearly see in my interactions with people, I can clearly see that there's basically two sides of this all. Like, there's the people that get it and understand the complexity of cybersecurity and the strategy of, you know, people, process, and technology, and the right ones: the right people, the right processes, and the right technology, because all three are important.

Craig:

Well, they're really important.

BJ:

It's just about how they're aligned. And then some people don't get it at all. And they're like, "Oh, I just..." I literally got an email from someone, and they said, literally, they're just going to go with the lowest price. And I'm like, I don't know a nice way to say this, but that's not the right way to look at this, and you're making a very big mistake, you know?

Craig:

And there's always a reason why that price may look cheaper. There's something missing, you know? That's the fact of it.

BJ:

It's a rinse and repeat: "Hey, we're going to launch this tool, but we're not going to pay it any attention and observe it." And it's not going to really do anything phenomenal. It's just going to be there as a, you know, you're going to be able to check a box and say you have it, but how effective is it going to be? You

Craig:

I mean, you can build a house with one guy and a hammer, but if you don't have the miter saws and all the latest technology, right, it's going to take you a really long time to build that house. So we're not saying you can't go and find your own stuff, but I challenge everyone listening to be more efficient than we are. We work hard every day to find the most cost-effective, efficient solutions that actually work.

Erin:

Well,

Craig:

I guarantee that you will not find a better recipe than what we've developed, and that's our intellectual property. I mean, with the SOC...

BJ:

I would agree completely.

Craig:

You know, with the XDR SOC services that we provide, you can't hire an intern for what our solution costs. And if you think you can, that's crazy. I mean, we do this every day. This is our bread and butter. We live and breathe this stuff. We are efficiency experts, not only at managed services but cybersecurity. All the work that we do around risk assessments and pen tests, we do it really, really efficiently and cost-effectively.

BJ:

We're really cybersecurity strategists, really, because we understand the value that each team member brings to the table. Because I remember, for example, we have several layers, right? But this one that we're talking about, that Gartner spoke of with the 40% adoption rate, I remember specifically how we stumbled upon it when you were looking for something like this, because Craig's always, you know, keeping us aligned with the cutting-edge tools. And we were almost going to sign on with one, and then on a Saturday afternoon Craig messaged, and it was like, "Hold on, I found this," you know. And I was like, "Oh gosh, another one." And then I went on the demo and I started getting to know the guy who wrote the algorithms, and I was like, whoa, he might've really stumbled onto something here, you know? And that right there, how do you define that? How do you put a value on that? The mind that sits there on a Saturday afternoon and, you know, does what needs to be done to find those gems, right, and to understand when they do find a gem.

Erin:

I think too, the other thing is that the other vendor that we considered wasn't quite gem enough, right? That's why Craig was looking for a little bit more. It was a good solution.

BJ:

Yeah. It was a good solution. We liked it. But it wasn't... Craig just felt an intuition that something more was needed, right? And he kept searching, and then he found this. And, you know, after what I've seen, right... I won't get into the anomalies. That's a rabbit hole. But after what I've personally witnessed, right, dear God, I don't even know what to say about this. You know what I mean? Like, the machine learning is an X factor, and no, 40%, you can say that all day long. I agree it's going to be at least that. Listen, I think there's going to be a scramble to get a solution that really, really works. And I think 40% is going to be really low, and not all XDR tools are the thing, you know? And that's the critical thing here.

Craig:

That's why I was saying you've got to take us up on the proof of concept. I mean, we're not making this stuff up. I mean, you've got to go through it.

Erin:

There has never been a time that we didn't find something.

Craig:

That's right.

BJ:

If you want your mind blown, leave a comment in the chat and ask for proof of the anomalies, and I'll gladly...

Erin:

Yeah.

Craig:

Let's use a medical example, right? Like, God forbid, you got diagnosed with some disease or something, right? And the doctor says, "Oh, yeah, you're fine." But maybe you just don't feel well. Do you stop and take the decision that the doctor said you're fine? Or do you keep...

BJ:

Saturday.

Erin:

Yeah.

Craig:

I mean, if it were me and I don't feel good and I go to a doctor and my doctor runs all these tests, and he says, "Oh, yeah, you're fine. You're fine." But I

BJ:

That's

Craig:

don't feel well, I'm not going to stop. I'm going to go to another doctor, or maybe I'm going to go to a specialist. We are that specialist for cyber. We live and breathe cyber and compliance and managed services and managed security.

BJ:

The alignment of people, process, and technology will never go away, because here's the thing: people think, "Oh, I don't know, if the AI tools get so good, you're not going to need cyber." No, that's not true. The alignment of people, process, technology will always be significant, because the technology part will not do its best unless it's being observed and handled correctly, you know: updates, patches, observations, you know, noting what's happening, attention. It's science. It's science, and it has to be observed. The observer's skill level is determined by a lot of factors, their knowledge base, all kinds of things go into that, right? So you can't go and duplicate what we're doing here. You just can't. Like, I mean, you just can't. You truly can't. Like, we're in uncharted waters, and we're navigating them, we're navigating them very strategically.

Craig:

And what's always changing and evolving, and that's a good point, BJ. The one thing I'm going to say, and we've got to wrap up soon, but one thing I was going to say on that point is our solutions and our recipe, like our 22-plus patented cyber safety stack, or cybersecurity stack, that we have. We're constantly looking at all those technologies and solutions, and we're swapping them out. You know, back in 2013, when there was a spike in ransomware and we were using a certain antivirus vendor and it wasn't detecting anything, you know, we swapped it out for a better solution for that layer. And we're always making sure that we have the most powerful stack available. In the future, who knows what's going to be added to our stack. But my point is we don't just stop and say, "Oh, we've got a stack," and then that's in stone. You know, we're always looking at every layer of the OSI model and making sure that everything is all encompassed and covered.

BJ:

Our strategy is streamlined and fluid, for sure.

Craig:

Yep.

Erin:

Speaking of your anomalies, BJ, we are currently in the works of doing a separate podcast, a second podcast, where we kind of talk about the more abstract part of cybersecurity, I guess you could put it. And that is going to include talking about some of these anomalies that BJ has found in our smart home with a smart AI solution. I'm really excited about talking about it. So we're going to talk about more abstract, theoretical, you know, quantum, AI, and anomalies included. And when you said that, I was like, I want to tell them.

BJ:

Thank you for saying that, Erin, because we'll save that for that podcast. But, you know, here's just a response to that, because I think that's so important. Because, like, we all know we've been using the internet for years and years and years, and we all know it glitches. It does. Like, things don't work the same all the time. And we often write it off, like, no big deal, but every effect has a cause. That is a fact. There is no way around that fact. It doesn't just happen. Something causes it to happen, and getting to the cause of that, you can call it abstract, but it's really the science. The foundational backbone of technology is science itself. And so understanding how it all works together is just another benefit that we bring to the table, because that takes a lot of understanding and knowledge to be able to see what is really happening.

Craig:

It's all the research. It's all the research that we do and the development that we do and the R&D around all of this.

Erin:

And it's going beyond practical, you know, and talking about the nerdy stuff that we like talking about, you know? So I think that a lot of people would be interested.

BJ:

Like how Bluetooth and Wi-Fi communicate on the electromagnetic spectrum. Like, all those things.

Erin:

All those fun nerdy things that we like. People are like, "What is wrong with those people?" That's what's wrong with us. We love talking about this stuff.

Craig:

Well, but it's for the listeners' benefit and our customers' benefit. We go through it. I mean, I started this company over 20 years ago. I didn't start it as a job. I started it because, you know, I love technology. I love cyber. I don't necessarily love compliance, but I'm really good at it.

Erin:

to

Craig:

My point is that, you know, I live and breathe this stuff because I like it. I enjoy it. It's not a job for me, you know? And that's why it's to your benefit, because I'm doing all the experimentation.

Erin:

That's why you're doing that on a Saturday, because you love it.

BJ:

People, it's hard to describe the benefit of a human, right? Because we see the benefit of automation and stuff like that. But when you think about a human, what are they? Well, they literally are conduits of passion. Like, we get paid when we get passionate about something. Like, we really can excel, you know, and really separate from the pack. Passion is like... how do you define that? You can't buy it. You can't, you know, it's not for sale. It's authentic, but when it's fully activated, wow. You know, a lot of sparks happen.

Craig:

We should probably wrap up here.

BJ:

Yep. All right, guys.

Erin:

It's only been an hour and a half. Let's keep going, guys.

Craig:

The marathon podcast.

Blake:

It was a good one, though.

Erin:

That was good.

BJ:

We've only scratched the surface. There's so much more to talk about. We could literally... we could one day, maybe we should, we should do a 24-hour marathon.

Erin:

All day,

Craig:

Oh God.

Erin:

I can do that. BJ... we can do that pretty easily.

BJ:

Usher in the age of automation with a 24-hour live.

Blake:

We can make a technology that livestreams the automation.

Craig:

Yeah. Hey, that's a good research and development idea. Maybe we need a smart camera to stick in front of your device.

Erin:

Oh my gosh.

BJ:

I think that's actually happening organically. That's one of the anomalies I've noted, so...

Craig:

But we'll save that for the other podcast.

Blake:

You know what you might be able to do, just two seconds: you might be able to get a trail cam and put your Alexa maybe, like, against the wall, so whenever it lights up the wall, it'll trigger the trail cam, and then it'll record it. You know what I mean?

BJ:

Oh, yeah. All that kind of stuff is happening already. Like, I'm listening to this, I'm having to multitask, because I'm listening to you guys live on the Zoom webinar, but I'm also listening through my Alexa frames from the Google Hub Max's view. I'm in its view, looking at it from inside the device and hearing what it hears through my Alexa frames, and also listening to you live on Zoom. Welcome to the deep web.

Erin:

That's a lot going on.