Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

Compliance Regs You Should be Following that Nobody Tells You About (And Craig Catches a Gator!)

May 09, 2022 Petronella Cybersecurity

Today we welcome Craig back! Not only do we get to hear about compliance regulations you're probably subject to but unaware of, but we also get to hear Craig's harrowing tale of gator wrestling in the murky waters of North Carolina!

Link: Craig Reels in a Gator in Arapahoe, NC!

Host:
Craig

Co-Hosts:
BJ, Blake, and Erin


Craig:

All right. We are alive.

Erin:

Hi, welcome back, Craig. It's good to have you back.

Craig:

Thanks.

Erin:

We missed you.

Craig:

Definitely some interesting things happening.

Erin:

Oh yeah. Like what?

Craig:

Just almost caught an alligator out with my son.

Erin:

Uh, better than an alligator almost catching you,

Craig:

Yeah.

Erin:

Which maybe that happened to you. I don't know.

Craig:

Nope. Nope.

Erin:

So where were you when this happened?

Craig:

Yeah. So we were camping with my son. I think it was called Arapahoe, North Carolina. It's by the Neuse River.

Erin:

Oh, wow. That's like inland, right?

Craig:

It's about three hours from Raleigh. Yeah.

Erin:

I guess I wouldn't really expect an alligator to be there. You said you have a video.

Craig:

Yep. I got a video and a screenshot, or a zoomed-in clip of the video, that I'll post.

Erin:

Okay. I want to see this. You told us it was 12 foot.

Craig:

No, it's not 12 foot, but it's big enough to eat somebody.

Erin:

That's huge. Yeah. There's a couple of eight-foot gators around here and it's like, stay away.

Blake:

I was going to ask how big it was. Let us know how capable you are of handling an alligator.

Craig:

Yup. So I guess PTG keeps you safe from gators.

Blake:

We can always get into the gator security.

Craig:

Right? You never know what you're going to get when you go fishing.

Erin:

That's true. And something else we want to talk about today, that's not quite as interesting for most people as catching gators, is compliance. Always a good Monday opener.

Craig:

Yeah, everybody wants to wake up and talk about compliance.

Erin:

Oh yeah.

Craig:

So I think you guys were asking about compliance regulations that most people don't know they're subject to.

Erin:

Yeah. I think that's a good one.

Craig:

Sure. So you've probably all heard of HIPAA, which is for medical. But I don't think a lot of people understand that there are two

Erin:

Okay.

Craig:

or technically three categories for HIPAA. There's what's called the covered entities, which is the doctor's office, the hospitals; what's called the clearinghouses, which is the insurance companies. And then there's also the business associates, which is anyone that interfaces or interacts with the covered entity in any way, shape or form. And that could be your IT guy, your IT provider. It could be an accountant or somebody that has access to the books, but anybody that could potentially be exposed to the patient health information, or PHI, can be considered a business associate. And you as a provider should have what's called a BAA, or a business associate agreement, in place, which is a legal document that basically says that, Hey, if you ever come in contact with patient information, you're going to keep it confidential. And you have an obligation to secure it. So you are now subject to the same safeguards as the covered entity. So it's a trickle-down effect. So that might be something that a lot of people are unaware of. Most people, when I talk to them, they have an IT guy that they're happy with, and yeah, Bob's been fixing our computers for the past 20 years, you know? So do you have a BAA with Bob? What's a BAA?

Erin:

That's a no.

Craig:

Didn't know I needed one of those. So yeah, so there's definitely risk and liability there. And if you get caught, then you can both be subject to steep fines and penalties. That's one common one. A new one that came out in January of '22, this year, is affecting CPA firms and bookkeepers. That one basically is a similar regulation to HIPAA, where there are safeguards and you have to have policies, procedures, and safeguards in place to make sure the sensitive information of the taxpayers that you're working with, their Social Security number, their tax returns and their books, you're keeping confidential. And you have security controls, supporting evidence, making sure that you're doing all this stuff. And it goes back to the same stuff that we've always been saying on previous episodes, around risk assessments, pen tests, and all this evidence that proves that you're doing what you're supposed to be doing.

Erin:

I just want to throw this in there. Sorry. But isn't it true that tax fraud, especially by cyber, or by hackers or bad actors, has increased over the years, especially with the advent of a lot of people filing their taxes online? There's a lot of people that have their information stolen. I would imagine maybe that's one of the reasons.

Craig:

Yeah. We're obviously in a climate right now with risk and adversarial threats and hackers' favorite tools in the toolbox. So what I was saying is that hackers really like keylogger malware as one of their tools, and keylogger malware captures any kind of keystrokes. If you're not using keystroke encryption, then the keylogger malware will capture all those keystrokes, including Social Security numbers, passwords, anything sensitive. So my point is that, yeah, the regulation, they probably are starting to go: Hey, look, a lot of the CPA firms and bookkeepers are exposing consumer information. And we're talking specifically about the new regulation that came out in January of '22 that affects CPAs and bookkeepers and any of the intermediate third parties that are involved with the handling of those sensitive tax returns and tax information or financial information. There's also what's called FTC regulation. The Federal Trade Commission has federal laws around sensitive data and the safeguarding of that sensitive data. And like I said, we're in a different climate now, a heightened state, where for everybody it's really just a matter of time. No matter what business you're in, you're going to be subject to some type of regulation. I guess the best one that most people are probably familiar with is credit. We've got PCI compliance, or Payment Card Industry compliance. If you take credit cards, you're subject to PCI compliance. A lot of business owners will not really understand that very well. They'll probably be outsourcing the acceptance of credit cards to maybe a third-party provider like Square payments or QuickBooks, or some solution that they purchased or that they use in their line of business. But the point is that when you use those solutions, you can't outsource your responsibility for the proper handling of the credit cards.
Now they may provide a good platform to keep that information secure, but you as the business owner, and you as the business, have what's called a merchant account, and you have an obligation and a responsibility to keep that information secure. Now there might be a platform, like I said, that you have that's out of your control. But if you read the detailed terms and conditions, there's typically things that you need to do, and you need to, what's called, attest to and sign off on it. So what that means is that, by allowing your business to accept credit cards, you have responsibilities and obligations that you can't outsource, that you must do, and that you must do properly and test and self-attest to and sign off on: Hey, you're keeping this information safe and secure. And that's why we keep talking about these assessments and these practice assessments and these pen tests and all this stuff, just to make sure, because we're all human and we don't do everything perfectly every single time. So we need help, and we need third parties that are trusted to test all this stuff and hopefully catch it before an audit.

Blake:

Not all PCI is the same, too. So like you said, using Square does not absolve you of your PCI compliance. And obviously the organizing body recognizes that. So there's four different levels of PCI compliance. So for example, merchants that are handling less than 20,000 transactions per year are what's called number four. And then it goes up to level three, 20,000 to 1 million; 1 million to 6 million; and over 6 million card transactions will be at a level one. So these are things that obviously you have to do. And obviously it costs more to be level one compliant than it does to be level four compliant.

Craig:

Yeah. And as you go up that ladder using transaction volume, the number of transactions, as well as transaction size or average transaction size, let's say you're Ticketmaster and your average ticket sale is 50 or a hundred dollars. If you do 10,000 sales in a day, you're obviously going to be on the higher level of your mandates around PCI. And with that volume, they're not going to just allow you to sign off and say, yeah, yeah, yeah, we're doing all this stuff. They need the proof. And there's actually a PCI certified assessor that will need to come out. And that's the third-party check and audit that you'll have to go through in order to keep your business and keep the acceptance of credit cards at that volume and that average ticket size. Most businesses are probably smaller, and they don't have that kind of volume or that average ticket size. So they'll allow you to have less strict regulation, compliance and alignment. But the fact is that you can't outsource the responsibility. Everyone needs to properly safeguard this information, and everybody should have the mindset of, Hey, look, I'm not only safeguarding it, but here's my.

Blake:

Another one was obviously people that are doing business within the state, or have customers within the state of California: CCPA. And GDPR.

Craig:

Yep. There's the California privacy act, so CCPA. There's also New York's privacy law. Different states are now adopting their own levels of privacy and their own regulations that you have to follow. So you've got these more recognized standards and frameworks like NIST. We've talked a lot about the National Institute of Standards and Technology, or NIST. Specifically in the HIPAA space, it would be NIST 800-66. And in the federal space, or defense industrial base, that we talk a lot about, those folks are subject to DFARS and NIST, and now the CMMC 2.0 compliance regulation. And you've got different frameworks, even for small businesses. They have a framework for small businesses. They have computer information security. The FBI has CISA. There's all these regulations. There's all these frameworks that are out there. Most commonly in our country, in America, there's what's called SOC 2 Type 2, for a third-party audit that a certified accounting firm can do over a period of time for a business. Maybe your business is small and you want to do business with a larger company or a more mature organization. Those larger companies, they measure the risk of the vendors that they do business with. We have what's called vendor security questionnaire professional services, where we help a lot of those folks get through the maze of questions. And sometimes it's pretty daunting: 300, 400, 600-plus questions for the business profile, for the small business to fill out, just so that they could start getting on the approved vendor list to do business with the bigger guy. And when that becomes a daily occurrence, where all these different companies are asking you to fill these things out, oh, and by the way, they won't allow you to rinse and repeat and reuse somebody else's questionnaire. They would not allow that. They make you fill out their own questionnaire, and they make you fill out the evidence that goes along with that questionnaire.
So if you're getting buried with all these different SQs, or vendor security questionnaires, you may want to consider a SOC 2 Type 2 or an ISO 27001 audit and compliance framework, because those frameworks will allow you to no longer fill those things out. And most large organizations recognize that a SOC 2 Type 2 report or an ISO 27001 is very powerful. ISO 27001 is really powerful outside of America. SOC 2 Type 2 is more common in America, but they are different frameworks. They're very similar, but ISO is more of the global standard. Like I said, when the volume gets too high and it's really just, they're starting to bury you in filling these things out, that's when you would consider that. And we can certainly help with those types of regulatory.

Erin:

Do you think at any point things are going to become more standardized, where all companies are supposed to follow these rules?

Craig:

Yeah, that's a good question. So I think that NIST has done a really good job on the new CMMC framework. My hope is that more regulations will adopt that methodology and reduce the need for all these other regulations. Meaning, HIPAA came out and was signed into law in 1996 by Bill Clinton. That was ages ago. Look at how much, how different we are, with the internet and cybersecurity now versus 1996. Right? So there's no clear guidance around HIPAA. So it's a very gray area. CMMC 2.0, for example, could definitely overtake and bolster and better secure our medical offices and hospitals, if those would follow the CMMC 2.0 framework as opposed to HIPAA. It's going to come out of the federal government, and it's going to be a decision there on standardization. And I do think that that would be a good thing to simplify and help not only the private sector, but also our defense industrial base. And if everyone is following that same framework, it'll make it simpler. And I think more people would actually do it.

Erin:

I think too. One thing that I've noticed, one of the biggest differences between HIPAA, well, really CMMC, and a lot of the other regulations, I feel like a big difference is that CMMC really focuses on trying to integrate cybersecurity into a culture, into the culture of the business, as opposed to just making a checklist for you to check off. They try to really get you to understand why you're doing what you're doing. I feel like some of the things, they always win in that arena, but I feel like the thinking behind it is really smart and really more up to date, because the checklist approach is just not good enough anymore.

Craig:

Well, I think that's a good point, Erin. I think it's pretty obvious that checklists and self-attestation are not good enough anymore. I think that's really the whole reason why the federal government came out with the draft of CMMC version one, and basically the big change was you can't self-attest anymore. You need these third-party audits, and you're gonna have to find a C3PAO, and you're gonna have to go to the marketplace and basically prove your compliance. Right. And when, in November of '20, the Interim Rule came out and the federal government said, Hey, look, we know defense industrial base supply chain companies that are out there. We know that you've self-attested, but we want to really see who really has the proof, who's able to upload their score to the SPRS system. How many of you guys, of the 300,000-plus DIB companies? How many of you guys have a perfect score of 110? And I think that there's still companies on the sidelines that have still not submitted their score.

Erin:

Right.

Craig:

I think there's still confusion around, well, do I need to submit my score, or does that apply to me? And I think people are still not educated enough on the responsibilities of, Hey, look, I signed off on that contract. I took that money. What do I need to do? And I think that people forgot or glossed over all of the responsibilities. And that's where I think there's a lot of confusion right now with the DIB on what is the CMMC, why do I need to do that? And then people get hung up on, well, CMMC's not really the law yet, so I'm not going to do anything. Well, most DIB companies already have a contract. And if you already have a contract, you're subject to the 7012, 7019, 7020, and NIST 800-171 mandates, and you've already signed off on it. So it's already been done. It's been the law for over five years. So this is not new information, and I'm not trying to scare people, but the reality of the situation is the federal government does have what's called the False Claims Act. I know for certain that the audits have increased; the government is auditing more DIB companies. And these people that are just sitting on the sidelines doing nothing are going to get caught, and then they're going to be in this remediation period. They may lose their contracts, depending on how bad the situation is. They may get penalties and fines, so it's a bit of a mess. So I think that standardization would be a good thing. I think that third-party audits are a good thing. Even our company at PTG, we have to get checks from outside third parties for our work, to make sure, because we're looking to mature and go after the CMMC certification ourselves. So we're not just recommending our clients do this. We're actually going through it ourselves. And I think that it's a good thing to have somebody check to make sure.

Blake:

Oh, I think this is a great opportunity to pick Craig's brain. So these compliance regulations are always evolving and always changing. Other than working with a firm like ours, what are some actionable steps that maybe a company could take to stay current and up-to-date, to stay current with what's changing? Because these regulations are always changing. They're always refining them. They're always adding new articles. When I was working with another client of ours, they asked me about that, and I was like, good question. Because these are always changing. So other than hiring somebody like us or working with somebody like us, how could you summarize that?

Craig:

Yeah. So the selfless plug is: stay tuned to our podcast, be sure to subscribe, subscribe to our YouTube channel. Here's the reality. We live and breathe this stuff, right? We're always getting the latest information. We're making sense of it. We're distilling it down. So we're your shortcut. We're your easy button. Right. If you don't want to use us for whatever reason, the FBI, like I said, puts out CISA. Like I said, the nist.gov website, National Institute of Standards and Technology, nist.gov. They have a wealth of information there, but here's the thing. You can go get all this stuff for free, and that's great, but are you really going to be able to read and digest and understand a 300-page PDF from NIST? That's very technical. And it's even difficult for us to go through and simmer down and make sense of, and then translate that language to something that most people can understand. The information is all out there. It's all public, but we're that shortcut. We sift and sort it, we make it easier to digest. And then we help companies of all shapes and forms get started with this stuff. A lot of companies can go to our website, or they can go to the federal government resources and maybe pretend that they're a defense industrial base company. It could be any kind of business. It could be a construction company. It's still a good exercise for that construction company to go through the self-assessment process for CMMC, for example, even though they might not deal with controlled unclassified information. That's not the point. The point is that it's a good exercise from a maturity standpoint to go through the self-assessment, to identify all of the stuff, the policies, the procedures, the security controls on all of your systems, and get value from that, because every single person and every single business is currently at risk from data exfiltration, ransomware, and other adversarial threats.
There's all new evidence with the whole thing that's happening right now with Russia and Ukraine. There's new adversarial threats coming out all the time. So this stuff affects everyone. Even a consumer can go through free resources and bolster themselves, but it's kind of like diet and exercise. Who's going to wake up and actually do it?

Blake:

I noticed too, a lot of our clients, they don't have too much understanding of what they need to do. It seems like the biggest problem with them is implementing real-world strategies that make them compliant.

Craig:

Well, like I said, nobody wakes up and says, oh, I'm going to read this 300-page PDF today on NIST. And yeah, they might have good intentions, and maybe they'll get 30 or 50 pages of it read, but I'm telling you this. I don't know the last time you guys have looked at this, but this stuff is really hard to digest.

Erin:

I read it every day. Craig, I read it every day.

Craig:

It's bedtime reading. I used the example of exercise because I think it's a good analogy. A lot of people, they want to lose weight and they want to be in better shape. They buy the latest gimmick or into the latest book on, you know, the South Beach diet or whatever the latest thing is, or the craze, the psychological and emotional buying decision: I'm going to buy that thing, that book or that video series or whatever. But their mind is thinking, when they make that transaction, that's the easy button for them to get the result that they want. But the reality is they learn really quick how much work it takes. You're not just going to get a six-pack or lose all that weight without putting in the work. What I'm saying with compliance and regulation is, as a business owner, you as a consumer, there's work that you have to do to make yourself better fit for cybersecurity. The less fit you are, the more ripe you are for getting hacked or having your identity stolen.

Erin:

I want to kind of add on to that too. If you get a personal trainer, or if you get a gym membership, just because you get those things or buy an entire video collection or whatever, you still have to do the work. Even if you have people to guide you. So working out to lose weight or to get into shape is like with your cybersecurity. We are an easy button, just like a personal trainer is an easy button. They can't do all the work for you, but they can show you how to do it.

Craig:

So for example, staying on kind of the fitness thing, because I think it's easy to understand for most folks, like, you ever see the Weight Watchers commercials where you get all the food and you get your meal plans and everything's all kind of laid out for you? Right. All you've got to do is eat it and then go do the exercise. So with our compliancearmor.com security training, for example, and our policies and procedures, we've done all of the hard work for all of you guys. 80%, we get you there, but you still have to do the last 20, because we don't know what kind of business you have. We don't know all the details of how you'd like to do business. Those fill-in-the-blank answers are for you only, to customize and tailor this solution that we've created for you. That's, like I said, 80% there. So we've done as much work as we possibly can to get you there, but you need to get yourself to the finish line. Now, we'll still be your personal trainer in that, and you can hire us for consulting and professional services, and we'll give you that accountability. We'll be that shoulder to lean on for questions: how do I do this? How do I do that? And then we'll meet with you at a cadence that you can afford, as well as that support for you. And we'll get that work done with you and we'll help you, but ultimately it's your responsibility. You're the one that's signing on the dotted line for that self-attestation. Or if you have a more modern regulation, you're the one that's signing off on that contract to get that contract award. It's ultimately your responsibility.

Erin:

And then I had another question for you, Craig. I kind of touched on this a little bit last week, but what do you think is something that the US government could do to get everybody into cybersecurity and understanding the importance of cybersecurity hygiene, or even just for the DIB, right? What are things that you think the government could do to help get started more quickly?

Craig:

Yeah, good question. So I've said this before. I think that the federal government has really good intentions, and they had great intentions when they came out with the beta of CMMC 1.0. In my opinion, I feel like they diluted it and really lowered the bar with CMMC version 2.0. 1.0 had five levels; 2.0 has three levels. I think we have a great framework right now that we can further fine-tune and customize. I think the problem right now, the big missing puzzle piece, is we're not getting enough support from the federal government around: this is what you need to do by this day and time, and this is what's going to happen after this day and time. I'll give you a perfect example. When the DFARS Interim Rule came out in November of '20, they said, look, you need to upload your score for your self-assessment on NIST and DFARS. It's a negative 203 to a positive 110. You need to do this by December 1st, is what they said. And then they said, if you don't do the upload and you don't have a perfect score, you have six months of POAMs, plan of action and milestones, which is basically: I'm going to fix this gap, this is how I'm going to fix it, and this is the day and time it'll be fixed, and you're going to get yourself that perfect score of 110. But here's the missing piece. The missing piece is, they say that you're not going to get that contract renewal. They say that you need to show evidence of this stuff. I don't feel like there's enough clarity around that. I feel like it shouldn't be this thing, this distant vision in the future. It should be: look, you need to do this, and you need to do it by this day and time. We'll put it two years out, or a year out, whatever the timeframe is. We need some day and time that this must be done by, and direction and clarity from the government. Look, the 1st of '23, everyone needs to do this. And if you don't have this, you don't get to participate in the supply chain. We need more substance.

Erin:

They need more teeth.

Craig:

Yeah. Teeth. Correct.

Erin:

Really bite into that.

Craig:

Yeah. And I think the same thing for health, like I said, with HIPAA and these other regulations. Why not just take this as the opportunity to say, look, if you're a business and you're handling any kind of sensitive information, consumer information, credit cards, birthdays, personally identifiable information or PII, let's group it all together. Any PII, PHI, anything sensitive, right? By January 1st of '23, you have to be at this level. And if you're a PHI, then you need this other level. And if you're CUI, then you need this other level. My point is, let's have a framework. Let's choose CMMC 2.0, and let's say, look, if you're a business, if you want to take a credit card from somebody, you have to do this. And if you don't do it, you can't take the credit card. And I think that we need more teeth in it at all levels of any type of business, and the same thing with consumers. If you want to go on the internet and you want to buy something from a merchant, just like if you want to go and you want to drive a car, it's a privilege to have a driver's license. Maybe it's a good idea to have a cyber license. If you want to go on the internet, you're going to have basic training. And you're going to be audited and tested, and you need to renew it every so often to make sure that you are being responsible with your information online.

Erin:

That also kind of goes back to something Blake and I were talking about. We had the idea of starting with cybersecurity young, like an elementary school kind of thing. Now, out of curiosity, I don't have children. I do have lots of nieces and nephews, but I'm just curious. Do they have any classes like that? In their computer classes, do they teach any sort of cybersecurity lessons?

Craig:

My children are too little right now to be able to comment on that. I do know that I have been asked and have done many continuing legal education and many continuing education sessions, for medical and for other colleges and universities. I did a lecture at North Carolina State University a few months ago. So I've been hired to give good information around cyber and compliance. I don't know what the quote-unquote basic training is for younger kids. I think it's a great idea and it should be baked into the program, but I don't know what the curriculum looks like for that. Like I said, I think that, especially for young kids, I'll give you an example: with Facebook, in social media, there's all these documentaries out there around how our youth and our smaller and younger kids are getting subjected to all these different things, like TikTok, for... and I'm not just calling out TikTok. I'm saying Twitter, everything, Facebook, you name it, fill in the blank, social media. It has some damaging effects for growth and emotional... it just has all these damaging effects. And I'm not singling out any of these providers. I'm just saying, I don't think that these providers really knew what these...

Erin:

Right.

Craig:

Could be. Right. And I think that we all, as a population and society, have probably had damaging impacts from mobile devices and just computers, you know, there's positives and negatives, right? So computers are great to get things done. Maybe there's what's called addiction with mobile devices; it's a real thing, detox, cutting the cord of your phone and constantly checking for notifications and things like that. So I don't know what the curriculum is, but I think that that's a great idea. And maybe there should be some federal program that creates almost like a NIST, but a NIST for kids. Right? Like a framework for that, where, look, if you have a kid that's this age to this age, you should complete this level of education. And maybe it's an online kind of course. Right. And who knows, maybe we'll create it, because we have a university too. So that's a good idea that we could create. But my point is that whether or not it comes from the federal government, I think that there should be guidance around that and kind of best practices to best educate youth and the young.

Erin:

Something else Blake and I talked about, especially with social engineering and things like that, because there really are real-world consequences. It's not just, oh, it's just Facebook. No, I mean, even look at, what was it, Craigslist? They had people going around killing other people, like this. I feel like we got too big for our britches, in a sense. And that we were really quick to take up the internet, but we didn't really think about the consequences. Right? So now we're seeing the consequences play out in the real world. And to me it seems like, and actually, since Blake brought this up, I've really been thinking about it, the biggest solution I see to this is start them young. You said your kids are too young, but I'm guessing if they don't have phones, they probably have iPads. Right. So they touch apps.

Craig:

Well, actually, my kids in particular, we don't allow them to use the device unless it's kind of supervised.

Erin:

Oh, nice. Yeah.

Craig:

We don't just give them the device. Unless we're like in the car on a road trip or something, we don't really give them free rein of a device. We have measured time with our kids, where we're strict with that stuff. And I'm not saying we're perfect either, but I do think it's a good point. But here's the thing I think this stems from: when the internet came out, it was kind of like this anonymized area in quote unquote cyberspace where anyone can kind of go and quote unquote surf the internet in anonymity, right? I'm a privacy advocate, but I think that there should be two sides. Meaning, I think that, like I said, there should be some responsibility at the consumer level, but what if we had followed the quote unquote driver's license responsibility thing? What if in the future we said that if you want to use the internet, you have to have your license to quote unquote surf the internet, and it's no longer private? You know how we have IP addresses and things like that that we get from our internet service provider. Well, what if one day we all had our own assigned number, kind of like our social security number, and that was our identity online? Wouldn't it be interesting to look at it? I'm not saying that I'm advocating for this. I'm just saying, just kind of go through the journey with me. What if everyone had their own IP address and identity online? Don't you think that would have an impact and effect on cyberbullying? For example,

Erin:

Yeah.

Craig:

If your IP address was always the same, don't you think it would be safer? Like Blake said, if I have an identity or a static IP address that identifies me or my child, and then there's cyberbullying happening and there's supporting evidence that, okay, that's this kid, right? You would think it would impact that. I would think so.

Erin:

Yeah. Yeah, I would think so too. If somebody had access to everything you said and everything you did online, you would probably think about your actions a lot more than if you could be anonymous.

Craig:

Yup.

Erin:

much. So

Craig:

Who knows, maybe the blockchain could record that, or Web 3.0 could be that ledger, so to speak. I think it would be interesting though, if we use the driver's license example: if you drive a car, you have to have a license, you have to pass the test to get the license, but you still have freedoms. It's a privilege to drive the car, right? But you still have freedoms. If you want to break the law, meaning speed, you can, but you have consequences too, right? Even if you think you're not gonna get away with going 80 miles an hour in a 55, you have the freedom to do that. But if a police officer scans you with a radar gun or laser gun or whatever, or finds that your car is the one that's breaking that law, they're going to pull you over and write you a ticket. So what if we had an internet that was kind of like that in the future? That could be interesting.

Erin:

Yeah.

Blake:

Our two big ideas were, so obviously when I was going through high school, they required that we take two languages.

Craig:

I remember that too. Yeah.

Blake:

One of them, obviously English, and then I think I opted for Spanish. What do you think is more useful in my world right now? Not only because I'm in cybersecurity, but imagine if cybersecurity was required curriculum in any school. But not only that, Erin and I were talking more from a younger, more adolescent perspective. So we had ideas like, okay, if your child is old enough to run an application or to choose whatever game they want to play on, for something as simple as saying, okay, little Johnny, on this application you click on your game. And of course that first application would be a VPN or something along those lines.

Craig:

In that context, it should be the rules of the game, right? If you want to excel and get to the next level, you have to abide by the rules. If you don't, then you don't get to the next level, right? So it should be almost like a rewarding, point-based system.

Blake:

Our second big idea was, so obviously, if you think about this, before you buy a car, you have a Carfax, right? So think about a Carfax for a business. Okay, before I go to this business, this business, my money, is their health, their scorecard here is their

Craig:

Yeah. I actually came up with that several months ago. Cyber score.

Erin:

Well, it makes so much sense. It helps things to become standardized. You know what I mean? If you want to get insurance, you can do all of those things at once. Like Craig was talking about, you have 17,000 different forms that you have to fill out that say the exact same thing. Well, if you have the cyber score, cyber credit score, or whatever you want to call it, then it's just right there. Also, what I was thinking about, if things were standardized, companies are going to be more apt to do kind of like what Blueshift is doing, what other companies, vendors that we've worked with are doing, which is mapping the controls that they can provide to whatever regulations are required. So, if you have one standardized CMMC for everything, right? Every single vendor that we work with is going to be like, wait a minute, let me figure this out for you guys. Right. It would just really help bring things together.

Craig:

That's what I was saying several months ago when I thought of that scoring thing. That's where I was going. I was saying, look, if everyone would just standardize on the CMMC and, let's say, your score ranges from a negative 203 to a positive 110, that could be one way to do it. But then we started talking about it. Maybe it'd be better not to use numbers like that, and maybe it would be better to just do A, B, C, D and F. That could be a way, but we have the resources and technology to help people increase their score. And I would love to see in the future maybe adoption of our methodology around the scoring system, because look at it from a risk profile. If you're an insurance provider, do you want to insure somebody that has an F, where your risk of paying out a claim is exponentially higher? Or do you want to give the guy or the girl that has an A on their score, maybe they get a break on their insurance, because you know that your likelihood of a payout is extremely

Erin:

Right.

Blake:

Already, imagine it right now with the Petronella browser bar: whenever you type in like a .com, it tells you A plus, B minus. So,

Craig:

Yeah.

Blake:

Kind of taking the previous idea with our current scorecard idea and bridging the two, because once you access the website, okay, I got a B minus. Okay, why do they have a B minus? How do they handle that? Okay, here's how they scored, and here's why they scored a B minus.

Craig:

Yep.

Erin:

And yeah, and here are some solutions to it. It would be easier to find solutions for them as well.

Blake:

Yeah. If you want to use this website, I'm thinking more like in a broader scope. Oh, if you want to use this website, we highly suggest that you use a VPN, or use it,

Craig:

What comes to mind too, ironically, is food labeling. You go to the grocery store, and maybe you have a gluten allergy or a wheat or a peanut or tree nut allergy. Right now, with the way that things are labeled, it's a mess. Even with food labeling there's cross-contamination, the labels are not clear. So not only do we need work on a score in cyber, but we need it on other things like labeling too, because I think it would just be a positive impact for everyone. I think that, as you guys said, I came up with the scoring thing. I think it would bring clarity. I think it will bring much-needed clarity for folks. I think that if businesses had a code of conduct to adhere to, or maybe the government came out with some more guidelines around it, or maybe there's tax incentives like, look, if you have a better score, we're going to give you a break on taxes, some type of positive impact and support from the government, I think would be helpful too. But I think that some type of globally recognized, or at least North American at the beginning, and then a globally recognized standard is much needed.

Blake:

Now that you bring up the food industry, this is just my understanding, because I've watched some of the documentaries on Netflix that talk about the food industry, these huge slaughterhouses and, yada yada, mega monopolies that have people sitting in, acting in government, that are making legislative decisions in favor of them. Do you feel like that's the case for cybersecurity? Do you feel like our cyber hygiene on the government level has been stalled by things like that, or has it not yet crept into our industry?

Craig:

That's a really interesting point. I think that my opinion is that everything's affected by that stuff. I'm not going to get political, but you exercise your right to vote, to trust that the person you're voting for has alignment with your values and beliefs, right? But there's no guarantees that they actually do what they say, right? And a lot of, stereotypically speaking when I say this, but a lot of elected officials say one thing in a campaign and then do something else. My point is, I think that, like you were mentioning, Blake, there are certain foods that have a monopolistic behavior, certain companies of certain sizes. Yeah, absolutely. One thing I'll reference with the CMMC: there is a lot of pushback from the little guys, the DIB, the defense industrial base, the smaller companies in the supply chain. There was a lot of pushback around CMMC, NIST and DFARS in general, saying that it was going to be too expensive and cost prohibitive and nobody would do it. And then they would say only the big primes would do it. If you think about that for a minute, our company, PTG, we found ways to help the little guys to make it affordable. And it really is truthfully affordable to get these scores at a level where your small business can compete. Does it cost money? Absolutely, it costs money. Is it millions of dollars for most? No, it's not. Is it a fraction of the cost of your contract? Yeah. It's definitely a cost of doing business. And we believe that it's almost like a minimum effective dose to be able to quote unquote get your driver's license to be able to bid on these contracts, right? But absolutely, I do agree that big companies often persuade, or for sure. Absolutely.

Erin:

I feel like the government, couldn't we give grants? I feel like that would make sense. Right now we have trillions of dollars exfiltrated and trillions of dollars in data exfiltrated by bad actors, enemy states basically. So to me it would make more sense. These things are not free, unfortunately. It takes time and it takes money, even if you do get a cybersecurity firm. So I guess I kind of don't really understand, although I guess in the past, the cost of this has been kind of built into the contract, right? And a lot of people just haven't used it.

Craig:

It's not the cost of NIST, really. I view it as, you've got this foundation of your business, right? And NIST, and you're attesting that you're going to do the NIST 800-171 stuff. But sadly, I would say that most people don't even know what they signed off on. So they don't realize all the stuff that they were supposed to be doing. I don't think that it was necessarily baked into the contract. I think before signing off on it, it should have been evaluated by the business owner or the stakeholders around: look, if we want to go after this contract and this contract's worth $10 million, we need to realize that it's going to take us X dollars to be able to fortify our systems and get them up to speed, just to be able to get this contract. It's an investment from that DIB company to be able to then have access to these opportunities, these new opportunities. And I think that the challenge, especially with the federal government, politicians, the challenge is how do we keep freedoms in place and choice without being biased? And I agree with that. I'm not saying I want to be told I need to do something in a specific way. I think that that's also where there's the big confusion point around some of this and where people don't know where they can get started.

Erin:

Yeah, absolutely. I feel like if they would just make a big cybersecurity initiative and really push it and grant money to people, to businesses, all the businesses, not even just the DIB, right? If we want to really get our cybersecurity

Craig:

It doesn't even have to be grant money. What if it was just a tax break? Look, businesses get crushed. Our own business gets crushed with taxes. Wouldn't it be nice if, look, you get your score to an A, you get X percentage off on your taxes to help with that pain and that burden? I think that could be a good idea. I'm in favor of grants too, but I think the point that I was trying to make is I don't want to be told that I have to do it one specific way, because the landscape is constantly changing. We want to make sure that innovation continues to happen around XDR and other layers in cyber. And we want to make sure that we have the choice as a business owner. We have the freedom to choose one vendor over another. Obviously we negotiate on our clients' behalf, better deals for our clients. So that's why it's good to go through us. But the truth of that is that we truly have vetted and tested these things. That's part of our mission and our value, to make sure that we are that easy button for folks, but that's why we do that. And that's why for the past 20 years we work on not only making those good relationships, but making sure that the stuff that we pick, that it actually works. There's so much stuff and so much money that's wasted, and so many promises from a good salesman or salesperson or saleswoman that persuades the company on the other end. Oh yeah, yeah, this is going to make all your CMMC or HIPAA or whatever the framework is, all your worries go away. This thing, it does it all. It's the silver bullet. But then, there's companies that truthfully are out there that will take your money. I've heard all sorts of horror stories from small businesses just getting ripped off. I think that if there was more teeth in it and more direction and more clarity around these frameworks, and reducing the amount of frameworks that we have, maybe down to just the CMMC or whatever they want to call it, that would make it simpler and easier to understand for people.
And like you were saying, Erin, before, there's a lot of crossover, different mappings from one regulation to another. We're all trying to say the same thing. And one author of one framework might want their framework to be the global standard or whatever. And that's all great. But I think that if it comes from the government, like the CMMC, for example, I think that could be a good clarifying moment for a lot of people. Then let there be freedoms and competition in the marketplace for the solution for this. And again, it goes back to the labeling I was talking about, right? So like, if our vendors, Microsoft and Apple, if they all were regulated and subject to this framework and they all were better able to label their products and say, this product is going to meet the access control domain and give you X points on your SPRS score, and make it easier to label things better, to make it easier for consumers and businesses to pick and choose products based on how much of a score impact they'll have, I think that would make things so much easier for a lot of people.

Blake:

I feel like this is such a good thing to bring up at this moment, but I think, Erin, it was our statistics podcast where we talked about the percentage of your revenue that goes to security. Let's just say you're a freelancer or a self-contractor. Once you get a check that comes in, you take a percentage of that check and you put it aside and you lock it up in a vault, saying, this is for when tax day comes and the tax man comes knocking at the door April 18. So you have a reserve set aside. I think, what comes to mind immediately, I think six to 11% of your revenue should be dedicated to IT security, things of that nature. It just depends on the data that you possess. And obviously it's going to be more if you're a government contractor, or maybe less if you're selling blankets at the flea market. That's something too that I think people need to understand. And then I even found a deeper-diving article: 50% of that should be operational and infrastructure security, another 20% should be vulnerability management or security monitoring, another 16% should be governance, risk and compliance, and then obviously this one would be unrelated, but application security. Of course, this all depends on the sector.

Craig:

I think that that's really good. I like that, but I think that people and businesses need to understand that there's a minimum effective dose, that whether you're one person or a thousand people, you have to have this minimum foundation. Okay. And then as your complexity increases with regulations or sensitivity of data, then you have to have these add-ons, right? So maybe, like Blake said, you have these increased percentages, but there's a certain strong foundation that needs to be in place for every kind of business first and foremost. But I think it really goes back to the labeling that we were talking about. I think it's great that every business should have X percentage put aside for this stuff, right? But I think it goes back to vendors, and putting pressure on Microsoft and other vendors to better label their products and services so that we know, hey, this is a puzzle piece, or this is a contender for giving us X number of points to solve this problem in this domain. And there again, it also goes back to the responsibility of the end user, in this case the business owner or the consumer, the person using the product, to properly configure those things, right? Microsoft, Google, they all have these platforms in their cloud services environments. And they all have a lot of mappings that are already done. But again, you can't outsource that responsibility. They're giving you the environment, but you, or a professional on your behalf, need to properly configure and continuously monitor and police that environment, make sure things are buttoned up and your scores stay high. But my point is that I think it goes back to labeling. Like, I'll give you another example with CUI, or controlled unclassified information. The federal government, in the training that we all took for the CMMC from the CMMC-AB to be registered practitioners, and to be an RPO company to help these people, the defense industrial base clients, as well as other businesses of all shapes and forms.
The training that we took basically said the federal government is still working harder to better label and identify CUI. And if they did not label something CUI, you need to treat it as sensitive and secure it. So my point is that there's so much work to be done with labeling of data and all types of sensitive data in all industries, in every single one, in health, in the federal space, and you name it, fill in the blank. My point is that labeling needs to be improved on everything. The regulations need to be simmered down to a more global, standardized system, and there needs to be more teeth in it.

Erin:

And there also needs to be more full integration of cybersecurity. Ever since learning so much about CMMC, that really resonates with me. I feel like instead of having cybersecurity and IT kind of off to the side as just out-of-sight, out-of-mind departments unless needed, it needs to be a part of the culture. And speaking on that, I just found this statistic. I want you to guess what the average, and you can guess too, Blake, Craig and BJ, guess what percent the average company spends on cybersecurity of their total revenue.

Craig:

I think it depends on which sector, if it's finance or banking or whatever it is, but are you asking for a dollar amount or a percentage? Oh gosh, it's probably less than 2%.

Blake:

I was going to say around one, maybe half a percent.

Erin:

That's closer, Blake. 0.3%.

Craig:

Yeah. 0.3%.

Erin:

of revenue is generally what is spent on cybersecurity. And we wonder why we have so many hacks.

Blake:

Think about this. When you go in and incorporate your business, whether you're using LegalZoom or an insurance service here, and then as you're incorporating your business, all these free services, like add-on services: oh, I want Bank of America to reach out to me. Oh, I want a CPA firm to reach out to me. Yada yada. Is there not a cybersecurity option there? So that way, like Craig was saying, you're building your house with a sturdy foundation. That's probably the thing that's on the back of a startup's mind: hey, how do I do compliance? How do I be secure? How do I secure my customers? The groundwork isn't even laid. Of course you have more things to think about, being profitable and generating cash flow and all these other things, administrative responsibilities. It should go hand in hand with those. And it should still be a part of the core foundation of your business: start and focus on cybersecurity while you're bringing all these other pieces together.

Erin:

Right. And it's so much easier to start it from the ground level than it is to incorporate it after the fact.

Blake:

It's more expensive

Erin:

it's way more expensive. It's way more difficult. So many more challenges.

Blake:

to do it later. Yup.

Craig:

I agree with that. The service exists. We created it; we're that easy button for businesses and consumers to help them with all this stuff. So we exist to help the people, provide really good, efficient services that have high value, high impact and high security. But what's lacking here is the teeth on the federal government side around standardization and labeling. If more people knew about us and how affordable some of this stuff is and how easy we make it, I think it's just going to be better for everyone. But 0.3% is obviously not enough for all that investment. Sadly, we don't create all these solutions. We just know the right recipe and the process. And that's why we have a patented cyber safety stack of over 22 layers now. And we have that stack because it's so powerful, and we continue to build on that stack because it works. And we know that it's battle-tested, and we only use products and services that are battle-tested, that go through our process. So my point is that if we get more support from the government around standardization and labeling, it's going to make it easier for everyone and more clear for everyone to understand why they need to take action now and not just sit on the sidelines.

BJ:

You know what's interesting, Craig, is that, as we've talked about before, 'cause we're always a big advocate of using the right strategic solutions, and we've talked about XDR a lot, and what's interesting is recently Gartner, who kind of is the trendsetter, right, for cybersecurity reporting; they're definitely considered an authority in the field, and the government probably reads their reports, and I'm sure that they're a source of a lot of the determined action government and business alike take. Recently Gartner published a report with a statistic, basically an expectation, where Gartner says that they think within the next couple of years XDR adoption will be at least 40%. But when you really think about it, they're saying 40% of all businesses, guys. That's a huge number. Well, what's really interesting here is that I think that finally things are going to start to settle and sort themselves out in the right way, because if you just look at, as an example, just our ecosystem, right? Petronella Technology Group. Craig has worked painstakingly over the years to stay in the know on the most important aspects of cybersecurity, from building bulletproof PCs years before the world was ready for the idea to always vetting all these different technology solutions. Well, now again, that has positioned us in a situation that's very significant, because we actually worked very closely with a certain XDR solution that we feel strongly is a very good one. And we're involved in research and development on the machine learning side of this solution.
'Cause I have it in my home as part of the research and development project, and I have had to spend so much time documenting anomalies with this system in my home, to the point where a lot of time has gone into just observing what's happening in my smart home. This is the unknown territory that we're in now, because it is an AI-driven cybersecurity tool that partners people and technology together, because the people have to input the knowledge into the tool, and then the tool analyzes and then takes action. We've positioned ourselves in a unique spot where we're involved in the actual research and development of this tool being used in the real world, in a smart home, for example. And I'm noticing some things that I didn't expect to observe. It's so significant when you add all these little pieces together and you kind of paint a picture in your head of where this is all going. Gartner is saying 40%, and that's just on what we know today. That's not factoring in all these anomalies that I'm documenting. Something's happening with this tool. I have pages and pages of documentation of things that I'm noticing. And so 40% could be low. And so this is a very important time, a shift in cybersecurity, where the people that have been on the cutting edge, because we wouldn't be involved in this process with this XDR tool if we weren't consistently on the cutting edge of cybersecurity, where we always find ourselves. Well, now I think this is really gonna start to be a pathway for people to, just what Craig was talking about, find the right solutions and be able to onboard with them and take the stress out of it. Why is Gartner estimating 40%? That is such a big number. So they have to have their suspicions about the X factor here, the machine learning part. And we agree with that after what we've witnessed. So this is such a critical time to partner with the right people who have the right knowledge and the right expertise.
And they have their hands in the trenches with their sleeves rolled up, because this is uncharted waters, and 40% is a big number.

Blake:

Gartner is also the publishing authority that said that you should spend anywhere from six to 10% of your revenue on cybersecurity. And as well, they're the same publishing authority.

BJ:

We know this. I mean, Gartner's like the authority on this. People pay big money to try to even advertise on a Gartner report, to get in the limelight with Gartner. What I'm saying in a nutshell is that Craig has made very smart decisions that have put us at the cutting edge of things that no one even knows. No one even knows what to expect, right? 'Cause me, I'm like an anomaly hunter, right? And I have been so surprised at some of what I've found. It's hard to surprise me when it comes to this stuff, but I have been floored by some of what I've witnessed, to the point where I get so excited my hands are shaking, right, as I'm trying to document this stuff, 'cause it's that fascinating. And they're saying 40% without knowing those things, is my point. There's a pathway that's probably just going to self-form, right? But you have to be aligned with the people who have been there working on this, because that's just the way it's going to work, probably. I think that there's a light at the end of the tunnel, and I think that we're always going to need the right cybersecurity people, because these tools need the human interaction as well. The human interface, it's very important, and these tools don't work right if they're not handled correctly, with the right expertise, the right knowledge,

Craig:

Sorry to interrupt you, but see, a lot of people don't understand that, though. A lot of people think that, I'll just go buy this off-the-shelf XDR, and then the salesperson does a great job of selling them on it being the greatest thing. Like I said before, it's not a silver bullet. It's a powerful layer. And it's an essential layer these days. We were just saying 40% is a great stat for adoption. But my point is that a lot of the solutions do not have talent managing that hardware and software and intelligence. And that's where the solution that we chose comes into play, because it marries all that together.

BJ:

Yes. Because what it marries together is the understanding of this stuff and the foundational layers, the backbone of this stuff, because what is software, right? Software is, you can ask anyone to define what software really is and people are going to think they know, but as they start trying to define it, they're going to get very confused. And they're going to stumble, because what is it? What is AI? What is machine learning? What is AI-driven? Cybersecurity tools. Good luck trying to define all that. But the key here is that, because of the years and years and years of cultivated knowledge about these things, now there's a level of awareness amongst certain people in this industry where they know what to pay attention to, and they know what parts of the software need attention, because in a scientific process the observer is critical to the process. We're in a very unique time for cybersecurity teams, and it's not ironic. It is ironic. Excuse me, it's not coincidental that a few months ago the government, the federal government, went on a huge cybersecurity talent hunt. Literally, I saw the solicitations emailed out. They're searching for top cybersecurity talent, because I think people are starting to understand that the people involved in the cybersecurity teams definitely have an impact on how the tools work.

Craig:

Well, not only on how they work, but, just like in anything, the human is going to use the tool in the toolbox and then hone their craft, right? So there's going to be some people that are better at it and some people that are not. But as I listen to what you're saying, BJ, I think that we need to create our own Gartner report. The reason why I say that, no, I'm being serious, the reason why I say that is because I like Gartner. And again, I'm not putting any reports down in any way, shape or form, but even though Gartner is well-respected, I don't think that it's fair to charge vendors or people to be on the Gartner report, right? Kind of a pay-to-play kind of thing. Like Blake was talking about with the other industries, that you kind of have the top big players that kind of control. I feel like there should be a report that we write that gets published annually or whatever the frequency is, that's not biased and is objective. Yes. It's all evidence-based.

BJ:

Just objective. Yeah. That presentation you gave, you gave that presentation at a university, and it was the perspective of the observer, and your presentation actually was sent to me by Google Assistant, right? But it's really good. It's really good. It put things in perspective for people. That is so critical. Go with the cheapest solution, or the one that is offered by a big tech as part of a package deal? I personally don't suggest doing that, because this is uncharted waters, and that's not how this stuff works. These tools, these smart tools, they work differently.

Craig:

That's also why we follow that proof-of-concept methodology. And we back everything up with third-party evidence too. But here's what's alarming, though. What's alarming is the statistic of folks, businesses, that don't understand the value of even the proof of concept. And we've even seen people that are like, oh yeah, well, we didn't really budget for this, so we'll look at this next year. That's the wrong approach, folks. You need to invest in this now. If you don't think that you've been hacked, you probably have been; you just probably don't have the visibility and the technical understanding, the human side of it, right? The human side to see. It's kind of like out of sight, out of mind, right? If you don't see any red flags or any evidence of something wrong, you're thinking, oh, everything's great. But when you get that visibility and you look through that lens and you see, look, there is something bad happening, and this is what's really happening, here's the mitigation or the remediation plan on fixing it. More people need to go through those proof of concepts. I just don't understand. That's what's mind-boggling to me. More people need to invest more and take this more seriously.

BJ:

Yeah, it is mind-boggling. I can clearly see in my interactions with people, I can clearly see that there's basically two sides to this. There's the people that get it and understand the complexity of cybersecurity and the strategy of people, process and technology, and the right ones, the right people, the right processes and the right technology, because all three are important.

Craig:

Well, they're really important.

BJ:

It's just about how they're aligned. And then some people don't get it at all. I literally got an email from someone, and they said, literally, they're just going to go with the lowest price. And I'm like, I don't know a nice way to say this, but that's not the right way to look at this, and you're making a very big mistake.

Craig:

And there's always a reason why that price may look cheaper. There's something missing; that's the fact of it.

BJ:

It's a rinse and repeat: hey, we're going to launch this tool, but we're not gonna pay it no attention and observe it. And it's not going to really do anything phenomenal. You're going to be able to check a box and say you have it, but how effective is it going to be?

Craig:

You can build a house with one guy and a hammer, but if you don't have the miter saws and all the latest technology, right, it's going to take you a really long time to build that house. So we're not saying you can't go and find your own stuff, but I challenge everyone listening to be more efficient than we are. We work hard every day to find the most cost-effective, efficient solutions that actually work.

Erin:

Well,

Craig:

Guarantee that you will not find a better recipe than what we've developed, and that's our intellectual property. I mean,

BJ:

I would agree completely.

Craig:

With the XDR SOC services that we provide, you can't hire an intern for what our solution costs. And if you think you can, that's crazy. We do this every day. This is our bread and butter. We live and breathe this stuff. We are efficiency experts, not only at managed services, but cybersecurity; all the work that we do around risk assessments and pen tests, we do it really, really efficiently and cost-effectively.

BJ:

We're really cybersecurity strategists, really, because we understand the value that each team member brings to the table. For example, we have several layers, right? But this one that we're talking about, that Gartner spoke of, the 40% adoption rate. I remember specifically how we stumbled upon it when you were looking for something like this, because Craig's always keeping us aligned with the cutting-edge tools. And we were almost going to sign on with one, and then on a Saturday afternoon Craig messaged, and it was like, hold on, I found this. And I was like, oh gosh, another one. And then I went on the demo and I started getting to know the guy who wrote the algorithms, and I was like, whoa, he might've really stumbled onto something here. That right there, how do you define that? How do you put a value on that? The mind that sits there on a Saturday afternoon and does what needs to be done to find those gems, right, and to understand when they do find a gem.

Erin:

I think too, the other thing is the other vendor that we considered wasn't quite gem enough. Right. That's why Craig was looking for a little bit more. It was a good solution.

BJ:

Yeah. It was a good solution. We liked it. But Craig just felt an intuition that something more was needed. Right. And kept searching, and then he found this, and after what I've seen, right, I won't get into the anomalies. That's a rabbit hole. But after what I've personally witnessed, dear God, I don't even know what to say about that. You know what I mean? Machine learning is an X factor, and no, 40%, you can say that all day long. I agree it's going to be at least that. Listen, I think there's going to be a scramble to get a solution that really, really works. And I think 40% is going to be really low. Not all XDR tools are the thing, you know? And that's the critical thing here.

Craig:

That's why I was saying you've got to take us up on the proof of concept. We're not making this stuff up. You got to go through it.

Erin:

There has never been a time that we didn't find something.

Craig:

That's right. Let's use a medical example, right? God forbid you got diagnosed with some disease or something, right, and the doctor says, oh yeah, you're fine. But maybe you just don't feel well. Do you stop and take the decision that the doctor said you're fine? Or do you keep

BJ:

Saturday.

Erin:

Yeah.

Craig:

If it were me and I don't feel good and I go to a doctor and my doctor runs all these tests, and he says, oh yeah, you're fine, you're fine, but I

BJ:

That's

Craig:

don't feel well, I'm not going to stop. I'm going to go to another doctor. I'm going to go to a specialist. We are that specialist for cyber. We live and breathe cyber and compliance and managed services and managed security.

BJ:

The alignment of people, process and technology will never go away, because here's the thing: people think, oh, the AI tools get so good, you're not going to need cyber. No, that's not true. The alignment of people, process, technology will always be significant, because the technology part will not do its best unless it's being observed and handled correctly: updates, patches, observations, noting what's happening, attention. It's science, and it has to be observed. The observer's skill level is determined by a lot of factors, their knowledge base, all kinds of things go into that. Right. You can't go and duplicate what we're doing here. You just can't. We're in uncharted waters and we're navigating them, we're navigating them very strategically.

Craig:

It's always changing and evolving, and that's a good point, BJ. The one thing I'm going to say is our solutions and our recipe, our 22-plus patented cyber safety stack or cybersecurity stack that we have. We're constantly looking at all those technologies and solutions and we're swapping them out. Back in 2013, when there was a spike in ransomware and we were using a certain antivirus vendor and it wasn't detecting anything, we swapped it out for a better solution for that layer. And we're always making sure that we have the most powerful stack available. In the future, who knows what's going to be added to our stack. But my point is we don't just stop and say, oh, we've got a stack, and then that's set in stone. We're always looking at every layer of the OSI model and making sure that everything is all encompassed and covered.

BJ:

Our strategy is streamlined and fluid, for sure.

Craig:

Yep. I started this company over 20 years ago. I didn't start it as a job. I started it because I love technology. I love cyber. I don't necessarily love compliance, but I'm really good at it. I live and breathe this stuff because I like it. I enjoy it. It's not a job for me, and that's why it's to your benefit, because I'm doing all the experimentation.

Erin:

That's why you're doing that on a Saturday, because you love it.

BJ:

People, it's hard to describe the benefit of a human, right? Because we see the benefit of automation and stuff like that. But when you think about a human, what are they? Well, they literally are conduits of passion. When we get passionate about something, we really can excel and really separate from the pack. Passion is like, how do you define that? You can't buy it. It's not for sale. It's authentic, but when it's fully activated, wow. You know, a lot of sparks happen.

Craig:

We should probably wrap up here.

BJ:

Yep. All right guys.

Erin:

Let's keep going, guys.

Craig:

The marathon podcast.

Blake:

It was a good one, though.

Erin:

That was good.

BJ:

We've only scratched the surface. There's so much more to talk about. One day, maybe we should do a 24-hour marathon.

Erin:

All day.

Craig:

Oh God.

Erin:

I can do that. We can do that pretty easily.

BJ:

Usher in the age of automation with a 24-hour live.

Blake:

Maybe we can make a technology that livestreams the automation.

Craig:

Hey, that's a good research and development idea. Maybe we need a smart camera to stick in front of your device.

Erin:

Oh my gosh.

BJ:

I think that's actually happening organically. That's one of the anomalies I've noted, so...

Craig:

But we'll save that for the other podcast.