Identity in Cybersecurity Ep. 8 — The Visibility Issue

Plurilock CEO Ian L. Paterson and Larry Whiteside Jr, Co-Founder and President of ICMCP discuss the importance of two-way visibility, diverse hiring, automation, the cyber-skills shortage, and being a steward of data.

How do you source cybersecurity talent? Which skills or certifications actually make the best hires?

In this episode, Plurilock CEO Ian L.Paterson talks with Larry Whiteside Jr, Co-Founder and President of the International Consortium of Minority Cybersecurity Professionals, ICMCP. In this episode they discuss ICMCP, bringing diversity into the field of cybersecurity, building a strong team, automation and its impact on the skill shortage, and the focus on being the steward to other people’s data.

Host:      Ian L. Paterson
Guest:      Larry Whiteside Jr.
Length:      38:06

Ready to listen in? Click play below.

 

Larry: So, to give you context, ICMCP is an organization that I co-founded with some friends of mine in 2014. And at the beginning of February, I basically took over as president where I’d been on the board of directors. And so me taking over as president was in an effort to lead us into what I thought was going to be the new realm of change, an action that’s needed in order to really build diversity in the field of cybersecurity. So for me, that is by far the most important and passionate thing that I’m doing in my life besides, you know, having a family, being married, and raising kids. That’s, that’s the thing that really drives me day today.

Ian: How—so I’d love, I’d love to get your feedback on this—we hire on a pretty regular basis. Like, we’re always hiring university co-op students. Just kind of like an internship, typically taking in at least two new people per semester. Obviously, we’re a growing company—we have other positions that we hire for—what is the best way that I, as an employer in the cybersecurity field can emphasize, hiring minorities and women—how can I give them a disproportionately large or advantage relative to the white guy complex?

Larry: Yeah. So it’s really a visibility issue, right? It’s a two-way visibility issue. It’s the employer’s ability to have visibility into that talent pipeline and it’s the talent pipeline having visibility into the jobs that exist and are striving to do more diverse hiring, right? And so for you as an employer, I’d say partnerships. And so partnering with organizations like mine, partnering with organizations, organizations like WICS (Women In Cybersecurity), WIPS (Women In Security and Privacy) —those types of organizations who, who have members that fit the demographic of what you’re looking for, who are actively seeking roles.

It’s the employer’s ability to have visibility into that talent pipeline and it’s the talent pipeline having visibility into the jobs that exist and are striving to do more diverse hiring.”

Larry: And so, all three of those organizations I just mentioned have active partnerships in universities across the country and are doing things to try and be, what I’ll say is “the tie that binds those two collectives together” Both the community that is looking to get roles and get jobs in the field that are minority and female, and then both the companies that are looking for diverse talent. From my perspective, I want ICMCP to be one of the, if not the go-to entity, that organizations or companies who are looking to hire diverse talent in the cyber field go to and then, from a people perspective, for minority and women who are looking to uplevel themselves in the field of cybersecurity.

Larry: I want us to be the go-to organization because what I’m building is a skills assessment and training medium that is going to allow my members to assess their skills based on roles that they want. And so, I’m looking to create something that’s available for both entry-level, whether you’re coming out of high school, coming out of college, or transitioning from another career field—as well as those already in the field—to be able to say, “Hey, this is where I’m at today, here are the gaps I have in my current skill set based on what I want to be tomorrow, and here are training partners that, the organization has partnered with to give us free or deeply discounted training capability that if I were by myself, I’d have to pay 10x what I’m going to pay by being a member of this organization, right?” So I’ll give you an example.

Larry: One of the companies that I won’t mention again until we come out with our release is, their training is $2,500 a seat for their online training—and for us, I’ll be able to offer to our members for $125 a seat, right? And so when you think about what that means to somebody who’s trying to uplevel those skills and trying to get trained in certain areas to be able to then go and get this training that they normally wouldn’t be able to afford themselves. And if they went to their employer—if they have one—to be able to pay for this training, that would basically cut off their entire training budget for the rest of the year— snd that’s the only thing you’d be able to be trained on is that one thing. And so, it’s that type of organization that I am trying to develop to create for the membership that we have that is actively growing.

Ian: So, the training and certification is a really interesting piece. I think one of the common questions that I receive/see online, like especially on Twitter, is certification. So what are your views on, on certs? And I’m thinking specifically around CISSP like, is that the one to start with? Do you recommend others? Obviously it depends on what you’re looking to do, but just from a general standpoint—what are you thinking?

Larry: So, it’s interesting. So I’m the anti-cert guy and I love ISC2—I love ISACA. I personally have zero certifications, and I got soured from them over a decade ago—two decades ago for two reasons. One, the MCSC was one of the first certs that hit market, and, I used to throw out junk computers and have them in my trash, and one day my trash guy comes and says, “Hey, yeah, I’m going to be doing what you doing I just got my MCFC” and that annoyed me, right? That was, you know, mid-to-late nineties. But then when the CISSP first came out, I actually had Harold Tipton, the author of the First Security Management Handbook teach a class of which I paid five grand per person for a two-week class for me and 10 of my employees.

I want ICMCP to be one of the, if not the go-to entity, that organizations or companies who are looking to hire diverse talent in the cyber field.”

Larry:And we went and took this class, and when we took the course, one of the things he said was as we went through the 10 domains that, “Hey, I’m not here to help you pass the exam—I’m just here to help you get familiar with the 10 domains.” And then as we went through the domains, then I started thinking of the applicability of what all those domains meant to me from a professional standpoint—I didn’t see the correlation, right? I don’t need to understand the origins of Diffie Hellman unless I was going to be a cryptographer, right? And so, when I started to look at all those things, and then I’ve watched the CISSP as well as some other certifications grow over the years and popularity, they became resume fodder and they became resume fodder for HR. And it was really only there because that was a way that HR could weed out right stack vs left stacks of resumes. So for me, it lost, it’s fervor—it really lost the attraction of why it was originally created. And then I also looked at the practice test and the ambiguity of answers, right? When, they would give you a question in the ambiguity of how the answers were, I just lost all respect for the certification bodies as a whole. Now, again, organizationally—they’re friends of mine. We partner with them because there is value to them from the standpoint of, I’ll say continued learning and showing an ability to grasp and learn topics and certain things, right?

I’ve watched the CSSP, as well as some other certifications, grow over the years and popularity, they became resume fodder and they became resume fodder for HR. ”

Larry: But, I think the long term value of them is dying off quite quickly. I think there are things starting to become more valuable—you know, SANS is growing for a reason— because the deeply technical aspect of not only their certifications, but the testing to actually achieve a certification is far deeper than anything other than maybe the CCIE.

Larry: But, add to that when you look at the certificate bodies that are starting to be created, right? So, CSA, the Cloud Security Alliance started going down the path of, instead of creating certifications—they’re gonna create certificates. And the difference between a certificate and certification is sort of a case in as this ongoing, CPEs and continue to do what we’ll call “the mind-numbing aspect of maintaining relevance of the cert” versus getting a certificate that shows, “Hey, I’ve got a competency in a particular area because I have a certificate, which is basically similar to a degree, right? But just in a small niche area, so the certificates—I think—add more value and lead to having more credence in the true purpose of what the goal is or was for certifications, which is showing competency.

Larry: Because at the end of the day, when you’re hiring someone, you just want to have a way to understand that they are competent in a certain area. And so if they’ve gained a certificate in a particular area, it shows competence. Where the certificates need to figure out their balance is what certificates did with the continuing education by trying to do something that makes it applicable to the certificate that was gained.

Larry:Because like with your degree, you graduated, right? I graduated with a computer science degree in ‘94. Don’t ask me to code today—if it’s not in COBOL and Fortran or something that, you know, I could probably pick up pretty easily—don’t ask me to code today! So the certificates, if you go get a certificate in some aspect of cloud security or some aspects of incident management or something like that, working through how you go through to if you got it two years ago, how is that still relevant today? How do you maintain some aspect of proficiency over time? But I’m not a huge certification fan because, I know, and—no offense to my alphabet soup folks—but I know a number of people who have the alphabet soup behind their name, that are good book readers and good test-takers.

But I’m not a huge certification fan because, I know, and—no offense to my alphabet soup folks—but I know a number of people who have the alphabet soup behind their name, that are good book readers and good test-takers.”

Ian: So, for somebody just coming out of school, wanting to get into the industry, there is literally an alphabet soup of certification to choose from. What’s your recommendation on a good starting point?

Larry: So, my recommendation to everybody is first off, it depends on what’s your—you have to define coming out of school. We are one of few career fields that are coming out of high school, you can still have a very good lucrative career if you take the right path early, right? And so for me, depending on what you’re coming out of directly correlates to what certificate or certification program you should go into to demonstrate capability. And that’s what it comes down to—demonstrating capabilities.

Larry: So, if you’re coming out of college, right? If you’re coming out of college, but you don’t have a technical degree—so going CompTIA and Security Plus is going to get you some of that baseline knowledge. If you are coming out of high school, similarly, a Security Plus is going to add some baseline knowledge and understanding of the career field—because when you think about it, some of the certificates, you’ve got to have a certain number of years in the industry—you’ve got to have recommendations from other entities. So the Security Plus is really a get your feet wet type of degree.

Larry: But, what I tell people is focus on showing some of the things that you do in your private time—if you are truly passionate about the industry, right? You’re going to have a home network where you, you’ve got Wireshark running and you are segmenting your network, and you are doing packet capturing and packet analysis and doing—in my early days, even though I was an officer in the military—I had 26 systems on my home network in a server farm in the basement. And I was running multiple windows systems and I was doing my own scanning of my network and breaking things. And so a lot of people who are truly passionate about this, whether they come out of high school and college, they’re doing more work in their private time—of practicing and playing and demonstrating and running Nessus in their private environments and doing all of those things that they don’t show.

Larry: So I tell people, if you focus more on that, right, focus more on these things that you’re doing and playing around with—do you have an AWS account where you’ve gone in and started playing with Kubernetes and other things inside of AWS, security architectures? Showing a lot of that goes way further than you getting a Security Plus eval, right? It goes way further going down this path because those are the things that hiring companies you want to see and understand.

Larry: What we’re battling right now in the industry as relates to entry-level positions is HR. And it’s—no offense to HR—they just, they’ve been operating in a certain way for so long. And it’s hard for every company, whoever the security leaders in that company—to have the business acumen and clout to be able to help HR treat security differently. And so, that’s a conversation that needs to happen because how can you be looking for an entry-level position with one to three years experience? Like those two things just don’t go together. But that’s a common factor we see. And it’s not that the cyber team or the security team is asking for that—but it’s part of the requirement that HR as, as relates to their, you know, quote-unquote entry-level positions, just put in there as a staple. Oh yeah. One of the three years and a bachelor’s degree in something. “Well, really? We don’t necessarily need that.”

Larry: If I got a guy who’s graduated high school. But has in his own house over the last two years, built a segmented networking, can get into detail aspects of, of network segmentation, packet analysis, talk deeply about Wireshark, go into things about scanning and doing all those types of things—can get into cloud architectures, right? That person I would hire before someone with a college degree, with a Security Plus all day every day!

Automation has become everything because the amount of data that has been thrown at security analysts is just overwhelming.”

Ian: So that’s an excellent segue into the employers side of hiring. I think that the stat I saw recently, it’s probably going up now, is a million cybersecurity jobs unfilled in 2020 just in the United States and going up. So if you’re required to staff up either an existing security organization or maybe you just get thrown into a new organization, you’ve got to build a team from scratch, what are the tips and tricks that you’re going to use to get that talent in there that you need to be successful?

Larry: Yeah. So the reality of what the job market is going to look like is going to change over the next few years as automation becomes more of a thing, right?

Larry: So first thing is I think the million jobs, I think there’s, it’s a combination of reality and—I don’t even know what word I want—I don’t want to say fake, but there’s some reality in some, you know, non-reality to it.

Ian: Are you saying this is fake news?

Larry: Ha! I hate to, I hate to use their words because of where it came from, but there’s some aspect of this, this overabundance of the jobs that they’re talking about, that they’re using based on statistics that have happened over the last 10 years as it relates to job creation and threats. And so the reality is, the introduction of automation into these worlds of cybersecurity that we’ve allowed because automation is not new, it’s just we finally gotten to the point of realizing that we can no longer stave off inside of security automation like we had been six, seven, eight years ago, because when Cisco introduced automation, originally when they brought bought Protego, and people were, and they were saying, “Hey, we can utilize this tool to create ACL rules and create firewall rules and our Cisco firewalls.” Everybody about lost their mind, like, “No way am I going to let a computer create rules in my security equipment. It’s the end of everything and I refuse to do it!” Fast forward to 2020 and now over the last three years, automation has become everything because the amount of data that has been thrown at security analysts is just overwhelming.

Larry: And, so I think that the combination of data growth in what we’re dealing with from a threat standpoint has got people pontificating that the number of jobs and security is just going to go like this when in reality, coupled with automation, it’s going to grow, but not quite at that rate. So when you’re hiring people, it’s a combination of helping to understand how much growth is reality, and then picking people that have a thirst for knowledge in our field, the people that are the most successful are the ones who are curious and have a constant thirst for knowledge, right? They don’t operate inside the box. They don’t do things just because that’s the way they’ve been told it’s supposed to be done.

The people that are the most successful are the ones who are curious and have a constant thirst for knowledge, right? They don’t operate inside the box.”

Larry: If you think about all the innovation that’s happened in security, it’s been people who have looked at old problems and said, “the way we’ve been solving them it’s not necessarily the best way for us to do it moving forward based on the things that are now available to us today.” Right? And so that’s what I look for when, and this is why I talk about people bringing up the things they do in their personal time as it relates to that curiosity in the field of cybersecurity—this one guy, who to this date may be one of the best guys I’ve ever had on my team—and this guy he had, he had an undergraduate degree. But his thirst for knowledge was so great compared to pretty much everybody I’ve ever hired in my 25 almost 30 years in this industry because he was running his own AWS environments, he was running his own environments in Azure. So there was nothing that I couldn’t really approach him with that he wasn’t already in his private time, tinkering and playing and doing things just because he had a thirst for knowledge and curiosity.

Larry: And so for him, he is a guy that no matter where I go in whatever role I’m in, here’s a guy I’m going to reach out to see if he’s available and see if he’s willing to come on board. Right? Because, and I told him in his one-on-one—if I could clone you today, I would clone him a million times over because he’s so—did he have any certifications? He had none. Not a single solitary certification. When I actually hired him, he was working in development, right? He was working in the DevOps team. Right? And doing some QA stuff. But when I hired him and his boss was the one who recommended him to me. And when I started talking to him.

Larry: And I recognize the level of curiosity that they had, and how much of his own personal time that he was spending trying to understand all the different aspects of security and all these different layers. I realized that this is a guy, even with no certifications, even with an undergraduate degree and nothing that has to do with the technology whatsoever. is going to be extremely valuable to the team. And he ended up being that great!

Larry: So, when I build the team, I look for more of those types of things versus the stuff that you see in front of you on paper. Yeah, sometimes job history is gonna play a part. Right? And you want to know if somebody has got, multiple less-than-year-stints in roles—you want to understand because there’s gotta be an aspect of cultural fit into the team where, I am a very personable guy and so I’m going to ask you—talk to you about not just, you know, work stuff or family stuff.

Larry: If you’re married, how’s your wife and kids, if you’re homosexual, how’s your spouse? I am interested in the whole person. So, for me, all of those, that thirst for knowledge and all of those things are one part, but the whole person is a part of it too, because I recognize that anything I ask them, you as an employee to do for me in this realm of cybersecurity because there’s no real hours set for us. Attackers don’t say “oh, you know, the hours are only eight to five, so I’m going to make sure I only operate during that window” —because that’s not reality. I recognize that anything I ask of them to potentially impact their family and so understanding them as a whole person is important to me.

Larry: So in every organization I’ve been a part of, I have a I have bi-weekly 1-1s with, with every one of my direct reports. And that 1-1 is a combination of going over tasks, right? Because I’m about task management, not time management right? Here a task that you’ve been given, where are you at with completing these tasks? Right? But then how is work-wise and then how was home life?. I want to know if your kids have been sick, I want to know if your spouse has been sick. I want to know if your spouse lost their job. Those are the things that, to me, matter to the whole person because if it impacts you personally—it’s potentially going to impact your job. And I want to be aware of those things because if I give you something that’s potentially going to impact your home life and you’ve got these other things going on, you’re not going to be the best you. And so for me, I take all of those things into account. So I’ve built—I think I’ve built some pretty good solid teams and I’ve been very thankful for the opportunities I’ve been given. And, it’s been fun. It’s been a lot of fun.

I realized that this is a guy, even with no certifications, even with an undergraduate degree and nothing that has to do with the technology whatsoever. is going to be extremely valuable to the team. And he ended up being that great!”

Ian: So, we’ve talked a lot about team building, which is important, I think if we were to zoom out a little bit with team being one component if you were thrust into a mid-sized financial institution, bank, hedge fund, asset manager, and hired as the CISO to help right the ship. What does your 30 60 day plan look like?

Larry: Yeah, So I typically— it’s funny. So every organization you go to, right when you are stepping into the CISO role, every one of them asks you for 30 60 90 right? And it goes sort of two ways. One, they give you a 30 60 90 guide plan of from an HR perspective—things they want you to do as a leader, right? But then they ask you for your 30 60 90 as it relates to what you’re going to do as the new cyber guy, on a personal or whatever, that leadership role is. And so for me, the first 30 days is really, relationship building.

Larry: When I step into an organization as a CISO, there’s a good and bad side to being the CISO. The bad side of being the CISO is you’re responsible for everything and own nothing. Right? But then, if you build the right relationships and you are a people person and you are someone who is an influencer, there’s a good side to that because then you owning nothing means and you aren’t also responsible to fix the things that are being done that need to be done, right? You are just sort of acting in an advisory role to help the organization move forward as long as you can develop a plan—to align those things. So for me, my first study there is 30 days is always about building relationships, getting to know who the leaders are, getting to understand not just who they are as a person again—me being a relationship guy, I’m understanding them as a whole person right? They have a family. They’ve been married X amount of years. They’ve got kids—but also professionally. How are they incentivized? Right? Oh, they’ve got $100 million P & L on this. Their bonus is this way if they hit their numbers right? Understanding all those things that incentivize them allows me to create plans on how to communicate with them best as it relates to risks that get identified in their environment.

Larry: Because then during that next 60 days, it’s discovery. It’s understanding because, and these things sort of run in parallel—while I’m doing this relationship building, I’m asking my team to gather all information related to risk. Right? About all the systems, all the technology and all the data sets and everything across the organization that I need to be made aware of, whether it’s from previous risk assessments that have been performed or whatever that may be. Or maybe it’s, “Hey, we need to perform a new risk assessment because this one is more than a year old”, right? But it is doing that data gathering so I can then, in that 60 days, come back and start breaking this out and say, okay, based on these relationships I’ve built, “I know John runs this business unit and Nancy runs this and the risks that were identified for these systems, problems that are John’s responsibility and directly correlate to his revenue and these correlate to Sue’s revenue and so forth.” And so once I, and that 60 days I start carving those things out, I started having those conversations saying, “Hey, so these are things that have been identified. Let me help you, move forward appropriately.

Larry: And because one of the things is, for the first two decades of this career field, we were looked at as “Offs or no”, the way we treated businesses and organizations was we focused on telling them what they could not do, right. They would come to us or we would find out that, you know, this particular business unit was going to go off, down down the right hallway and turn right. And they wanted to do these different things and we would say, “Nope, you can’t turn right.” And then we would go away, but we would never be putting ourselves in a position to tell them, or which way can they turn, right? They’ve got an objective, they’ve got business requirements that they need to do, and they’ve got $100 million P & L that they need to do because that’s their job, right? So what are we doing to help them achieve that?

Larry: And so over the last 10 years, we’ve done a good job as a field—at the executive level of helping our business leaders understand that we are their partner. And so for me, in that relationship building in the first 30 days, part of getting to know who they are is also part of letting them know who I am and saying, “Hey, not here to stop you from doing what you do. But as I learned about how they are incentivized, I then helped them understand how I can help them achieve those goals that they’ve got set, and achieving the profit goals and achieving their retention goals in a team, and achieving whatever those goals are that they’re being measured against. And how we can do that without creating risk, right? And so when they hear that and hear that we are aligned and that we, “I’ve got the same goals that you do, right?” and “I just want to be able to find ways to do it in a less risky way. If there are risks that are present in the way that it’s doing it now, but still achieving those goals,” they tend to be much more open.

Over the last 10 years, we’ve done a good job as a field— at the executive level of helping our business leaders understand that we are their partner.”

Larry: So when I come back in that next 30 days, we’re just now in the 60-day mark. They start looking and they start saying, “Okay, well, yeah, I didn’t know that these things exist. I didn’t know that this was an issue, or I was told about this before but I wasn’t given a way that I could —as we move forward, change it or fix it or mitigate it in a way that wasn’t going to negatively impact my ability to meet my goals.” And that’s when, and then that third set of 30 days is where we begin to strategize, okay—now we’ve created this relationship. Now I’ve had that information gathering. Now we’ve sat down and talked—here are the things I identified, right? And now I’m going to give you a chance to go back and sit with your teams to talk about this so we can prioritize these risks and then we can start building a path forward, right? We can start building our—what’s the low hanging fruit that we can do? What are some of the basic things that we can do right now, right? Or from an IT standpoint of, “Hey, CIO, do you have multi-factor on, on your cloud-based email? Oh no? Well, let’s—how about we implement that? Because that right away will mitigate the threat of phishing immensely.” Right?

Larry: But, you would be surprised at how few organizations—just for something that simple—have not done multi-factor on cloud-based email. It is mind-boggling to me because to me it is an easy button thing with low impact. Right. But, when they hear multi-factor because they, they don’t dive into it and they think because it used to be cumbersome. You got to have this key fob and “Oh, it’s a lot of overhead and there’s a lot of costs and it’s $50 per person for this…” People think that there’s a lot of overhead associated with it, even though technically it’s an easy button thing. So that last, that that last set of 30 days is really about then beginning to build that strategic plan to say, “Okay, this is what we currently know and where we’re at.”

But, you will be surprised at how few organizations—just for something that simple—have not done multi-factor on cloud-based email like it is. It is mind-boggling to me because to me it is an easy button thing with low impact.”

Larry: Or, “Hey, this is what we’re starting to learn more.” And now that we’ve built this relationship, being able to prioritize the, build the plan for the next 12-24-36 months of how, as you innovate—we mitigate risks that currently exist. And then as you innovate and you’ve shared your strategy with me of where you’re trying to go, I can help you mitigate risks and your new initiatives as you move forward while still achieving your goals.

Ian: Got it. So let me close with one final question and I’ll provide some air cover for this question. What is the highest stress cyber incident you’ve been involved with OR that you’ve maybe heard from somebody else and what were the takeaways from it?

Larry: Yes, so for me, I use the term, “if you lie with dogs, you get fleas, right?” And so I use that term because an incident I heard about— was one where a third-party healthcare entity was impacted in a way that even though the direct organization was not impacted. It was a third party printing and labeling company that sent out information to the wrong people. Well, the information they sent out was about someone’s clinical diagnosis that sort of gives you a “Scarlet Letter”—if you get where I’m going—so that clinical diagnosis, going to the wrong people created a huge uproar for this entity. And it created an uproar because now these people who have the “Scarlet Letter”—whose information is now public to all these other people that may or may not know them versus it being private and being sent to them—is now out in public and you can’t, you can’t pull that back!

Larry: Now, the entity that took the brunt for it was the larger entity than was responsible for the information. The entity, however, that had the incidents—the mislabeling because they had someone actually break into an environment where the database existed and swap tables. And so when they broke into the environment and swap the tables, theoretically as a joke, I guess, I don’t know—and that went out, of course, the people who were impacted went back to the larger entity and said, “Hey, how dare you. Why did you do that to me? How could you let this happen?” Well, the larger entity, of course then goes to a smaller entity that actually was the culpable entity who had the issue and said, “Hey, what happened?”

Larry: But publicly, no one knew that the smaller entity was the one that was culpable. Publicly—no one knew that the smaller entity was even a component of this overall process. Right? And so it’s one of those, you know—in today’s realm of third and now—ultimately fourth party risk, right? You can even use the Target scenario as a real-world example, right? That everybody knows about, you’ve got to think about—you’re downstream partners and the data that they access on your path or on your customer’s behalf, and what that interaction looks like. And you’ve got to start being able to hold entities you deal with—who deal with your critical information—accountable. You’ve got to hold them to the standards that you hold yourself to and that means sometimes you’re not going to be able to do business with a Mom and Pop shop. And that may be unfortunate, but based on the criticality of your data, your ultimate responsibility is to the data owners, right? And so you are just a data steward. Right? You are a steward of these people’s data, whether it be financial data, whether it be health data or any other PII—you’re just a steward of it. That’s utilizing it for a certain purpose, right? To the benefit of the data owner.

You are a steward of these people’s data, whether it be financial data, whether it be health data, or any other PII—you’re just a steward of it.”

Larry: But organizations don’t take things that seriously. So when they are outsourcing things, whether it be outsourcing to a call center in Europe. If you think about, maybe two years ago when there was the mass issue with the little, wiki popups on people’s websites that were being popped. So, it was a couple of third-party companies where that tool—they did not have good development processes in place that enabled them to really go through and secure that code—when it came down to it. So, now all of these third-party companies have injected this code into their web front end to give the appearance of a live person sitting there—only for that to be hacked. And now attackers have got this and asking questions and interacting with customers for all of these large entities, right? And so I think third-party risks and accountability is one of the biggest areas of risk that our industry is going to continue to deal with.

Larry: I see it attempting to get better but, there are entities putting so much, I’ll say, in the way of governance and other things that are—I don’t want to say dumbing it down—but taking it to a point where it’s making it almost impossible to get down to the level of technology—get down to the level of what you need to get to the real technological risks that organizations have. Right?

Larry: Because we’re still in this questionnaire phase. I can put a company together right now, doing whatever, and I can respond to a questionnaire that literally I have Fort Knox and I don’t want it. (Fort Knox may not be a great example, because Fort Knox got hacked too, by a buddy of mine.) But, I can give the appearance that I am pretty much as strong as they want to be. And so it’s until we get to a better model of not just at that station, but some real world. Right. So the bit sites and some of those guys have started it, based on, publicly available information that’s out there and open source intelligence. But we’ve got to take it to that next level and get a little bit deeper and begin to really understand from a third-party risk standpoint, the inner workings of a lot of these companies that we’re doing business with.

Ian: I love it. Larry, this has been phenomenal. Where can people connect with you online?

Larry: So I’m, I’m a pretty open book. So, LinkedIn, I’m on LinkedIn religiously or Twitter, so I’m Larry Whitesides both of them. So Twitter’s @Larry Whiteside on Twitter. And then on LinkedIn, I’m the only Larry Whiteside Jr. that exists, so it’s pretty easy to find me.

Ian: There’s only one.

Larry: So far.

Ian: Awesome. Thanks Larry.

Larry: No problem. Thanks man. ■