March 4, 2024

#304 Mastering Cyber Risk Management in the Boardroom with Terry Ziemniak

Step into the world of cybersecurity with industry luminary Terry Ziemniak, as he shares a wealth of knowledge that transcends the typical hacker narrative and delves into the strategic dimension of cybersecurity in business. Terry's tale is not your average story of coding and firewalls; it's an odyssey from the front lines of white hat hacking to the boardrooms where the language of risk is spoken fluently. Our conversation navigates the transformation of the Chief Information Security Officer role and zeroes in on the fine art of aligning tech defenses with business objectives. Terry's insights are a beacon for understanding cyber threats not just as IT issues, but as critical business risks, teaching us how to articulate these dangers in the language of C-suite executives.

As we unravel the complex tapestry of cybersecurity, we uncover the real-world impact of flouting regulations and standards like HIPAA, SOC 2, and GDPR: it goes beyond government penalties to the heart of trust and business partnerships. Terry and I tackle the notion of resilience, stressing the need for companies not only to weather cyber storms but to sail smoothly through them. We probe the evolving landscape of phishing scams, where generative AI ushers in an era of sophisticated trickery that challenges even the most robust email filters. The discussion is rounded out with sage advice for the guardians of our digital world, from startups safeguarding their innovations to veterans steering the ship of enterprise security through the choppy waters of data risk management.

About Terry:

Terry has over 25 years of experience in the information security field, with work ranging across technical, compliance, and executive leadership roles. His most recent positions include 10 years as Information Security Officer for multi-billion-dollar healthcare organizations across the United States, including work as VP of Cybersecurity at Atrium Health. Terry holds the CISSP and FACHE certifications and earned a Master's degree in Information Security from DePaul University.

https://www.northwonders.com

https://www.linkedin.com/in/terryziemniak

01:06 Guest's Journey into Cybersecurity

01:56 Transition into Healthcare Cybersecurity

03:05 The Role of Cybersecurity in Business

04:28 The Evolution of the CISO Role

05:09 Understanding Cybersecurity as a Business Risk

11:31 The Importance of Cybersecurity Compliance

13:45 The Challenges of Data Protection and Privacy

40:42 The Future of Cybersecurity and Career Advice

43:55 Conclusion and Contact Information

Transcript

0:00:01 - Mehmet
Hello and welcome back to a new episode of the CTO Show with Mehmet. Today I'm very pleased to have joining me from the US Terry. Thank you very much for joining the show, Terry. I really appreciate the time. The way I love to do it is I leave it to my guests to introduce themselves and what they are up to. So the floor is yours.

0:00:20 - Terry
Excellent, excellent, thank you. Yeah, so my name is Terry Ziemniak, based here in North Carolina, US. I've been in cybersecurity pretty much since before cybersecurity was cool.

So getting out of school I started at a tech company, and really my career, Mehmet, breaks into three kind of distinct phases. The first phase was about a decade, very technical, very hands-on. So I was doing penetration testing, security architecture, doing assessments for large organizations, breaking in, white hat hacking into some big international companies, really cool bits-and-bytes sorts of stuff. But at that point, that was maybe 15, 20 years ago, the technology was moving really fast and I was kind of thinking about long-term where I want my career to go, and working at a consulting agency, one of the salespeople came around and said, hey, we have customers asking about HIPAA. What's HIPAA? And for those that don't know, in the United States those are the regulations in healthcare regarding protection of medical data.

And at the time, again, we were a very technical group and the sales folks said, hey, we have clients asking about HIPAA. Who wants to be the HIPAA guy? And I kind of raised my hand a bit: sure, I'll take a look at it. So I went through, Mehmet, and printed out the HIPAA regulations, and for those that haven't had the misfortune of reading through regulations, US regulations in particular, anyway, there's a big stack of documents, not technical at all, and it kind of gave me a new perspective on cybersecurity. So I went through those regulations and that kind of brought me to the second phase of my career, which is mostly healthcare, but really as a cybersecurity executive and a leader. So working with large organizations such as Sears and Kmart, for the United States folks they'll recognize that as, at the time, a really large retailer, and large healthcare organizations across the US. The second phase of my career is as a chief information security officer.

What I was doing there is really kind of helping translate the technical part of cybersecurity with the business side of cybersecurity, and that experience really led me into the current phase of my career, hopefully not the last phase, but the current phase of my career is as a consultant. In the US we call it a fractional security executive or fractional CISO, and really what I do is I bring all that experience along, now back to small and mid-sized companies. Hey, let's help you, small company, deal with the risk of cybersecurity. So most people think cybersecurity, they think the technology, the bits, the bytes, the firewall, the encryption, and that's all certainly relevant. But technology is not the only answer. No amount of technology is going to fix all your cybersecurity issues. So what I really do is bring on my executive hat, help companies think about cybersecurity from a business perspective and then work through: now that we know our goal, let's work backwards and figure out what technologies, what are the controls we need to help protect our business.

So that is my career in a nutshell.

0:03:30 - Mehmet
That's great, and I love the last part especially. I think it's much needed today, Terry, converting the bits and bytes, as you said, to something that the business folks can understand. Of course we've got to talk about this, but before, you know, we have a lot of things to cover actually. But over the years and with all this experience that you have, how did you see the role, whether, you know, as a full executive, like as a CISO from a full-time perspective, or with what you are doing, how did you see this role evolve over the years? And what do you think, you know, are the major challenges that you usually see those in the role face today?

0:04:25 - Terry
Yeah, the evolution and the current difficulties really are part of the same conversation, as I think there's still a general lack of appreciation or shared understanding on how do we best manage cybersecurity for our businesses. In the old days, a lot of the terms and the phrases you'd hear that the security executives were dealing with was ROI, what's the return on investment for cybersecurity? So, hey boss, I need a million dollars for a new set of firewalls because it's going to do this really super cool protection. And executives are, what's the ROI? Because in healthcare in particular, they say, well, maybe we can buy a new set of firewalls or we can spend that money on new imaging equipment for our patients.

Business executives are asking, and they shouldn't ask, what's the right way to allocate our resources. So there was a big struggle years ago, still in play. But the big struggle before was how do we convince the organization that security is necessary to help justify all of our spend? That's kind of morphed and matured as newer and newer CISOs come into play. So 20 years ago all the security executives were the technical guys and gals, the bits-and-bytes folks that really knew security, knew technology, but generally didn't understand business. So the security leaders 20 years ago became leaders because they were really good technicians, and that's great and certainly added value. But there were very difficult conversations at the leadership level because the technicians didn't understand the business and the business didn't understand the technology.

So fast forward down to where we're at. We're still at that point where security executives, the good security executives, can talk cyber as a business issue, as a business risk, maybe as a business driver, business conversations around cyber, and be able to be seen as a business executive, to understand the business, even to go through the effort to say, hey, I may be a great firewall guy, but am I a healthcare executive? Am I a retail executive? So it's really an evolution, kind of with the same problem: how do we slot cyber risk in the bigger group of all the other risks that businesses are dealing with?

0:06:54 - Mehmet
Yeah, sorry, you touched on something again very, very interesting, I would say. And the reason I'm saying this is because some people, you know, I'm not sure if this is because the threats are evolving or because we did something wrong. So sometimes I talk myself to some executives and they say, you know what? Yeah, I know, like I have to do this cybersecurity thing.

I know that it's important, but, you know, everyone is telling me, now especially, you know, the marketing buzz. Everyone comes, every single vendor, and says, hey, you know, like it's not a matter of if, it's a matter of when. So, you know, you feel that the field itself is going towards a commodity, although it should not be a commodity. I'm not sure if you agree with me, Terry, like there is still a gap between, you know, the technology itself and the business outcomes. And despite myself, you know, I keep talking about cybersecurity, especially, for example, for startups, for small businesses, and, you know, I feel like people are still not getting it. Do you think, because there's a lot of talk outside, we're talking about cybersecurity a lot, or is it the opposite, we're not doing enough to educate, you know, businesses about the real threats that are out there?

0:08:31 - Terry
Yeah, I think actually the answer is both of those are true. The executives are hearing one perspective on cybersecurity. So, A, they're not hearing the right thing and, B, we're not educating. So it's really two sides of the same coin. The problem, especially with the smaller organizations and the startups, is what's their source of information to learn about cyber risk? As a business leader, you should be dealing with financial risk and compliance risk and competitive risk and all the other risks that impact your business. Ask that same business leader how you deal with cyber risk. They're going to say, well, I pay an MSP to manage my technology, or I just bought a cool firewall, or I just bought this one thing. Business leaders still haven't registered that this is a business risk. This is not a problem to be solved, but it's a risk to be managed. So I think the onus falls on a lot of people. But I see that as the big disconnect for small and mid-sized companies. Again, not a problem to be solved, but a business risk to be addressed.

And actually I started a lot of the conversations with leadership with a real simple question, and it's: do you know how secure you need to be? Do you need to be Fort Knox? Maybe, probably not. Do you need to be irresponsible, or do

0:09:57 - Mehmet
you want to be irresponsibly insecure?

0:09:59 - Terry
On the other end of the scale, obviously not, but there's a big range of space where you can say super secure, super expensive or, on the opposite side, insecure and really cheap. Really, what's that right level of security? And those sorts of conversations typically get the business leaders to pivot their mindset a little bit and think about it: it's a risk, it's a spectrum, and help them think through those sorts of processes on the management and realization that this is a risk. So, yeah, it really comes down to the business leaders don't understand the problem because, frankly, we have not explained it well to them.

0:10:43 - Mehmet
Absolutely, I agree with you on this one. Now, especially for the startups and maybe small and medium businesses, I know that you talk about this and maybe you can explain it more. Of course, I know exactly where you're coming from. How cybersecurity, especially when it comes to compliance, if they do their job, actually it might be a positive value add instead of seeing it as just something they have to pay for on the negative side of their P&L. So can you explain this more, Terry?

0:11:20 - Terry
It was interesting. I've often talked to companies and we say, hey, what are the risks to your business? You're worried about emails, you're worried about partners you deal with, you're worried about whatever hackers from China or Russia, whatever it may be. All these outside things are presenting a risk to your business, and most leaders conceptually get that. But then I say, now stop for a second and think about it. If you're going to sell to someone else, you are that other party's risk. They're looking at you the same way you look at your partners. So the better you can do convincing your prospects and your partners and your clients that you're secure, then definitely, to your point, cybersecurity can be a value add. It can be a differentiator.

I remember speaking to one of my clients a couple of years ago, the CEO, as we started up, and one of the questions I asked her is, hey, why do you want to be secure? What's the driver to bring me in and help you build your security program? And she started off, as a healthcare organization, started off with, well, it's the right thing to do. We need to protect patient information. Like, God, check box, that makes sense. Then she followed right behind it. She goes, but, Terry, let me tell you, this is gonna be a differentiator for us. When we have sales calls, we're gonna talk about security. We're gonna talk about the value add we provide to our clients because we are a trusted commodity. Now, to get to the point where the clients trust is another conversation. But the realization that security isn't just a negative, but security can be a leader in those sorts of conversations, is absolutely the mindset you should take from that. Take that cyber risk and pivot it. You gotta fix it anyway. Let's go ahead and pivot it and take it as a business driver for us.

0:13:10 - Mehmet
Now, one thing also that usually, often when I talk to people, which I think there's a confusion about, when it comes, and you touched on the regulations like HIPAA, by the way, we teach people even here, you know, about HIPAA, although it's only applied in the US, but there are, like, I would say, adopted versions globally for each country, probably to protect patient data. Same thing applies to, like, the finance sector, banking with PCI DSS. If you are having a SaaS company, you need also to have maybe your SOC 2 as well. Now in the conversation, which is very interesting, people tell me, yeah, yeah, we know, like we should care about this. But they say, when it comes to data protection from a privacy perspective, there's this idea that already the data is collected by others, right? So when you use your browser, you have the cookie, so already some information is shared. I tried to explain to them, okay, this is something maybe you can think about on the marketing side, but you need to think about really the consequences of you being a healthcare company not complying with something like HIPAA wherever you are in the world.

So in the US it's HIPAA, in other parts of the world it might have a different name. Same thing, for example, I know in the States, for example, especially in California, they have, you know, there's the California Privacy Act, GDPR in Europe, which applies, by the way, even if I live here in Dubai, it still applies to me because if I'm dealing with someone who is an EU citizen, I need to protect them. So what are the consequences, Terry? Like, I want to convey this message, what are the consequences of not complying with these measures, other than, of course, maybe from a sales perspective? If I tell them, hey, I'm HIPAA compliant as a healthcare tech company, that makes sense. If I am in FinTech, I could tell them I am PCI DSS. But what are the other consequences if I'm not doing these checkmarks?

0:15:19 - Terry
Well, so there's a couple of things to that. The consequences of willful non-compliance with regulations are gonna depend on the regulations. So in the HIPAA space it would be civil fines, prosecution, listing on the Office for Civil Rights, what they call the wall of shame. California has its rules and, again, there'd be civil penalties, meaning kind of lawsuits and fines, sorts of things.

But, frankly, if you're a small company out of Dubai or Mexico, whatever it may be, and you're partnering with a US company and you're not HIPAA compliant, I don't think the Office for Civil Rights is gonna come hunt you down. But that being said, let's take a step back and talk about why you need to be HIPAA compliant. You don't need to worry about necessarily the government coming to hunt you down if you're outside the US. You need to protect yourself from your clients and your clients to protect themselves from you. So when you're an outsourced development company working for a healthcare company in the US, so you're offshore from the United States' perspective, you're doing coding for some HIPAA-compliant piece of software that a company has, again, they won't sign a contract with you until you can show them all your ducks in a row. So when we talk about how secure you have to be, you've gotta be secure enough to convince your partners that you're not a risk to them. Your partner's gonna come and say, show me you're HIPAA compliant. Show me you have a SOC 2. Show me you're PCI compliant, GDPR, all the regulations and the alphabet soup out there. So your risk, really, again, isn't so much the government, but it's your partners and your inability to do business.

The good news is it provides a lot of clarity. So in the old days when you signed with a healthcare provider in the US or a bank or whoever it may be, a government entity in the US, they'd give you a giant list of like 500 questions saying, show me, do you encrypt, do you back up, do you train your users? So a big list of questions. Lists still exist. They're getting a little smaller, but it starts off often with prove to me you're HIPAA compliant, which would be perhaps a third-party assessor. Show me your SOC 2 audit. So those regulations and the audits and certifications you get make the review a lot quicker.

And when we talked earlier about security being a business driver, that's exactly what we mean. If you come to the table to a US client and say, hey, not only can I write code for you, not only can I manage your computers, or whatever service you're offering, but I have a third-party assessment saying I'm HIPAA secure and I've already got my SOC 2. So again, as a business driver, you can say, let me show you my security story, let me show you how complete and thorough we've managed cybersecurity. We're not gonna be a risk to you, client, we're gonna be an asset to you. So those really are the drivers: consider security a value add, and it's an exercise you're gonna have to go through. How do you get value out of it?

0:18:39 - Mehmet
Absolutely. One more thing also, that I talk to business owners sometimes and startup founders, like, guys, don't think you are safe because the bad guys are after the big fishes, right. So I see this misconception happen a lot. So let's talk a little bit, Terry, about what everyone today, every single, I would say, even security vendor, they repeat this across whatever part of security they're dealing with. They start to talk about resiliency in business and they start to talk about how to have the business resilient. So, from your experience, what makes my business really resilient? Like, is it covering the preventive part, covering the response part? Which one should I, as a business owner or startup founder, be focusing on to make sure that my business is resilient? And just for the audience, when we say business resilient, it means like if you have some attack, you can actually stay in business. So what can you tell us about that, Terry?

0:19:56 - Terry
Yeah, that's the evolution of cybersecurity risk management. Instead of making it, or instead of the goal being that we want the incidents to go to zero, the pivot has been we want the incidents to be as infrequent as possible. We want them to be the lowest level of impact as possible. All that being said, when something bad happens, and it will, how do we survive as a business? So it's really that pivot of risk management. So business resiliency, as you mentioned, really is a statement of how does our business survive when something bad happens, and again, it's the evolution to business risk. Cybersecurity is a business risk. So, to work through that exercise, it really comes down to, again, not technology, not firewalls, but what does our business do? Let's go back to our mission statement.

Our mission statement is we do XYZ. What are our critical business processes? If our email goes down, can we survive? Probably. If our payroll goes down, can we survive? Maybe, maybe not. If our core services go offline, can we survive? Maybe, maybe not. Do we have contractual obligations? Do we have a regulatory obligation? So the quick way to think about business resiliency is start with a business impact analysis, meaning what's the critical stuff that we do, and then take that one step further. If we know these are the five most critical things we do as a business, how do each of these survive if our technology's down?

0:21:46 - Mehmet
Right, I love this. Now another question, and maybe I am here today acting as the voice of, you know, business owners, even, like, some CISOs as well. The question I hear, or, let's say, it's like a remark. They say, okay, fine, we get it, we understand, but there are a lot of vendors out there and we don't know exactly, because they're all talking almost the same language, right? So we don't know where to start our, let's say, resilience strategy, from where we should start it. So, of course, as you mentioned, we are not talking anymore about the firewalls and, you know, the IDP and IDS and all this stuff. So this was back in the day. So there we talk about strategy, but to have this resilience strategy, there must be some, I would say, best practices to follow. So where, like, can we start? And correct me if I'm wrong, I think maybe NIST is a good place, for example, to go and find some stuff over there, right?

0:23:07 - Terry
Yeah, I was actually going to recommend that. So for those that aren't familiar, NIST is a US government body. It's technically the National Institute of Standards and Technology, but they kind of write all the particulars to support regulations. So when HIPAA talks about encryption, NIST will define what is encryption. When HIPAA says you have to do a risk assessment, NIST says here's what a risk assessment looks like. So along the same lines, NIST has all sorts of great documents, honestly not an easy read. So if you're a business leader, right, you're welcome to read them, but your head's going to explode if you try to read some of these documents. They're not easy documents to read. You kind of have to understand it just a bit and it takes a while to get through them. But NIST does have great guidance on business continuity planning, disaster recovery, disaster preparedness. They have all sorts of great documents. It's a difficult read.

Now the good news is all the things that we talked about. But, Mehmet, we talked about compliance. So HIPAA, PCI, ISO, whatever you've got, compliance strategies. You have obligations for cyber insurance; it says you must do certain things. Maybe your local regulations say you have certain requirements. All these outside influences on your security program are helping you understand what's the right level of security. So all these outsiders, if you listen carefully, help you understand where you need to be. They all overlap. HIPAA says you must talk about, they say, disaster recovery, but business resiliency is kind of in that space. Your cyber insurance is going to talk about that a little bit. Your local regulations are going to talk about that. The contracts you sign with your clients are going to talk about it. They're all sort of talking about the same thing. So if you get all your ducks in a row from, again in this case, a HIPAA point of view, your contracts point of view, your cyber insurance point of view, you're going to be 85% of the way there anyway. You're already talking about a lot of the same stuff. So it's not all unique and novel perspectives. It's really kind of tying these things together, and that's where I'd leave you with kind of a buzzword.

But that is a framework. So a framework is an outline of everything you need to do in the cybersecurity space. Probably the most prevalent one, at least in the US, is what's called the NIST CSF, the Cybersecurity Framework. Frameworks are excellent because they give you a holistic view of everything you need to do in the cybersecurity space. It talks about a lot of what we touched on: business resiliency, risk management, educating leaders. That's all in this framework. So you talked about kind of how do people start looking at disaster, business resiliency? Start with the framework. The framework is the broad structure and you're going to iteratively work through this structure and talk about leadership, and you're going to talk about user education, and you're going to talk about your processes, and you're going to talk about your backups. Utilize a framework; that's really the best way for companies to build a meaningful cybersecurity program.

The big difference being, a framework is a known quantity, a trusted structure to review, as opposed to, well, Terry says we're secure, we're good. Well, Mehmet says we're good, we're good. You and I have valid opinions, but this framework is a broad structure. So, if you want to read anything in the NIST space, read about the NIST CSF because, again, it's a holistic, broad overview of what you really need to do to protect your business.

0:26:47 - Mehmet
And that's why I mentioned it, because, although it's written in the US, it applies everywhere. Like, it doesn't have, you know, any geographical, I would say, limitation.

0:27:00 - Terry
Yeah, not only that, Mehmet, but everyone ties to it. So all your vendors, all your contracts, everyone's going to reference NIST. It's kind of a universal standard these days. So when you want to start talking apples and oranges, if you're selling to companies or whatever it may be, NIST is kind of that common language that a lot of organizations are using, so it'll help facilitate your cybersecurity discussions as well.

0:27:32 - Mehmet
100%, and even it makes, you know, decision making much easier for at least both the business and the technical people. I would say, like, this is from my humble experience. Now, Terry, like, maybe people, we mentioned the threats, we mentioned what's happening. What are you seeing? Of course, for the past maybe two to three years, the biggest threat out there was ransomware and, you know, everyone was talking about ransomware. Are you seeing, you know, of course we are still seeing ransomware events, but are there any kinds of threats, I would say, that you are seeing, anything that is emerging now? Because, you know, of course, most of the people.

Again, they became, like, aware about ransomware. A lot of vendors did a good job of spreading this message. So what are you seeing in that space?

0:28:19 - Terry
Well, I'll tell you two things in that space. One is the trends and threats don't change significantly year to year. So if you wanted to know what you're dealing with today, it's most likely the same stuff we were dealing with last year and the year before that. There are small changes and they go up and down: cloud technology over the past 10 years, ransomware over the past 10 years, phishing attacks over the past 10 years, they're kind of all there and they all stay there because, A, they're hard to fix, B, the bad guys are pivoting, and cloud risks 10 years ago are going to evolve and change as the bad guys find new ways to exploit it. So there is not a huge turnover year to year. As far as the threats, it's a lot of the same common attacks and it's what we used to call cyber hygiene. What are the basics? The basics are still there. You've got to patch, you've got to train users, you've got to have good passwords. And if you want to look into that, I'd recommend to your listeners, go look at the trends that the cyber insurance companies produce.

So if you want to see, in my opinion, the best source of what's actually happening, what's causing the most pain, go look at what the cyber insurance companies are telling us, because they're the ones actually paying out. When there's an incident, a client has a problem, they submit a claim, the insurance company reviews it and then pays out if appropriate. Those are the most meaningful trends you're going to get, because the businesses may be reluctant to report to the government when they have an issue or report to the media when they have an issue, but the insurance pays them back, so they are notifying the insurance company. So insurance company annual cyber reports are an excellent way to tell what's actually happening out there in the real world. So that's kind of a general review of threats. But I will tell you, one of the new hot ones, of course, is AI. So I'm not sure if you have a bell or buzzer or stars for AI. Let's talk about AI, the risks I see in AI. I would summarize it from a cybersecurity executive point of view as data governance.

0:30:35 - Mehmet
Data governance being the idea of: where's our data? What is

0:30:40 - Terry
it? What are our obligations to protect it? Who's responsible? The true source of information, the kind of whole data management concept. Where people are getting in trouble with AI is they're blasting out data they shouldn't be blasting out. It's like sending it, you know, posting on Google information that shouldn't be out there. So the management of that AI risk really comes around data governance. Again, can we put information in ChatGPT? Should we be using Microsoft Copilot? Whatever it may be, and it goes further down to intellectual property rights, ethics, and there's a lot in that space. But it's a data risk, as I see it, which, when I make security programs, I usually talk about data protection programs: cyber, privacy, data governance. To me that's all one ball. But the latest hot topic, AI, it's a data governance problem.

0:31:41 - Mehmet
Two interesting things I just want to share with you, to your point that things don't change from year to year. The other day, you know, I still receive them sometimes, they call it the Nigerian Prince scam, right. So one guy was asking me, okay, like, I don't think there's someone who doesn't know that it's a scam, and, you know, every single email gateway flags them as spam or junk, whatever. Why do they still do it? I said, you know why? Because I am sure these guys, this is how they operate. They are like going to, this is why it's called phishing.

In this sense, this is how I explain it to people. Of course, like it's ph, not F, but I said it's like you go to the ocean and you try to catch some fishes, right, so there are like millions, you just need one, you just need one victim and they did their job and I think they are running on autopilot. So they keep doing the same thing again and again. So, yeah, this is one of the things why the attacks stay, they don't disappear. It looks like this, but of course, the techniques might change, right. 

0:32:52 - Terry
Yeah, it actually gives us a good pivot conversation point, Mehmet, talking about how are the threats changing? So now they're using generative AI to make better phishing campaigns. Yes, so training people. I know even in my Microsoft Outlook I'm getting more and more junk email and phishing emails. A year ago it was pretty clean and Microsoft did a great job, but with the ability to use AI to generate meaningful messages, you know it's harder for these filtering systems to pick up those messages. So old threat, new technique, 100%. 

0:33:29 - Mehmet
Just, I want to add one thing here, I think, which is related to AI. I think they need to. I use AI a lot, like I use ChatGPT. I started exploring with Gemini, which used to be called Bard, but you know like I don't copy paste everything that it gives me still, although, like, English is not my first language. But you know, I want to prove free but I still need to add my thing and I think a lot of people, unfortunately, in sales campaigns, relied heavily on it, which made the life of the spam engine much harder. To your point, I have noticed the same thing. Now on the other point that you mentioned, Terry. 

Now, as an executive or as a CISO, I can have a policy saying, okay, I've got to block ChatGPT at work, but you know, when I go home as an employee, I sit on my own laptop, tablet, my phone, whatever. I still can give information which I should not give to AI. So this is something I believe it's in, I mean, it's awareness, and you know like how they would know who did that. It becomes very complex to me, which is, I'm not sure like what do you think about this from a data risk management perspective because, of course, within the organization, I can put measurements. I can, you know, we know this, we can know what they are doing. Right, we can know what employees are doing, but when I go on my own device and I start to do what I do with ChatGPT or whatever other generative AI product, so how we can control this, Terry, I think it's very hard, right. 

0:35:16 - Terry
It is. If you get to the point where a user at home on the personal computer or on a work computer has sensitive data, you know you're kind of game over. You're just hoping that the employee makes good decisions and at that point you're kind of lost. You're not going to win that battle. I think the battle should happen a couple steps back and prevent the data from getting onto the laptop. So I'm a proponent, back to the data governance concept, of especially small, midsize companies and startups. If you've got important data, medical, financial, individual data, sorts of records, put it up in an isolated box and don't ever let it come down. Because if you can say with a higher level of confidence that our consumer records never make it down to Terry's laptop and you can say that medical data never makes it down on Mehmet's laptop, then your cybersecurity gets a lot easier. In fact, when we talked about doing third-party risk assessments for prospects and clients, they're gonna ask you that. They're gonna say where is the data at? 

If you can show that your data stays up in this production bubble, ideally in the cloud, with all the protections on it and it's impossible to get down or nearly impossible, because impossible is a tough word. If it's nearly impossible to get the data out of the environment, it's a much easier conversation. So, in the scenario you talked about, don't let the data get down, so put it in the bubble, in the cloud production bubble. But to make that work you gotta make sure you understand the business processes. Hey, Mehmet has to get in and he's gotta use a spreadsheet to do whatever on our data. Great, understand the business need. Build a solution in that cloud bubble so that Mehmet can do his work, but he can't pull the data down. So back to data governance: keep the data in that bubble and never let it come down. 

0:37:16 - Mehmet
This is exactly the answer I wanted, Terry, because I'm trying here to shed some light, especially for the startups and small businesses, because they are agile. I can understand, of course, and maybe they say, okay, you know what. Like, yeah, let them use their own thing. They don't even maybe sometimes have time actually to think about this, but it's very important, very risky, and the reason I tell them usually, as a startup, every single thing you do is your IP, right, so it's your intellectual property. 

You need to protect it the best way. You don't want someone to take your code, your plans, and just have it freely on Dropbox, OneDrive, whatever it is you know. So you need to put some measures. And then I start to tell them okay, there are some. First you need to decide, as you said, how and who should have access to what. Put the measures, follow the best practices, and then you will have. Of course, we cannot deny that nothing will happen. No one can claim this, but at least, as you said, you make it harder to have such an incident in the environment. So this is a very, very important one over there now. 

0:38:29 - Terry
And I would add to that one more point. Make sure you differentiate stuff you care about versus stuff you don't care about. If you keep, you know, Google documents, for example, or Microsoft Office, your salespeople, your business folks have to do work and there's sharing and documents are going to be all over the place. Let that stay there, but just say we're not putting important stuff in Google Docs. We're keeping our important stuff up in our production CSP, whatever that may look like. We're gonna highly protect the cloud environment. But Google and Office we care about, but not a lot, because there's nothing super critical in there. So if you can kind of partition that, then Google does not have to be super secure. Google can just be kind of good enough. Keep your cloud super secure, keep your data in that cloud environment. That allows you to have a more agile, dynamic work environment in the Google space and in the Slack space. If you don't have sensitive data in Slack, your other tools, your Jira, whatever else it may be, keep your important data out of those tools, and that allows you to use the tools more than anybody. 

0:39:36 - Mehmet
Absolutely 100%. That's again back to where we started all this conversation. It's about the awareness and educating people about that. Now, as we are coming close, two things that I just want to ask you. First, how are you seeing the future of this industry, the cybersecurity industry, and for someone who might be on the verge of starting their career in cybersecurity, what advice is it you would give them? 

0:40:15 - Terry
That's a good question. I would say realize that cybersecurity is not a tech-only space. So I actually have a friend of mine I knew back in college and she had a degree, I think, in nutrition or something like that, back with me back in the 90s. She now is a security analyst for a large organization. Security has certainly a need for technical skills, but it also has, kind of the other half of cybersecurity is contracts and people and auditing and risk and project management and all those other skills that are required out there. So number one is realize it's not just a tech-only path. In fact, I think tech may be a little easier to manage and to source than the non-techie skillset. So someone that knows how to read a policy and translate it into an audit, execute the audit. Someone that knows how to go through a SOC 2 audit, someone that can interface with your client and respond to a third party risk assessment, the prospects asking questions, do you have the right people to answer those questions? So again, one is realize that there's a couple of different patterns. Two is you don't have to start in security to be a security person. Again, people are transitioning. I've hired poli sci people, political science people, on my non-techie side. I guess those are kind of the key points. 

I think looking forward, following the business models, is realize that more of this is gonna be outsourced, the better. Certain pieces are gonna be outsourced. Monitoring is a big one. Monitoring 24/7 security operations and monitoring is hard and it's expensive. A lot of that is getting outsourced. So you'll consider that from a career perspective if you're looking for a big company. That may not be the case for small companies. I also think, frankly, there's a lot of business opportunities. So my clients generally don't have 24/7 staff to do monitoring. There's a lot of business out there for a good service provider that can do that monitoring and perhaps bundle the monitoring in with their IT services. So whether you're a business leader or an IT service provider, consider that kind of bundling those offerings together. 

0:42:45 - Mehmet
Yeah, so this is. People are building what we call security operation centers. So this is everything, any alert that comes related to your organization. So there will be someone available there and, just to shed some light, as you said, it's not an easy task because it's not about just someone to watch, because you need someone also to act, respond, analyze. So it's a long journey over there. Terry, like where can people learn more about you and your offerings? Yeah yeah, thank you. 

0:43:24 - Terry
So, again, I'm a fractional security executive, so I help companies think through cyber risk and how to manage it. A lot of what we talked about is what's the right level of security for us, how do we get there, how do we use cyber as a business driver? So if you're interested in hearing more from me, my website is northwonders.com, so North Wonders, and hopefully I think there'll be links provided, so happy to talk to anyone who may be interested. 

0:43:53 - Mehmet
Sure, I will make. Always I put the links in the show notes, so definitely we will be doing this. Terry, like really I enjoyed the conversation, especially when it comes to cybersecurity and small, medium businesses, startups. It's something close to my heart, so thank you very much for sharing your insights and your experience with us today. I really appreciate that. As I mentioned, the links that Terry mentioned will be in the show notes and this is usually how I end my episode, so this is for the audience. 

If you just discovered this podcast by luck, thank you very much for passing by. I hope you enjoyed it. So please do subscribe and share it with your friends and colleagues and, if you are one of the loyal fans and followers, thank you again for all your messages, all your encouragement. I really appreciate that. And, final thing, I always repeat it: if you have any idea, you're doing something special, you are into a field that we talk about, whether it's tech, cybersecurity, startups and all these topics, and you want to share that with the audience, please reach out. We can arrange for that. I would be more than happy to discuss it and thank you very much for tuning in. We'll meet again very soon. Thank you, bye-bye.