Cyber Crime Junkies

AI's risks to small business EXPOSED. How Attackers Adopt Early 🎯

• Cyber Crime Junkies. Host David Mauro. • Season 6 • Episode 57

🔥 New Episode Alert! 🔥

In a powerful conversation, David Mauro teams up with former Intel security executive and experienced CISO Matthew Rosenquist to break down the AI risks to small business. Discover how AI is being used in social engineering, why communication matters in security, and how gaps in business communication around cybersecurity are making businesses more vulnerable than ever.

Key Topics Covered:
 ✅ Generative AI vs. Agentic AI: What's the Difference?
 ✅ How Deepfakes Are Changing Hiring Risks
 ✅ Why Security Leaders Must Master Business Communication

💬 "Attackers maintain the initiative."
💬 "Deepfakes are a big issue now."
💬 "You need to make a business case."

🔍 Learn how to align cybersecurity strategies with business goals and communicate value to stakeholders effectively. Don't miss this insightful episode!

🎯 Watch Now 👇 #AI #Cybersecurity #BusinessSecurity #GenerativeAI #Deepfakes #RiskManagement


Growth without Interruption. Get peace of mind. Stay competitive. Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ YouTube (formerly Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE. We'd love to hear your thoughts and suggestions for future episodes!

  • 00:00 AI Risks To Small Business
  • 02:34 Understanding AI: Generative vs. Agentic
  • 05:37 AI in Cybersecurity: Tools and Techniques
  • 08:28 Impact Of AI On Business Risk
  • 11:22 Deepfakes and Their Impact on Hiring
  • 14:12 The Challenge of Measuring Cybersecurity Value
  • 18:13 Communicating Cybersecurity Value to Stakeholders
  • 20:59 The Role Of Security Leadership
  • 23:51 Metrics and Measurement in Cybersecurity
  • 28:39 The Future of Cybersecurity and Business Resilience
  • 33:52 The Evolving Role of CISOs
  • 38:09 Bridging Security and Business Goals
  • 42:52 Crafting Effective Business Cases
  • 47:39 The Importance of Storytelling in Security
  • 52:33 Understanding Risk Appetite and Metrics



Topics: AI Risks To Small Business, Risks of AI On Small Business, Impact Of AI On Business Risk, The Role Of Security Leadership, AI In Social Engineering, Importance Of Communication In Security, Business Communication In Cyber Security, Gen AI And Security Risks, Impact Of AI On Small Business, Problems With Cybersecurity Today, Communication Issues In Security, Security Issues In Business Communication, Security Issues In Business AI Use, Security Risks Of AI For Business, Business Security Risks Of AI, Difference Between Generative AI And Agentic AI, AI Effect On Risk Management And Cyber Security, AI, Generative AI, Agentic AI, Cyber Threats, Deepfakes

Speaker 1 (00:01.507)
you

Speaker 1 (00:08.878)
All right, let's talk about something that's changing the game faster than anyone expected. AI risks to small business. Now, we've all heard the hype, right? AI is making business easier, faster, smarter. But here's the thing. What if I told you attackers are getting smarter too? And they're using AI even faster than the good guys? That's right. In this episode, David sits down with Intel's original security leader and experienced CISO, Matthew Rosenquist, a guy who's seen it all, to break down the double-edged sword of AI.

We're talking about how deepfakes are used in social engineering, tricking hiring managers, the impact of AI on business risk, and the role of security leadership. Matthew doesn't just talk theory, he shares real-world experience, what is actually happening today. So if you're serious about protecting your business and want to know how AI fits into the picture, stick around. This is one conversation you won't want to miss.

Welcome everybody to Cybercrime Junkies. I am your host, David Mauro, and in the studio today is Matthew Rosenquist. So I want you all to meet Matthew. He's a CISO, Chief Information Security Officer, industry advisor, sought-after public speaker, advisory board member, and an industry veteran with over 25 years of hands-on experience, from his prior executive role at Intel where he succeeded for...

20-plus years, where he launched and drove their security division, to steering high-stakes cyber crises. He has seen it all, and now he serves Mercury Risk and Compliance as CISO and helps drive various initiatives for the industry overall. Matthew, welcome to the studio.

My pleasure to be here. Great to talk again.

Speaker 2 (01:53.218)
Yeah, I'm extremely jealous of your location in the US and the glorious views that you have, but I've got the sunlight off the dumpster by the county jail over there and we got snow, like it's all good. I'm just teasing.

Everyone has a different view of- Everybody- Yes. That's your perfect view. I'm okay with that.

Got a thing.

Speaker 2 (02:20.334)
Right. Absolutely. So a couple of things that I would love to get your insight on since we last spoke, which was about two years ago. It looks like AI is kind of a thing. It was just starting then, but it has really permeated the vendor space, clearly, because everybody that plugs anything into the wall is now made of AI. Like, have you noticed that everything is AI generated?

Like every marketing deck out there, has to say AI.

It has to be, right? Every cybersecurity appliance has got AI built into it, because, you know, it's not cool otherwise. But let's talk about AI for a little bit, because I would like to hear, because I hear different views from different leaders in the industry. Some people are saying it has made quite an impact so far. Some are saying it's beginning to, but it's not there yet. Right. And there's a few that are like, I don't see it at all.

They're like, I'm just not like, love generating pictures with it and doing some, some other advances of generative AI, but I'm not seeing it in the cyberspace. So walk us through what you're seeing, what you're reading. You research it and you see it from a perspective that is so unique.

Well, AI is a really, really big topic. And often when we throw around that term AI, because it's so catchy, we're talking about things like generative AI. And generative AI is a subsection of deep learning, which is a branch of machine learning, which is one of several branches of what we would consider AI. So the first thing we have to understand is we're looking at the tip of the iceberg.

Speaker 1 (03:59.534)
Our vernacular right now in common terms, when we talk about AI, it's a tiny little sliver of what potentially could come. So if we narrow our view just to that and we talk about generative AI, and maybe even we want to talk a little bit about agentic AI, which is kind of that next little sliver that's coming into view, we can still see some incredibly interesting things happen. And I get why some

And define, I don't mean to interrupt you Matthew, I apologize, but define agentic AI for the listeners versus generative AI. Because I think most listeners are used to using generative AI, but agentic is like agent based.

Yeah. So when we think of generative AI, we think about, you know, ChatGPT that's writing an article for you or summarizing a webpage. And even ChatGPT is termed multimodal, which means it can do images, it can do video, it can do voices. And we're seeing a lot of gen AIs work in those spaces. When we talk about agentic, it really comes back down to the word agent.

Think of it as a system that can leverage other systems. My favorite example is the Iron Man movies, right? Jarvis, where he's talking to Jarvis, whether he's in his lab or in the helmet, and he will give Jarvis a, go do X or I need Y. And Jarvis will break down the problem. What do I need to do? What resources? What are the restrictions?

You know, and it will go off to other tools to make those pieces happen and bring it all together for that end result. So an example for agentic AI that you can actually experience now is you can go to a website that's enabled with an agentic AI and go, Hey, I need to travel to Indianapolis next week. Can you book me some good flights and a hotel and a rental car? Okay, great.

Speaker 1 (06:07.35)
And the agentic AI will realize, okay, this is your time zone. This is where you're going. These are the dates. I'm gonna go scan and try and find the most affordable flight and the most convenient flight for your hours. And I'm gonna check your schedule to make sure you can get to the airport and you don't have a meeting or anything. And I'm gonna come back to you with a list and go, hey, these are the three flights I recommend. Which one would you like me to book? Great.

I've also got these rental cars. And by the way, I can book you at a hotel at the airport or next to the venue you're going to be. What's your preference? The venue.

That is customer service. Yes! It's your private assistant.

And that's where we're seeing agentic, your personal agent, really come into its own. And we knew this was coming. We've been talking about this for a while, and it's, you know, the same as being, you know, singular module versus multimodal, right? The same thing. This is just an extension beyond that, except it can use non-generative AI tools in addition to generative AI tools. It can use other things.

Right? It can log into your bank account, right? And cut checks to your debtors or...

Speaker 2 (07:20.044)
Right. So now, how is that impacting? I see how it's impacting our lives and our daily lives. In cybersecurity, there's obviously convenience on one part of the scale and then security on the other, right? Generally speaking. And there has to be a balance, and that balance can move, right? But with agentic AI, and with generative AI to a degree, like in phishing and stuff.

I've seen it used by threat actors, right? And rolled out. What are we seeing from defenders? Are we able to, you know, when I think of like a SIEM platform and analyzing logs and finding anomalies, like, is AI getting us better at that? Is it a manual task? Is it a task? Sometimes we miss things.

But first off, we have to understand AI, regardless of whether it's generative or agentic or the next, it's a tool. And if tools are useful, they get used a lot. We saw generative AI become very useful. And so people both on the defenders and the attacker side use it. Right now we see, we don't have too many agentic tools out. It's just starting.

So most of the tools are really around generative AI, data aggregation, some other things. The attackers are very open and adept to embracing any kind of tool, right? Whether it's AI or anything else, any kind of tool that helps them do what they're trying to do. And if that's to steal money from you, great, any tool that can help them, they're going to use it. Defenders, as part of that cycle,

and it's one of the severe restrictions we have, we don't have free money and time to go off and explore tools where there's no problem yet. So we typically wait for a problem to arise. Then we go, now we have justification. We're going to go figure out, let's get or build tools. And it takes time. You don't want to create something that does more harm than good. So we're risk averse in that space, where the attackers don't care, right? We're going to adapt it. And if it breaks, who cares?

Speaker 2 (09:34.698)
Well, when you think of the scale of adoption of technology, threat actors, hackers generally are far earlier adopters, right? Way ahead. They will try things immediately. And even if it doesn't work, even if it does work, they might want to break it anyway. Like, that's the mentality. Right. That's the mentality. That's how they think. Whereas defenders are more of the early majority, late majority.

Right. They want things vetted first. They want to make sure that, because their job, their overall job.

and right

project that craters your company, right? That's the wrong direction. The attackers have that lead. They maintain the initiative. In combat, we call it the initiative, right? And then the defenders respond. And right now, the primary tools in the AI space are generative AI. And that allows them to do two things, attackers to do two things, really easy. And what I mean by really easy, I mean, like, in 20 minutes, go grab an AI tool and now their capabilities are better. One,

It allows them to be more professional. And if you're going to be doing, for example, social engineering, very, very popular because it works. Being able to talk in local language is really intense.

Speaker 2 (10:50.19)
I've seen it firsthand too, right? I mean, emails come to a local Cincinnati industry specialist and it's talking their language. I mean, it used to be, you know, remember like back in the day, look for spelling errors, look for context. There'd be some broken English in there. All that's been gone for years now. Like, that's gone.

behind does a great job

Speaker 1 (11:09.772)
The linear!

Speaker 2 (11:18.956)
Right. It is really, really good.

And you can then do things not only better, right? In scale there, you can say, hey, I need to spoof a FedEx email, and the gen AI will generate a perfect image and the logo and everything and have the wording just right, put in the correct links and everything else. So the quality of what they can produce automatically jumps up, which is scary for us defenders and victims. The other thing it allows.

It allows a scalability of attacks because it can now do this very quickly. So instead of having an agent in some third world country having to type this out and only being able to send out a few hundred of these, you can have, you know, pools of computers doing these and send out millions. So millions of high quality going out. And we're going to see evolutions beyond that to where, and we'll see it by the end of this year.

It won't be generic. It will be specific to you. It will be calling references to what you did last weekend because it's following your social media page, things like that. And that will become even more difficult, one, to detect and filter and two, to truly understand is this malicious or not. It gives the attackers the advantage. And now that they have that advantage, we get to the back half of that cycle.

Right.

Speaker 1 (12:44.586)
As soon as we see more impacts because of this, we can't just hire 50 more frontline tier one analysts to try and filter all this stuff out. It doesn't work. It doesn't scale. It's not affordable. It's not a good business decision. We need a better tool. Well, the tool that's creating all this stuff, that same technology and innovation, can also potentially be used to detect and filter that stuff. So by default, we are now in a position where we have to elevate

to the same level of the attackers using very similar tools. And those who fail to do that will be overwhelmed and severely impacted by the attackers because they maintain that initiative.

Absolutely. Quick side note, I met with a business owner of a small business and they were hiring for four positions, and I asked them, you know, what technology challenges do they have, whatever. And they went on and said, well, I don't know if you're aware of this thing, like AI in hiring is a big issue now. And I'm like, no, walk me through it.

And they weren't talking about it from the recruiter end, right? They were explaining to me AI deepfakes and how they'll do a job post. They will get resumes that are not only good, they're perfect. They're perfect. Like, this person has all the right experience in exactly what we do. And then they get on a Teams call or a Zoom

Perfect.

Speaker 2 (14:21.87)
And sometimes the interview doesn't match up. The person is there. It matches the background check that they did because that's a stolen identity, right? So it matches the background that they did, but they're not able to actually give some of like more color facts around what actually happened and how they did these projects that actually would be so relevant to us. Right? So that's where they're falling right now. But, um,

I was shocked to actually hear that that was the biggest challenge. I mean, this is something we've been talking about in the industry for years. I mean, the FBI warned about it back in July '22, but this is becoming, I mean, it hit a small business in the Midwest. Like, that's pretty much mainstream at this point then.

Deepfakes are a risk, but we need to keep an eye on there is fear because it's interesting and sexy to talk about it. And then there should be fear based on, what are the real numbers telling us? Do we see deepfakes impacting companies? Absolutely. We see it in the hiring process. We see it in business email compromise, basically fraud, you know, I'm going to masquerade as a CEO, transfers, you know, all these kinds of things. We do see it in there, but it's a

transfer

Speaker 1 (15:37.922)
really small percentage, very small, minuscule small. It's a lot of manpower. The traditional methods actually work a lot better, right? The SMS phishing, the email phishing, the phishing where it sends you to a webpage, get your credentials and log in. There's a lot of automation behind that. And that's where the vast majority of attacks are actually still coming from because they're easier, they're faster, they're more scalable and they still work.

That's way I've always. Yeah.

Speaker 1 (16:08.332)
And if you're an attacker, why would you stop that and try and effort these high manual processes of trying to get this deep fake in and it becomes simply a discussion about what's more cost effective to the attacker and to them, unless you are have a specific target.

If they, yeah, it depends on maybe what their motive is. Like, if their motive is to actually get the job, and they're working at one of those call centers and their goal is actually to get the job and then do enough for a year until they get fired, and just draw the income. And that's the actual crime. Okay. That very well could be their motive. But yeah, you're right. That is not the bulk of data breaches.

But they're not using deepfakes. What they do, and I'll tell you how to do it if you want to get into this because it's really easy. You can go out to these markets and simply hire an expert. And there are these crime forums and you can hire them for, you know, hundred bucks and they will then take the interview for you. Right. It'll be on the phone. Maybe it'll be with a video. It might be a little blurry.

You know, bad connection.

There's always some socially acceptable excuse.

Speaker 1 (17:30.956)
Yeah. And they'll answer every question perfectly because they're an expert, but then they drop out of the picture. You get there. You get the job and you don't show up to meetings, whatever. You're going to get paid for a few weeks to a few months. And then they're going to fire you, but you do that at seven or eight at a time. Right. One of my clients actually had this come in, and I had trained the company about this. So the engineering manager.

you've got to actually.

Speaker 1 (17:58.124)
He went and interviewed somebody, perfect candidate, right? Perfect candidate. The first meeting they had, he came in and actually came on a video bridge. And this was the first time he saw him and started talking. And the manager said, your accent, it's different. Can you tell me, and started asking him a couple more questions. And this guy went blank and ghosted, never came back. Right. But he knew, he knew.

that this was a likelihood, and he spotted it, and, you know, kudos to this engineering manager. He was on it, and he immediately called me. He's like, Matthew, yeah, exactly what you said happened. And, you know, we vetted him on day one. We have not even cut him a check yet, and he's not getting one. He's done, right. We didn't even send him the laptop yet. He's not getting that. So, but yeah, it's easier to do that. It's a small investment. You can contract with people to be that interviewee.

Good.

Speaker 1 (18:55.01)
They make the money and the criminals get the job and they get the longer term split out of it. So that we see a lot.

But I do agree that when you think of the hacker mind and you think of the motive, they really are looking for what they can scale, what they can get the most traction out of. But that's very manual. That is more fraud for smaller groups that are being targeted, or that are targeting, et cetera. So really what we're seeing is the leveraging and scale of it.

And so when we're talking about that, and we're talking about communicating that to business owners, like, how do we explain the value of cybersecurity to stakeholders in a business, CEOs, boards, things like that? You've talked quite a bit about value being a blind spot in cybersecurity, and I'd really like to hear your insight.

Yeah. Unfortunately, trying to communicate the value of something that may not have happened yet, something bad, is really, really challenging, right? You can say, hey, I can protect you against something which may or may not occur. And even if you do invest in me, you believe me, right? And you give me a million dollars or $10 or whatever, and I go institute something, put something in place, and nothing bad happens.

And nothing happens.

Speaker 1 (20:24.686)
nothing would have happened anyway. And it was just a waste of that million dollars. Or did I actually say what would have happened twice?

Yeah, what do you say to that? That's a really good point. And that is something I see in the industry all the time. I mean, it's, you know, people are looking at you like, okay, I see. But is it belt and suspenders? Is it all of, like, are we doing too much? I mean, we haven't had a breach yet, or we haven't had anything bad that we couldn't handle. Why? Why? Why do I have to do this? So what do you say to them? How do we do it?

Hell.

Speaker 2 (21:02.99)
How do you explain?

Risk appetite. Businesses already deal with all sorts of risk. They deal with competitive risk and financial risk and market risk. So from that perspective, it's not like they're coming to the discussion with nothing. They can see on the news, hey, one of our competitors, very similar to us, just got hacked. I was working with

They were down for 23 days without production. Like, it's not just about the data that gets stolen or blackmailed for, it's about the entire impact, and every call.

different. Some are more worried about the data. Some of it is regulatory. Oh my gosh, they're going to shut us down if this happens. Others is, it's our brand. Others is, hey, we're trying to expand out to this market and now we won't be able to. All that effort, all our planning, right? There's many different potential risks. So every organization is a little bit different, which is kind of why you need an expert to come in and help you. Okay, what are those primary pain points? What is the realistic risk?

And

Speaker 2 (22:28.004)
Push, fine, they push.

Speaker 1 (22:33.354)
So there's a lot of FUD out there, fear, uncertainty, and doubt. And we have to be able to filter through that. And that's why having a great CISO, having a great security leader that can have those discussions, that can understand the real risks, that can understand the actual value of security initiatives. And it won't be all or nothing, right? Which a lot of boards sometimes want, hey, we need security. So we want zero security impact. We want zero risk. We don't understand all that. We just want zero.

Well, that's really not possible, right? Even if you gave me 10x what your company makes in a year, you still can't reduce it down to zero. And you probably don't want to do that. So it's not zero. It's not 100. It's somewhere in the middle. Let's figure out what that is.

So that raises a really interesting topic and that is in every other department, and I don't care how large or how small the organization is, they will always be able to have metrics and be able to quantify things. They'll be able to say, HR can come in and say 11.4 % of our workforce is currently looking for another job.

Sales, it's all about metrics, right? We are 14 % off our quarterly goal, right? And every department, and then security gets there. And generally, from what I hear from business leaders and business owners is they go red, yellow, green-ish. Like, what?

And even that is ambiguous, right? Red, so what, that we would get attacked, that we did, that we're going to lose more than we thought, or not at all? I mean, what does that mean?

Speaker 2 (24:14.946)
Yeah, so there's, I mean, there's a great book that I've got about measuring cybersecurity, but the math was hard and I did it. So I'm very proud of myself that I did it.

Book? Which book? Is it Andrew Jaquith or is it Black Swan? Which one? No, it's... Andrew Jaquith. So Andrew is awesome. And he's been in the cybersecurity metrics game probably longer than anybody else. He's one of the original people as part of a cybersecurity metrics forum group about 20 years ago. These... Wow. Popmines.

It is Andrews.

Speaker 2 (24:50.322)
first finale.

And I was fortunate enough to get invited, and basically I presented my doctoral thesis to them and they tried to poke holes in everything, and it was great. And I got invited to, got to be part of the team years and years and years ago. But it's tough because, again, as we're talking about it, in almost all industries, you can measure success, right? You can measure it. How much did your sales go up? How much more money did net profit go up, or things of that sort?

So cool.

Speaker 1 (25:21.066)
In cybersecurity, you can't. The only thing we can measure is what bad things happen. And it's like in physics, you cannot measure cold in physics. You can only measure heat. You can't measure darkness in physics. You can only measure light. And in cybersecurity, you can't measure the things that didn't happen, right? The things you avoided or minimized. All you can measure are the things that

did, the bad things, the pain, the inconvenience, the things you wanted to avoid. And so inherently it is a much more difficult proposition in being able to quantify what we call the return on security investment, the ROSI. It's not impossible. And that's actually what I kind of did my informal thesis on, is how do you measure that? And there are virtually no good ways out there to be able to do

Do you start with a baseline? Do you start with, like, a baseline of here's where you are today?

Baselines only work if your rate of chaos or change isn't very high. So for very static environments, getting a baseline that works great. The insurance industry, right? When you look at earthquakes, 100 year floods or whatever, they have actuary data, which means data of stuff that actually happened. And they see it's pretty constant. And that's how they know how much to charge you because they know how often it's going to happen. So they...

run metrics like, you know, annual rate of occurrence and single loss expectancy to calculate annual loss expectancy. And that works great as long as you don't have a lot of chaos in the system. If that line, that expectation, is varying in orders of magnitude, your model goes out the window. And we actually talked with the insurance industry almost 25 years ago.

Speaker 1 (27:21.664)
And we said, Hey, the level of chaos here, you know, the, actuary model simply does not work. And they kind of brushed us off and said, you guys don't know what you're talking about. We have the best actuaries in the world. We do this. This is our, this is our industry. We can chart cybersecurity, no problem. And they failed every year since and they've now.

You mean the cyber insurance? Yeah, the cyber insurance industry. Yeah, that is not fair. Fair. Very well.

Isn't it? And think about it. When you buy a normal insurance policy, let's say a home insurance or business insurance, there are some exclusions by default. Right. Act of war, for example, because you can't really predict that, and that can cause damage. Right. You know, act of deity, whatever one you believe in, it's, you know, considered an act, you know, a tornado comes down or whatever, or something weird, right. They will exclude that.

because it's certain levels of chaos. And when it comes down to war, which is interesting, it comes down to a very, very highly unpredictable element, people.

And that's what we see in cybersecurity. We see this very dynamic, very intelligent, highly motivated, very capable set of threat actors that are embracing innovation and they are creating such chaos that being able to do cybersecurity metrics based on trending fails every time. And it has, you can do it for short periods of time, but not for long periods of time.

Speaker 2 (28:59.596)
You could do it like during a certain campaign, right? Like, through threat intelligence, you see certain campaigns that are targeting certain things with certain tools. You know this is coming, like the MOVEit breach, and like there are certain things you can identify and hone in on and get pretty specific. But being able to look at the past and say we have an X percentage likelihood that that'll happen next year, that's virtually impossible, isn't it?

It is impossible now. It's impossible based upon the orders of magnitude that you're willing to be wrong. So there are many organizations that'll come and say, hey, you know, if you're in the manufacturing industry, the chances are that you're going to have a distributed denial of service attack, one in 40 this year. Yeah. I mean, if you look at all the numbers and aggregate it from the last two years, and yeah, okay, sure. But the individual experience will greatly vary.

Some companies won't have it for 20 years. Other companies, you're going to have it five times this year. So you're going to be off by orders of magnitude. And it's great for directional discussions, but for very specific, it falls away very quickly.

Yeah. What? I mean, that raises to me the, that, that bolsters my belief from that, that not all breaches are created equal, right? Like there are, I mean, there are some, and we get involved in the recovery or I'm talking to a business owner who had one and they, they were prepared. They had eyes on glass and they were able to detect pretty quick. Yeah.

hurt, but they were up and going back in an operational pretty quick, you know, matter of a few days, maybe a week. Like everybody like they're able to recover from that. It's, okay. They learned a lesson, but they were prepared upfront. So it was manageable. And then some are like, it's never going to happen. And then, and then it happens and it's six months later, they're still down. Like it's, it's nine weeks later. They're still down. They're like, I had no,

Speaker 1 (31:11.48)
All the data back, they'll still miss transactions, they'll still have issues. But to bring it full circle, when we talk about value, that's actually one of the ways you can talk about value and how CISOs should be talking to the board. It's not all or nothing. We're going to find that optimal range. But now let's get into that next layer. Because I talk to a lot of boards and we go through these exercises with the CISO.

No, they really don't.

Speaker 1 (31:40.678)
And I'll throw out there and go, hey, board members, are you okay with once every three years losing a million of your customer records? Because if you are okay, your security budget can actually go down. And they're like, I'd love our security budget to go down because it keeps going up every year, but no, we're not good with that. Okay, okay. Well, what about 500,000 every four years? And we start having these discussions.

And invariably somebody says, I want zero. Okay, great. It's going to cost you 50 times the revenue of your entire company. And I can get you to zero, right? Or I can just turn off all the servers. I can get you to zero that way too.

I was going to say we could just unplug.

And they're like, no, okay, no, no, no, no, no. All right, it's more than that. So let's have that conversation. Let's think about that. And then we can talk about recovery. If we do get hit, let's say a denial of service or a ransomware, are you okay with being down for two days? And they may go, yeah, yeah. If it's just two days and we're back up and running, yeah, we can do that. Okay, this is what it's gonna cost for that. And then somebody will go, well, you know what?

We could be down for three days and would probably still be okay. How much would that reduce our expenditure and security? I can bring down the cost or the friction to our users and everybody else down to this level. And you start to now see at the executive level, the C-suite and the boards going, this is what I do. I do trade-offs for business. Now I start to understand security and now I've got some dials I can turn.

Speaker 1 (33:19.904)
I can lead this organization. I can set the goals. The CISO is going to go execute to them, right? But I can set those goals. And from a CISO's perspective, if the expectation is zero bad things will happen, you're living on borrowed time because you're going to lose at some point and you're already brushing up your resume. You already know it.

Right. But if you have a situation where the board or the C-suite, the CEO goes, yeah, you know, 50 records lost, you know, once every nine months, 50 records. Okay. Sure. I mean, I, you know, great. When we have a data breach and 48 records are lost, it's not the career ending move. Right. You go and go, hey, we had one loss in the last, you know, nine months. It was 40 records. And that's well within our goals. Win. That is a win.

for a CISO and if you're not positioning yourself as a CISO where you can show wins, all you can show are losses. So you have to have that intelligent discussion and both sides of the CISO, the security people and the leadership people have to come together to be able to understand it.

What are a lot of CISOs focused on when they're talking about boards? I mean, I mean, when they're talking to boards, what are they, are they mostly saying, is it too technical? Most times is it, is it that they're explaining our tool sets or our SOC or our outsourced SOC, whatever it is, they caught these vulnerabilities. We fixed X number of vulnerabilities. We caught, you know, we stopped 15 breaches by

this, this and this because we caught them after they got in and we got them out or something like

Speaker 1 (35:07.694)
So I'm gonna make a whole bunch of people, my peers, very angry with me, but truth is truth. So there's no growth without pain. So let's talk about that. There are some excellent CISOs out there that know how to communicate with boards. They're on boards, right? And they do very, very well. I was just talking with Rinki Sethi and she's fantastic. We just did a podcast together. Great. But you're talking a sliver.

That's what my goal is.

Speaker 1 (35:36.146)
of the vast majority of CISOs out there had those capabilities. The vast majority of CISOs, my brethren, right, have come up through the technology ranks. They were an engineer, they were an architect, and then they were an engineering manager, and then they were a security architect, and then they, and eventually they were elevated to a CISO role. And at that point, their whole background is technology.

and they see it in alerts and code and vulnerabilities and this and that, they are only looking at part of the problem. So they don't tend to look at the processes. They don't look at the policies. They don't look at behaviors. They don't actually truly understand who's attacking them or why, right? But they're looking at the defensive technologies and that's what they're really good at, right? I mean, really good at, there's a reason why they were elevated compared to others.

But that isn't the whole picture. And now you put them in a position of business leadership. When you have a C and an O at the end of your title, you're not a technologist. You are now a business leader and you put them in front or as part of an organization of these business leaders making business decisions and they don't have the skills. They don't have the vocabulary. They don't understand how

these groups operate and they need to operate well. And so the least worst case is the CISO is quiet and just absorbs things, but really isn't adding anything to it. Other people are speaking for them. Okay. The worst case is they are flooding an audience with technology and charts. And this is how many alerts we had, and this is the firewall rules and all these things. Boards aren't technical. They're not supposed to be technical.

And so you are then alienating yourself. And I get called in by boards to help translate with the CISO. I help mentor CISOs. And if you're going in and I had one CISO the other day, they were going to go present to the board and they had 63 slides that they wanted to present.

Speaker 2 (37:46.958)
Let me stop them right there. That is not a good way of engaging an audience ever. Let me just, let me fire up this monitor. Is everybody able to see? I've got 63 slides of a bunch of crap that nobody cares about. Yes. I think the issue is too, they're too close to the fire.

Before you started!

Speaker 2 (38:13.59)
Right? Like they are, they want to report on what they're seeing as opposed to understanding the context that security plays in the overall business. And then when the business is talking about initiatives, how will security play in that role, and identify that and show, last time we met, you were running this initiative, security was going to play this role. We did that and we executed under budget or we did that right at budget. Right. And it's like,

That's what the board wants to hear. That's what's interesting. Like their, their interest is the initiative. It's not the security piece of the initiative. That's a component of it, but the goal is the initiative. So identifying we were part of the initiative. We did our part. We came in as we said, here's the other initiative. Yeah.

Well, it has to be tied to that business goal, right? To the initiative, just like you're saying. And so if a security person is going in there and talking about all these alerts or, we closed 57 critical vulnerabilities. That's not what the board's like. Okay, my primary goals are expansion into Europe, maintaining my margins, average selling price and revenue per quarter. Tell me, okay, you've done all these

you say vulnerabilities, how has it impacted any of these things? And if you can't bridge that discussion, right? If you go in and say, we closed 57 vulnerabilities, that means nothing to them. That's interesting. Show me a chart. I don't care. If you go in and say, I protected our ability to be able to expand to Europe because we're now compliant with their cybersecurity regulations. Got it. That is a-

business value you've just shown that security's contributed to. I don't care how many lines you had to fix. You enabled that initiative, that business initiative. Now you're

Speaker 2 (40:01.432)
You're right.

Speaker 2 (40:09.102)
Exactly right. We made sure that we were compliant with all the controls so that we could expand our CMMC business. Well, the CMMC, like whatever it is, or we attain level two this year as opposed to level one because we did all of these controls and managed all these.

marketing materials and that's an 11% uptick in closing business deals because we have an 11% boost. I love it. I love it. That's my return on investing in you and your security purpose.

Exactly, right.

Speaker 2 (40:41.098)
or the organization's offerings can have a premium version that comes with more privacy and more security attached to it, right? And you find new ways to go after net new logos for the organization, that type of.

Well, you're talking even about a more advanced level. Most of the CISOs really focus on preventing loss, right? And then you get the kind of next generation ones that go, okay, I know I can't prevent everything, so I'm also going to minimize losses that do occur. So I'm going to be able to have resilience and recovery, all these kinds of things. And that's great. Again, there are tiers above that. You touched on a few of them. If you can contribute to competitive advantage,

We're not talking losses. We're not talking competitive advantage. How do you differentiate your company's products and services compared to everybody else? That helps with market share. That helps with average selling price. That might help with margins, right? You can take it notches above that and go, we may actually be able to contribute to more revenue, right? That good, better, best model. And we've seen that work out. We've got a freemium model that everybody goes into, but we need to get them up to that next paid model.

Exactly. Maybe adding some security features or trust or confidence that differentiates us will move people from freemium to paid. Now you're contributing to that, right? So there are many tiers, there are tiers beyond that where you can generate organic revenue too. I've seen that with some companies who do really creative things. So, you know, but that's a journey. We're still at step one.

Right. That's an evolution on the scale of the Gartner scale. That's over on the right side. They've clearly evolved, but most organizations are over on the left, right? And most organizations are still struggling. So what are some of the guidance that you provide them when you're mentoring them to help them make internal? Is it really understanding like, you know, Harvard's got a great class, how to make an internal business case class. Like they have a whole class dedicated to it. It's brilliant. And you can take it online. It was one of the

Speaker 1 (42:25.998)
and they're struggling.

Speaker 2 (42:46.06)
best things I've taken since I got out of Like it was really good. And like they've codified, basically they've created a framework around making an internal business case. And it's, it's just brilliant because if you follow it, you find that people tend to say yes on your initiatives, right? Cause it really considers all the different factors so that when you're weighing the decision, you're able to see everything because doing nothing is still a decision, right? It is pointing that out.

Have metrics behind it, even if you're gonna do nothing,

Exactly. You don't want to do this? That's okay. Here's what's going to happen. X percent, X percent, X percent. You've got metrics behind it. Yes. Yeah.

It's the same thing here with cybersecurity. It's a little bit different than a lot of people try and use IT models for this. Certain types of tornado graphs, which are great. There's a twist with cybersecurity because in IT, if you adopt the IT models for business justification, it tends to work on the premise that you're dealing with obstacles. Technology debt, technology obstacles, whatever it is. And you have to allocate resources to solve those obstacles, right? Get past them.

Cybersecurity adds a different element to that, which is a human threat actor that is just as smart or smarter than you, that has more resources than you, and is highly motivated to do things that are going to negatively impact you. So there is an entirely different component because you have an intelligent adversary. But the general premise of you need to make a business case, yes, that is one of the first things that I talk about.

Speaker 1 (44:22.73)
In fact, you hire me tomorrow and have me come in. The first question I'm going to ask the CISO: What are your cybersecurity business goals? What are the goals to the board that have approved it and the CEO and the C-suite all know the same? What are you delivering? Right. And if you, and if they say, I'm delivering a new SIEM and we're changing out the firewalls and everything, I'm like, Nope, that is tactical. That may be an objective or a mission you have, but that isn't the goal.

There has to be a reason for investing that time, that money, that effort, and the friction you're putting your customers, your suppliers, your vendors, and your employees through, because security always comes with some level of friction. What suggests-

That's the opposite part of the scale from convenience, right? Convenience, no security on things. We can freely use it. Like it works great. It's go fast, break things, right? On the other side is clamping things down and causing friction so that you can continue to do this, right?

And if you don't have goals that everybody agrees to, then you're going to be introducing friction that people don't respect or want. You're going to be consuming resources that may actually be better spent somewhere else. And that's a detriment to your company, your shareholders, everybody. So, you know, we always start with, do you have good goals? That's number one. The other thing, especially in talking at all levels, other than other security people is you have to be able to tell a good story.

I love that. That is one of the things. A friend of mine is one of the CISOs with Zurich and he always talks about stories that are told to boards and leadership and being able to tell a good, you know, bear in the woods story or like something like, you know, the bear's the hacker, we got to get out and you know, like something that at least they're like, okay, kind of a corny story, but I get it.

Speaker 2 (46:28.46)
Like I get what the what the proposed initiative is going to do for us.

And depending on how good you are at it, right? It can be tremendously powerful. So I had one client and he said, Hey, I'm going to be talking about all these vulnerabilities and, you know, us potentially getting hacked and everything. And I said, you're going to lose them. I said, I get it. I can see those vulnerabilities. I know what systems they go to. I know the dependencies you have on that. I know how it's going to impact. I know what the attackers are going to do with that access. I get it. But your audience doesn't.

So we switched that around and I had them instead go in and say, hey, here's our top three risks. The first risk is from, so I'm gonna change it up a little bit so I don't give anything away, is from organized cyber criminals that are particularly targeting our industry, let's say healthcare or finance or whatever, our industry. And they're using these methods, they're using social engineering to do all these bad things. And at the end of the day, they end up

taking down the company for days or weeks. That's our first one, right? These organized cyber criminals, they're not the ones in the hoodies in the basement. They're a professional business. They have HR departments, they're hiring. And here's risk number two and here's risk number three. And the board members go, I get it. Okay, this really bad group of people are targeting our industry, they're using these things and this is our big risk.

Okay, that's our number one. Okay, okay, got it, got it. And then, yeah, and we're closing these gaps. We've got a program. We're gonna reduce our risks by 80%. It's gonna take four weeks. We're on it. We're gonna come back. We're gonna talk about that. And they get it. And if you would have instead gone in with the five pages of vulnerabilities in various systems, they would have been lost, right? You can't go in with an Excel spreadsheet and scroll through CVSS ratings. You just can't. But you told them a story.

Speaker 1 (48:31.126)
and it resonated. They didn't have to be technical experts. They didn't even have to be security or risk experts. They get it, right? You now have their support. Even if they don't understand what you're gonna do, they know you're on it and they know you know what you're gonna do. They're just gonna hold you to the end result. And it worked out great.

It really makes sense too, by going in front of non-technical executive authorities and explaining, you know, our job is to keep you out of the news. Our job is to defend against a foe. Let me explain who that foe is and explain how they're doing it, who they are, you know, how, you know, you can't rely on

the FBI to help protect you. You can allow them to maybe help you out afterward. But most times they're just there to kind of say, wow, you should have done a little bit more.

Like it's another country, man. Like the guys who do this to you are in another country. We can't touch them anyway. We'll hold your hand while we wait for the servers to spin back up. You know, but I think painting that picture and really explaining it is brilliant. Right. And then having metrics behind doing nothing. Right. Having metrics behind the status quo.

I'm gonna go right away.

Speaker 2 (49:57.048)
so that people know that you are flying blind or you might have a risk appetite of this, but what you've been doing now has really had you up here for risk. So I just want to bring it down to your level of risk appetite, right? And then finding metrics and ways to measure that, right? Which is tough sometimes.

Actively measure that. Right. I typically go in and it's not uncommon, because I'll look at their metrics and their dashboard. I would say for almost every client I've ever had, between 70 to 80% of the metrics, they're pretty, they're absolutely worthless. Right. And so my number one question, whenever I pick out a metric, I will go, what decision does this help somebody make? And if they say, it shows, nope, stop right there. That's not a decision.

Right? What decision, even if it is, Hey, we're doing the right thing or we're doing the best thing now. We're not going to change. That's a decision. Okay, great. Tell me what decision, because if it does not support a decision, it may look pretty, right? It may seem really cool and make you look cooler. Your department look cool or whatever. It's worthless. You are wasting time generating that metric. And then you're wasting audience time by trying to report that it's somehow meaningful. And it.

isn't. And the metric I hate the worst, which looks so cool, though, right? I'm sure you've seen this. You know, you have a map of the globe and you see all these live attacks coming in, you know, different IP addresses from different countries and different colors and it's

It is sexy. That's the quintessential threat map, right? Everyone has one. They all have one, right?

Speaker 1 (51:45.454)
And everybody. I've talked with vendors about it. We bought a company that had it, you know, in their lobby. And I'm like, this is eye candy. It's worthless. It's worthless. No, it's awesome. All our customers love it. I said, you're marketing to something. But from a practicality perspective, it means nothing. And I said, you see all these attacks here coming from Asia right now, right? Live. What are you going to do about that? Are you going to close your networks to Asia?

Well,

What are you going to do? It's interesting to watch. You could sit here and be mesmerized all day long, but you will not make a fundamental change because of some individual or group of attacks. You're not going to do it, which means this is worthless.

That's exactly right. It's like when anybody wants you to get involved in a business and they're like, but this industry is a billion, a $50 billion industry. Don't you want a piece of that? I'm like, that's not real. What you have to know is what this business does. How is this business going to market? Like it's about narrowing the scope of the focus really.

We have enough distractions in cybersecurity. We need to focus on the real things, the real attackers, the real risks, and not be sidetracked.

Speaker 2 (53:06.624)
And I don't know if you can answer this, but when you're looking to measure an organization's risk appetite, right? And what are some of the things that you generally look at? Like I know it's going to be different for every business, but what are the things that you generally want to want to start tracking so you can put some measurement behind?

Yeah, so it all goes back to the discussion of goals, right? So what kind of industry are you in? Are you in an industry where your most critical thing is your intellectual property, or is it the uptime of your web page for services to your customers or whatever? But in general, regulatory compliance, normally there's a critical metric around that. And the more regulations in your industry, the more important that particular metric is. So regulatory compliance typically falls in somewhere in that, for greater or worse.

Uptime of services for most organizations, that is very important. I have worked with some that are like, no, we shut down at five o'clock. You know, we manufacture stuff and we only operate half shifts. So if someone brings us down for a week, okay, so we'll run full shift for another week. That's fine. Right. But uptime typically is some type of metric around brand or embarrassment, right? Hey, we, you know, our webpage got hacked and they put pornography on it.

Right. I worked with a client that had that. Right. Yeah. We don't want that to happen again. That was really bad. Our founders are very conservative and that

And that's going to be very, and that'll be very, like, company specific, right? Because, you know, like people are always like, well, the Target breach happened and they bounced back. I'm like, Target is not in the trust business. Right. If it was, if it was a law firm, right, all the frigging clients would have left and gone right next door to one of the other hundred, like one of the other million lawyers out there and just gone to them because they invested in cybersecurity. You guys didn't. Right.

Speaker 1 (55:00.462)
Exactly. And I've worked with some lawyers, some firms, and had those exact discussions, right? They're like, my name is literally on the front page. It's literally there! That's my father's name as well, so I don't want to hear it from him.

It literally is their And their name is-

Speaker 2 (55:17.39)
That's exactly right. It's all about reputation.

So sensitive data, right? Exposure of that. Many times integrity of transactions. That can be a big one. And that typically is one that people don't look into. And it can be some of the most impactful. Integrity of transactions. So some financial transactions, order transactions, things of that sort. We just had a cryptocurrency exchange get exploited for almost one and a half billion dollars.

What's that again? What's that again? yeah!

Speaker 2 (55:48.43)
$10, yeah.

It's they were able to compromise the integrity of the transactions that occurred.

So they were able to manipulate the blockchain as the transactions were. Those are some smart guys.

Yes, they are. They were able to actually hack into cold wallets, which is the de facto standard for the most security. And they were able to get around that. Right. It's the equivalent of an air gapped network, if you will, in the normal world. People think it's impervious and it's not. Cold wallets impervious. No, it's not. And we now have a $1.5 billion data point to show that that is not the case.

You know, again, every organization is different, but you tend to fall into those: confidentiality, availability, integrity, clients, brand reputation, things of that sort, depending on the business. You know, having a handful of goals, you don't want 10 or 15 cybersecurity goals. I think the smallest number of goals I've ever had with a client or myself has been three. And the most I've ever allowed has been six, and the sixth one was temporary.

Speaker 1 (56:56.999)
It was cleanup of some bad stuff that needed to get taken care of, which is one of the reasons they called me in, you know, resolve that issue and then we're down to five.

And then you set a time frame, you reach those goals, you set the metrics of the milestones. And it's basically like your rock for the quarter. And then you come back and you report on that. It's a great way of communicating.

Right. It's never about zero risk. It's about an acceptable level of risk. So you might have to come in and say, Hey, yeah, this bad thing happened. The next sentence out of your mouth should be, and it was within what we expected to happen. Right. So our models aren't off, our models are right on and right where we expected it to be. The next conversation that happens is,

Are we comfortable? Are we still comfortable with that? And some people will go, no, no, no, no, no, no. We need less risk. I want that to happen less often. Okay, great. Guess what? The spending now goes up and it's justifiable. Right? The friction is going to go up because I got to institute more security programs, right? Or maybe.

Well, I have studied negotiation sales for 35 years and I will tell you that is leverage. Like if you're able to say, okay, we agreed here, we had a couple of bad things happen, you guys still okay with that level of risk appetite? They're like, no, no, no, we don't want that to happen. Okay, then my initiative is what I wanted in the first place and that is additional resources.

Speaker 1 (58:27.79)
Bring that up, no, you can't say I told you so. You can't say I told you so. You can't let them know it. They'll think it. They'll go, he told me this.

You can

Speaker 2 (58:37.794)
Yeah, exactly. Now you never that's the $64,000 comment or question. You never asked that one, right? You always wait till the end, right? No, that's brilliant.

Situation happened, by the way, if you want a good story here. One of the things I did at Intel is I managed M&A security, right? I built the team and managed it. And I would have to report out depending on the size of the project. I did over 120 mergers, acquisitions, divestitures, site closures, co-locations all over the world. So, but typically for the larger projects, I would go in every two weeks and I would go to the management team and cybersecurity was not even on their radar at the beginning, right? We don't even want to hear from you. And so I

Boo yah!

Speaker 1 (59:17.496)
push my way in. And I would give a real quick report out. And one of the things I would say is here are our top risks, right? This is the impact that I think that it would have if it was compromised. And these are the recommendations. I've got some recommendations if we want to mitigate those risks. Well, they were interested in the recommendations, right? They looked at that and said, okay, Matthew, we'll see you in two weeks, right? And after a couple of weeks, I would come back and I would go, okay, here's our top person. By the way, last week we did have an incident.

And it was this, and it caused this amount of damage or issues. And one of the team members said, you know, after about two or three times of this, they said, that's what you presented last week, right? You said that was going to happen. And, you know, I politely said, yes, we've had, you've had five different incidents and in every single case, it was something that I had let you know about ahead of time. Now you own the risk so you can accept that these impacts are going to happen. My job is to let you know.

That they're going to probably happen and that you have options. Up until this point, you're not interested in the options. That's fine. You own the risks. You've been duly informed. And they're like, okay, hold on, hold on, hold on. from.

Because what they want is they want zero incidents and spend the least amount of money, right? We know that's what they want and we don't blame them for wanting that. The issue is how do we make it happen because we can't make zero happen. But how do we advise them of you're at this percentage of this risk? And that's really where the where the storytelling and everything really helps communicate.

And it built my credibility because there was not an incident that happened that I hadn't predicted that this was one of the most likely things to happen.

Speaker 2 (01:01:10.336)
Yeah, and there's no BS factor. There's no misalignment. That's the way to handle it. You should really coach CISOs, so I don't know what you're doing during your day job, but you really should. I think you got some good ideas there.

But from you

Speaker 1 (01:01:24.642)
From then on, I would go in and present and they're like, okay, go ahead and take care of those risks. We will sign off on whatever it is you need to go take care of those risks, and the bad things stopped happening. And the next project, same group of people, yep, Rosenquist is going to present, we're just going to approve that and let him go do what he does.

That's phenomenal. We will, Matthew, we will have links to your information sites, your company in the show notes. Thank you so much for your time. I want to be respectful of your time. I will tell you, I always enjoy it not being the smartest guy in the room. And I always like having you on because I know I'm not, like I'm learning. Writing things down. Every time, every time.

You f***er!

You're on, I learned so much, it really helps. So thank you so much for your time. Thanks for your insight. Keep doing what you're doing and we will talk again soon. Thanks buddy.

My pleasure.

Speaker 2 (01:02:30.318)
Well that wraps this up. Thank you for joining us. We hope you enjoyed our episode. The next one is coming right up. We appreciate you making this an award-winning podcast and downloading on Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies and we thank you for watching.
