Transcript:
Connor Swalm: Welcome to Gone Phishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security. And welcome to Gone Phishing.
Hey, everyone. Welcome back to another episode of Gone Fishing. I'm your host, Connor, CEO at Phin, and I am joined once again by a friend of mine, Jimmy Hatzell. He's the VP of revenue at CyberQP and the democratically elected warlock of privileged access management. And if you don't know what that means, you should listen to our previous episode that we just had Jimmy on, where we talked about everything, Pam, because he was wonderful. He taught me a ton about it. You can learn a ton about it, too.
Jimmy Hatzell:
I'm doing amazing. Doing great today.
Connor Swalm:
What are we talking about? We've had you on. We've talked about privileged access management. We talked about AI, some of the dangers that it could potentially pose to people who are using it, some of the benefits it could pose to not only businesses, but individuals if they learn to. If they educate themselves and learn to use it properly. And today we're talking about another topic that is the future of cybersecurity bleak? Is it a bleak future? Is it a bright future? What would make it bleak or bright? And I'll let you take it from there.
Jimmy Hatzell:
Yeah, I mean, it's definitely gray clouds. But we got an umbrella, I think, and there's pockets of sunshine here and there. There's been more information and data created in the last two years in the history of mankind. And we have an exponentially, logarithmically larger amount of information to protect every single year. And the talent shortage gets bigger every year because there's more pieces of information to protect. There's more technology adoption. There's faster Internet.
There's all of that's getting bigger and bigger, 10x, 20x, 100x year over year. But the amount of people we have to actually be experts in cybersecurity with, like, say, ten years experience to run a cybersecurity program, that number is very small because they would have need to enter cybersecurity as a field ten or 20 years ago. So we only have the inputs are ten years behind on the outputs of what we actually need.
So, say, we have a talent shortage of, say, like, a million people, depending how you ask. I don't know. I'm just using big numbers here. We can't train a million people on ten years experience in a year. It's going to take ten years, and by the time those ten years go by, we're going to need way more.
So the problem is going to continue to get worse because of that. And there's great technology and great tools that can help manage that and get better, but there's always going to be a shortage of people. And that's why MSPs are uniquely positioned to either co-deliver or deliver cybersecurity services themselves and sort of manage all of the different tools and technologies. Because you are out there dealing with customers. You have the front lines. You're the people that they're going to call if they have a cybersecurity problem. You can't just call 911 for cybersecurity. You call a local computer help near me and an MSP pops up on the screen and you're like, hey, my screens have a ransomware thing. They say I need to pay them Bitcoin. We have our financial audit tomorrow. I need help right now. No IR firm is getting those calls from the local accounting firm. It's an MSP who's going and figuring that out. So I say all this to comment on the fact that the cybersecurity problem is going to continue to get worse, which I would say the future is bleak when you look at that from that lens. But from an MSP perspective and a cybersecurity, someone like you and I out here helping people every day, trying to get the problem a little better, there is a lot of opportunity for us, and I think good will always prevail over evil. At the end of the day, it just might take some time, but we're getting there.
So I don't think it's like doom and gloom. Let's give up. It's going to be hard, it's going to be challenging, but we can make a difference. And by, you know, whether you're an MSP or you're working, like myself as a cybersecurity vendor, like you, Connor, like, we're helping people get secure, we're helping them protect their business, their livelihoods, their jobs, pay for their kids, that type of thing. That's the reason I'm in cyber, right? Because I feel like it's the way that I can make a real difference in the world, because I'm good at it. Not to brag, but I know cybersecurity in general, and I feel like I can make a big impact because there's such a big problem to work on. So, yes, it's bleak, but it's good for us. I guess that's what I'm trying to say.
Connor Swalm:
Well, it's like you said, there's spots of sunshine and we have some umbrellas. I always go back to explaining to folks who aren't insecurity or don't understand it directly. It's like, why is this such a big problem? And I always go back to the defender's dilemma, is a defender has to be right all the time, forever. An attacker has to be right exactly once at any point in the future. And if that attacker is right and that defender is wrong, well, congratulations, you just got hacked. And if you have proper tools in place, if you have privileged access management in place, the hack is limited in scope, and it's not going to be an incredibly big deal. You still have to deal with it, but it's not going to be the end of your business.
However, if you're not knowledgeable in security or you're not working with an MSP that is an expert, or a vendor that is an expert, you could be on the phone calling your local computer repair guy saying, why is this message on my screen? And why do I need owe them several thousand dollars in bitcoin? Can you tell me what a bitcoin is? That's probably what their first question is going to be. So I always go to the defender dilemma, but I completely agree. Like, the talent gap, the millions, one, two, three, I can't even conceptualize what a million people would look like. It's like an entire city of people that's just missing from the workforce. And like you said, it's only going to get worse.
Cybersecurity is becoming a bigger field, and people aren't being educated fast enough because they're not joining the field quick enough. How can solutions keep up? How can the solutions they use, or how can the solutions MSPs use? How can they keep up and keep security in a place where everyone's not getting hacked all the time?
Jimmy Hatzell:
Yeah. I said this in the last episode, but you got to follow a framework, right? You got to align your business to some guideline or reference. It's like gap accounting, right? If you don't know where your numbers are and you don't have some standard for doing your accounting, then who knows how reliable it is? But if you can align to CIS or NIST and then you have a guideline to go forward and then you need to do continuous improvement, because I guarantee you, if you go to implement one of those frameworks, you're not going to get through the whole thing right away, and you're always going to be working on it forever and ever. So cybersecurity is an ongoing process. It's not a tech, right? It's not a product. Cybersecurity is a product. It's an ongoing process that is going to get MSPs are always going to be swapping things in and out, and they're always going to need to be improving, and they're always going to need to be retraining end users and they're always going to need more security. It's just dedicating the time to it and committing to continuously improving. I think security vendors in general or cyber people, are over arrogant and often talk down to small businesses or other IT professionals, say, oh, you don't have this. How could you not have this cybersecurity? You don't even know what you're talking about. You blah, blah. And that puts people off. We need to meet people where they're at and help rise them up. And I think part of the problem of why the average security posture is very mature is because it's so intimidating to bring on any cybersecurity in general. And there's an immediate gut reaction from cyber vendors to say, well, you need everything right away or else you're going to get hacked and it's going to be horrible, when really, it's like, hey, you're here, right? And you want to get to there. Here's the steps we can do along the way.
Here's what three months looks like, here's what six months looks like, here's what nine months looks like. And we need to change the way that everyone looks at and talks about cybersecurity to be from that friendly helping mindset, because that's what we're here to do, right? We're here to protect people. We're here to help people.
Connor Swalm:
Cybersecurity is, in my mind, a technical field, like up there with all the STEM fields that you'd learn in college or higher education. And sometimes the judgment that you feel from those people is very palpable. And I do see a lot of that. I also see a lot of the opposite. I see a lot of people who understand exactly like you're talking about. It's like you can't get from zero to 100 in a day. And trying to convince someone that's exactly what they should do is completely bonkers and also usually incredibly expensive. So if you're trying to talk to a small business, who are the people who need the most amount of security at this point? And you say, hey, I need you to double your expense budget next month and every month thereafter, they're like, no, screw you, I'd rather get hacked.
That's not what they're going to say, but they're just not in a place where they can do that. So, like, starting of like, here's what we're going to do for. Here's the baby steps. Step one, step two, step three. Here's three months, six months, a year. I think that's incredibly wise. And there's a lot of people that think that way, but I think a lot of MSPs, if MSPs are listening right now, approaching a conversation with your clients like that, would probably make them feel way more secure. Feel more secure, not necessarily be more secure, but at least the feeling would be there, and then you can work on it after you've created the relationship. I think that's some really wise advice. Thank you.
Jimmy Hatzell:
Got advice every once in a while.
Connor Swalm:
You save all the wise advice for all the podcasts and then all the bad advice you leave unrecorded.
Jimmy Hatzell:
Yeah. Then I'm like, you should totally jump off that roof, man. You won't hurt your legs.
Connor Swalm:
Aim for the bushes. Aim for the bushes.
Jimmy Hatzell:
Aim for the bushes.
Connor Swalm:
Last question we'll wrap up with then. Should MSPs be taking a larger role in security than they currently are? Are they approaching it? Are they aiming too low? Are they aiming too high? What's your perspective on that?
Jimmy Hatzell:
I mean, I just think MSPs are the only solution to the cyber problem for small and medium-sized businesses. They're not able to do it themselves. So MSPs have to do it. So pick a framework, start aligning yourself and your customers to it, and move forward one step at a time. And there's going to be MSPs who are under-prepared or under-trained to take on that task. And there's going to be MSPs who succeed really well and are doing amazing work. But it's what we got right. The average small five-person company, or ten or 15 or 20 or even 100 person company, they can't afford to bring on start a security operations center in house. So they need an MSP to go and help them and guide them in their security and their IT.
Connor Swalm:
Yeah, the enterprise vendors aren't going to look at small businesses because they're not profitable enough, and the small business owners are so busy running the small business that they can't do it themselves. So, MSPs. This reminds me of a quote that I've said I think on this podcast before by Winston Churchill, never give up. Never give up on something that you can't go a day without thinking about. Never give in. Accept the convictions of honor and good sense. Never yield to force. Never yield to the apparent, overwhelming might of the enemy. I don't know if that inspired some people today, but sometimes I read that and inspires me.
Jimmy Hatzell:
I feel inspired.
Connor Swalm:
At least one person feels inspired.
Jimmy Hatzell:
Thank you.
Connor Swalm:
Any last second advice for folks trying to understand a little bit more about security? Or maybe if they wanted to learn a little bit more about Jimmy Hatzell, what would you give to them?
Jimmy Hatzell:
Oh, no. Connect with me. Happy to connect on, you know, it's okay. Wherever you're at with your security a, it's an ongoing process, and you don't have to pretend like you have it all figured out, because nobody really does.
Connor Swalm:
If anyone shames you and you're listening to this, Jimmy will come personally kneecap them for you.
Jimmy Hatzell:
Any pocket mulchers out there, any pocket.
Connor Swalm:
Mulchers out there for sure. And we'll have Jimmy's LinkedIn. We'll have contact information in the show notes. So if you'd like to get in touch, if you'd like to connect and learn a little bit more about him, you can. Or just ask him some more interesting questions like I have today, this is where I learned a lot. So thanks for joining us, Jimmy. It was a blast having you on again.
Jimmy Hatzell:
Thanks. My pleasure. Thanks for having me on.
Connor Swalm:
Sweet. Once again, Connor, CEO at Phin and I was joined by the great Jimmy Hatzell, VP of revenue at Cyber QP and also the democratically elected warlock of privileged access management. We're making that stick, by the way. We're making.
Jimmy Hatzell:
There you go. Yeah, you're going to get me in trouble on that one.
Connor Swalm:
I'll see you all next time. Thanks for joining.
Connor Swalm:
Thanks so much for tuning in to Gone Fishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out. Phin security at Phinsec IO. That's P H I N S E C . IO. Or click all of the wonderful links in our show notes. Thanks for fishing with me today and we'll see you next time.
