Introduction
I will soon be transitioning out of the military and heading back to the New England area. My background is in offensive cyber (ie: hacking), using that experience in both the Intelligence Community (IC) and the special operations community. I come from a small team that was required to do a lot, so I have broad experience, which includes cybersecurity, software development, infrastructure design, networking, and more. This site will be aimed primarily at cybersecurity.
Background
- I am interested in starting a cybersecurity company and this site is to see what type of need exists by sharing relevant information.
- Reach out via the Contact Us page and I will try to answer your questions, either in a blog or through a phone call (it won’t cost anything).
- The catch: Just be open to answering some questions regarding what your needs are as a business.
- No credit card. And if I suggest A.I. is the solution, you will get reimbursed
Why the Focus on Small and Medium Businesses?
I’ve spent years working on the offensive side working for a well resourced organization (ie: the US government). I know what the difference is between the Hollywood (and frankly, the cybersecurity industry) portrayal of cyber threats, and the reality. My perspective is likely not the mainstream cybersecurity opinion, which stated shortly, is that while cybersecurity is important, it can be accomplished in a cost effective manner. I don’t think this opinion is popular because it is not in the best interest of the cybersecurity industry. On the offensive side, cyber is expensive. It takes a lot of money to build out an effective organization. And it’s just as expensive on the defensive side. I think it’s expensive for three reasons:
- Tools – The tools are expensive, some more so than others. Particularly with the introduction of AI into products, because now a company needs to pay for the up front cost of training the AI model that they use.
- People – The people that use the tools and understand the technology are well compensated. Most cybersecurity tools don’t fix problems, they notify a human that a problem may exist, so humans are needed to fix the problem…and there can be a lot of potential problems.
- Luxury – People in tech love their tools. And there is always a new and shiny tool that is coming out that does that one extra thing that would make their life so much easier. And that tool is part of an ecosystem that you are now tied into. And that tool and ecosystem require training. If you don’t provide training, you will struggle to keep people compared to a company with a bigger training budget. But then that person who pushed for that initial tool now leaves your company, and the new person has their own favorite tool, and you need to repeat the cycle.
If you don’t know the language, or the questions to ask, you may find yourself out of your element. You ask something like, “well, what if we don’t do that”, and the response is something like “you could do that, but it leaves your network exposed to being breached”. Being faced with an Armageddon alternative, you agree; as you don’t want to risk the entire company’s existence with a cyber attack.
My Approach
To tell a quick story, a few years ago I spent a few months in a beach town, and there was this beach bar that I enjoyed. The way it was built was a noteworthy, particularly in contrast to the massive concrete hotel next to it that looked more like a bomb shelter. Tropical storms and hurricanes were common in this town, but this bar, located on the water, was built more like a shack than anything else. I jokingly asked the bartender if the idea was to build the bar in so that it would be cheap to rebuild, with the expectation that a hurricane would knock the building over, and the bartender confirmed my joke. I was a little surprise, but after thinking about it, it started to make sense. The owner’s opted to build the building with the intent to survive a tropical storm, and maybe a low category hurricane, but beyond that, they took a chance on something worse happening. And if it did, they would rebuild the bar. Rather than try to withstand a category 4 hurricane and constructing the building with those expenses, they built the building to survive the majority of storms, but if an unusually strong storm came through, the building was cheap enough to rebuild.
The model of that beach bar largely exemplifies how I think small and medium businesses should build out there cybersecurity. You may be the large concrete hotel that can withstand the direct hit by a category 5 hurricane, but there are a lot of companies that don’t need to do that (my assumption is that most find themselves in this category, whether they know it or not). Where this analogy doesn’t hold up is in the repairing of the building. Rebuilding is still a timely and costly process in construction, but that is not the case with networks and computers if they were designed with being rebuilt in mind.
Reason for this approach
I do believe that cybersecurity is important. But an organization’s cybersecurity response should be equivalent to it’s risk. A small company with 5 employees doesn’t need to protect itself against an Ocean’s 13 type heist, and neither does it need to protect itself against a nation state (ie: China) deliberately attacking it. If cybersecurity is ignored all together due to either its cost, or complexity, it leaves an organization open to low hanging fruit type attacks, which can cripple a company. Cybersecurity should be inexpensive enough, that the downside of not having it is obvious. That way, you don’t have to constantly justify an expense, that you can’t see the value of, until it gets cut.