How Smaller Companies Can Mitigate Cybersecurity Risks and Comply With the New SEC Rules

Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

 

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional, providing practical privacy advice to overwhelmed companies.

 

Justin Daniels  0:36  

Hello, Justin Daniels here I am a partner at the law firm Baker Donelson, I work in tech transactions, and mergers and acquisitions. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

 

Jodi Daniels  1:03  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and established customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com.

 

Justin Daniels  1:40  

Well, I just want our listeners to be aware of, Jodi was in New York last week speaking at a art-related type of conference for artists and other folks. And they had this really cool picture of her right below this quote about how privacy is not about fines and compliance. It’s really about a fundamental human right. If you haven’t seen the picture on Jodi’s LinkedIn feed, it’s really cool because it really encapsulates the mission of Red Clover.

 

Jodi Daniels  2:05  

Well, that was very kind, it was a lot of fun to be at that conference, because some of you might know, but I used to do musical theater and sing and before Glee was a show and cool. And now our younger daughter does the same, and it was really, really nice to be in a room full of arts, organizations, and digital marketers from the fine arts to visual arts to performing arts and we need more art than ever. So, while I would love for you to see the quote and learn more about privacy, please also support your favorite arts organization.

 

Justin Daniels  2:41  

And let us know by messaging Jodie on LinkedIn, if you want me to create a ChatGPT lyric for a privacy song, and maybe Jodi will sing it acapella.

 

Jodi Daniels  2:52  

You never know. You never know. All right, but today we’re going to come back to the universe of privacy and security.

 

Justin Daniels  2:59  

Yes, we will. And today we have a terrific guest we have Brian Haugli, who has been driving security programs for two decades and brings a true practitioners approach to the industry. He has led programs for the DOD, Pentagon, Intelligence Community Fortune 500, and many others. Brian is a renowned speaker, an expert on NIST guidance, threat intelligence implementations and strategic organizational initiatives. Brian is the contributing author to the latest book from Wiley, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework. Lastly, he is a professor at Boston College in the Woods college advanced studies master’s program in cybersecurity. Brian, you had me at NIST. Welcome to the program.

 

Brian Haugli  3:46  

Thanks for having me.

 

Jodi Daniels  3:48  

Well, Brian, can you share we always like to start by understanding how people got to where they are today and tell us what you’re doing at SideChannel today.

 

Brian Haugli  4:01  

So I’ve I’ve been in this field since high school, I got started right out of high school, working as a pen tester and then just kind of working my way up through the ranks, you know, I genuinely enjoy computer work, IT work, I’m, at the core of it, really just a problem solver. And to me, technology has always been something to either build or break and generally just kind of solve problems around. So, this field just seemed to kind of have a calling for me. And interestingly enough, you know, you can actually make money at it. So it’s kind of a nice, nice twofer where you have a passion that actually pays so that’s that’s it’s something that I did not I did not intend to go into this field. I wanted to be a history teacher — a high school history teacher and I we were just joking kind of off camera about how much I read you know, I love reading about history and I just yet I love reading. And that’s what I wanted to go do. And I always wanted to teach kids about history and make sure that they had the right understanding of history. But then I fell into, I literally fell into this. I got recruited into it and just stayed with it because it was paying, and I kind of never really looked back at going going to college to pursue getting a degree to then end up trying to become an actual, like high school history teacher. So I stayed on this path. And, you know, it brought me through the Department of Defense, I ended up going to the DOD, and working, working there for about 10 years across a couple of different agencies and programs leading. Most of the most of the time, I’ve always kind of found myself in a leadership role. So you’re kind of working up from being on the very technical side to go into the, to the policy side to eventually eventually leading overall programs for the Defense Department. And then I had a Fortune 500 that was here in the Boston area that scooped me up and hired me to come build and lead their program. So I had already been working a lot on NIST, since its inception, implementing it at Pentagon, and then getting the opportunity to be one of the first Fortune 500s to implement the NIST CSF up here, it’s probably one of the first companies to implement the NIST CSF. So yeah, that was that was kind of it. I did that for four years, until I launched SideChannel. SideChannel’s entire purpose was initially to work with nonprofit organizations. In fact, our first client was a nonprofit. And my original co-founder, and I wanted to legally insulate herself to be able to basically support and help a CIO that was a friend of his, and because they couldn’t afford the budget to hire on someone like us, you know, like my starting salary, as a CSO on the East Coast is, you know, three $400,000 base pay plus, you know, bonuses and stock and everything. It’s, it’s not financially feasible for most organizations. So a nonprofit came along and was like, Hey, we really need this type of help. And, you know, hey, we’ll pay you, you know, just as he’s travel and, and, you know, some some consulting, to just give us a hand and give us some advice, you know, we don’t want to take advantage of you, because you’re, you’re doing this on the side. And that started it. And I was like, wow, you know, kind of looking around like, wow, there’s a real underserved market here. Nobody is really helping mid market, nobody’s helping small business, emerging tech startups, no one’s helping nonprofits, they’re left to their own devices, yet. It’s the exact same risks that enterprise have within cyber. So, you know, it seemed like a really good business opportunity to just focus and build a consulting firm, centered around supporting this really underserved market, you know, just have done the enterprise thing. That’s cool, I want to go work on something else. Now that has some meaning. And I was the entire intensive SideChannel. And then, over the last five years, it’s just exploded. Because our thesis, or our hypothesis, whatever it is, I’m not a science guy. So I always picked the wrong term there. But our idea and bet was, was right, that if you go and work and focus just on this underserved space, the mid market, and small enterprise mid market and below, there are not a lot of people helping them, therefore there’s a lot more opportunities for you as a business to be able to deliver. And, you know, you don’t generally face a lot of competition, and we don’t, which is really nice. So it’s been it’s been great. And it’s just focusing on pretty much everybody outside of the Fortune 1000 on helping them identify their cyber risks, build a mature and maturing cybersecurity program to address those cyber risks and be able to articulate that to whoever’s asking.

 

Jodi Daniels  9:04  

Well, Justin, I know that you want to talk about security and history today. It’s going to be very challenging, because Brian, share two of your favorite passions, actually three ways of reading, history, and security.

 

Justin Daniels  9:20  

You’re right.

 

Jodi Daniels  9:20  

I know.

 

Justin Daniels  9:21  

I lit up when he said he wanted to be a history teacher, because I want to do that and then show up as a different historical character like every week.

 

Jodi Daniels  9:30  

That will be fine. Well, Brian, I’m excited to dig in. We have the same philosophy in terms of mid market because that Red Clover, we’re seeing the same thing, just on the privacy side. Lots of organizations actually first tackle security and then they seem to come along for privacy, but I know we’re gonna get a little bit deeper into that soon.

 

Justin Daniels  9:49  

So talking a little bit more specifically about SideChannel. Can you talk a little bit about how they specifically help their clients with cyber compliance because I remember meeting one of your SideChannel professionals working on a deal where it was a private equity backed company that seemed to bring you in to be helping them with multiple for portfolio companies.

 

Brian Haugli  10:10  

Yeah, we have, we have a lot of different avenues. It’s amazing. You know, I never thought the people that you kind of have set up kind of in Channel Sales, you know, what those are I, I’ve always been a buyer. And I’ve always been a practitioner, I’ve never been on the sales side until I started this company. So I’ve learned so much about, you know, how do you get what you offer in front of people. And, yeah, the private equity groups, VC groups, a lot of law firms, CPAs. And insurance brokers are our largest Channel Sales to their clients, because they’re generally the, they’re in the position of trust, where you’re a trusted adviser to that client, or you have some type of significant influence into them, you know, in the case of private equity, or Venture Capital Group, where you can really kind of steer the direction that that that that end asset needs to take. So for us, it’s been, you know, once we get into one startup, you know, the PE, or the VC firm, this has happened a number of times, like, Wait, who’s helping you with your cyber program? Oh, hey, can you do that, and these other, all these other assets that we own, or we influence, so that’s brought us, you know, tremendous amount of business, and, you know, just more exposure kind of brand, but essentially, you know, my focus on delivery for this type of work, right, so we’re now actually the largest virtual CISO provider in North America. And the reason that we are is because I believe experience matters in this role. And we do that because I only hire former chief information security officers, people who’ve actually done the job at an enterprise or commercial level, when you kind of go out to market a lot of the competition that I see, and I don’t really consider them competition anymore, or people who say, Hey, we’re a VCISO provider, and you look under the hood, and it’s, you know, one, maybe two people, they’ve been a director level at most, or they are a CIO, they’ve never, they’ve never been an actual chief information or a CISO at an organization. And I think, like law, or privacy, having explained real experience in this field, to be able to steer how you build a program influence the leadership at an organization to adopt and support the cyber program that’s gonna go in place that matters, that experience matters. Like if you’ve never briefed the board, how are you as a vCISO expected to go brief your customers board about risks in terms that they’re going to understand if at most, you’ve done, you know, it’s very technical level types of role, you don’t have an executive presence? So that’s been our differentiator. And that’s, I think what really matters when you’re building a program, is that real, you know, experience, the executive presence, the ability to actually lead and mature program. So you know, we look at, basically cyber program as a service, it’s the governance that needs to go into place, the risk assessment needs to feed into the governance, being able to truly identify what the gaps are being able to mitigate the gaps, finding the right risk management solutions, whether it’s, you know, acceptance, or mitigation, transfer, or avoidance. Although, I argue now, today’s there’s no way anybody can actually avoid cyber risk if you’re plugged into the Internet. So that one’s kind of out, we’re left with really three risk management solutions. So our clients view us and I think the way that this should be done is, if we were your full time CISO, what would you expect out of this role, but you don’t need us full time because you can’t afford it. And two, you probably don’t have enough work to keep us interested, professionally, to stay here. And that’s probably why you see a lot of midsize organizations fail to not just not only fail to hire, but also failed to retain a CISO once they hire them, because there’s not enough for that role to be really involved. And then you start kind of layering less, like lower level work, that’s professionally unfulfilling. And you know, as a CISO, I don’t, I don’t want to be answering third party risk management questionnaires. I don’t, I don’t don’t expect me to manage a firewall. That’s not what this job is. You know, people are looking for an all rounder, and they want to give them the CISO title. And that just doesn’t work in this field. So hey, take somebody for 40, 20 hours a month, who is in that role is the rest of your money and fine and resources towards engineering and architecture, you know, technical execution, things that are more in line with somebody who’s mid level or junior level who can action on it.

 

Jodi Daniels  14:50  

Any thoughts?

 

Justin Daniels  14:53  

Makes a lot of sense to me. I can’t tell you how many times I’m the one after I handle a breach and I’m the one telling them who to get have to rebuild or start from scratch to build a whole program.

 

Jodi Daniels  15:05  

Brian, one of the things you had mentioned was about 20 to 40 hours. And one of my questions too, is going to be for mid-market company thinking about hiring an outside firm, what was the time period that they might want to think about? from a budget perspective? If it’s not enough to fill interest level from a full time? What is sort of that right part-time amount? And Did I hear correctly? Did you say about 20 to 40 hours a month? So maybe is that like, a quarter of a person? For them to just sort of mentally think about?

 

Brian Haugli  15:38  

Yes, so what we’ve done is we’ve actually productized our services, and we have subscription to what we do. So we sell and you know, all of our contracts are on an annualized basis. And our clients, actually, we have very long-term retention our clients generally because they’re not growing fast enough to be able to justify the finances to hire a full-time CISO. So our clients sign with us year over year. Cyber is not something that you’re like, Okay, I did, you know, I got you for three months, at 40 hours a month, you’ve implemented all this stuff. Thanks. Bye, good. You know, we got it from here. It doesn’t work like that. In fact, we’ve had clients who thought that, and we’re like, Okay, keep our number, because in three to four months, you will call us back. And, you know, we’ll happily have you come back, because you thought you could run it yourself. And they do. So, yeah, I think, you know, it’s, it’s kind of all size dependent, and complexity dependent. You know, if you’re in a highly regulated space, you know, if you have a lot of customers that are kind of demanding of your security posture, if you have a very interested board, or if you are, you know, kind of what I view as post post breach, right, where the digital janitors have come in, and cleaned up, and now you’re sitting there going, I don’t want to go through that, I wish I had the program in place that would have stopped this or had something in the first place, build me that. So you know, 20 to 40 is kind of on the low end, I mean, we’ve got clients that are doing 80 plus hours with us a month, because they still can’t afford to get the right type of talent. And it’s, it is cost effective for them to do that. So I can’t say, you know, this is what’s going to work for everybody. But generally, you know, figure this is going to be an ongoing risk, unless you’ve somehow figured out how to remove cyber from your operational risk register. And if you have, please tell me how you’ve done that, because 25 years in this industry, I don’t see anybody who’s ever has. And, you know, what’s the, what’s the landscape look like? You know, are you trying to just meet and build to a program? I mean, a framework are you in over your head with a number of different regulations that you have to meet? You know, I feel pretty bad for publicly traded companies that are in the finance sector, or the insurance sectors that are domiciled in New York, because you have the SEC, the FTC, and New York State, Park 502 All to deal with. It’s like the trifecta of regulation. The good news is they all they all just ripped off NIST CSF. And they’re pretty much all the same controls. But even still, you have to report to three different entities.

 

Justin Daniels  18:20  

Speaking of one of the legs of your regulations from hell in New York, I wanted to talk a little bit about the the SEC cyber rules. It seems from my perspective, and we’d love to hear your perspective is publicly traded companies and in particular, their privately held third party vendors don’t appreciate how the new cyber rules really fundamentally shift. Not only disclosure, but how you have to start documenting and handling in preparation for incident response. Could you talk a little bit about you know, what you’re seeing about how companies are thinking about the new SEC cyber rules?

 

Brian Haugli  19:02  

Yeah, so the first part that has, has shocked me shouldn’t shocked me, because I’ve been through this rodeo before with regulation. You have an organization, you have organizations that are now held to a new standard. And you have a lot of vendors out there who have quickly read the cliffnotes version of the regulation and come up with ah, this is what you need to do. This is that is all you need to do. And we can do that for you. So case in point I have a I have a potential client. Still don’t know yet what I’m still watching to see which way they go on this. But they are a indicator of others that we’ve now talked to who had been made to believe that all you have to do with the SEC regulation is get your act together around reporting incidents. And that’s only one of the components of the of what the SEC has called for in their final rule. In fact, I think that’s the easiest of the things to do that the SEC has asked for. The volume of the requirements actually centers around your ability to articulate what you have in place around your risk management, your governance, and kind of other aspects of, of your, your strategy, not just the incident disclosure component. And that seems to be missed, because the headlines, the news, the talking heads, and everyone’s honing in on this incident response component. And it’s like, Okay, once you understand what you have is an incident, and you have something that you can declare, because it’s material. Here’s your timeline. And literally, here’s who you have to submit that to. The rest of the requirements are centered around, you know, what type of risk management assessments have you done? What type of standards do you have in place? What type of strategic roadmap have you developed? How do you actually look at risk management? Who’s in place to do this? And you measure third parties, your internal, what policies and processes do you have documented? What type of board oversight do you have? There’s so much more to what the SEC has called for than just incident response, yet everyone focuses in on the IR component. So it’s, I think it’s interesting because people are jumping to and only gonna focus on the areas that they’ve heard about, that they can kind of wrap their heads around, but they’re missing kind of all the rest of the work that needs to be done. So the way that I’ve looked at what you need to do is, you can basically say, hey, to be SEC compliant, you can say these words, we have no cybersecurity program or process in place, that would make you legally compliant. If you said that in a queue with what the SEC is expecting because you’re you’re being very transparent to the shareholders, right? And you’re saying inside of your risk factors on your on your 10 filing, we don’t have these things in place. Okay, good. But nobody wants to say that sentence, right? Everybody wants to be able to articulate Oh, we have, you know, we’re doing all the things well, when you reverse engineer what’s being called to be called on to be outlined and disclosed, you start unraveling and seeing really a program that needs to be in place that hits a lot of different components. That program needs to needs to exist, it needs to function, it needs to not just be like, Oh, we did that once, three years ago. And I think it’s still in place, oh, we wrote that policy, it’s on a shelf somewhere, we’re good. We have a policy, like an auditor coming in, you know, they’re gonna look and say, Okay, two bad things happen. When auditors come in, they look and they see the date to the document that you created was yesterday, or the date on the document was three years ago. And in between nothing has ever been done, nothing’s ever been looked at. So the SEC is going to expect in disclosures. My belief is, you know, you’re showing you have a program that you’ve put in place, you’re constantly nurturing and maturing. And you are you have something that’s underneath each of these disclosure requirements. I mean, there’s like 14, components inside of 106, B, and C, that call for you to say you’re doing something, you have to articulate what that something is. One of the five is the only thing it has one. It’s like one line, where you basically say, if we had an incident, I’m going to file that in AK, here’s what that incident is, what your 10s your regular filings, those are going to have to have all the 106 rules. And you’re gonna have to say in every single Q and every single K, what you’re doing, and if I remember anything from talking with SEC folks, they don’t like to see that you said the exact same thing as last time, if it comes up, you can’t just copy and paste and be like, Okay, you’re maturing your cybersecurity program. Interesting. You know, that’s, that’s gonna be very transparent. I think for folks come March, when they start reading the majority of these as they’re written. T

 

Justin Daniels  24:08  

The one thing I wanted to just socialized with you and our viewers is, you know, we had in the last month, the ransomware cases with MGM and Caesars. Clorox was another one where there were disclosures. And one of the interesting things that I’m seeing, or at least in my head is, let’s say you have a ransomware case, and you pay $15 million, like Caesars did and then you’re going to file that with the SEC and say, Hey, we paid the ransom. We got our network back. We’re going to trust that the threat actor isn’t going to put that money that that data on the internet. What’s the SEC to stop them from turning around and saying, You know what, you paying the ransom. The FBI doesn’t want you paying it. The Biden Administration doesn’t want you pay in it. The SEC just turns around and whacks him with a huge fine for having done that and is a kind of backdoor way of regulating the payment of ransom because in my experience, Brian, I have yet to have a case where the client doesn’t decide that it’s the better business decision to pay the ransom than to try to even restore from backups if they can. Love to get your thoughts on that. I know I said a lot.

 

Brian Haugli  25:16  

Yeah, no, this is this is great. This is an area where I think I run counter to a lot of my peers on if you should pay the ransom. So the first question is, Is it illegal to pay the ransom? It’s not illegal, is it?

 

Justin Daniels  25:28  

It is not unless you are paying it to somebody on the OFAC list then it would be.

 

Brian Haugli  25:33  

and you have to know that right? You have to you have to know and there has to be public. Right? And you have to know that they are, you know, on the OFAC list.

 

Justin Daniels  25:41  

Actually, if you found out six months later, they got put onto it. That could be a problem. But generally, before you pay the ransom, you’re going to do all the diligence to really find out because if you don’t, then it’s money laundering, potentially.

 

Brian Haugli  25:54  

sure. So let’s let’s assume that they’re not on the OFAC list. It’s not illegal to pay the ransom. Yes, the FBI frowns on it because law enforcement doesn’t want anybody to support criminals. Right? The Biden Administration, or any administration doesn’t want it because they support the Department of Justice. Where where I usually kind of run counter to my peers on do you pay the ransom or not? Is there is an ROI to the business of being a hacker and being bad. So this is a business for them. Right? So first, we have to accept and understand that this is no longer some kid in his mom’s basement doing this. These folks have benefits, they go on vacation, they have health insurance and PTO. The forward groups are not just the developers of the software and everything have sales quotas, they have, you know, they have to meet certain KPIs. There is an ROI, there’s a return on investment, and there is a business that is running on the other side of this thing. So if I put myself now in the bad guy shoes, and I’m reporting, you know, ransomware, and I’m doing all this, is it good business? For me to go back on my word? Is it good business, for me to not give up the decryption key? Is it good business for me to take the money from the target, and then turn around? So you know what, I’m going to dish out all of your data anyway? No, it’s not. Because that gives a significant amount of negative brand damage, or just just negative brand and brand damage to what I’m trying to do. Because I want to make sure that the next guy or girl pays, and I want them to trust me that I’m not gonna divulge their information. Right? So it’s not good practice business practice for me as an attacker, and as a ransomware. Gang to actually go back on my on on what I’m saying. There actually is honor amongst thieves here. It’s crazy. But the reality is that, you know, that I think the reason that people don’t believe that is because they still believe this is some kid in his mom’s basement. Like, no, this is a business and their business is getting into your business. So the faster that organizations really think about ransomware groups and attackers as a competitive business to them. And what you would do to thwart that, how do you defend your addressable market? How do you defend your customer base, your, your edge, your product edge? How do you defend your intellectual property from a competitor? The more you think about that in terms and applying it to the bad guys, the better off I think you are paying the ransom, to me is the last resort. If my backups aren’t good, okay, I have a couple of choices. Either I go down, and availability is down. And if I’m in manufacturing, that’s incredibly difficult because I can’t materialize time. And manufacturing is based on time. Right? If it’s, you know, anything else centered around availability, you know, that’s hugely impactful, I have to factor in that what’s gonna get me up faster. Do I pay the ransom and I get access back to all my stuff? Do I try to restore from backups? And then it’s a technical, you know? Hope, honestly, or for most organizations, that seems like hope still that they’re there. DR On there BC planning, it was actually done well, and actually works. You know, if you don’t have backups that can restore you to a known good state, or even work in the first place, you know, what choices do you have left? You’re running a business. This is a business decision. Do you pay to get access back to everything? Or do you start facing the consequences of being down? That’s a business decision, and as long as it’s not Illegal, I think it rightly still sits with a business to be able to make that decision.

 

Jodi Daniels  30:07  

Well, in addition to needing good, strong security measures for cybersecurity rules for backup, so that you have a plan in case this very unique situation happens to you, there are also privacy laws that require people to have good strong security measures globally and a growing trend here in the US. And Brian, I was curious if you can share a little bit about how you’re seeing privacy come up with the companies that you’re working wit?

 

Brian Haugli  30:32  

So it, it’s generally coming up with our larger, larger clients, right after we’ve kind of stepped in and become the VC. So we brought in some engineering support, and we started rolling out some capabilities. And that as we’re learning more about the customer, and their objectives and their goals, you know, it’ll it’ll inevitably kind of show up all of our clients that are probably over a billion in revenue. This, this comes up on the on the heels of kind of month two of our engagement on security, where they’re like, Hey, since you’re here, and a couple of questions about our privacy program, can you help us say, Well, we have a CISO there and their specialty is not privacy, we can work with privacy, folks. We love GCS. GCS are generally our biggest champion, and our clients. They’re the ones who are probably the the most forward thinking when it comes to cyber risk. That is not someone who’s within under the CIO, or this is an organization. So we love the GCS, and they’re generally like, hey, we need to kind of do this. We were working with outside lawyers, outside counsel, but there’s some technical components here that we don’t really feel we have our hands wrapped around, can you help us and, you know, we’ve, you know, we’ve brought in that capability because I don’t want my CISOs doing that, and delivery, they already have something they need to focus on. So we have to kind of introduce, you know, this, this other function, but it’s, it’s very tied together, you’ve got, you know, again, I’m not a privacy, like expert like I, you know, people say I am on on NIST and cyber frameworks, but I know enough to know that we can support it. It’s relevant to aspects of what we’re doing, it relies on aspects of what we’re doing. But I can’t lead. You know, if you hired me personally, to come do it, I couldn’t lead that aspect of a program, I’m going to tap on someone, such as yourself to step in and lead of what those are, and then rely on me to say, Hey, Brian, you know, we’ve figured out where all the data is, or the PII is, you know, these are the requirements that X, Y and Z states or XYZ regulations have on this type of data for this type of client, can we make sure that those protections are in place, I can do that. But figuring out the high watermark on notifications, figuring out the high watermark, on being in multiple states, that’s like, kind of the thing I’ve seen is, you know, the number of different states have a variety of different requirements. And of course, none of them are exact, there’s some overlap, some are more stringent than others. You know, like you would look to me to interpret NIST guidance or regulation, I would look to you to tell me, okay, what are we supposed to look like over here? Right? How is that supposed to be structured, you know, it helped me help you kind of thing. So it definitely comes into play. I think the mid market, like when you kind of start going downstream, smaller organizations, it’s coming up less and less, except in health tech, startups. So we see, you know, this is usually one of the things that comes out, like immediately in an engagement with a startup. And we have a number of them that are in the healthcare space, or health tech, where they’re creating a platform. And it’s like, yep, we have PII. Or we’re going to have PII, or we’re going to interoperate in touch PII. So how do we have to think about this as well. So that’s generally the only ones where we’ve seen kind of startups thinking about it out of the gate, everyone else tends to kind of get to it, which I can’t believe that there can’t be privacy requirements in FinTech solutions or other startups and other areas. Until you kind of get to a larger size. So that scares me as a consumer. You know, I think a lot of what I’ve done over the last five years, has given me a real interesting insight into consumer and business products that have I mean, honestly, there’s this stuff isn’t thought about first or second or third. And as a buyer, you know, that’s kind of unnerving. Because of like, you know, Have? What do you mean, you’re not thinking about security? I mean, there was a, there was a home. There was there was a home security system company that we talked to three years ago that, you know, they had already been in play for years. And you know, taking in, you know, personal information because it’s attached to the person’s home. And given the nature of what a home security system does, it wasn’t ADT, but like, something like that. Very, very like that. Who is protecting your house, you’re relying to protecting your house? Have you thought about cybersecurity, and given the nature of how their product was built and designed, you would hope that was kind of day one, you know, consideration? Nope. You know, years into building, they’re like, Yeah, we haven’t really built a program yet. I’m sitting here going, I don’t want any of my friends to buy your product. Because I have the insight into knowing what you’re not doing. And that scares me. There was a health educator or a mental health, there was an education platform that we talked with, and they were like, Hey, we cut our budgets, you know, times are tough, but we’ve rolled this product out to so many schools, and we know parents love it. But we’re cutting back on the entire cybersecurity program. And I went over to a friend’s house, and they had a printout of this company’s product, because they were using it at my friend’s kids school. And the parents, my friends were like, Oh, we love this product. It’s great. It helps makes so easy between the teachers and the students and the parents. And I was like, hey, FYI. They just cut their entire cybersecurity budget to protect everything that you’re relying on, that goes into that platform, FYI. And we had like a really honest conversation about like, how do you think about that, now that you know that? You know, what does that change your view of? And it does, it does change your view, as a consumer, you’re like, wait, I figured, and it’s the same story, every time I’ve kind of kind of brought this up. Oh, I would have thought that they would have done this already. I thought this is just like part of their culture and their capabilities. I thought this was just like, you know, built into their product. There’s a lot of assumptions, that products that are out there that we rely on and use. Cybersecurity is one of the first things that’s being addressed, because it’s an expectation, and it’s almost kind of demanded as people. And yet, you know, it’s it’s actually not it’s not one of the top things it’s addressed, kind of when people are building products.

 

Jodi Daniels  37:31  

As very true, we could probably have an entire cocktail conversation about all the interesting companies and stories that we have seen. The good news for us is, I suppose we have a lot of day job security to try and continue to help all these companies on it.

 

Justin Daniels  37:48  

So Brian, when you’re not helping companies, figure out cybersecurity. What do you like to do for fun?

 

Brian Haugli  37:58  

I’m boring now. I used to be a pretty competitive bike racer. And then COVID hit and since USA Cycling falls under USA Olympic rules. That all got shut down. So we couldn’t even train as a team. All the races got shut down. So I’ve been off the bike for way too long. And I unfortunately picked up golf and I don’t really like golf. So I don’t do that anymore. It’s cool. I like being outside. I think that’s the thing I liked the most but, you know, I read a lot. I’m surrounded by books. You know, I generally just like read things that aren’t cybersecurity-related. So, I mean, I just finished Malcolm Gladwell’s Tipping Point for like the second time. So you know, like that Jocko Willink’s books on extreme ownership and leadership. Really enjoyed reading a couple different series from him. And I’m a huge Kerouac fan. I could read anything by Jack Kerouac actually changed my teacher back in high school. That one we’re, you know, they’re kind of doling out book reports, I think it was junior year. And you kind of go through the list and it’s like, there’s stuff on that you’ve seen right Gatsby. Tail two cities. Again, I’ll read that read that read that, you know, like a lot of stuff on the reading list. Like I had already read for fun. And there’s stuff on there. I was like now I’m not going to read it. And I still remember Mrs. Maddox. God rest her soul. She she took out Jack Kerouac On the Road and handed it to me it was like Brian, you’re going to enjoy this. I’d never heard of him before. She was like you are really going to enjoy this book just based on like who you are and like your nature kind of, you know, your your zest for exploration, and you’re gonna like this. And it changed my entire world. Books I think books do and that day it. And that led me that that book probably let me grow more as a person than anything else I’ve ever read or done, just based on, like, how he wrote that book and everything else. So, yeah, I mean, besides reading, you know, I’m been married 17 years been with my wife now 20. We met in college, you know, we’ve got a beautiful, you know, middle school aged daughter, you know, spending time with them, supporting them. And just kind of being a dad. And, you know, I’m, I’m the CEO of a company. So, you know, there’s a lot that needs to happen in that role. And we’re also publicly-traded. So I have quite a bit of responsibility in that position to not only my employees and our customers but also the shareholders. So I’ve had quite a bit to do, and I genuinely enjoy it. I like building things. So this is a new challenge. People kind of always asked me like, hey, when you’re done with SideChannel, and whenever that happens, you know, where would you want to go be a CISO at? Like, where are you going to go back to being a CISO at. I’m like, I’m never gonna go do that job again. Like, I’ve no, I’ve like, I’ve now built two pieces aside, like, we’ve designed and developed and launched two pieces of software. I’ve built a multimillion dollar services company, like, I’m gonna go do something like that, like, I’m not gonna go work and be the Chief Information Security Officer at some Fortune 500. Like, that’s such a monolithic job to me now, like, that doesn’t seem exciting. So yeah, I mean, we work, I mean, we’ve got two software products, RealCISO and Enclave. So my CTO and I, who he and I have known each other since seventh grade, he was in that same class that doled out those books, he saw me grow as a person. So yeah, hanging out with him, you know, just nerding out on technology and problem solving. I mean, that sort of stuff. So I don’t know, I used to have a much more exciting life. But now I’m in my mid 40s. And I feel like I’ve kind of slowed down and become boring.

 

Jodi Daniels  42:03  

I’m not sure I’d say boring, I think just different interests in different priorities. If people wanted to learn more about the software products and SideChannel and you, where should they go?

 

Brian Haugli  42:14  

Yeah, so sidechannel.com is our website. But probably the best spot is on LinkedIn. You can follow me on LinkedIn, I post quite a bit on there, it’s it’s probably my favorite outlet. It’s probably the only way that I can still try to be a teacher is through that platform. I don’t really favor any of the other ones. LinkedIn seems to be the best one. But we also have a YouTube channel. I have a YouTube channel called CISOlife where hopefully I can have you all on our video and podcast and talk more about what your organizations are, are focusing on. So we’re just kind of conversationally, just chit chat about cyber issues, what it’s like to be a CISO, things to think about. I get a lot asked a lot about career advice for from college kids. Given just like how I came into this role, so I tried to talk quite a bit about that, like how to think about the role different roles in cyber, because there are a lot of different roles. But yeah, so sidehannel.com and Brian Haugli on LinkedIn, the easiest thing to do.

 

Jodi Daniels  43:16  

Well, we are so glad that you stopped here today to share more about your story, the different challenges in cyber worlds and more about being a CEO. So thank you so much.

 

Outro  43:28  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.