Keith Novak is the Co-founder and CISO at Intentional Cybersecurity, an advisory firm supporting clients with cyber risk needs using penetration testing, control validation, and cyber due diligence. Keith drives the company’s growth and success by delivering high-value cybersecurity advisory assessments. A seasoned veteran in the industry, he’s worked with clients in all sectors and verticals. Before founding Intentional Cybersecurity, Keith led the global cyber risk advisory and strategy practice for Kroll, a leading cyber risk management and incident response firm. Keith is one of the few cyber professionals with experience in technical operations and business strategy, adding value to any cybersecurity team.
Here’s a glimpse of what you’ll learn:
- Keith Novak shares his career trajectory thus far
- Privacy and security in the cybersecurity industry
- Are companies complying with data transparency?
- Preventing privacy breaches
- Making improvements to multifactor authentication (MFA)
- How the new SEC rules will affect private companies
- The risk of deploying new technology without considering privacy and security
In this episode…
The SEC requires public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material. With the number of data breaches in recent events, we will likely see more 8-K filings. How can organizations be more proactive about protecting their data?
Cybersecurity expert Keith Novak explains that humans are still fallible regardless of how flawless a security program might be. Therefore, it’s imperative to train helpdesk personnel to be steadfast in confirming identities before resetting a password or MFA enrollment, and to let them escalate rather than complete a reset they are not comfortable with. Keith suggests improvements to the MFA reset process, such as asking for a pre-agreed passphrase or an employee ID that is not publicly discoverable. He also shares that private companies do not fall directly under SEC, NYDFS, and NAIC requirements and are not obligated by those rules to report breaches, although boards are increasingly asking for cybersecurity services, including risk assessments. Individuals can practice their own risk assessment, as well, by adopting a healthy dose of skepticism. Don’t shy away from asking why your Social Security number or driver’s license is needed.
In this episode of the She Said Privacy/He Said Security Podcast with Jodi and Justin Daniels, Keith Novak, Co-founder and CISO at Intentional Cybersecurity, discusses how privacy and security relate to cybersecurity. Keith explains the significance of data transparency, how individuals and companies can protect themselves from data breaches, and suggests multifactor authentication (MFA) process improvements.
Resources Mentioned in this episode
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors’ website
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: email@example.com
- Data Reimagined: Building Trust One Byte at a Time by Jodi and Justin Daniels
- Keith Novak on LinkedIn
- Email Keith Novak: firstname.lastname@example.org
- Intentional Cybersecurity
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media.
To learn more, and to check out their Wall Street Journal best-selling book, Data Reimagined: Building Trust One Byte At a Time, visit www.redcloveradvisors.com.
Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.
Jodi Daniels 0:22
I’m Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women-owned privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional and provide practical privacy advice to overwhelmed companies.
Justin Daniels 0:35
Hello, Justin Daniels here. I am a corporate M&A and tech transaction lawyer at Baker Donelson. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.
Jodi Daniels 0:58
And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and check out our best selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Well, today is going to be super fun.
Justin Daniels 1:37
Yes, because you’re here.
Jodi Daniels 1:39
Ah, that was so sweet. That might be true, but it’s also going to be really fun because we have a really awesome, longtime friend.
Justin Daniels 1:49
I just want our viewers to know that that comment will get me maybe about five minutes in goodwill until my next transgression. Maybe just two and a half. Alright. Let’s talk about today’s guest. Someone that I’ve known for a while and who really got me started in the industry. So today we have Keith Novak, who is a founding partner of Intentional Cybersecurity. He is responsible for steering the company’s growth and success by overseeing and delivering high-value cybersecurity advisory assessment and testing services. Keith, welcome to the program. How the hell are you?
Keith Novak 2:27
Doing great. It’s great to be here. And spouses aren’t supposed to have so much fun at work, by the way. I don’t know if you figured that out yet. It only happens during this one little block of time, then we’ll go to our separate ways.
Jodi Daniels 2:41
Yeah. Well, so Keith, we know a little bit about you, but our audience does not. So can you share how you got to where you are today?
Keith Novak 2:48
Yeah, absolutely. Appreciate the opportunity to be here. I actually got lucky. And I say that meaning I was not a student, right, I was not a person who wanted to go to college after high school. And I didn’t really enjoy the education experience. But luckily, back in the early 90s, I had a good friend who worked for AT&T, and I live in New Jersey and AT&T has a really big presence out here. And he was actually working for a very small part of AT&T called CommVault Systems, which has ultimately spun off into one of the largest backup solutions in the industry today. And he was actually working in shipping and receiving and I needed a part-time job. He offered me the opportunity to come into AT&T and work in shipping and receiving, and I saw the opportunity to leverage AT&T and what they were actually building and installing, which was backup solutions. They were the first in the industry. So I really got a chance to sit and learn about Unix systems. Many of us probably don’t even remember Unix systems, but I really got hands-on building and deploying and shipping all those systems. And that really started the career, where I spent three years there as a customer engineer, and then actually moved into healthcare, which was, as you know, a highly regulated environment. And I had a bunch of different roles. I got to build networks and wide area networking, and that’s when Windows started to come about and all those things. So I really got lucky in a timeframe where technology started in its infancy and really started to take off, and so I got an opportunity to just be a part of it. I ultimately went to college much later in life to get my degrees, but it was a good run and I really enjoyed the healthcare space. But after about 20 years doing break-fix helpdesk, the CEO calling you every time the spam filter didn’t block a, you know, a bad message and allowed a fake message through, I got to a place where I was tired of picking up that phone on a regular basis.
And I had a friend who was going to a company called Kroll, who’s one of the largest incident response firms in the industry. And security really came about when HIPAA was adopted. And that really, in my mind, was one of the first regulatory components that drove sort of the privacy, which we’ll talk a little bit about, and security. And so that sort of piqued my interest. But changing from keeping things running, keeping the lights on, to how do we now protect all of this data and information. And that really drove me into Kroll. So I took an opportunity at Kroll, where I built proactive services. So they’re an incident response and investigation firm. I built their pentesting; I was really the first pentester when we got started, and then doing things like vCISO and risk assessments and advisory services. It was fantastic. So I got to spend 10 years there really learning about breaches and legal components. Justin taught me a lot on the legal side of things. And then 10 years in the consulting space is a long time; you get burned out. And one of my former staffers decided to go out on his own and start a company called Intentional Cyber. And after 10 years, it was a great opportunity for me to step away from that grind, and really get back to doing the work that I love, which is helping clients get better at security. So that’s sort of the long-winded version of how did I end up where I am today.
Justin Daniels 6:38
Does that story resonate with you, Jodi?
Jodi Daniels 6:40
It does. A lot of that story resonates with me. And — you’re up? I am? No,
Justin Daniels 6:52
You don’t want to be up?
Jodi Daniels 6:53
No, that’s you. Do you think I wrote this question for the audience?
No, no, no, I’ll take it. It’s all good. We’re gonna be flexible. So Keith, coming from a cyber background, how are you seeing privacy come up more and more in the context of the cyber services that you provide?
Keith Novak 7:15
Yeah, that’s a great question. I think, look, fundamentally, you can’t have privacy without security. Right? They have to go hand in hand. And I think what’s really interesting, and you actually noted this a little bit earlier, is there are more and more laws being adopted at the state level. And there are two areas where we sort of see our clients coming. One is that they don’t understand all of the laws. They look at it as there are a multitude of things that they need to do, but they don’t know where to get started, right, how to get started. And so we typically take the tack of let’s build security, right, let’s make sure you have a mature program where you can actually protect the data that you have, and then start to help them understand what are the laws that they have to comply with. Everyone’s familiar with GDPR, I think, because it’s been around so long, and there are financial penalties for not complying. And so we hear a lot of references back to GDPR. But we’re not seeing a real focus on some of the state laws other than the California law, which has been around for some time. But I think people to this point are still a little bit trying to figure out what does privacy look like for them in sort of the United States, right, and all of these various components. So there’s still confusion. And so we try to help them figure out, where do you start, right? How do you eat an elephant? It’s one bite at a time, right? Let’s start with the security, then let’s start to get an opportunity to talk about privacy. What are the states that you actually have to consider? And then how do you go about that, and then introducing consultants or companies that can actually help them start to build that program. That’s really one of the very first things that we’re seeing pretty consistently for the small to midsize clients. Right? They’re still trying to figure out what is this need for them?
Jodi Daniels 9:06
It’s interesting, you say that a lot of companies are familiar with GDPR. I think those that have been doing business internationally are familiar. But if you’re a company who is entering that market for the first time, or maybe you kind of stayed under the radar and your customers, maybe you’re in the B2B space, and your customers start asking you questions, because I’m still talking to a lot of companies who have absolutely no idea what it is that they have to do. And they’re coming in because customer A gave them a contract, or now for the first time, they’re expanding beyond the US over there and they didn’t realize, oh, wait, that means I have to pay attention to all that too. So I do think it’s interesting. And my view has always been, and I think this will happen, and then we’re gonna get to this, but I won’t steal your thunder, that it’s a vendor ecosystem, where those big large companies will keep pushing down the requirements to all the smaller and midsize companies that are helping to fuel the engine, you know, in that vendor ecosystem.
Keith Novak 10:09
I think when I say familiar, I mean they’ve heard of the term. Right? And I think a lot of the state laws don’t get the notoriety, right. I think CCPA does. GDPR absolutely did; you know, it’s been in the news, it’s been around for some time. These other state laws, as they become adopted, are just sort of tallying up. There’s not real fanfare anymore, it’s just one more. And so when I say familiar with something like GDPR, it’s they’ve heard the term; it’s not that they’re actually meeting any of the requirements. Data processing, the complexity with which they find themselves having to comply, is really a challenge when they’ve taken that step. And normally it is, they have already taken the step to do business in an international place. This is a great example of this: we have a startup. And one of the things for them is that they are doing a lot of data collection, right. So they are taking all kinds of information when somebody signs up. So full personally identifiable information, right, driver’s licenses. They were pulling all of this data, storing it, because, hey, they’re thinking it has value to them as a business, right? So they’re just sort of doing mass data collection. And then we tried to do a data map. And I’m sure you can appreciate this. We said, okay, well, you know, we know the data that you’re getting, and now tell us where it goes. And when you start to figure out all of the solutions, the HubSpots and the CRMs, and we’re exporting to here, and we have a third party who picks up, and you try to draw some semblance of a chart that shows where the data is flowing, you realize that to them, they think there’s future value in the data, but they never took the step back to say, do we have a purpose to have this data? Right? What are we actually using it for? How long are we retaining this data? And when you start to draw this picture, it’s just a web.
It’s just a spider web, and it sort of grows and grows. And then they realize sort of the place where they are of how are we going to comply with privacy laws. They’re operating in California, clearly they have California data, right? And then add on all of these other components. So that’s what we’re seeing is not a real understanding yet of the challenges that they face. They’re still looking at it, especially from a startup: you adjust, you make it work, right? You make it work. And then you figure out sort of maturity later, which is a lot of times when we’re coming in, as they’ve reached the point where they are a viable business. And now they want to actually start to think about what are the things we need to do from a compliance perspective, from a security perspective? Because we’re a legitimate business and people are asking questions. And Justin is smiling, because this is what he does all the time. Right?
Justin Daniels 13:09
I’m smiling, because now I’m gonna head into our next question, because, or they meet you because they had a data breach.
Keith Novak 13:17
[laughs]
Jodi Daniels 13:19
What’s with the laugh? The words data breach and laughter aren’t supposed to go together.
Justin Daniels 13:25
It’s just that it happens so often, because now we’re going to ask you the question of, hey, what can we learn from the latest rounds of hacks, MGM and Caesars? I actually got to go on TV to talk about those. They seem to be getting a lot of notoriety, since people seem to think casinos have great security. What can you tell us about what we should learn from yet more hacks?
Keith Novak 13:52
So if we look at it from sort of the technical details of what happened, ultimately, it was phishing, right? Somebody social-engineered a third party into resetting multifactor authentication. And so the reality is, no matter how good your security program is, the human is still the weakest link, right? So if we look at it from a technical perspective, that is the one thing that always stands out to me. And as a pen tester, I actually love the social engineering part, because that is something that we do pretty regularly. Call in, pretend to be an employee: I reset my password before I left for the day, I got home, I can’t log in, my daughter’s sick, I can’t come to the office. Right, get them into this process of not thinking and sort of resetting a password and an MFA token and the like. So from a technical perspective, that’s the thing to think about. I think what’s interesting, though, is working in incident response for 10 years, and you certainly know this, there are breaches that happen all the time, and I worked on many of those for name-brand companies, right? They never made it to the news, I should say. Right now you have this 8-K filing that’s required; I think you’re going to start to see much more in the news, and people are going to be more aware that these things are happening pretty regularly. So I think, notification, right? In healthcare, we’ve had this for years. By the way, if you had a breach of over 500 people, you get to put your name in the paper, right? That’s been around for years. We’re starting to see that now with public companies. So, you know, it doesn’t surprise me that they were compromised. I think what’s interesting is the social engineering piece. But I think the 8-K filings now with this new SEC reg is gonna really open things up quite a bit.
Justin Daniels 15:43
So Keith, I really want to hone in on this point. And here’s a question that I have for you. And maybe there isn’t an answer. But this is why cybersecurity can be so tough: you know, one of the biggest issues that you and I’ve seen a lot is they social engineer for a business email compromise, and you wire money to the fraudster. And you don’t figure it out for a month and the money’s gone. Well, what most companies do is, okay, I need a cell phone number, I need to call somebody to verify that that person sent me an email and those are the wire instructions. But now we have AI and deep fakes where I can really impersonate Jodi’s voice or somebody’s voice, and it really sounds like them. I don’t know what I’m going to tell companies to do. It’s almost like you’re gonna have to have a secret written-down password. This is my email. This is Justin, here’s my, you know, does the dog go in the wind? That’s our golf raise up? What do we do with that kind of thing? What would we tell people? What’s that going to be, the multifactor authentication for that now?
Keith Novak 16:45
So that’s actually a great point. And so when I talked a little bit about the thing that we like to do from a social engineering perspective, which is impersonate an employee, the thing that it takes into account is that you had to have thought proactively of a passphrase, an employee ID, some type of token that I can share with you that no one else would know, ahead of time, to basically thwart that attack. Right. So in this case, we typically tell those companies that have been victim of us social engineering them about an employee ID. Do you have an employee ID? No one else would know that, right? It’s not going to be on a public website, it’s probably not going to be in your email. Right? The idea is to come up with some type of token, right, that you can share that only that person knows. That’s half the equation. The other half is enforcing your helpdesk, or the team that’s responsible to do password resets, to never go against that for someone who doesn’t know that piece of data, right? I’ve had that opportunity where they asked for an employee ID, and I just used my daughter’s sick: Hold on one second, honey, I’ll be right up. I know your head hurts. I’m getting the Tylenol, I just need to reset my password. Just give me two minutes. By the time I got back to the person on the helpdesk, they’re like, okay, sorry, no problem, no problem, I just reset your password. Here’s your temporary password. You have to teach, and you have to enforce, that if a helpdesk person is not comfortable resetting a password for some reason, they have to be able to sort of run that up; they’re not going to get in trouble for not resetting a password. That is definitely something that needs to be evaluated. But to your point, this is a cat-and-mouse game. Every time we get good at security, attackers are going to come up with another attack vector, right. That’s why you see zero days now coming out, right?
Before it was just spray-and-pray phishing emails. Now you’re seeing people burn what we call zero days. Attacker groups spend a lot of time trying to identify vulnerabilities in a system. And they know that once they use it, it’s basically what we call burned; they’re not going to be able to use it anywhere else. But they’re being forced into this place where they have to start to find deeper critical vulnerabilities. They can’t just rely on the standard phishing anymore. So it’s going to be more complex as time goes on. AI makes that even more difficult.
Jodi Daniels 19:22
You were mentioning how, with the new SEC rules, we’ll see more news stories because of the requirements for filing. What effect do you think these new rules will have on private companies?
Keith Novak 19:35
Yeah, you know, the cybersecurity industry at large, we really focus on a term called awareness. And so we talk about training and awareness, right, even the public, just making them aware of breaches and the types of attacks that people are sort of working through. I think the SEC rules may not directly impact a private company; they may certainly have an impact if that company looks to go public or raise funds. Right at that point, they’re going to have to sort of be IPO ready. So I think it’s going to start to bleed a little bit into those organizations. And in fact, we’re starting to see companies who don’t necessarily need to meet SEC and NYDFS and NAIC requirements, but they’re asking specifically, can we map their compliance? Are they compliant? Do they have the incident response? When should they have the controls in place? They’re thinking about it, which is good. And I think the rules create an awareness in an industry where it’s going to have some impact. I do not think you’re going to see private companies reporting their breaches, unless they absolutely have to, clearly, but I do think boards, specifically, are really interested these days. And we are getting a lot of push on the proactive services side from the boards to do a risk assessment, to really get an understanding of where they are from a security and privacy standpoint. So from our perspective, I think that’s going to bleed a little bit in a positive way, for sure.
Jodi Daniels 21:17
That makes a lot of sense. I also think, in addition to the board piece, the public company pressure on a vendor in this space is going to require some of those private companies to really shore up their security measures. So I think it’ll be interesting to see how that cycle and that impact might influence any responses that we see, and even if breaches might go down. I don’t know, I think it’ll be interesting. I think the cycle is going to really impact each other. Interesting. Well, that’s what I saw with GDPR and in California, where you had companies that had to comply, and then you had smaller companies say, no, I’m going to wait. And then the big company says to the small company, I won’t do business with you until you comply. So here, I think the evaluation of companies and their security measures will change. It will take some time; it won’t be tomorrow. But I think that’ll start to pass through the ecosystem.
Keith Novak 22:21
I think we saw that with CMMC, where these large companies holding major contracts ultimately are pushing those controls down to the smaller mom-and-pop shops that supply them.
Justin Daniels 22:36
So I kind of do this a little differently than the two of you. And here’s why. So when I read the regulation, the regulation specifically states the publicly traded company has to notify within four days of what is considered a material breach. But when you read the rules, what is in scope is, hey, publicly traded company, if your data or your information systems are owned or managed by some third-party private vendor, and they have a breach, that will potentially trigger your requirement to notify the SEC. So what I expect to happen come December, if I’ve got my GC hat on for the publicly traded company, and let’s say Keith and Jodi are in my ecosystem: Hey, Keith and Jodi, this is our new security and data protection addendum. You will notify us within 24 hours of the breach. And these are the very specific types of cooperation and data that you’re going to have to give us, because we’re going to have to make a materiality analysis, because you have our customer data. If you don’t want to comply with this, because we need it for the SEC rule, then we may not be doing business with you. And that’s why I think a lot of privately held companies don’t really understand what’s coming for them in December.
Jodi Daniels 23:52
I don’t think it’s total disagreement. I think it’s just a different angle.
Justin Daniels 23:59
We’ll see. Oh, and then the other part, for the benefit of our audience, is, now if I’m a low-level IT person, let’s say in the publicly traded company, and it’s like, hey, I think this is a problem, and the company doesn’t do anything about it, and that’s the root cause that ripens into the breach. Well, now they could tell the government, the SEC, under the whistleblower law, get paid by the government, and the company gets sued that way, and now you’re into derivative lawsuits with shareholders on top of potential personal liability for certain officers, because these class action lawsuits will go after the officers personally. And that’s why it’ll be really interesting to see if this is really the game changer, or if it’s more like CMMC, but it’s kind of set up that way. We’ll just have to see. Alright, let’s move on. I’ve done pontificating. Maybe we’ll have a show where you’ll just interview me and I can pontificate to people.
Keith Novak 24:51
Yeah. Oh, God. That was Justin’s way of saying I’m an attorney without actually saying I’m an attorney.
Justin Daniels 24:58
Oh, she’s well aware. I’m thinking, moving along. Okay. You kind of alluded to it earlier when you talked about companies collecting data, with your data map story, which was a good one. And you shared a story about companies who deploy new technology and don’t think about privacy and security at the time of their deployment. How often do you see that? And is there a good story to have around that?
Keith Novak 25:25
Yeah, sure. So actually, my neighbor came over yesterday, and he’s a lieutenant in the police force. And he gave me an interesting story about how they are starting to use drones. And I know this is near and dear to your heart, Justin: drones with video, where if there is a report of, say, an active shooter, they will actually take a drone directly to the location and actually start to shoot video. And what’s interesting is, he actually started to talk a little bit about the privacy concerns, right, what they’re told they can and cannot record. Right. So your flight path is over a bunch of people’s backyards. Right? Some of the considerations around that, right? What are you taking video for? So that’s an interesting one that literally just came out of nowhere last night. He always has interesting stories, as you can imagine. But on that same note, sort of video surveillance: I had not seen the capabilities of security cameras in a few years. And we were recently at a client location, and they were showing their video surveillance capabilities. And like I said, I hadn’t seen what these systems can do in a number of years. And what was amazing to me is, not only do you have the standard, you know, ability to monitor different areas, but you could basically type in, show me everyone that has a red backpack, or a blue jacket, right, and it can search back a period of time and literally bring back all of this data to a screen. You can zoom in and the whole like. So that’s one interesting thing; think about the privacy perspective of just that in your offices, right. But also they have cameras facing the streets, right? So you’re also getting license plates as people pull in and out of the driveway, right? Maybe a taxi driver’s turning around or something like that. All of this capability was really interesting to me at first, because I’m a nerd. And I love technology and the ability to hone in on these things.
There’s also the capability to identify a face. So if you have someone who’s come to your building, and they’re not supposed to be there, you can literally say, if this person is seen on a camera, email an alert. That’s some pretty amazing stuff. But have you thought about it from a privacy perspective? You know, have you notified your employees? Are there stickers? In healthcare, we used to put stickers up, you know, premises being video recorded and the like. And I think that’s sort of an afterthought. It’s the technology first. And this is where sort of the worlds collide from a privacy and a regulatory perspective. And so, you know, we just asked, what have you thought about creating notices and all of that? And it’s good, it’s top of mind now, so they’ll get that sorted out. But initially, they didn’t. So the capabilities of technology are really fascinating. But where it converges from a regulatory perspective and a privacy perspective, I leave that to you. I’m just — I get to look at it. That’s some pretty cool stuff.
Jodi Daniels 28:35
Well, Mr. Attorney, what say you?
Justin Daniels 28:39
Having worked on this specific issue with cameras, I’ve been asked about statutes. You can’t talk about video cameras without talking about the features. Like Keith talked about, once you start making the cameras with facial recognition, you have a very serious surveillance tool. And so when I talk about it, I always say, what is the one thing we can all probably agree on when it relates to trying to protect kids in schools? It’s the surveillance cameras. But in our efforts to really narrowly focus on the public safety issue, what doesn’t get discussed, what’s missed, is the issues about privacy and security. And then you have, you know, on private property, they get your picture, and is that a search and seizure? Because remember, you don’t have the same expectation of privacy when you’re on a public street. But it starts to get a little dicey when it might be in a mall where you’re asked to go there. They have common areas too. But then let’s say they put in facial recognition, because retailers are having all kinds of people go in their store and steal stuff. So the way they’re combating that is, we’ll put cameras and facial recognition in there. Well, now you get into, well, somebody’s been wrongly accused, because facial recognition is imperfect and it gets it wrong with a lot of minorities. And that’s why I’m glad you brought this up, Keith, because you can go down a whole rabbit hole of issues, and you don’t want to find out that you’ve done all this once your cameras have been up for a year and you have a problem. And I see that happen a lot.
Jodi Daniels 30:14
What he said. That’s why it’s the he said, she said.
Justin Daniels 30:18
But you just said “he said.”
Jodi Daniels 30:19
I know. I have nothing else to add. Wow. Now, Keith, you know a lot. So you have some interesting neighborly conversations, it sounds like, but perhaps you might be also offering said neighbor some special cyber tips. And we always ask everyone, what is your best cyber tip that you would offer at a backyard barbecue or cocktail party when your random neighbor comes over?
Justin Daniels 30:43
walking the dog for walking the
Jodi Daniels 30:45
dog. That’s what it is. Welcome my buddy. Well, when he’s walking the dog, he’s gonna be talking to the dog for you. So then he doesn’t have to give a tip.
Keith Novak 30:53
That’s true. Actually, that’s our time, when I walk the dog. That’s, you know, I think a lot of people revert to sort of MFA or, you know, some password managers. Honestly, the best advice I would give for people is adopt a healthy level of skepticism about everything. Why are you asking me for my social security number on my HIPAA form? Because it shouldn’t be required, right? I shouldn’t have to give that to you. If you walk into a store and they ask you for your driver’s license, and you have no reason to give them your driver’s license, there’s no reason for them to identify you. Ask the question, right? Or say no. Be willing to say no. If you get an email, and you don’t know whether it’s phishing or not, delete it. If it’s really important, they’ll find you another way, right? Adopt a healthy level of skepticism. I’m just a skeptic at heart. I think maybe because I’ve been doing this for so long. But I think that’s the most important thing. There is no silver bullet to security, right? MFA, AI, NextGen, XDR, MDR. All of these things are really great in tandem, right? All of these things go a long way to helping an organization become secure. But if you could trick the one IT person in your third party to reset privileged access MFA enrollment, all of this goes out the window, right? You spent millions of dollars on security solutions, and literally a 10-minute phone call with the IT Helpdesk person that said, “I left and I can’t get back in, can you reset my MFA?” That really goes to my heart. I would say skepticism is most important.
Jodi Daniels 32:45
I don’t like it. It’s funny you said that about the email. Because I will often tell people, if you get that spam number that comes across and you’re not sure who it is, don’t answer the phone. And if it’s really urgent, they’re going to leave a message that they’re a real person. And they’re going to call you, so you haven’t missed anything. People kind of know the situation, and they will find you if they need to.
Justin Daniels 33:08
Like the Terminator.
Jodi Daniels 33:10
I don’t know about that one. I’m just gonna say, if someone calls you and you didn’t pick up right away, they’re gonna leave a message. They’re gonna text you, they’re gonna find you somehow, if they’re real.
Justin Daniels 33:19
My new mantra is going to be when it comes to privacy and data collection. Just say no.
Jodi Daniels 33:24
I know. I’m thinking of that phrase. We could bring it back. Yeah, sinister is that say? Just say no.
Justin Daniels 33:28
Yes. Maybe we’ll have the Nancy Reagan ChatGPT bot for that whole program.
Jodi Daniels 33:33
See that? That could be a really good Cybersecurity Awareness Month.
Justin Daniels 33:36
Yeah, we are heading into October. Alright, enough of the husband and wife banter. So we need to ask you, when you’re not doing your cybersecurity and building your entrepreneurial venture, what do you like to do for fun?
Keith Novak 33:50
Well, being that I live in New Jersey, and we’re now starting to dip into the 50s pretty regularly here, I’m looking forward to skiing this year. My 13-year-old got her skiing in last year, and she has really taken to it. So we have plans to do a bunch of trips away. And so that’s actually what I’m really looking forward to. Summertime: beach, boat, fishing. Wintertime, though: skis, downhill, having some fun.
Justin Daniels 34:18
Where are you going to go skiing?
Keith Novak 34:20
We’ve got plans for New York, Vermont, New Hampshire, and some of my old colleagues have moved out to Colorado and Utah. So we’re gonna plan two trips this year out west, so I’m really looking forward to it. This is gonna be a great year for skiing for us. Hopefully we get snow with this El Niño. You never know, right?
Jodi Daniels 34:43
Yeah, that’s true. I think it might be snowing down here. I’ve been told we’re gonna have that icy, sleeting kind of winter, so you can come down here and just ski down the hills. Alright, Keith, this has been delightful. Where can people find you to learn more and connect?
Keith Novak 35:02
Yeah, so the website is best: intentionalcyber.com. My contact is out there; feel free to reach out anytime. My email address is KNovak@intentionalcyber.com. Happy to talk through anything that you may have going on.
Jodi Daniels 35:21
Well, Keith, thank you so much for stopping by. It was, as always, very insightful. Thank you, Keith.
Keith Novak 35:28
This was a lot of fun. Thanks for having me. Really appreciate it.
Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.