The IT market is built for sellers, not buyers.
That's why 80% of tech buyers regret their last major purchase. Deals take longer than they should. Teams get locked into platforms that don't fit, contracts they can't escape, and vendors they wouldn't choose again. The pitches, demos, and analyst reports are built to close deals, not help buyers make the right one.
Signed is the podcast for the buyers. Host Max Clark, CEO of ITBroker.com, talks with CIOs, CFOs, operators, and founders who've lived inside real enterprise tech deals — the ones who can explain what actually determined whether the deal worked.
Plus weekly Playbooks breaking down the moments that matter most: renewals, M&A, compliance mandates, office moves, budget cuts, and the specific plays that separate buyers who get it right from those who regret it.
If you're responsible for choosing, negotiating, or living with the consequences of enterprise technology, this show is for you.
New episodes weekly. An ITBroker.com podcast.
Max Clark (00:00)
Years ago I was running a data center fiber business and I had a hospital client and they had a ransomware. You're talking about a trauma facility where they're like shifting people out of the, you know, like ambulances are showing up to take them to other hospitals because they were so shut down.
And I'm talking to the CIO and I'm like, we stock spare equipment, like this is not in our scope, we will figure it out afterwards, I will send a team to your facility with gear to get you back online. And he's telling me, he's like, no, we need to bring in people and do an assessment first and figure it out. I'm like, figure out what? Your firewalls don't...
Your switches are down, your routers are down, your servers are down. Everything's down. Like everything, like what are you gonna assess? I mean,
Max Clark (00:41)
I'm Max Clark. This is Signed. My guest today is Dave Chronister, founder of Parameter Security.
And today his firm does, well, a lot of people call pen tests, really vulnerability management and assessments, AKA a company bought a tool, thought they implemented the tool, is it actually running or not?
These are pages of questions I walked into this with thinking I was gonna ask and very quickly the conversation shifts. And instead of talking about tools and technology and solutions, you're gonna hear a discussion about policy implementation and risk management. I'm gonna get Dave on again in the future. We're gonna talk about the other stuff as well. For right now, let's talk about the actual gaps in security policy and security operations and what this might mean for you.
Max Clark (01:35)
Let's just start at the top, which is when you walk into a new client for the first time, before you've started anything and assessments have kicked off, interviews, you're just there talking to people. What's the first thing that tells you I'm here to actually do real work or this is just theater work? Because there's a separation between those two.
Dave Chronister (02:01)
Yeah, I would say over the past 10 years, with the C-level becoming a lot younger or more my age, I should say, or more computer savvy, is the openness about what their actual concerns are or the understanding of why they're doing it. Typically, if I have a client that says something along the lines of, you know, we had a competitor that got hit with ransomware,
very concerned about it, or we have PCI or HIPAA compliance regulation responsibilities, but we're not really sure if we're doing it correctly. That's typically going to be a client that we can help that's looking for help. We still do every once in a while, well, my IT guy says that we need to spend more money on security, but I don't know. So we're bringing you in to try to figure it out.
Again, with security, the problem is you're preventing. The idea is preventing or to minimize any sort of damage. So you don't necessarily see the fix or preventing the issues.
Max Clark (03:17)
We're going to go off the rails already. We're on question two. I've been asking this question for 10, 15 years now, which is, how do you sell security to somebody who's not actively buying security? This is a big issue in the industry, it's, you know, SDRs are out campaigning for different security tools, and CISOs are getting pissed off because people are cold calling them on their cell phones, and companies aren't investing in tooling. But what I've seen as an outsider in that sphere is,
Dave Chronister (03:19)
Alright.
Max Clark (03:48)
that you can't educate somebody into purchasing security. You can't tell them all the stats out of the DBI or you can't share like, you will have this happen. This is the average cost of an event. And as a result, X percent of companies are going to fail within this period of time. Like that doesn't seem to move the needle at all. And so, you know, when you like, we need, our IT guys said we need to spend money. Right. And now we want to find out if we need to spend money. But, you know, as you said, it's about preventing
an invisible thing from occurring that's not quantified. What actually is moving the needle now for companies to do this? Is it just like, my competitor went out of business because of this?
Dave Chronister (04:31)
Yeah.
You know, it's real easy to say the automatic answer is you just don't sell to someone that doesn't want security. I would say for a certain group that are not even willing to have the conversation, there's a difference between they don't see the need for it or they don't understand it. And so the ones that don't see the need for it, like, when I started years ago, I was always upset when I'd run into prospects like that.
Max Clark (04:39)
That's the default,
Dave Chronister (05:00)
Eventually you learn they'll figure it out at some point or they'll go out of business. It's just the way it is. What I've done a lot to help clients or prospects is to really talk about number one, get rid of cybersecurity. I don't like the term cybersecurity. Are we protecting ourselves from cybers? Are we protecting cyber? I don't know, but we're talking risk, right? And if we're talking data, then we talk about, well,
It could be data that's on a piece of paper. It could be wherever. So let's manage risk. And what I've found is a lot of C-level understand risk from the financial standpoint and just having them understand. We're just trying to get your organization to the level of risk you want to be. And by the way, you're the boss. You're going to figure out how you want the business run. We're just looking at it from a technological standpoint or from a risk standpoint.
The other thing I've done is I used to do talks called Inside the Mind of a Hacker. It was an hour and a half of here are all the attacks, including here I'm going to do a phishing attack. Here is a Trojan from the hacker side where you can see me turn on a webcam, listen to your microphone, watch what you're typing, and understand that the way you're set up right now, you'll never know that that's on your system.
It kind of scares people into it. I don't try to do scare tactics, but it's the reality of what's happened.
Max Clark (06:28)
But when you see it, it's hard to unsee, right? Is the other side of it. You touched on it, but it lines up perfectly with where I've been for a while now, which is I can't, it's not my job to convince you that you should care about some piece of technology. Like actually, I don't care if you don't care about some piece of technology. It's like you have to decide that this is important for you for the business. Like, where are you trying to get to? And then it's like, okay, this is how we get there, right? You know, like.
Dave Chronister (06:30)
Yeah, exactly.
Max Clark (06:54)
You care about your phones. You don't care about your phones. You care about your network. You don't care about your network. You care about a cloud platform. I mean, I don't care. It's frustrating, me being on the outside watching like a train wreck about to happen. And you're like, how do you keep this train wreck from happening? At the end of the day, it's, this is your stuff. Do you care about it or do you not care about it? I don't think that'll ever leave.
Dave Chronister (07:22)
Yeah. And you know, along those lines, this is also why I think we're talking, you know, we're guys from the IT in the nineties, early aughts. And, you know, we had the tail wagging the dog, where it was IT is responsible for everything. And the thing I've really been pushing with my clients, with when I was teaching my students, when everybody is as IT, you are not the owner of the data. You're holding it. The
board, the management, the corporate owner, they are responsible for it. And I think when we start to get that mindset of it is the C-level suite that's responsible for the success of it, there's a little more take more, a little more do care done by them rather than, well, the IT guy has it. It's always the IT guy, even if it's a female, but it's the IT guy has it. It's like, number one, you're not giving them money. Number two, you're not telling them
what you want to do, you're just kind of throwing it out there. You know, regulation has really helped with that, I think a lot with the C-levels.
Max Clark (08:32)
Good friend of mine years ago was running IT, global IT, for a business and somebody in the finance team came to him and was basically complaining about how expensive, like, they were. And he's like, I don't know what you're talking about. I have a team of five. We cost nothing. I didn't pick this stuff. This is all you, you have X amount of people with laptops and software and all this stuff. You're expensive. Not me. But he got pushed into this place of like really doing what I think everybody should do, which was like allocated costing, right? Like
Dave Chronister (08:51)
Right.
Max Clark (09:01)
It's not my budget. It's your budget. You know, I'm just facilitating it. Sure, it works, you know, but my org is small. I mean, his point was his org was minuscule compared to the size of the total company, and you know, like, this idea is really funny. So I guess where to go from that is like, give me an example of like a recent engagement where you walked in and you know
Dave Chronister (09:06)
Yeah. Yeah.
Max Clark (09:30)
the executive that brought you in, the company brought you in, thought that they had a gap, like we kind of identified that we think you have a gap, and you start digging into it and you find it's like, what you think you have is actually like just the tip of the iceberg. And what does that look like typically? Because I mean, what people think they have is usually not what they really have, right?
Dave Chronister (09:53)
Yeah. So we had an engagement, we'll say Company A, four years ago. I was familiar with their salesperson, just from not working. They had a ransomware engagement, brought us in to do DFIR. Then we started doing some advisory pen testing, right? So it's two family businesses that merged, the Company B.
Owners of Company B were part owners of Company A. So talking about like, you were talking earlier about, you can't tell someone. So the CIO, who's also one of the owners of Company A, says to the owner of Company B, you know, you really need to look at MDR. And they go, no, we're good. They get hit with ransomware the next week. So we come in, help them with the final
root cause analysis, doing some MDR and doing a risk assessment. As we start going through it, we start to find out they're trying to run two companies in different domains, but they only have one system administrator and one PC tech. And they're letting anybody, everybody run local admin. It just starts to pile up and, you know, it's going to happen. What I have found is people are over.
Right. And I have, up until my recent ADHD diagnosis, dealt with anxiety and catastrophization. So I'm all uber sensitive about this. So instead of going, yeah, it's this, this, this, this, this. And I think especially some people that sell solutions can sometimes think they're helping, but just cause more anxiety and more just denial.
We start to talk about, you know, there's root issues. Let's get you on a framework. Let's start to talk about issues. Stuff that we know are problems but are fixable. Let's not make it seem the world's on fire if it doesn't have to be, you know. Hey, maybe you should have one domain for both of your organizations because you just have just the right amount of people. You know, things like that, really kid gloves.
Because the other thing I've noticed is most CEOs, most management, they want to do right for their company. And this is an area where they don't know what's going on. And as a business owner, I can tell you, it's scary when people are relying on you and you have areas of weakness in your skillset. So really just trying to empower them to make better decisions, to get up to speed, and to be more comfortable with being uncomfortable
has been the best way I've seen to handle it.
Max Clark (12:52)
Quick, another segue here. I try to keep on, not go too far off the rails, but
you touched on this briefly. Let's just use pen testing as an example, right? You're brought in to do a pen test, which is ultimately you're brought in to give them a report that says, you know, these are the things that we found that you should think about addressing and potential ways for you to address these. But then it's up to them to actually decide to do something about the pen test and actually implement it. And my frustration for years was
the disconnect between those two things. Like, here's what you should do and what do they actually do. And like that, like it's not my job to actually get these things implemented. It's my job to give you information, educate you. And what do you think, like just off the cuff, percentage of people that actually take a pen test or take these kinds of assessments and then actually implement a meaningful change in their organization? Or do you see a lot of people are just like, okay, thanks for the information.
We can't focus on that right now because of whatever reason for the business and we'll come back to it at some point in the future.
Dave Chronister (14:01)
Yeah.
So mine will be a little skewed because I'm dealing with a lot of regulated entities that are required to fix them. But it's probably, for me, it's probably 70, 80%. Interestingly enough, it's my larger clients that we have the issue with. We had a Fortune 100 we had a four-year deal with, and at the end of four years, we looked at both the year one and year four reports and it was almost the exact same findings.
Max Clark (14:09)
Mm-hmm.
Dave Chronister (14:34)
And, you know, their thing is, we're a battleship. It's hard for us to move. There's a lot of, you know, what, bureaucratic whatever. And you just sit there and you go, okay, but you're a big target. But, you know, one of the things that we've always tried to do is, you know, people go, well, I want to start with the pen test. I don't know what I have and what I do. They go, maybe that's not the best place to start.
Max Clark (14:41)
bureaucratic tendencies, yeah. Change management, yeah.
Mm-hmm.
Dave Chronister (15:05)
Right. Maybe we just do a vulnerability assessment and just get you some easy wins, you know. Or we'll have the companies come in and, we want to do quarterly pen testing. Have you done pen testing before? No. Well, you're going to have the same results. It's going to look bad. You're spending a lot of money. I'll take it, but there's other things that we can do, you know, and it's really, there's a disconnect sometimes.
Pen testing, it's funny, I started this in 2007 and at the time it was called ethical hacking. The reason I knew about it was because I was running a bank. I had to have it done. I went to meet a CIO of a Fortune 500 company here in town. I explained what we did and he goes, that's a novel concept. I'll let you know if I know anybody that needs it, right? This is 2007.
And now I will have people that are running like mom and pop shops, their telephone mail, you know, telephone order, the mail order, they'll go, I think I need a pen test. And so, you know, it's the pendulum swung the other side and it's like, maybe you don't at this point, maybe we need to look at some other things instead.
Max Clark (16:18)
Is it just because...
I mean, we see insurance companies require pen tests or like SSL cert companies that require a pen test annually. Is it just we've entered the lexicon where people are like, I need a pen test because for some reason that's gonna like secure my environment or check some box that some other company is gonna want from me?
Dave Chronister (16:39)
I think so. I think there's a lot of that. I think it's also, that's what people have heard before, penetration testing. You see a lot more, again, in non-technical talks. I went through a phase between probably 2014 to 2018. I was doing a lot of media on almost all the national news, CNN Headline News, on
every time that there was a hack. You know, and so it was like, it was fun. It was sexy. It was whatever. I was speaking to C-levels. I was doing a lot of that. So the education started to come in and because people know pen testing is also ethical hacking, it's like, ooh, we're going to get a hacker to do this. And it's like, well, maybe you need to look at your program first and then use it for validation. I think we've
done the, going back to the Inside the Mind of a Hacker, we've done the fun, sexy stuff, but people don't understand that there's actually more foundational work to do. Yeah.
Max Clark (17:37)
Right, right, right.
You know, I'm trying not to laugh too much, right? But you're like, are you running? I mean, we want to, I love IT marketing because we have to define the terms and redefine them every year. So that way somebody can get some kind of like marketing advantage. Right. So two-factor authentication becomes multifactor authentication becomes two-step verification. Right. It's like, what term do you use? It's like, are you running it? No. OK, we should start by turning that on. I don't need to pen test you to tell you that you should be running this thing. Right. I had a
Dave Chronister (18:00)
Right.
Great.
Max Clark (18:16)
Years ago I was running a data center fiber business and I had a hospital client and they had a ransomware. I think it was Petra. It was Petra. And I mean, you're talking about a trauma facility where they're like shifting people out of the, you know, like ambulances are showing up to take them to other hospitals because they were so shut down. And I was talking to the CIO, we got wind of it, you know, we were providing fiber into their building.
Dave Chronister (18:27)
Mm.
Max Clark (18:43)
We had no insight into their IT operations and I'm talking to the CIO and I'm like, I have, we stock spare equipment, like this is not in our scope, we will figure it out afterwards, I will send a team to your facility with gear to get you back online, like to get to like. And he's telling me, he's like, no, we need to bring in people and do an assessment first and figure it out. I'm like, figure out what? Your firewalls don't...
Your switches are down, your routers are down, your servers are down. Everything's down. Like everything, like what are you gonna assess? I mean, and unfortunately this hospital ends up folding not too long afterwards, but you could just see the decision like train wreck is going on. You're like, what are we focused on here? You know?
Dave Chronister (19:17)
Great.
Yeah. Yeah. Well, and you know, when we do IR engagements, it's like, hey, we want to preserve evidence, but you know, there's a certain point of you have to balance it. And sometimes people just don't get that. And I think some of it's horror stories people have heard about, well, you know, for example, with the hospitals, OCR, which comes in and fines them for not doing a root
cause analysis or something. It's like, well, you know, if you had a plan when you went through this, some of the issues, if you did tabletop, especially for your incident response, would have solved a lot of these problems you may run into and may give you more realistic. I had an IR I dealt with and they were a tech company and they had, I think it was like 342 E-Rex full of servers in there,
hot, or a warm site, I guess, because they had to do a little bit of work. And they're like, we're going to get all these servers up in six hours. And okay, how many people are you going to do? We're going to have 12 people working on it. Okay, you have three KVM switches. How are you going to do that? And it's just things like that. People just don't think about it. And again, back to your point of it sometimes isn't even technology. Sometimes it's management decisions.
How long can we be down? No, we're not doing this because it's too risky. And people just, a lot of times just don't think about that.
Max Clark (21:03)
I grew up in Los Angeles, so we had to do the, when the earthquake hits, like DR plan every year. And it finally, it actually was frustrating for a lot of my career until I finally realized my job was just to give them the plan. And then the board could say, we reviewed the plan, we're not doing it. And then that was like, okay, I, you know, was like, I've done my job, right. But in the process, one of those years I was talking, there was an aerospace, big aerospace company, everybody knows the name, you know, in the LA area.
Dave Chronister (21:07)
Yeah. Yeah.
Right.
Mm-hmm.
Max Clark (21:30)
And they had a DR plan, and it was they were going to have their key personnel go to a parking lot and get on helicopters and fly. They were going to fly them out of the state to like their other facility, basically. Right. Which I mean, distance wise, you know, for these helos, like it would work. And you're talking, I remember talking to the guy about this and I was like, so how many of these key people that you've identified have families?
Dave Chronister (21:44)
Yeah.
Max Clark (21:54)
Like number one, and number two, how are they gonna get from wherever they live through the collapsed freeway system to the parking lot where they're supposed to take off? And you can see the look in the eyes of like, nobody's thought of that. Nobody's thought about that. Nobody's leaving their house and their kids and their spouse and be like, sorry, I gotta go and get a helicopter and book out of town.
Dave Chronister (22:04)
Right.
Yeah, right.
Yeah, right.
Yeah, I have two there. So I had a client, it was a regional, a small community bank over in the Illinois side, rural community. And you know, we have tornadoes in the Midwest. So we're always talking tornadoes. And they're like, well, I go, so let's say a tornado hits. What do you do? And they go, well, we close up shop and then we open up over at the VFW.
Max Clark (22:35)
Yep, yep.
Dave Chronister (22:48)
Okay. What are you going to do while the tornado is coming through? We didn't think about that. How are you going to get this stuff over? Yeah, we didn't think about that. Their idea was we're just going to go over to the VFW and we're good. And it's like, no, it doesn't work that way. But the bank I was at before I started Parameter was a small community bank.
The headquarters was 40 miles north of St. Louis, 3,000 people in that city. And that was the largest city we were in all over. So interesting thinking that would happen. My boss, who was the owner of all the banks, his name was Donald. I would always tell him, we need to make sure that the disaster recovery has more than just the technology. He got cussing, you know, that's all it need, Dave. Don't worry about it. We had a bank
called Bank of Louisiana, Louisiana, Missouri, up there. And it was one of those, think of, like, these old towns where downtown, every building's connected to each other. Right? And so his granddaughter was the bank president, and she calls me one day, one morning, she goes, one of the buildings collapsed, and they're not letting us into the bank until
Max Clark (23:57)
Yeah.
Dave Chronister (24:13)
they are able to inspect every building. And I go, I don't, call your grandpa, man. This is not me. And he calls, I go, the computers, I don't know how I didn't get fired for this. I'm like, Donald, the computers are running. What do you want from me? So, you know, it just, it's, things are not thought through. Yeah.
Max Clark (24:35)
So, you know...
How? I've been thinking about this one for a long time where it's like...
Coming from the world of internet and data centers and hosting websites and applications, not what we call SaaS, anybody that went through that era had at some point had a DoS attack. And so then collectively, we ended up with enough scar tissue of dealing with DoS attacks. You go out and you get some sort of mitigation system. And it just became a cost of doing business on the internet. You had to have a mitigation system in play. And so when we talk about like,
Dave Chronister (24:54)
Yeah.
Max Clark (25:16)
You know, these things get a little backup and recovery and business continuity, disaster recovery planning, and incident response, security. They're still siloed in industry speak, but they are all kind of like blurred together in some way. And how much of this is just collective scar tissue that people have to go through in order to go, it's important for us to test our DR, like have a DR plan.
and then test it or have an incident response plan and then test it or do a tabletop because the last company I was at or my neighbor's company that had this thing and unfortunate status, most of them fail afterwards. The companies go under. But are we just counting down the clock in terms of enough scar tissue and collective bad experiences before people just approach this differently?
Dave Chronister (25:59)
Mm-hmm.
Yeah. I, you know, unfortunately, I think it's one of those of companies that don't learn will be out of business. You know, unfortunately, with some of this stuff, especially with exfiltration of data, part PII and PHI, especially, we all deal with the damage. Yeah. I think what I have found is organizations that have been hit and have been hit hard get it.
And there's an emotional, I mean, it is, when I talked to a lot of the C-level with these IRs, you know, I have guys doing the work now and I'm doing more counseling with them. You know, we will get through this, but let's make sure this doesn't happen again. Strangely enough, you know, time heals all and people all of a sudden, you know, that client,
Company B that we were talking about earlier, they got hit by the ransomware and we did the risk assessment, it became very apparent they needed a security program. Once talked to us about VC. So, and then I was out of town, they were out of town, and now they will not respond because they're just, you know, moving on. And I think that that's real dangerous. Again, it's also the framing from a technical standpoint is, you know,
Max Clark (27:22)
They've moved on. Yes.
Dave Chronister (27:35)
Business continuity and disaster recovery is not a technical thing. We're a technical civilization. But, you know, even when we were at the bank, it's like, OK, does everybody have a flashlight? Does everybody have pen and paper to actually write down transactions while we're down? I think if we can somehow get it out of the cyber world, and that's again, this is why I don't like cybersecurity. We get it out and understand it's business continuity instead.
You know, I think it would change a lot.
Max Clark (28:09)
So you touched on this briefly, right? How much of this just is that companies being sold something, a tool, right? And then, of course, the tool not doing what they think it's doing. And then is that like a vendor problem where the vendor has sold something that they just can't do, or a buyer problem because we've got an education or understanding gap or integration issue? I mean, I see this all the time where they buy stuff and they can't get it working.
Dave Chronister (28:19)
Mm-hmm.
Yeah.
Max Clark (28:38)
We, you know, how does that dynamic play into all this? And like, what's the cause there?
Dave Chronister (28:43)
I always laugh because when I first started the business, I talked to CEOs and they would go, well, we have a firewall, so we should be good. And I always want to do like a slow clap.
Max Clark (28:54)
This show exists because of what we do at ITBroker.com. If you're in the middle of a real tech decision right now, new technology, vendor selection, a contract that doesn't feel right, an M&A event that just landed on your lap, and so on, we help buyers like you get it right. Independent strategy, sourcing and contract negotiation, no kickbacks, no sales quotas, just someone in your corner. Schedule a call at ITBroker.com. Back to the episode.
Dave Chronister (29:18)
I think it is the fault somewhat of IT. It's residual from back in the dot com era of here, we'll fix it. And then marketing of...
Well, this will solve your issues. And we know that there is no tool that solves everything. I'll ask clients when we do policy, what's your patch management policy? Well, we use WSUS or we use whatever other service. It's like, that's a solution. That's not the policy.
You know, when we get into a lot of organizations, we find that they're using a lot of technology they don't necessarily even maybe need to use, especially on the security side, investing so much on one area, not investing on the other area. And, you know, I can feel for them, right? I've been doing this since I was seven years old. I'm 50, right? I get technology, but a lot of these people don't.
And they're being told, well, I buy this, I buy this, I buy this. And it really is something where, again, when I got into this company, I would tell you technology would protect you. I really believed that because that's where I came from. Almost 20 years of pen testing, incident response, I'll tell you, it's the plan. You know, it is, you need to have a blueprint for you to build that house.
tight, your MDR, all that, those are just ants. Those are the tools to build that house. But if you don't have that plan, it's not going to make any sense. And there's going to be unrealistic expectations. So, you know, the line I use with clients is we're risk management. We manage our risk. We do not eliminate risk. It's impossible to eliminate your risk.
Max Clark (31:21)
Boy, there's a lot. There's a lot to, we can go into that with one might. Quick anecdote of your time, but we have a firewall, we're OK. I mean, after having to do PCI audits for a long time, it was like, we have to have a firewall between our web server, application server and our database. I was like, OK, what's the point? The application server can talk to the database, firewalls allow that traffic. You know, like if somebody gets on the application server, they have access to the database, like the username and password connection string is in plain text on the application server. Like, what are we talking about here?
Dave Chronister (31:29)
Yeah.
Yeah.
Right, right.
Max Clark (31:51)
Okay. So I see this, you know, and I wonder about this a lot too. It's like, how much of this is marketing and like, just marketing lies that have been pushed on people, and then just misconceptions of what things are, like cloud, right? I've got my data in the cloud. It's safe. And I'm like, delete is a valid operation on every cloud platform. Like your data is not safe because it's in the cloud. It's not backed up. It's just there.
Dave Chronister (32:17)
Yeah. Yeah.
Max Clark (32:21)
And I think about, and I talk a lot with people about, defaults. Any sort of application, computer system, operating system, whatever it is, defaults are meant to be really user friendly and permissive and easy to interact with. And then you start talking about security policy or IT policy. And then they feel really restrictive because all of a sudden you're like, you can't do certain things anymore.
because we've changed the default, because the default doesn't make sense. And it's kind of like any sort of sane operation, right? Because we don't want certain things to happen. We don't want you plugging in a USB drive into the computer. We don't, you know, like that's not a good thing for us. But then people are like, well, you've taken this thing away from me. And it becomes this very like personal emotional response of like, you've taken something from me. And I'm like, no, we've taken the ability for you to shoot yourself in the foot away from you. You know?
Dave Chronister (32:53)
Yeah. Great.
Yeah.
Yeah.
Yeah. There's a lot there. So I think it's the framing that needs to happen. So, you know, I think about cloud. So I would always refer to people who go, we have it in the cloud. That's good, right? I get a lot of that. That's good, right? And it's like, well, it depends, you know. I said, so let's replace that cloud with the term someone else's computer.
So I am storing my photos on someone else's computer. Are you okay with that? Yeah, I'm okay with that. I'm storing my children's social security numbers on someone else's computer. How do you feel about that? Maybe not so much, you know? And by the way, my first zero day I ever created was a cloud infrastructure I took over with a browser. You know, it's like, but it comes down to a phrase I hear a lot from
clients. Well, they wouldn't be selling it if it wasn't secure. And, you know, we kind of touched on it a little bit. I am very, very pessimistic about AI, and for a lot of reasons, but a lot of it is they don't talk the risk. Now, I will say, going back to our previous point where we were talking about marketing's fault, I will say it's gotten better.
I remember having a conversation with an antivirus company. The salesperson says, we are able to detect all viruses. I go, well, no, you're not. But anyway, there hasn't been a virus since 1990. You're not able to detect all malware. Well, yes, we are. No, here's a video of me doing it. I am not a developer. I was able to do this with pre-tools, right?
I have seen a lot of the newer companies come in and go, this should be part of a bigger security solution. But then they'll maybe make it seem, you know, then they'll add the marketing phrase pieces to it. And yeah, I think it's good to be pessimistic about it. But again, that doesn't sell product, you know? And I think that that's the problem we're running into with non-technical executives. And that even includes
These days there's still a lot of non-technical CIOs out there, you know?
Max Clark (35:40)
Yes, a lot, most, because it's a different job. I mean, you get to a certain size
and the job is about managing people and budget, not necessarily managing technology, you know. And so I used to have a lot of feelings about that. I have way less feelings about it now because I understand the, you know, it's like maturity, right? Like I got old enough, I just understand it. You know, I was at a pool party, and one of the guys there had his iCloud account, quote, hacked, and then he lost access to it. And of course Apple's like,
Dave Chronister (35:46)
Yeah. Yeah.
Yeah.
Now.
Max Clark (36:11)
And it's funny because somebody's talking about this, like, it's so terrible. And it's like, you're the IT guy here. Like, can't you solve this problem? It's like, I just, I, you know, I didn't even open my mouth. Like, in my head, I'm thinking, your password's probably like your child's name plus a number, you know, and
Dave Chronister (36:23)
Yeah.
Yeah.
Max Clark (36:34)
And I feel really bad because in this case, he's lost a lot of photos. He's lost his photo albums. He had some financial loss with it, but not anything massively significant in terms of the guy's wealth. But it's just like, I'm just sitting there, I'm just listening to this conversation, and it's just like the education awareness gap. It's so, like, I didn't even, it's like you want to ask, did you have Apple two-factor authentication turned on?
Dave Chronister (36:56)
yeah.
Max Clark (37:03)
I know not to ask the question because the answer is no, because nobody knows this thing exists. It's just like, my account got hacked. It's like, no, your account probably actually didn't get hacked. You probably clicked on something and gave them the password, and then they just took it. I deal with this with my wife a lot.
Dave Chronister (37:07)
Right.
Yeah. Yeah.
Max Clark (37:23)
You know, I'm like, what is my responsibility to you in terms of protecting you on the internet? And at the same time, how do I do that in a way that doesn't create conflict and strife between us? Because now I've restricted your ability to do anything on your cell phone. And I'm like, you know, finding that line is crazy.
Dave Chronister (37:38)
Right.
Yeah, you know, along those lines, what I have found with the operating systems is the, not necessarily misinformation, but the assumptions that are out there. I can't begin to tell you how many times, for, well, you know, Apple was designed for security. And it's like, do you think Windows isn't? Like,
you know, or Linux by default is more secure. And I say absolutely not. It's pretty wide open. Like Windows 2000, they got their butts handed to them because everything was wide open. And I'd say they've done a fairly decent job, but you know, we'll run into that with clients. I am a big anti-Apple guy for a couple reasons. One, Steve Jobs called him,
griped about my job when I was in the 90s. So I have a little personal animosity. I always thought that they were very, you know, you couldn't build your own. I mean, everything is that way now, but it's like, you know, sometimes just because you're running Linux, but you've chmod 777'd everything, doesn't mean it's secure. So let's actually dig a little deeper into this.
You know, Apple devices, we'll run into that. Okay, you gave everybody Apple devices. What happens when someone quits and doesn't help you transfer that device? Now you don't have ownership of it anymore. It's tied to their iCloud account, you know, and you go, that's just the financial aspect of it, you know, and
Max Clark (39:23)
It's.
I mean, my version of that is every time you see a tech layoff and they're like, we're giving everybody their laptop, and it's like, it sounds really good from a PR standpoint. But the reason why is because it's an absolute nightmare to get all the equipment shipped back to you to image it, wipe it, and then do something with it. So when you look at that actual total cost versus the value of your coop, if you're running an MDM, you just go delete, and that's it.
Dave Chronister (39:35)
Hmm
Mm-hmm.
Yeah, it'll be done.
But that's assuming they have an MDM, right?
Max Clark (39:52)
Let's get into that in a minute.
OK, we'll come back to tools here.
Dave Chronister (39:59)
Yeah, yeah.
Max Clark (40:03)
We talked about a lot of your work being regulated in compliance, right? So you've got industries that were already regulated and in compliance, and then you've got customers and companies that are either being pushed into compliance for the first time or they're, you know, they're downstream and it's a supply chain requirement for them because they want to do business with a company. And so now let's take this in two parts. Like the first part is,
Dave Chronister (40:26)
Right.
Max Clark (40:31)
They show up and they say, I have to be SOC 2, I have to be PCI, I have to be CMMC, I have to be HIPAA, you know, compliant. What percentage of people going through that process actually end up in some sort of real security when they're done with it? You know, and we can get into the specific compliances, you know, like I like to rail on SOC 2 a lot, but we'll...
Dave Chronister (40:51)
Yeah. Well,
yeah, me, you and me both, but I'm not a CPA. I can't run one, but we're doing taxes at Parameter Security. Yeah, no, I think.
We will, a lot of times, especially the older regulations, HIPAA, GLBA, things like that, people got dinged hard. And so it's like, we know that we are not doing it correctly. So what can we do to help? What can we do? It's almost all policy. It is almost all policy. They just have technology out there. They kind of maybe have it in their head what their policies are, but it's not out there, it's not formalized.
PCI is where we get a lot of brand new clients, and we're about right. We won't be dealing with CMMC that way because we're going to be C3PAOs. So we'll just audit and get rid of the advisory on that. But I would say for a lot of the regulated companies, they get there. Now, what we push, though, is it's a security program and you are maturing.
So what I tell people is, regulations are the least you need to do to not go to jail, right? There's a little bit more to it. And by the way, there's more to it than just your regulation, because you start to talk to the board and you go, how do you feel? Well, it says we should do this, but I kind of want to do it a little bit more secure. Perfect. That's the way you should do it. We also get a lot more clients these days, I'd say past seven, eight years,
that are just wanting to do the right thing. Yeah, you get vendor due diligence kicking in, but more than anything, we're getting really worried about this. Now we're having to pay co-insurance on cyber liability, we're getting all these people. And for them, it's quick wins, but keeping the distance, going the distance, I would say there's a lot more failure rate there. They hit that point where they feel comfortable and then they just kind of let it go.
Max Clark (43:06)
to get to the point where people look at SOC 2 as a security compliance framework.
Dave Chronister (43:11)
What was the one before the GA's, GSGA 70? You know, it's because CPAs are talking to the CEOs, and it floors me. It's not even a security. It will tell you if you have a fence and you open it and close it every day, then we'll tell you if there's a big old hole in it. It's a process. It's about, we had to get SOC 2 compliant for our pen test last year. And that really
to be honest.
Max Clark (43:42)
This is because clients are demanding it from you. Are you SOC 2? Yeah. Yeah. Yeah. But this is the thing that's crazy: all of a sudden people decided you have to have SOC 2 in order to do business because that's the checkbox we want to check. And then it feels like there's no thought process behind it in terms of, what does this actually mean? It's like, you're SOC 2, but you picked all the controls that you chose in order to be SOC 2. And I'm looking, and then you have a company going, oh, they're SOC 2, they're fine. You're like, what are the controls that they're adhering to?
Dave Chronister (43:44)
We had a large client demand it.
Right.
At least, Max, three times a week I am on sales calls through the channel with someone that goes, we need you to do SOC 2. I'm not a CPA. Well, what does that have to do with it? A CPA is running the security, and maybe 30% of the time someone goes, oh. Other times it just goes over their head. And it's just like, what, you know, I get it. There's some people that do SOC 2 great, but I think there has been, for
for my industry, for the cybersecurity industry, a major issue with that, that we really just haven't marketed why we do what we do. And, you know, I keep preaching the word on the SOC 2, but it's tough to do. It's tough to do. Yeah. Cause yeah, to your point, now what people say is, well, I get it, but that's what they want.
Max Clark (45:00)
I mean, at this point, it's kind of taken on, it's its own animal, right? I mean...
So, I mean, is there any hope of a saner framework or compliance requirements? I mean, CMMC. Will CMMC replace SOC 2, like, outside of defense and manufacturing, and become a saner framework for people to adhere to?
Dave Chronister (45:25)
I think if you want to be certified, ISO 27001, which is a cybersecurity framework, you're actually building on a framework. Or, you can't get certified for NIST CSF, but, you know, you can do readiness assessments on it.
Max Clark (45:39)
Well, that's why I tell everybody, before they start even
thinking about SOC 2, it's like, go do a NIST CSF or NIST 800 or whatever, and pick one, because that'll give you at least alignment, like you have goals.
Dave Chronister (45:43)
Yeah.
Yeah, yeah. I mean, almost every regulation is built off of NIST, the, you know, 800, the granddaddy one. But it's like, to your point on SOC, you know, we'll do some readiness assessments and, to be honest, it's kind of one of my least favorite because we can look at certain controls, and then they go and do something completely different. And they go, well, why don't we pass? Well, this isn't what you selected when you met with us.
Max Clark (46:27)
I mean, is the cat in the bag with this thing? Is there any way to fix this? And what I mean by that is like HIPAA. Okay, I'll take my two biggest ones that I have the most beef with when I'm trying to actually explain this. On the one side, it's HIPAA, because now they've decided, people know they have to go out and get a BAA from all their vendors. And it's like, okay, you've got a signed BAA from whatever piece of technology infrastructure you're running, but have you read what the BAA actually says? And everybody was like, no.
Dave Chronister (46:49)
Mm-hmm.
No.
Max Clark (46:56)
Like
we have the BAA, we're okay. And the second one is SOC 2. I'm like, okay. So you have to get SOC 2 compliant because your customer is demanding it, or you only want to do business with companies that have a SOC 2 stamp because then you think that they're secure. But what does that mean for you? Sometimes I feel like the crazy person, like, do I want to actually explain that the BAA they have received from fill-in-the-blank infrastructure company means absolutely nothing to them? Because a lot of them say,
My favorite phrasing, what's the paraphrase in the BAA? Our system could possibly be secure as long as you configure it correctly. And it's completely up to you in order to actually configure it correctly for it to be secure. And we have no liability to you whatsoever in your use, right?
Dave Chronister (47:34)
Yeah.
Yeah.
Yeah. It's security theater, or we call it blinky light security. You know, you see something blinking and you go, okay, we're secure. But I think we have to reframe that to understand this as human nature, right? We're both old enough to remember, I maybe, I hope. I'm 50, so it's maybe a little older, but having to do an atomic bomb drill and getting under my desk.
This piece of wood is going to protect me, you know? And there's a lot of security theater that's been around for thousands of years. I think the problem we have is a lot of people go, I'm just not good at technology, and they turn their brains off. Or, well, if everybody else is doing it, I'll be a joiner on that. And that's the problem with AI right now. No one's thinking about the risk and everybody's just doing it.
And unfortunately, I don't see an end to it. I just, I think companies are wising up. I think that's where, unfortunately, like you had said earlier, we just have, you get to the point of, if you're not doing it, I just want to make sure you don't have my data or the data being by I love, you know, and be done with it. And you're going to hit yourself out of existence, you know, and it can be frustrating.
A lot, again, I've been doing it long enough now where I'll have some of my younger employees get upset, and I'm like, you know, you can't save them all. And we have lots of good clients that really do want help. Focus your attention on them.
Max Clark (49:26)
For somebody that's going, or starting, through the, let's say, so-called SOC 2 process.
How do you help them get more out of it than just a lot of annual work? You know, actually meaningfully use SOC 2 to, like, improve the business, as opposed to, oh, every year we have to go through this audit again and now we've got, you know, one or two people designated just to go out and collect evidence, and we have to go buy these tools in order to have the evidence in order to do that. You know, how do we actually make this a meaningful exercise for people?
Dave Chronister (50:03)
And SOC 2, that's hard. Now, I think with any of them, any of these, it's good that it's not ad hoc, right? And to actually go, listen, if you're going to do this for SOC 2, worry about everything. Let's just go ahead and have one holistic security program to look at everything. So that way, you're not going, well, for SOC 2, we're doing this. The SOC 2 areas, we're doing this. For our SOC 2, we're doing this.
Max Clark (50:09)
Cough cough
Dave Chronister (50:32)
It's not efficient, it's not effective. And making sure that they have processes and policies that are not only secure, but make sense to them and aren't overly burdensome. And you can run into this a lot with change management or patch management, for example. And it's like, okay, well, how are you doing this? You don't have to do it the same way a Microsoft is doing their corporate.
But this may be a good point for you to start to look at what applications you actually have on your systems and go through those processes that way. The problem with the SOC 2 is it usually targets a particular product or service. And so a lot of people will compartmentalize it. And it's like, OK.
Well, you have this part under control, but the rest of your company is an absolute security nightmare. What happens when you can't turn the lights on to do that service? And that's the thing that always kind of is frustrating for
Max Clark (51:44)
I get these requests usually and it starts with tools, right? Because there's some checkbox that they have to go out and get, right? So we see a lot of cyber insurance renewals or, you know, where it's like, what, SAT, SEG, EDR, MDR, you know, there's some acronym on the form. It's like, do you have this? Yes or no? Like, I can't insure you if you don't have it. And...
Dave Chronister (51:49)
yeah.
You're gonna hurt.
Max Clark (52:10)
And that's creating an interesting dynamic as well, where it's like, OK, now I just need to go out and get some sort of SAT tool and implement it to say that I have it in order to check some box. And I always feel tension between, do we try to pump the brakes here a little bit and talk about what we're actually trying to achieve with this thing? And how do we implement something that actually does something meaningful for you? Or am I just helping you check the box so you can move on with your day? And.
Dave Chronister (52:36)
Yeah. Yeah.
It's, that's playing it. Like, it makes sense to make sure people are not only having a security program but actually enforcing it. But, you know, going back to the cybersecurity, or the cyber liability insurance worksheets, it's almost like they created it knowing a non-technical person is going to be the one not only filling it out, but reviewing it. So, you know,
Compensating controls are huge, right? And we look at risk, and there's three things you can do with risk. You can address it, you can accept it, or you can transfer it, which means buying insurance. All of those are valid. But they take that out and say, you need to have a tool. And it's like, you don't necessarily need that. PCI, when we were QSAs, we became PCI certified in 2014. Even back then, the regulation said Tripwire.
You had to use Tripwire for integrity verification. It's like, why? I don't have anything that requires that. And yeah, tools are just, I like the term tool. I like that you're using the term tool. Tools help you accomplish something. Solutions is the word I don't like, because a solution means your problem's gone. And in many cases, you may have reduced it to an acceptable risk, but that's not really
Max Clark (53:53)
Yeah.
Dave Chronister (54:05)
gone
Max Clark (54:08)
It's...
I read a stat an insurance company released, and it was talking about ransomware, you know, based on org size, and on the very low end of SMBs, the average ransomware attack was a $500,000 loss. It was like $480,000 or something. But the next piece of it was fascinating, which was the percentage of ransomware encryption events that took place with a leading EDR in place, right? Leading EDR.
Dave Chronister (54:22)
Yeah.
Max Clark (54:42)
And the second part of that, and it was high, 60-plus percent, leading EDR in place, ransomware encrypted. And the only firms that survived an encryption event were ones that had outsourced MDR in place that then saw and reacted fast enough. And it was interesting that I saw that this was published, because I've been talking about this for a long time now, where it's like, what's your actual goal of your cybersecurity? You talk about prevention.
You know, I've seen a lot of people that try to equate this to, like, you're buying an insurance policy. And I'm like, it's not insurance. Insurance pays you after your house burns down, right? This is something different. And then it's like, well, what's the ROI on this tool? And it's like, I can't really quantify it. Like, your business stays in business or goes out of business, but I can't really tell you, you know, it's like, how do you fit that gap? And now I just really try to explain to people, like, it really feels like your only goal here, well, two goals, right? You're trying to prevent, like, really easily avoidable things from happening to you.
Dave Chronister (55:19)
Right, right.
Max Clark (55:43)
And then you're just trying to catch it as quickly as you possibly can, because dwell time's gone from 200 days to hours, right? How fast can you catch it and just fight it? It's like a very different approach now, right?
Dave Chronister (55:59)
Well, and you know, I would run into this years ago with WAFs for web applications. It's like, I had, it was a Fortune 100. I went in to speak at an event. I think it was like second or something. And I was going through the ways to get through attacks. And again, you know, I will tell you, I'm not a developer. I taught CEH, I taught CISSP for so many years. I can tell you the fundamental attacks.
Max Clark (56:06)
We
Dave Chronister (56:29)
Code, maybe I can read it. So I'm explaining the concepts. And someone goes, we just have a WAF. We're good. And it's like, that's putting a bandaid on a gaping, hemorrhaging wound. You know, it's like, we need to solve some of the issues first and not just have security theater again. Well, we have this, you know. That, with the MDR, it's kind of tragic. I had a client, they were in healthcare.
They would contact us every other year to do a policy assessment. No pen test, nothing. I had a client, a gentleman who used to work for one of my old clients, reach out to me. He had just become the CSO for the parent company. My client got hit with a ransomware attack. They had MDR and it was in monitored mode for years.
And they're still trying to figure out why. Well, they got rid of everybody. That was almost a year ago, and they're still preparing for OCR to come in. I mean, and we're still talking to their attorneys, right? It is, and you sit there and you go, well, you should just throw that money away.
Max Clark (57:51)
This is... Okay, so we...
I think for the average person, the experience becomes like, this organization got breached, we all get free credit monitoring. And that's how they associate costs with these things. And then you're like, attorneys are very expensive. And if you're prepping for some sort of fight, whatever it is, you're talking to attorneys. That's a real cost that builds very quickly for a company, in terms of, you know, like, and...
Dave Chronister (58:01)
Right. Right.
Yeah.
Max Clark (58:28)
It's, I don't care. I want to talk about AI. I don't want to talk about this just yet.
Dave Chronister (58:34)
Okay.
Max Clark (58:39)
Okay, probably the biggest misconception I have to deal with daily is we don't have something a hacker wants. And it's like, no, you have money, right? Like you have everything. The only thing the hacker wants from you is money. It's in your bank account, it's in your resources. You'll pay to get your business back online, right? So yes, you have something. And the...
Dave Chronister (58:47)
Mm-hmm.
Well,
I would say also you have a platform I can now run other attacks on to other companies, where the FBI comes to you and not me.
Max Clark (59:10)
Right. Okay. That's a good point. And then it's like, I'm not a target, and it's like, well, are you connected to the internet? Okay. So you're a target. I mean, I deal with those two a lot, but AI is interesting because now we have AI being used to launch attacks. We have AI being used, I mean, AI, what is AI? Nobody really knows what AI is anymore, right? We have AI being used to defend against attacks.
And then we have AI being deployed inside of the organization, which then creates its own risk profile.
Dave Chronister (59:45)
Mm-hmm.
Max Clark (59:47)
Where do you want to start?
Dave Chronister (59:50)
What is AI? 99% of it's what we call agent washing or AI washing. It's not, I mean, AI is not even AI, right? It's LLMs, it's if-then statements. But you know, we looked at one of those AI pen testing platforms one time, just to test it out, and they're running Metasploit. There's no AI, there's no LLMs in it. So 99% of what people are dealing with that's AI is not AI.
My talk this year, I have two talks. One is the hidden, it's actually, I had it for a while, the not-so-hidden risk of AI in your organization. And the other is the rise of AI in social engineering. And in the organization one, I'm very pessimistic. This is not something you should use. And then social engineering, I'm like, this thing's amazing to use. What's the disconnect?
Max Clark (1:00:48)
Mm-hmm.
Dave Chronister (1:00:49)
I'm an attacker, I'm burning bridges as I come through. If I try to hit 50,000 people and it fails 30,000 times, it doesn't matter. I just move on. So AI is great because AI is not reliable. On the corporate side, one single mistake can cost you thousands, hundreds of thousands, millions. And by the way, I think people are going to find that it's more expensive,
and with hallucination rates outrageously high, causing a lot of issues there. And there's a lot of legal issues we already talked about. So yeah, you know.
Max Clark (1:01:25)
I mean, you're
talking about this. This is interesting, OK, because that tailing part of that segment, to cut you off, you know, statement is, OK, I can express this a little bit differently, which is, if you have two employees ask the same question to your AI tool and they both get different answers, which is very common, what does that introduce in terms of risk to the organization, right? This is not a cybersecurity thing. This is just AI risk and how you're deploying AI for your enterprise, right?
Dave Chronister (1:01:53)
Right. Well, there
was actually a study that came out that said that experienced developers using AI were less efficient because they actually had to comb through and validate and sometimes fix it. A friend of mine, Dave Kennedy, who runs TrustedSec, he's a big AI dude. And Forbes just did an article on him. He's pulling Anthropic,
because in his estimation, the newer models are about 75% inaccurate and creating vulnerabilities. The amount, you know, I started going through this because I'm a business owner, I'm a small business owner, and there's this group of business owners called EO, Entrepreneurial Organization. It's almost like a cult. My building that I actually have my office in, all my employees are remote, they're all EO members, 150 of us, and AI this, AI that, AI this, and it's like you're...
Max Clark (1:02:35)
Yep.
Dave Chronister (1:02:49)
Where are your issues? Do you not see the issues? And so I started going through this to educate them and my clients, and from legal ramifications to mistakes, there are many studies. Mellon University did one that showed 95% of all AI initiatives
did not make it to production, and the 5% that did showed little or no ROI. And this is for large Fortune 500 companies. And you sit there and you start to go, what are we doing? Why are we pushing this? And kind of going back to when we were talking earlier about people not worried about the threats, it's like, well, it's that FOMO, right? It's, well, everybody else is doing it. You know, I had a conversation with someone who said, well,
Oracle just laid off 30,000 people because of AI efficiencies. It's like, they laid off 30,000 people to pay for a deal that they made with OpenAI. Meta is laying off 8,000 people to pay for it. They're not seeing efficiencies. They're hoping their whole company's on.
Max Clark (1:04:06)
Well,
and the other dirty secret is every company has a certain percentage of headcount they keep around because when they need to, they can lay them off. I mean, layoffs are a fast trigger for our business. Like, you can't get out of contracts with vendors. You can lay people off. It's a very fast thing. Oh, you know, we need some positive news for the stock market. Let's lay off 10%. We'll get a stock bump because we don't have anything else to report. I'm very cynical about this at this point. And there's a wave of AI-related
Dave Chronister (1:04:11)
Yeah.
Yeah. Right.
Yay!
Max Clark (1:04:33)
layoffs, and you dig into it a little bit and you're like, this is nothing to do with AI. You're just using AI as the cover to then try to get the stock bump because you've laid off 10%. And yeah.
Dave Chronister (1:04:40)
It was COVID six years ago, right? It was,
well, this is it. Well, because of this, we have to lay people off. And it's like, no one talked, there's no empirical evidence that it's actually working for an enterprise. Now, something like a ChatGPT for a particular person, like again, like I mentioned, just recently ADHD diagnosed, starting on a blank piece of paper is horrible. And before I got treated for this,
I would try to use it at the beginning just to fill the blank page. But I quickly found it is not very eloquent in the way it speaks. It's incorrect a lot. And this is someone that understands it, understands the industry. And now you have vibe coding. You have people that are just like, I can do this as well. When I joined this, where my office is, they gave me the
contract, and the dude's a big AI guy. And I'm like, dude, your contract says that if I quit paying, you can't kick me out. So that's weird. Like, did you do this in AI? Well, yeah, it's amazing. It's like, there's, I'm not even a contracts attorney, there's 10 issues here and you didn't even read it. That's the problem.
Max Clark (1:06:01)
I had this with my team internally. And by the way, I've tried to explain this to a bunch of different people, but I'll share my take on this with you. You look through the iterations of tech and tech adoption, right? And we get to social media and really understanding growth in social media and this reward dopamine system that comes back out of social media platforms. Well, tech platforms and companies understand this pattern of dopamine.
Dave Chronister (1:06:14)
Mm-hmm.
Yeah.
Max Clark (1:06:28)
You know, and then they've just applied it into AI, you know, these chat tools, because, well, they need adoption. They need DAUs. They need usage growth, right? And so, you know, the platform will manipulate you to keep your engagement high by design. And I noticed cases where, you know, same thing. You know, SMB is funny. I love the term SMB because, you know, according to, you know, it's a thousand people, it's still an SMB, right?
Dave Chronister (1:06:35)
Yeah.
Yeah.
Yeah, yeah, right.
Max Clark (1:06:58)
Yeah, so we have a small company. We have an SMB. But I notice people on my team just completely outsourcing their brain to it. I'm like, you're here because you have a brain. If you stop using your brain, what are we doing? What are we talking about?
Dave Chronister (1:07:08)
Yeah. Yeah. Yeah.
That's where we're at with it. Well, quick interesting fact, OpenAI did a study that actually showed that their platform and other platforms will come across more confident the more inaccurate it is. And it's, yeah.
Max Clark (1:07:29)
100%. I
had an example with this one. I fly as a hobby. So we have the FAR/AIM, right, which is the standard. And basically, a really big rule book that gets published by the FAA every year. And I was looking up something very esoteric. You know there's an acronym. There's a mnemonic for it. I'm like, OK, I don't remember the acronym. And there was some specific edge case I was looking up. And I was asking an AI tool. I was like, what is the...
Dave Chronister (1:07:41)
Yeah.
Good night.
Max Clark (1:07:58)
What is the situation here and how does this apply? And the response it gave to me, I know it's incorrect. I'm looking for the actual specific reasons why I have to do one thing versus another thing. It's completely wrong. And I reply back to it, and my response is something like, that's not accurate. And it's like, you're right. It's not accurate. It gives me another answer. Completely wrong. And I'm like, what are we?
Dave Chronister (1:08:15)
Mm-hmm
And I don't know about you. I feel like I'm in Looney World when I start to bring this stuff up and people just look at me like I have five heads, you know? So along those lines, the way we're doing our business, we just, NIST just released, for anybody that's interested, the AI Risk Management Framework and its guidance. And we've created, we're about ready to release it in a couple of weeks.
Max Clark (1:08:34)
Yeah.
Dave Chronister (1:08:52)
AI risk assessment. But along those lines, you know, we really had to create our policy and we do not, I do not allow, again, I say I, I'm the 100% owner in it. So I'm kind of the benevolent dictator there. Do not allow any AI in any of our, or AI technologies in any of our billable work. Basically sales and marketing.
but it can only be used as a part of the process. And it's not only accuracy, but it's also people are paying us for our experience. And AI doesn't have our experience; if-then statements do not have our experience. And if we're wrong, that can be detrimental to one of our clients. So, you know, where do I see the future? It's like anything, you know, we've been around this again.
You know, we had it with cloud, we had it with SaaS products, whatever, virtualization. There will be specific needs for this, but it is not the game changer in the way people think it's going to be. I think it will collapse the industry because, you know, especially that Oracle OpenAI deal where Oracle is laying off 30,000 people, they have
taken their loans to the max, their APR and their loans have tripled to do this OpenAI deal where it's seven, was it $700 billion over the next 10 years, OpenAI is making 9 billion a year and has 130 billion in the bank. It's going to collapse everything. So.
Max Clark (1:10:38)
I was
reading the bear case for building gigawatt data centers. And it's like, we're going to spend $50 billion to build a data center. It's going to return this. And the forecast is like, it's going to make this much money per year. And it's going to be a two-year payoff. And again, it's like, I feel like the crazy person sometimes with these things, because you're like, the problem with tech is you cannot create a financial model using assumptions
in any of these systems because what does it take to break the assumption? What do we actually, how much resources do we need to train a model? You know, DeepSeek threw that completely out the window and you're like, we don't need the same amount of compute because we can just run the process slightly different. And you're like, okay, well, how does that impact your like $50 billion single data center, you know, build. So, from a, you're talking about like risk management and risk assessments for AI.
How much of this is going to push into what we talk about classically as cybersecurity, or is this more like GRC at this point? Is GRC a cybersecurity function, or is it something different? And the C-suite, as it's being pushed on by their board and shareholders of how are you guys going to move faster with AI, everybody needed a digital transformation strategy. Now everybody needs an AI strategy.
What's the best case scenario outcome for us in risk management around AI, not in terms of the offensive and defensive standpoint, but just AI in terms of risk profiles inside of companies?
Dave Chronister (1:12:24)
If it follows any other trend, there's going to be some very bloody incidents that will happen that will then cause people to wake up, the government to come in and go, we need to regulate this. Yeah. You know, I will say before I tear apart AI, I want it to work again.
I've loved computers since I was a little kid. I have an Agent Zero running on my data center in my house. I have a data center in my house. I have a full 42U rack. I have local LLMs running on systems. I want it to work. I keep trying and it's just not working. I think from the macro level, there'll be some massive issues that will happen.
especially with everybody just going to these general LLMs, ChatGPT, stuff like that. On a micro level, it will be businesses starting to realize they're going to have incidents. No one's going to see, especially in the SMB route, that they're not saving any money because they don't know what they started with. No one's doing a formalized approach to it other than Fortune 500. And by the way, my Fortune 500 clients are the ones going, no AI,
no AI on our stuff. And it's like, you're right, good. We don't have it because they get it.
Max Clark (1:13:53)
Why is it that as we become older and older tech guys, and again guys, because, you know, but present company, it's like this really funny pessimistic attitude of like, I'm a tech ops, I'm a technology optimist, maximalist, acceleration dude. I 100%
Dave Chronister (1:13:58)
Yeah.
Max Clark (1:14:14)
And the core of my being believe that technology improves the human condition and the more technology that we get, the better off the human condition is. And these are all good, positive things for society, right? Like I am absolutely that guy. But then there's like the other side of it, which is just the reality of deploying any sort of technology advancement and sort of, you know, like, and dealing with people deploying technology and managing it, you know, and you're like, yeah.
Dave Chronister (1:14:29)
Mm-hmm.
The new hotness is the old hotness. And this word I'm thinking about, it's Dunning-Kruger. You know, and we may not know this technology, but we know what we don't know. We know we don't know stuff. And you know, I think it's probably you and I spending many nights and weekends away from our friends and families fixing stupid stuff.
Max Clark (1:14:42)
Jeez, yeah.
Yes. Yes.
Dave Chronister (1:15:07)
But you know, I always get in trouble because people go, I'm a tech person, and I'm like, yeah, not really. True tech people, I don't see anybody excited or going, this is amazing. A lot of people are more like, man, I'd love for this to work. It's just not working, but they're pushing it. It's kind of the pseudo tech people, like I'm a power user and this is great and I can do this. Who needs this?
Max Clark (1:15:30)
Yeah.
I'm running Cloudbot on my desktop and I gave it access to my bank account and you're just like, I know how this story is going to play out.
Dave Chronister (1:15:37)
Oh, oh, so. So that, you know,
and this is the part where I sit here and it affected me. So I mentioned my landlord, you know, remember, he had this space. And he's like, Hey, why don't you? Can you manage our network? I'll cut rent. I'm like, Yeah, perfect. No problem. We've been doing it forever. He came down one day, he goes, I'm running Claude bot. This is great. I'm like,
Here's a national radio show I was on over the weekend talking about how horrible this is. You shouldn't do it. And he's like, I know, it's great, right? And it's like, well, crap. Like you just put all of us in danger, including me. Okay. Segmenting myself off on the network, you know? And how do you handle that? Even when I've tried to talk to him afterwards, he's just like, no, it's fine. It's fine. Looking at his life and his risk in his life, I go, I get it now.
But I think a lot of people are seeing dollars, a lot of people are seeing this and they're not, they are avoiding risk. It's not that they're not looking at it, they're 100% avoiding it and it's going to be dangerous. Hopefully it happens quickly before it's too ingrained, you know?
Max Clark (1:16:56)
It's
I want to ask you some tools questions before we wrap up here. And actually, not specifically in tools, but let's say trends.
Dave Chronister (1:17:01)
Sure.
Max Clark (1:17:11)
there's always a push by tech marketing to try to invent new categories. Because if you can invent some new category that then gets analyst coverage, you're the first one to market, you get some tailwinds effects. So we go to EDR, to MDR, to XDR, to super DR, these things keep mutating on us. And then the second thing is this push between, and what I really am curious about right from your take, is this friction between, let's call it like,
Dave Chronister (1:17:15)
Mm-hmm.
Max Clark (1:17:40)
you know, best in class solution versus bundling and full stack, right? Microsoft is pushing E5 security. It's a full stack. It's a very efficient bundle. Now, you look at the cost of deploying E5 security with their EDR and their SEG versus, you know, other EDRs and SEGs, you know, the cost per user, cost per seat normalizes very fast. It's almost always like dead on, like, do you want this tool or that tool? It's going to...
You know, now there's efficiencies, obviously, if you're managing one admin console. But then I look at it and I'm like, OK, great. So now you've invested your entire cybersecurity program into a single vendor stack. Is that now a bad thing? Because you have no check and balance going on. How do you counsel people on this idea between...
You know, you're going to buy all these tools and you acquire all of them from one OEM because the one OEM has now either built or acquired all the stack to sell it to you as like the single point solution, you know, versus, hey, we're going to use a different brand for this and a different brand for this. They do talk to each other, but you're managing different tools.
Dave Chronister (1:18:43)
Right. Yeah.
You know, this always starts with risk assessment, whether it's a formal paper or it's not, you know, and I've run into that too, right? We're running 365 in the office. We're less than 10 people, right? I guess with part-timers we're on 15, but
And we're running whatever is above E5. It's the new one, but E7, yeah. And former MCOC, I don't even know why Microsoft doesn't have licensing anyway. Yeah, right. Yeah.
Max Clark (1:19:09)
E7.
I deal with this a lot. I
know it because I was just in the PowerPoint presentation trying to help somebody through like, what license tier do we get whatever thing from? And you're like, it's a 35-page document, right? Like, let's go figure this out now.
Dave Chronister (1:19:22)
Yeah.
Right.
Right.
Yeah. But you know, then we're running SIEM. Why are we not running MDR? Because the SIEM solution we have has a SOC. I personally know the person who designed it. And we tested it. And I think it comes down to something's better than nothing, and we mature it. So a company that has nothing, I'm going to start them with
just get this bundle, because they don't understand the risk when you're maturing. You're not only maturing your program, you're maturing your people that are part of the program. That includes your C-suite. And then, you know, this is the big no-no that I have: the person that sells you the control is not the person that validates the control. Right.
And we struggle with this because we'll write policy, you know, but then we're not the ones that are going to audit it. And this is why we don't sell solutions really. But other than that, it's just going through it and saying, let's just start with this because it can get very expensive, very quick. And this is also where we have to truly understand your risk to understand what to pay for, because maybe
Microsoft Defender is just good enough because you have MDR and let's face it, antivirus is worthless as ice. The one I'll get is, well, should I have DLP? I don't know. Because I get asked this stuff all the time. I don't know. I don't know your situation. Do you? Yeah, right. And maybe you do.
Max Clark (1:21:11)
Do you know what DLP is and how it works?
Dave Chronister (1:21:19)
But I'm not the one that should be asking you. I should advise you. I can advise you on issues I've seen with it. I'm not going to give you a company to go for, but you know, it's questions like that, you start, go, let's just start with something. Let's get you to a level and then let's start to mature you. And I have seen clients that will start with something that's good for now, but once they understand
the limitations. So I hate to pick on them, but Qualys. Qualys is better than nothing. I'm not a huge Qualys fan. I like Tenable. I've used, well, yeah, I call them vulnerability scanners. But you know, it's like Qualys is great. It gets you to where you are, but here's some limitations for what it does. And once they start to understand those limitations, then they can move to something a little more mature.
Max Clark (1:21:58)
So you're talking about the CSPM product specifically. Yeah. Yeah.
If
the thing that Qualys, I'm in a similar boat, right? Where it's, and the other thing I like about Qualys is it's very inexpensive to get into something that'll actually inspect your cloud platform and then align it with CIS and kind of give you a...
You know, the things that it's like really basic stuff that people don't even realize happen. It's like, we made some policy change and like our S3 buckets are now this, or we did this and we didn't realize it. It's like so much change is happening so fast. You're like, do you have anything that's actually looking in and tracking this and just giving, and you know, I've seen, you know, Tenable has been through some stuff too, where it's like, you know, as they pushed into Tenable One, I had
Dave Chronister (1:22:54)
Yeah.
Max Clark (1:23:06)
had a client that had aligned a lot of SOC 2 controls over a previous version of Tenable. And then they upgraded to the new version of Tenable. And then their controls, like the tool changed, they no longer had the ability to run their ending. I'm like, OK, that's a fun, bizarro problem that we have to deal with now.
Dave Chronister (1:23:11)
yeah.
Yeah.
Right. Well,
and that can come down to where people's tools are their security program.
Max Clark (1:23:29)
Yes, in most cases I think that that's the truth, right?
Dave Chronister (1:23:32)
And then they go, well, we have to change how we're doing things because of the program. It's like, that's the wrong way of doing it.
Max Clark (1:23:38)
But this is
an issue. I mean, you brought this up at the beginning, where it's like, what's your policy? And are you adhering to your policy? But how many organizations are actually writing their own policies versus just trying to copy a policy because
they have to have a policy. Like, you know, we've been told that we have to have a policy. So let's go out and copy, you know, a SANS policy, you know, but now it's like, is that policy actually deployed, implemented and managed inside the company? Or is it like, we have this policy on a, you know, on the shelf, so to speak, that we can then point to and say, we have this policy.
Dave Chronister (1:23:59)
Yeah.
Yeah, let me give you a quick anecdote. Now I'll give you a quick lesson on policy and why it's so powerful. So I did that when I was at the bank. Really, I understood security from a system administrator standpoint. And I'll be honest, when I started this company, I look back and I was very naive on security, right? But we had six bank charters.
all going through GLBA. So we had regulators in every six months and I looked at our policy. Our policy still said micro computers and this is in 2002. So I got the best policy money could buy. And I remember as a Federal Reserve auditor named Carl Cooney, he is what made me realize it's not so bad to be an auditor. And he looked at it and he goes, Dave, this is a great policy. This is awesome, man.
Are you doing it? I'm like, I was like 25, you know, I was a young guy and he goes, this is all you need to realize. If you say you're doing it, do it. And if you're doing it, say you're doing it. And you know, policy has gotten so weird. It's become almost biblical the way people look at it. And you know, we use the term policy, but policy
to encapsulate everything, but policy is your management statements. So a wireless policy should be something along the lines of: in order to provide mobile computers access in our organization, we will use Wi-Fi capabilities that include accountability for connection as well as strong encryption methods, right?
That policy will be relevant today, tomorrow, five years, 10 years. Then where people start to get lost is the standard. The standard is we're going to use WPA2 with a RADIUS server connected to AD, whatever. And then you have your procedure, your SOP of here is how we set up that user. Here's how we configure the web. And when we start to work with policy, it's very daunting to a lot of C-level.
Max Clark (1:26:18)
Mm-hmm.
Dave Chronister (1:26:42)
And when we start to talk to them about it, they get it at that point because they realize I don't have to deal with technology. I don't have to do this; this is my part. And then my custodians, the IT people who I said are not responsible for it, they put it in the technical realm. So, because people don't understand that, they will copy policy and then end up not implementing it or making it relevant to their situation.
So yeah.
Max Clark (1:27:15)
Okay, I'm gonna try to formulate a really good follow-up to this one.
Dave Chronister (1:27:20)
Haha
Max Clark (1:27:30)
There are...
We talked about beforehand. We talked about two-factor authentication briefly. And I still see a lot of tension between, oh, I'm my user, insider threat, intentional malicious act, accidental act, whatever it is. But there's still tension between. And I try to explain to people, your employees, you have to protect them because
You've got professional threat actors at this point that are going to take advantage of them. And it's not like this thing that you have to, just how we relate to it is different. But then we start talking about tools. Again, going back to tools, Policies are like, the thing I do like about SOC 2 is it forces people to actually invest and think about certain things of like, how do we actually track? The audit standpoint of it of, we need to be able to actually audit where people are logging in from to our network.
Dave Chronister (1:28:05)
Mm-hmm.
Yeah.
Max Clark (1:28:26)
And then you look at a tool and you're like, this tool gives me no capability to do that. We need a different tool. And then you get into better stuff, like pulling out VPN and investing in some sort of ZTNA. And we can talk about what's real ZTNA versus not, and what's a real STP versus not. But just the ability to be able to say we can connect to an IdP and then actually audit that access.
Dave Chronister (1:28:44)
Right.
Max Clark (1:28:52)
You know, and you think, and it sounds so crazy, but it's like a light year difference in terms of security posture and capability for that company. When it really gets implemented, you talk about it, you know, but so then you have the same thing where it's like that trigger was because the company decided that SOC 2 was important to them. And then in order to get to SOC 2, they had to do something that forces this change. And you see a lot of other tools that are really single sign-on, two-factor authentication. We can argue about passkeys. Are they good or are they bad?
Dave Chronister (1:28:52)
Yeah.
Max Clark (1:29:21)
versus hardware tokens. You give somebody a YubiKey and then you say like, try to go phish them with that YubiKey. Is it possible? Relatively inexpensive device to deploy inside an organization that eradicates a huge threat factor without even blinking. But now you have to have like top level policy decision change.
Dave Chronister (1:29:34)
Yeah.
Max Clark (1:29:48)
The thing gets enforced and pushed down on people and people will push back on like, this is a drag. I don't want to have to carry this thing around in my key chain. You know,
Dave Chronister (1:29:54)
Yeah, gets
lost and the person doesn't notice it right away, you know.
Max Clark (1:29:59)
Right, so how do you help people help themselves with this stuff?
Dave Chronister (1:30:05)
You know, I think organizations like yours are very helpful where it's more of a trusted person that is able to look at different solutions and be that expert opinion. Because again, I can come in and say this is an issue and I can help them understand the risk. But then when you start to get into the weeds, you know.
It becomes an issue. The other thing is, I, you know, again, we don't deal with this a lot because of the cost of our services, but if we have someone that doesn't have a technology provider, like why are you doing that? You know, I have a fractional CFO because I know I'm not good with numbers, right? Computers only count to one. I can't count any higher than that. So being able to
Max Clark (1:30:54)
Hmm.
Dave Chronister (1:31:01)
start to work through that. That is also where I like the cybersecurity, I'll say the security cycle of identify risk, determine controls, implement or manage risk, implement and validate. And then one comes back to manage evolving risk, right?
And one of the issues I've seen even back in my IT days is we don't know what a win looks like. We don't know what the solve looks like. We just go, well, this will fix our issues. Well, what are our issues? I don't know. Well, well, we know when it's fixed, I guess we implemented it. And so it's, it's, it's a guess. And like you said, any data, someone even just having a notebook.
just writing something down. Any sort of data is better than nothing. And we do this with financials, but for some reason in IT, we just go, no, we're good. They wouldn't have done it if it wasn't effective or secure anyway. Yeah, it's a tough problem. I don't see it changing much, again, because people have gotten more technologically savvy. I mean, when I first started in the 90s, I had people that...
I had people who would have their admins print out their emails, write, type it in. We're not at that level yet, but we're still dealing with the, I'm going to call it the HIPAA problem in small medium sized businesses. CEOs and C-level going, I'm too busy to worry about that. And with HIPAA, they made criminal fines for doctors too busy, but I don't know what we're going to do with small businesses.
Max Clark (1:32:46)
Okay, let's wrap this with a question here, which is, let's ignore the why they came to you or how they came to you.
What is one question when you wish people knew to ask you when they started down this process? So we can assume that's driven by an assessment. But what's something that people are not asking that they should?
Dave Chronister (1:33:18)
A thousand things come to mind. Yeah.
Max Clark (1:33:19)
I mean a lot, right? But like if you had to pick
one.
Dave Chronister (1:33:23)
I think it would probably...
have to do with what is my responsibility in this? Again, I'm dealing with a lot of, and I'm picking on my smaller, less mature organizations. What is my responsibility? Because like you said, and we've talked about this the entire interview, a lot of people are tool-centric.
A lot of people don't truly understand what their responsibilities are and what they're required to do in their position. They outsource it to IT or they think it's, well, we have a vendor doing it. It's not our issue. So, you know, on the C level, what is our responsibility? I think for the tech people it is,
what's a better way to document? There's efficient ways to do documentation. It's a pain in the butt. But a lot of the issues we run into on pen testing and in IR is configuration issues and patching issues. And it was because stuff wasn't documented.
It's, you know, everybody's like, well, this is an amazing attack. It's like, and there's, it's a sophisticated attack. It's like, it is 99% someone that put the wrong configuration in, or it's an outdated version of Adobe sitting on that system, right? That's how it always is. And it's documentation when it's solved, that how can we document more efficiently and effectively.
Max Clark (1:35:13)
Okay, sorry, I lied. I'm going to ask one more question.
Dave Chronister (1:35:14)
Yeah.
Max Clark (1:35:16)
What is my responsibility in this? Very interesting question, right? And then we talk about like layers of, as you move up the organization, you have more responsibility to the organization. And ultimately, so you get to the top of the organization, a board, depending on how it's organized, then we start talking about you have a fiduciary responsibility to the organization and to the shareholders, investors, creditors, et cetera.
At what point, so like you can, there's, I've heard arguments of like, my fiduciary responsibility was to evaluate the risk and then decide whether or not the cost to mitigate that risk was worth it or appropriate for the organization. You could, and you know, like, you know, we think we have a million dollar overhang and it would cost us ten million dollars to plug. You know, like we can transfer that to insurance, we can do whatever, but we've evaluated that risk. That's a really big outlier
in terms of that discrepancy. A lot of times it's like, we have an existential $20 million risk that we can solve with $100,000 or $200,000. At what point do we see the shift where boards and the fiduciaries inside these companies become personally liable for decisions that they're making related to how they're associating and mitigating risks?
Dave Chronister (1:36:37)
I think you're already seeing it in some ways. So again, when HITECH came out, I think it's 2010 for HIPAA, it gave teeth. And so, you know, we're having problems with doctors. I'm not, I'm too busy to do this, and they can go to jail now, depending on it. We're starting to see a lot of lawsuits against the board. Unfortunately, we've seen a lot with CISOs, which
when you start to look at it, I can understand it if it was a healthy functioning board and the CISO was rogue, but in a lot of cases is the CISO has their hands tied. And so they become the scapegoat. I think as this gets litigated more and more,
Unfortunately, that's what it takes for the legal professionals to understand it and to start to see patterns, to ask questions. And they're good at it, but they have to understand it. One of my attorneys I work for is the former US Attorney General for Missouri. He is now at Bill Barr's firm. I don't know technology, but I can see patterns.
And I think that's where we're going to see it now.
The problem we're still running into is the CISOs could still be reporting to the CTO. It could still be reporting to the CFO. They may not have any powers there. So they're actually not CISOs themselves. So I think where you may start to see some more proactive stuff on the security is maybe shareholders starting to sue companies that they do not have a properly functioning security
program and things like that may start to happen after big breaches. But yeah, that's a tough one. I don't have a clear, concise answer on that one. The one thing I will say, though, we're talking about the board. But I have that discussion with the IT people a lot. And the discussion goes along the lines of let them make the decision.
Max Clark (1:38:44)
It's.
Dave Chronister (1:39:02)
Not you. Well, they don't understand it. Well, then educate them. That's your job. That's what we are supposed to do is educate them. There's a lot more these days. I see a lot more pushback in the custodian, the IT side than I do on the board side. I think because a lot of board and a lot of CEOs understand the risk, they may be hiding their head. But IT is just a lot of them are burned out and just jaded about it. And I get it. I was there too.
Max Clark (1:39:06)
Mm-hmm.
Yeah, yeah.
Yeah, it's hard not to get there. Dave, thank you very much. It's fantastic. Really, I could do this every week and never run out of stuff.
Dave Chronister (1:39:36)
It was awesome, Max.
Same here.
This is my favorite part of the job. Thanks for having me on and anything I can ever do to help or beyond, I'm happy to be there.
Max Clark (1:39:48)
Appreciate it, thanks.
Max Clark (1:39:50)
That's it for this episode of Signed. If you got something out of this, share it with someone in your world who's staring down a tech decision. A CIO, a CFO, a founder, a procurement lead, whoever. That's how the show grows.
Everything from today lives at itbroker.com slash podcast. Show notes, transcript, links to anything we've mentioned. If you're in the middle of a real tech decision right now and you want someone in your corner without the vendor bias, that's what we do at itbroker.com. Schedule a call on our website. Buy tech without regret. I'm Max Clark. Thanks for listening. See you on the next one.