Redefining CyberSecurity

Safeguarding the C-Suite | Pioneering the Future of the Executive Digital Protection Revolution | A Their Story Conversation from RSA Conference 2023 | A BlackCloak Story With Chris Pierson and Daniel Floyd

Episode Summary

Dive into the world of executive cybersecurity with BlackCloak, the ultimate protector of personal and corporate digital realms. Discover how their innovative solutions are transforming the cybersecurity landscape and securing the future for executives, high-profile individuals, and their families.

Episode Notes

Welcome to another exciting episode of our podcast, where we dive into the fascinating world of cybersecurity and explore the challenges faced by businesses and individuals alike. Today, we have an extraordinary story to share, one that sheds light on the ever-evolving landscape of cyber threats and the innovative solutions being developed to protect us. We're talking about BlackCloak, a cutting-edge cybersecurity company that's changing the game when it comes to digital executive protection. So buckle up, sit back, and prepare to be amazed as we unravel the incredible story of BlackCloak and its mission to safeguard the digital lives of corporate executives and high-profile individuals. And don't forget to subscribe and share our show so that you and your network can stay ahead of the curve in this rapidly changing world of cybersecurity.

In today's episode, we're joined by BlackCloak's co-founder, Dr. Chris Pierson, and their Chief Information Security Officer, Daniel Floyd. Both of these experts bring decades of experience in system architecture, security operations, and cybersecurity strategy to the table. As they discuss the unique challenges faced by executives and their families in the age of remote work, it becomes apparent that traditional cybersecurity measures are no longer enough.

The conversation delves into the critical need for digital executive protection that extends beyond the four walls of a company. This is where BlackCloak steps in, providing comprehensive protection for executives and their families in their personal lives without infringing on their privacy. The aim is to create a hardened target around these high-profile individuals and their loved ones, safeguarding their homes, devices, and personal data from malicious cybercriminals.

As our guests share real-world examples of high-profile breaches, such as Twilio and Uber, it becomes evident that the personal lives of executives are increasingly becoming the soft underbelly of companies' cybersecurity defenses. By targeting executives through phishing attacks and exploiting their personal devices, cybercriminals are finding ways to bypass corporate security measures and access sensitive information.

In response to these evolving threats, BlackCloak offers an innovative solution that bridges the gap between corporate and personal cybersecurity. By taking a proactive approach and addressing the unique challenges faced by executives and their families, BlackCloak is redefining digital protection and shaping the future of cybersecurity as we know it.

Don't miss out on this thrilling episode as we delve into the cutting-edge world of BlackCloak and learn how they're revolutionizing the way we think about cybersecurity. Remember to subscribe to our show and share it with your friends and colleagues so that everyone can stay informed and protected in this ever-changing digital landscape.

Note: This story contains promotional content. Learn more: https://www.itspmagazine.com/their-infosec-story

Guests:

Chris Pierson, Founder and CEO of BlackCloak [@BlackCloakCyber]

On Linkedin | https://www.linkedin.com/in/drchristopherpierson/

On Twitter | https://twitter.com/drchrispierson

Daniel Floyd, CISO of BlackCloak [@BlackCloakCyber]

On Linkedin | https://www.linkedin.com/in/daniel-n-floyd/

Resources
Learn more about BlackCloak and their offering: https://itspm.ag/itspbcweb

Connect with BlackCloak during RSA Conference: https://itspm.ag/blackcvnk8

For more RSAC Conference Coverage podcast and video episodes visit: https://www.itspmagazine.com/rsa-conference-usa-2023-rsac-san-francisco-usa-cybersecurity-event-coverage

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

SPEAKERS

Daniel Floyd, Show End, Marco Ciappelli, Show Intro, Dr. Chris Pierson, Sean Martin

Show Intro  00:15

Welcome to the intersection of technology, cybersecurity, and society. Welcome to ITSPmagazine. Every company has a story to tell from the small startup to the large enterprise. And everything in between. This is one of them. Knowledge is power. Now, more than ever

Sean Martin   00:41

Marco, it's time to repeat the future. The future of the future? We did good in the last future. So good. Let's, let's repeat it.

Marco Ciappelli  00:54

When is the future? Yesterday? Yesterday I was there like when is tomorrow and then. So right there, go figure. And this happened a lot in technology and daydreaming. I'm dreaming about a better future. You know, that's why my holidays were defined in society. But you know, now we deal with what the reality of things is, which is yes, it's a good reality.

Sean Martin   01:22

Well, the cool thing is we can control our future, as long as we take action, and you can only take action if you know what you need to take action on and think about it a little bit. And of course, the world of cybersecurity, at home and in the office, it's blending and becoming more complex, and we need help, right, as businesses, as security leaders, as the people working from home, we need help. And that's why our good friends at BlackCloak exist, to help identify the risks and mitigate those risks and repeat the future that we actually want.

Marco Ciappelli  02:03

Right? I'm talking about somebody that has predicted the future a little bit. No, no, this guy here was introducing.

Dr. Chris Pierson   02:17

Hey, guys, how you doing? It's good to be it's good to be back with you. Marco and Sean, always good to be here.

Marco Ciappelli  02:23

Oh, it's good. And you brought a friend?

Dr. Chris Pierson   02:26

I did. I did. I, uh, your audience knows me well, but actually, for today's conversation, I wanted to make sure we brought in our chief information security officer, Daniel Floyd. So, you know, 20 years' worth of a whole bunch of things: system architecture, security architecture, security operations, all the rest, and I think a two- or three-time CISO now. So I'm gonna actually pass it over to him, let him kind of introduce himself. So this audience, this community, everyone knows me as the co-founder of BlackCloak. But Danny, go ahead and tell people who you are. Yeah, well, it's

Daniel Floyd   03:04

great. It's great to be here. Yeah. So, Daniel Floyd. I'm the CISO here at BlackCloak. As Chris mentioned, I started my career in systems architecture, did about a decade of network admin, sysadmin. And then, you know, really got into cybersecurity, passion really around pentesting, penetration testing, exploiting networks and home networks in particular. And then, you know, more recently, I've been focused on doing the more executive side of things as the CISO here at BlackCloak. So it's great to be here.

Marco Ciappelli  03:34

Very cool, Chris, and what have you been up to? I mentioned, we've been talking about this venture before it was even a reality. And I made the joke about predicting the future. And now all of a sudden, you know, I know you guys are doing super good. And it's kind of like, wow, thank God that somebody thought about it. So what's going on? Yeah,

Dr. Chris Pierson   03:56

I mean, you know, so to reintroduce the topic, I mean, we are digital executive protection. BlackCloak protects your corporate executives, your high profile individuals, your board, your executive leadership team, those 50 7500 200 people at the company that are the people that really have a larger attack surface than everyone else, except the nuance. You know, and you guys knew this early on, I mean, literally, early on sitting on a sofa with me back in the day, before anyone else knew what we're going to do. The nuance of it is this: not inside the four walls of a company, you already got all that covered, you got plenty of great products and technologies and things you can leverage to protect the inside of the company. BlackCloak is digital executive protection for the outside, for the other 12 hours a day, for that which cannot be controlled or protected by the CISO, by the team, by the folks there, protecting their privacy, their homes, their devices, their peace of mind and their personal life. And when I say them, I mean the executives and their family, husband, wife, spouse, kids, significant other, that whole enclave, so that it really forms a hardened target around them. And, man, I mean, since, you know, it's like the past few months have we got stories, and now a lot of the stories are public. But it's super exciting, you know, predicting the future, showing and telling the story of what we wanted to do, what we were seeing, and now we're here and I think everyone sees this. And I was like, huh, that's a risk we need to go ahead and take control of.

Sean Martin   05:29

So Daniel, what the future is now? Right, so. So where are we sitting? What's the reality that executives are having to deal with? such as yourself?

Daniel Floyd   05:43

Yeah, so what, you know, we just saw, you know, very recently, in a very high profile breach that may have occurred with a certain password management company. And, you know, the home networks are the targets we're seeing. Again, the home network is the entry point for threat actors to gain access to corporate devices, corporate secrets, and pivot into the corporate infrastructure. So the four walls of the perimeter, the old moat and castle design and network security design, is a thing of the past, right? We have our entire C suite, high access employees, high privilege employees are all working from home, they're remote desking, they're working from, you know, all over the world really. And then their traditional network security in four walls does not work anymore. And we're seeing that the personal devices, personal networks are in play from a threat actor perspective, and it's definitely a valid attack surface that we're seeing more and more get hit.

Sean Martin   06:48

And what are you hearing from from some of your peers that have experienced this? Or? Or knows you didn't either had it or know somebody who has one of those things? What are some of the stories you're hearing from, from folks you chat with?

Daniel Floyd   07:05

It's sorry? What are some of the stories that we're hearing from

Sean Martin   07:09

that you're hearing from some of your peers that that have experienced or know somebody who has experienced this?

Daniel Floyd   07:16

Well, yeah, so, you know, obviously, the biggest concern that we're hearing is, the traditional model of knowing where your assets are, knowing what your assets are that you have to secure, goes out the window when it comes down to your employees working from home. You know, every home is what I call kind of a snowflake. Even when you can baseline across your corporate infrastructure, you know, the types of devices that your executive team, senior leadership team is using, as soon as they go home, that home network, you have 10 executives, every one of their home setups is a complete snowflake. And what I'm hearing from, you know, peers in the industry is, how do we handle that? Right? Like, it's hard enough having to figure out how to do asset control for the 10 offices we have. And how do I extrapolate that out for every single employee? And know that employee A has this type of setup or this type of equipment, and be concerned about what the attack surface is in those homes versus what employee B, employee C or, you know, high privilege employees have across those different attack surfaces? And then also their concerns really are: what can I access? And what's the right level of separation of privacy, and church and state, between those employees, and what level of visibility I might even be permitted to have. So it's really a problem of kind of the fundamentals of IT security, and being able to do, you know, asset documentation and understanding what even is at their homes.

Marco Ciappelli  08:57

And I think that's it. I love that you said this because I was gonna go to Chris with kind of recap in that concept that we've discussed many times on how you draw a line, when it comes to the company check in on you, which is what Daniel just said, and how you always said, you come in, you need a third party company to take care of that. So a little refresh on that approach for those that haven’t heard the story before.

Dr. Chris Pierson   09:22

Yeah, so think about it this way. I mean, every single employee has a health care plan, right? The company decided, are they going with, you know, your mana or Blue Claw cost, whatever it is, they decided what plan they're going with and all the rest. They provide that to employees, a healthy, happy employee population, even executive team population, maybe at the Mayo Clinic booked to do physicals and extra special, you know, AIRCARE there, but they've decided that they want healthy employees, that the health and wellness there in their personal life will transcend back into the company, right? If the CFO is not dropping dead because of a heart attack or a stroke, then you're going to have a much better corporate plan and a corporate vision, but you have to have a Shem, that you can't do it yourself, you the company can't actually have your own pool of doctors that you employ to go to their homes and do that, it's got to be separated. Same thing on the cyber side. And we've seen this model in terms of physical security, in terms of healthcare, in terms of a number of different things. And so we basically took that same model that says, hey, your executives are being targeted, nobody cares, as a hacker, a nation state, nobody cares that they're in their personal life, it's even better, even easier to hack them there. Instead of $100 million worth of cybersecurity, we get $5 to cybersecurity we have to contend with. And so what we do is this: we take over the other 12 hours of the day, we never touch a company device, company server, company email, we never ever set foot inside the company, we have no data risk whatsoever to the company, because we have none of their data.
We're keenly focused on the executive, their family, all their personal devices, all their personal addresses, phone numbers, the data broker, all of that information externally, and all their personal homes. Let us secure that. What I hear from CISOs each and every day and from other partners we have is, man, this is a pain, I don't want to be on the phone with the CEO's husband or wife, I don't want to be on the phone with the CSM, CFO's significant other, it's not a good position to be in. And I don't want my team's time being wasted in an environment we have no control over, no controls in, and don't really want to see any of that personal information whatsoever. We want to protect their privacy, we want to reduce our risk. We don't want to have the pain of handling it. And we don't want to have the expense of hiring 5, 10, 20 people that run around-the-clock shifts to go monitor our executives. And that's where BlackCloak comes in.

Sean Martin   11:41

And Chris, I mean, yeah, hopefully nobody has information out there that they don't want out public. But the reality is, it's out there. I mean, you know, Marco's MySpace password. I remember that. Yeah.

Marco Ciappelli  11:59

I got it back, by the way. I'm reprofiling. So

Sean Martin   12:03

that's right. So I guess my point is, the company doesn't want certain people in their data space. But the reality is, their executives and high profile leaders have their information out in the public through their home network. And if you can get at it, so can the bad actors, right, so the so can the cyber criminals? So talk to me a little bit about that. And because it's not just breaching a system, which again, if there are little, little to no protections, that's one thing, but there's phishing and business email compromise and a bunch of other things that uses information. That's public, right?

Dr. Chris Pierson   12:46

Yeah. So when you think about it, the executives are out there, in the public purview. They're supposed to be, that's what they're paid for. Same thing with the board and some of the executive team leaders. Those individuals have an attack surface that is massively large: people know what address they have, what their cell phone is, what their home phone is, what their email addresses are. You can't remove it 100%, right, nothing's 100%. But you can greatly reduce it, so you mitigate some of the risks. But because of that, it means that their devices, it means that their personal email that you might be able to, you know, get to and send a phishing email to, or their personal cell phone, you send a personal phishing message, it means that you can reach out and touch them and cause real world harm on those devices. It might be a financial risk to them, it might be a, you know, extortion or ransomware risk to them, it might be that they actually compromise those devices to get into the company. So any one of those things are issues, or reputational risk. Let me give you two salient points, Twilio and Uber, right, just this summer, right? Obviously, September hacks occurred. And they happened because the cyber criminals targeted the personal cell phone number in Uber and Twilio. And in one, they targeted the personal email addresses of key employees at those companies, they sent them a flood of hey, you have to go ahead and verify dual factor, verify dual factor, verify dual factor, just kept on flooding them. At some point in time, some employees clicked on that dual factor verification, they redid their username password from deep web, dark web, and that enhanced it. And so as a result cybercriminals were able to sign in as an actual employee, that employee that they took over, and get into and across the entire environment, probably a number of controls on the inside that didn't work as effectively or as well planned, because they basically got access to everything.
But it was a target the soft underbelly of the company, which is them in their personal life, and get in. And as Danny said earlier with the LastPass breach, you mean one of the four key individuals, a wide open, right, unpatched Plex server running on a computer, and you get the computer, you get the key logger on the computer, you have the corporate credentials, you then go ahead and transfer on in into the company. I mean, it's just, that's a law of lowest common denominators, right, it really is.

Marco Ciappelli  14:58

You know, I was just listening In a couple of news where now today everybody's talking about faking voice, so that you get to the next level of social engineering, it was just professor says pant like a box and maybe like 10 minutes, they do an entire different persona voice and impersonation. So it makes me think like, Daniel, we talk about the future is now but then there is the real, you know, the real future, the one that still has to happen. How, how's things moving with all this acceleration of AI and maybe expanding even the threat landscape? Not just because it's a home, but because we don't even know where the stuff is going. So anything that you can, you know, that you see happening now you can predict?

Daniel Floyd   15:46

Yeah, I think, you know, obviously, what we saw with the release of ChatGPT really kind of exposed the masses to the capabilities of AI, and really brought it out to the world. The ability to do deep fakes and create really realistic looking content, both from a voice perspective but also from a visual perspective, is going to completely change the game. And not only that is the ability to have AI or a solution like ChatGPT generate phishing emails, and generate really realistic looking password reset emails, and, you know, that's going to completely change the game. And the kind of funny, interesting answer and solution to it is probably going to be AI on the other end, as we're going to see more defensive tools go into place to detect what AI on one end has generated, to prevent AI from, you know, passing a filter on the other end. So some of the things that you can do now, I think, obviously, is some of the stuff that's been around for a while: PIN verifications, callbacks. Everyone knows that you can spoof caller ID and call in. So instead of, you know, accepting someone calling in and saying, hey, it's so and so, you know, you say, okay, let me call back at the number we have on file for you. And then validate them via some type of challenge response code that doesn't just rely on their voice, or them calling in and you trusting the caller ID number. So there's a number of kind of old school methods that you can use to still, you know, validate someone in that specific model.

Dr. Chris Pierson   17:22

And what's what's super cool about this, and I totally agree with Dan was super cool about this, especially as it relates to like, let's just say voices and Voice Recording, out of every single person at your company, the key people are going to be your executives. And guess what, you can't stop them from talking, every publicly traded company is gonna have the quarterly earnings calls, you literally have the general counsel, the CEO, the CFO, the who's who the most important people, as a part of the executive team are always going to be on there. You can't tell them, Don't talk Don't this, don't that. So a whole bunch of advice against it says, don't do anything in public. How are you gonna have that happen?

Marco Ciappelli  17:56

Right? Don't go on a podcast? Yeah,

Dr. Chris Pierson   17:59

it's just not gonna happen. It isn't going to happen. It's something that you have to go yet harden the human, you got to put in defensive measures, but you have to proactively know it's going to be there and get ahead of it. I totally agree with what Danny says. But it's just some of the some of the other controls around this are laughable. I mean, you have to get out there as an executive, you have to be a salesperson that can't sell I mean.

Sean Martin   18:22

So Tom, tell me and then maybe I don't know if both of you have something to contribute to this question. But the conversations you're having with organizations? I mean, so you're talking about bringing in a service to help them look externally at the risks that they have, through their, through some of their high net worth employees and executives and things like that? How do those conversations? Go, Chris? I mean, who are you speaking to? And then kind of where does this fit into their overall program? And then maybe Daniel, you can kind of speak to, well, how does that fit into maybe security, management and security operations wherever those connections are made?

Dr. Chris Pierson   19:09

So when we take a look at things overall, right? Digital executive protection is executive protection, but it's the ones and zeros of it, right? So there's already models for when we're inside talking to folks at companies, we might be talking to the physical security side, the digital security side of it, we may be talking to general counsel, HR, we may be talking with the CEO directly, because they're the ones that are being impacted the most by it. It's one of those things where the resounding call is, we don't want to do this ourselves. We don't want to get involved in this. We want it, so we recognize and realize it's a problem. We don't have faith and confidence necessarily in terms of the degree to which the executives, board members, you know, all of these folks that are higher profile can protect themselves. And we want that risk reduced because we don't want to own it. And we also don't have a whole separate arm that's just operating in watching and binding and binding there. That's not, from a privacy perspective, something that is part of their values, is what we're hearing. And it's most certainly not part of ours. And so that's how a lot of the conversations start. And once you get to the what do you do? And more importantly, what don't you do, how you don't, right, harness any of their information, you're remaining privacy secure and privacy agnostic and really shrinking that? Totally. I mean, those are conversations that they love, love to hear. And at the end of the day, that's fine. It's a partnership, like, yeah, we're a tech enabled service, we're a platform, we're SaaS, all the rest of the day we're relationship. We have a relationship with the CISO, with the champion, with the executives, with the EAs. Danny and Danny's team has a relationship with all of those champions, they can call us, have meetings with us any day that they want to, we are their partner. If they have an M&A that they're going to do, we want them to talk to us.
And they all talk to Danny. When they have a RIF that may happen, unfortunately, we want them to talk to Danny ahead of time, so we can turn up our defense systems against the board and the executive team, the HR folks and leaders and stuff like that. We are a partner, we're a relationship person, we're a guide to the company and to that CISO, and that is so critically important. Sometimes beneath the tech, it could get lost. But at the end of the day, we're a relationship company.

Daniel Floyd   21:26

Yeah, and I think to capitalize on that, one of the, you know, I'm in a number of conversations and calls with the CISOs and security leaders of the organizations. And, you know, one of the common comments that I hear is, you know, I have trained staff, we've trained this InfoSec team on our equipment, on our technology. And to my point earlier is you don't know what's at our employees' homes, our senior leadership team's homes, and nor do we necessarily want them to be trained on those toys. We've brought them in and trained them on, you know, our specific EDR, our specific platforms, you know, they may be Active Directory joined Windows computers with, you know, CrowdStrike running on them and Cisco, you know, networking equipment. And then when you introduce a completely different home network with completely different technology, the team's not trained on that. So, you know, A, you want your team exposed to the privacy risks of your employees and their home networks and different devices that may be there and the things that may be on them, and B, you want them, you know, taking the risk on equipment they may not be trained on or technology they may not know anything about.

Sean Martin   22:38

And to that point, Chris, the kind of there's the technology piece and, and understanding how that works. But there's also the behavior, right? People will work a certain way in the office, they do completely different things at home. They're not being watched, right? So they do whatever they want. They they fix their own computers, they set up their own networks, they so the behaviors are different as well. I don't know if that that plays a role in I mean, companies don't want to see what somebody's looking home, right.

Dr. Chris Pierson   23:15

Yeah, I mean, what's what's most interesting there on the behavior side is this is that what we see across every single sector, and we have people in the financial sector, healthcare, retail, or defense, we got one of everything out there, you know, energy. One of everything, what we see is the behavior of executives, executive teams, board of directors, and those ELT teams, they all behave similarly, it doesn't matter whether you're the CEO of an energy company, or CEO or financial company. And the biggest behavior we see is they just don't have time for it. They are literally doing everything under the sun, that they can pour their heart and soul and energy into the company and into making it better and all the rest, they're always on, they're never off, there's never a second gear, or lower gear, I should say. And so their their behaviors are very, very much solidified on a, we don't have time to bind and bind this, we just want to make sure it's done. We want to work with you to make sure it's done. We want to make sure there's no friction in it. And as a result, we know we can get that reliance on a better state of cybersecurity. But, but you know, they always want to learn a little bit more and all the rest of their interest in that. But everyone starts out from that same grouping of they just the time element that it would take and be required to actually do some selves, they just don't have it. And so it's a little bit of a breath of fresh air. And the nice thing is this is that usually what they're used to in terms of pure cybersecurity is going to be loss of highfalutin controls, you know, sometimes more friction, more pain and all the rest and different policies and their personal life. That's not what they want. They just want to notice that they're safe and protected. And at the same time can do exactly what they want to do, how they want to do it. 
And remember, it's not just they themselves so that their entire family can do it is super important as a as a part of our mission and a part of what we actually deliver each and every day. Our team is Just you know, second to none second to none.

Marco Ciappelli  25:02

When it comes in mind the idea of concern, right? I mean, you, you, you're used to be treated in a certain way, but not just because you're special is because, again, you're busy, you can afford it, obviously, and you have to worry about other things, but your families, you can pay the consequences of it. So I like this idea that the company can just not do that. It's two different entity. I mean, it's, it's clear to me, but I do have a question for you. So my employees home has been breached. Now what?

Dr. Chris Pierson   25:36

Yeah. Yeah, you know, what's so interesting about that is, you know, whenever the RSA submissions were due, I don't know, you know, July, whatever it was, you know, we submitted for, you know, this year, you know, so privileged to be able to speak again, but we submitted for a, you know, your poison breach has been breached. Now what? We're good, whatever, six, seven months before, three months before Uber and Twilio, and seven months, or whatever it was, before LastPass. Yeah, we're gonna do a, I'm joined by my good friend, Jim srif. We're going to do a two hour learning lab, right, two hour learning lab. We do these each year on scenarios, so that we can prepare the next people coming up: CISOs, deputy CISOs, directors, security operations, threat intel teams, analysts, compliance people, lawyers, everyone is welcome. We grab you into a room, we have a really, really great scenario this year, we always put in our few little favorite jokes in terms of the company names, their little parodies going on. But we're going to put you in front of a live, real time compromise around an employee's home being compromised. Literally, it's LastPass written seven months, eight months before LastPass. And we're going to walk you through the scenario, break you up into groups, assign people different roles. You might get to be a lawyer, you might get to be a security person, you might get to be a CEO. And really fun, engaging. I think we're limited, I think we close the room at like 200 people is what I think we do, and we got two different stages to it. And it's a lot of fun. If you want something that is really exciting, really fun, we're Wednesday of RSA, 8:30 to 10:30 in the morning over in Moscone. And it's just going to be a lot of fun. You are going to work, right, we're not people that, people that don't come to this session that want to check email, you're going to be there, you're gonna be working, collaborating.
And what's cool is that you actually take away the real plans for what you want to do next in a week and a month and a quarter and a half a year and in a year in terms of what you need to do. And you've collaborated with people that you wouldn't have normally met. And so you can also, inside your group, like, business cards are getting exchanged left and right there amongst the tables, people with different things. Oh, that was a good idea. Hey, you have a great mind in terms of this. Wow, the way you look at compliance with security architecture, wherever, is great. And it's really, really kind of, quite honestly, an intensive two hour team building exercise. And it's Chatham House rules. So it's a really great time and effort. We love it. We're looking forward to it. We hope, I mean, we hope all your listeners will come. We hope the room will be packed. Usually each year we get a line outside the door. But it is, it's really intense and fun.


 

Marco Ciappelli  28:16

You know, I've always dreamed about a Dungeons and Dragons of cybersecurity. That sounds like exactly it.

Dr. Chris Pierson   28:25

If you want to think about it that way, Marco, that's great. Yes, we do. We run the RSA Dungeons and Dragons show there. Yeah.

Sean Martin   28:33

Well, I want to go to Dan, and maybe he can bring in some Dungeons and Dragons lingo. But I mean, as Chris was describing that, I was picturing a tabletop exercise, he even used the word table, right? This is so different from a traditional security management, security operations, security response tabletop, right, that most companies would deal with. What are some of the other, if you can highlight some of the main differences there, what people have to talk about and think about, and who they have to talk with and talk about it with?

Daniel Floyd   29:05

Yeah, so, you know, one of the things that we actually offer when we do talk to the CISOs is we could come in and actually assist with the tabletops part of the SOC 2 Type 2 compliance and other compliances that are required to do, you know, kind of thought exercises and tabletop exercises. And one of them is kind of a scenario where you have your employees and your high-access employees. We put it out there on LinkedIn, we put it out there on the About Us page, right. So what the attackers are doing is they're gaming the game, learning who the employees are, or if a new employee starts, then going into the data broker sites, pulling all the data broker information about that individual, getting their personal email addresses. Usually their corporate email addresses don't have as many data breaches, but their personal email addresses may have, and then they're able to get passwords associated with their personal email addresses, and then pivot those into, say, their new corporate email address, their VPN login, or Office 365 login. So we can do a tabletop exercise where we say, you know, we have a high-access employee whose personal aol.com email is in a data broker site, and then it's also on a dark website with exposed passwords. What do we do? Right? What's the exercise here? It's actually led to a breach, or, you know, it could potentially be an IP address that was identified on one of the dark websites as part of a different breach, and it allowed the attacker to then gain access into their home network, because they're using the same password on a VPN or a Plex Media Server. So we can do different tabletop exercises on how attackers are pivoting through these different types of, you know, OSINT-available materials to gain access into the networks.

Marco Ciappelli  30:57

So it makes me think of something, and we know, I mean, cybersecurity, we started thinking it's all technology, and then we figure out it's all the humans and technology, kind of. And when I think of working in the homes, and again, you know, all the things that you say, Chris, it's how much you have to adapt the relationship that is normally the business relationship with these companies, when you're dealing with the individual, the family. I mean, is it hard to get them to all cooperate? I mean, are you, you know, I mean, is it a struggle? Is it that the kids try not to do things?

Dr. Chris Pierson   31:36

Yes, it's a really, really good question. You know, when I said relationships early on, I really did mean it. It's literally right from the start as part of BlackCloak. We have a kickoff call with that champion, that CISO, their team, Dan, the director of our Security Threat Operations Center, salespeople, everyone around us, Rose, our customer experience officer. And we are all there on our side with them, talking about what things are happening in your area, what things are important to us, making sure that we're making a unique experience that is deliverable to their unique executives. So we know about their executives beforehand. So we actually craft the plan together to go ahead and onboard their executives. It might be going through the EAs, it might be these executives first, these second, these third, the whole process there. A lot of what companies actually do is they end up protecting the entire family. Because, right, if you have one sick kid in the household, everyone else is going to get sick. Same thing. If you have one virus-laden, malware-laden computer, well, guess what, you're probably going to have an issue on the other computers and on the network. And so right there, the key thing is that as part of our onboarding, we actually have a 15-minute executive meeting with those executives. Sometimes it's hard to get to meetings, because they're busy, they're global, they're traveling around the world. But we'll actually go ahead and talk to them about who we are, what we do, what we don't do, what information we don't share, what information we don't collect, and we gain their trust, their peace of mind. And then from there, it's pretty easy in terms of the significant other and the kids. Kids are actually pretty darn quick. They come on board super fast.
And it's always that aha moment, when you get everyone around the table talking together. We'll onboard people one by one, or onboard the entire family together. It really depends on that relationship with the CISO, and knowing their executive team, and helping us make sure that the onboarding process goes smoothly. There are no onboardings that are the same as the next one. Everything is handcrafted for that environment, for those people, down to literally each individual person. Are they technologically savvy? Do they have certain weak points, strong points, all the rest? Danny's team, and griglia tone, our chief experience officer, they're just, you know, top notch in this area, and our corporate account manager as well, just top notch.

Sean Martin   33:54

And is there, I don't know, different environments more difficult, different industry executives, different? And I guess what I'm really thinking is more of a mindset there. Yes, there's a technical piece there. But do most, or what's kind of the ratio of "I know I have a problem," or "I think I might have a problem," or "not me, I don't have any problems"? And then for those, how surprised are they when they find out that they do?

Dr. Chris Pierson   34:32

I don't know. And Danny, maybe you go back and forth on this a little bit. But I mean, I would say this, that by and large, all the sectors behave the same, right? Executives behave very much similarly. I would say more so, you know, general counsels behave in the same manner, CFOs behave in the same manner. So there's more parity among kind of the class of your job role, so to speak, in terms of how you actually behave within that subset. You know, what's really nice about what we do is we start with our intelligence piece, and our intelligence engine gains their trust immediately. And so, you know, people aren't back on their heels, people are leaning in when they're working with BlackCloak. And we can show them and tell them what we can really do and immediately fix it. So it's got to go beyond that risk assessment mentality of "oh, here are your risks," or "here's the bad stuff we found." That stuff doesn't play so well. What's more important, and where you immediately gain the trust, is when it becomes "wow, I didn't know I had that." "Wow, I didn't know that my email had logins from Russia." "Wow, I didn't know that there was a separate DNS entry on my computer, and it wasn't me." You know, these are the things that immediately gain their confidence and really show them the value early on. Obviously, the CISO gets value, right? They're getting value, but making sure the executives understand the value that they get is super important as well. I don't know, Danny.

Daniel Floyd   35:57

Yeah, I think that you have some of the different types of individuals, right. So anyone who's ever been a victim of a cyber crime, whether they've had their email breached or some type of financial fraud, they usually get it right away. They understand the importance of cybersecurity. For people who don't necessarily get it, because they're not as technical, or they've never experienced any type of incident or event, you know, sometimes it's a little bit more tough, not the sale, but it's a tougher explanation to say why they may be at risk. But usually, once we meet with the team, and we can show them the amount of data that's available out there, or even just show them some of the things like how much location data your phone is sharing, and what's available just by showing them certain settings on the phone, lots of lightbulbs go off, right? They're like, "Oh, wow, I did not know that my phone could know this much about everywhere I went, or that it was tracking all my favorite locations." Another example of that is a lot of people don't understand how important it is to secure their mobile carrier, right. So the Verizon login, etc., you know, "who cares if they can access my Verizon account?" Well, then you show them what's available if someone gets access to your Verizon account: everyone you've talked to, all your call logs, all your text logs if it's been over SMS, the ability to port out your phone number, the ability to do a SIM swap. Once you explain that to them, and show that to them while you're securing the account with them, it really changes their outlook, and how they realize that this stuff is much more important and much easier to attack than what they thought it was.

Dr. Chris Pierson   37:33

And I want to keep an eye on what Danny said, a really short four-letter word: show. Can't tell, right? Executives don't want to be told. They are smart individuals that are exceedingly smart in what they're doing, capable, accomplished, all the rest. When you're able to bring them in so that everyone's on the same side of the table, and able to show them the risks, show them the value, show them no harm, that's when the magic happens. That's when you gain their confidence. That's when you become their trusted concierge. It's that show. And it's got to be that way.

Sean Martin   38:12

And so speaking of that, and then looking at the different roles that both of you kind of touched on, and I'm going back to your session at RSA, Chris, what kind of folks do you really want in that session, the 200 people there? Who do you really want, and do you want the legal and the ops and the HR? And who do you think you can get? And why does that matter, to have a mix? Yeah,

Dr. Chris Pierson   38:36

what we want, I mean, first and foremost, we want people that are wide awake at 8:30am with all the alcohol out of their system. That's not number one. Number two, we want people that are interested in the topic, that actually say, "hey, you know, this is an interesting topic. It just so happens that a few weeks ago we read a story about LastPass where this is true and it's happening. Maybe I should update my risk registry, maybe I should come think about this differently. Maybe I should engage in a two-hour tabletop learning lab session, where we actually go through a real scenario and learn something, bring something back," all the rest. Quite honestly, we want some people from cybersecurity. And then we want some people on the infrastructure side. We want some people from compliance, from legal. We want people across all different spans. We want people that are all different kinds of, not ages, but all different types of levels of sophistication and expertise, and then places in their career. And we actually do a really good job making sure that room is always, always diverse. So we want people that are genuinely interested in this topic, in bringing something back special to the organization, saying, "hey, have you thought about this?" Last year we did a cybersecurity Jenga, and we did third-party supplier risk, and this was actually before the third-party supplier global supply chain hacks that actually happened, once again kind of predicting the future. I don't know if you guys remember, this goes back, you remember when the guy landed the drone on the White House lawn? We actually had put in for this speech, and it was two weeks before RSA, we did a "Hey, drone: legal and security issues." And then the guy lands the drone on the front lawn of the White House, you know, packed audience, packed audience. So we do a really good job with that.
We just want people that are there, that are excited, energetic, want to learn something new, want to collaborate. This is a laptops down, email down, get into the fray, learn something, debate, discuss, you know, we just want people that are energized about the topic,


Marco Ciappelli  40:30

which you would hope that if people are up at 8:30 at RSA, they are interested in the topic to start with. Plus you predict the future, so I'm expecting you to give lottery ticket numbers so they can win. Well, I don't know. Give it a go. If we

Dr. Chris Pierson   40:45

If I actually think, if I think I'm going to be good at that, I might keep that one to myself. We'll share the cybersecurity knowledge, I'm going to keep it.

Marco Ciappelli  40:54

Fair enough, fair enough.

Sean Martin   40:56

Well, if he can predict the future, he may as well. You can use it and then share it and let somebody else reuse it. But in all seriousness, I just think if you go to the session, you get to meet Danny, right? I'm assuming Danny's going to be there.

Dr. Chris Pierson   41:14

Oh, wait, we have a whole bunch of people there from BlackCloak. So there'll be a good number of people to meet. But, you know, in and around RSA Conference, my friend Jim Shreve from Thompson Coburn will be there. He and I partner, we do these together in a non-solicitous fashion. We're always there, you know, kind of getting ahead of the curve: what is late breaking, what is new, what is something that actually is going to be something you haven't heard before? And like I said, we've been pretty darn successful on those topics that just somehow, you know, knock on wood, seem to come to the forefront.

Sean Martin   41:48

Super cool. Yeah, I'm glad you got another spot for doing this, this tabletop. I know they're always a huge success, and your sessions as well. We've had the privilege of talking to you over the years about the different topics you've brought to bear. And I mean, always educational, always informational, and most importantly, actionable, right? So Chris and Danny, it's great to have you on. There'll be links in the notes to connect with both of you, a link to your session at RSA Conference, a link to BlackCloak, so those who can't make it can still find you and all the good stuff that you're doing at BlackCloak to help them secure the executive at home.

Dr. Chris Pierson   42:34

Yeah, no, I appreciate it. It's always good to see you, Sean, always good to see you, Marco. I'm glad Danny got to experience some of this here with us today. Just, you know, the team is phenomenal, and knock them dead.

Marco Ciappelli  42:46

Absolutely. Another story with you guys, with BlackCloak. So we are very excited. And, Sean, this is part of our conference coverage. So we, you know, we encourage everybody to check out what's going on, a lot of new things. We had a conversation with some of the organizers, it's already up on the website, so you can check it out and get a preview of what's going to happen this year. And of course, meet Chris, with Daniel. Meet Sean. The theme is, never mind me.

Sean Martin   43:20

I'm not, remind you, it's Better Together this year. This is the theme. So exactly, go. Well, I will follow that. Alright, thanks everybody for listening, and see you online or in San Francisco, wherever you might be.

show end  43:40

We hope you enjoyed this conversation. If you learned something new and the story made you think, then share itspmagazine.com with your friends, family and colleagues. We hope you will come back for more stories and follow us on our journey. You can always find us at the intersection of technology, cybersecurity, and society.