Episode Summary

There’s always more to a cyber incident than meets the eye. MacKenzie Brown kicks things off with Wes Spencer, VP of cybersecurity strategy at CyberFOX and founder of Empath Cyber, to talk about what it’s like behind the scenes of a breach, the importance of empathy, and why attacks continue to plague organizations in the first place. Are we failing at cyber? Tune in for their insights on the MGM hack, Wes’ three steps for how MSPs and organizations can learn to manage risk, and why the eighth layer of the OSI model is politics.

Episode Transcript

MacKenzie Brown: Welcome, everyone. This is the first episode of Return of the Mac. I probably shouldn’t introduce myself with a singing voice, I’ll try to hold it in. This is our very first episode. This is episode one, it’s our birthday, it’s our anniversary.

We really hope you don’t forget that it’s our anniversary. And we wanted to put together a podcast. I specifically wanted to put together a podcast, not because I like to hear the sound of my voice, but because I’ve watched and listened to a lot of blogcasts or vlogcasts, I guess, and podcasts, around cybersecurity. And it’s not that they’re boring. They certainly aren’t. And it’s not that they’re not informative.

But I want to keep things casual, in a way, and I really want to focus—The entire ethos of this show, of Return of the Mac, is bringing in guests, experts that are comfortable having these real conversations and demystifying things in our industry that are often seen as more complicated, and it kind of excludes everybody else in society. So we’re gonna make it a little bit more open. I want to have candid, not catty, discussions talking about cybersecurity, around breaches—yes, I said the “B” word—the people that work within this industry, how this all affects you, and ultimately, the listener, the practitioner in security, the leader, the business owner, or any person that even enjoys podcasts.

Maybe not murder podcasts, because not a lot of murder happens in cybersecurity. Right, Wes? I think if we did an episode maybe on, you know, like what was the craziest cyber tech person, John McAfee? That might be a good one. But we’re not doing that today. That’s definitely not our focus.

The goal with this is we’re all faced with the reality of what cybersecurity is. I want to make sure it’s a household name. And I want to make sure that we are serving all the people in these conversations, bringing light to the discussion a little bit, that this is the reality we face. And this is the reality you face. This is reality I face. So let’s take this casual approach. But, getting real with it a little bit more.

So before I introduce myself and my guest, I’m going to put in our very fun sponsor reel here, plug it in now, thanking our sponsors for this episode specifically, Blackpoint Cyber and CyberFOX.

Hi, my name is MacKenzie Brown. I probably should have started with that, but I think it’s better that I start with the why I’m here, and then you’ll remember my name. I am the VP of Security for Blackpoint Cyber. I am a little bit newer to the company, but I am having a blast already. Blackpoint serves the MSP community.

To be honest, I wanted to make sure that my first guest really encompassed all things of my path and my journey and how I got here. To this seat, these fancy background lights, and learning my 1080p methodology for how this podcast thing works. So I would love to introduce my guest, Wes Spencer. Hello, Wes.

Wes Spencer: Mac, thanks for having me on.

MacKenzie Brown: Well, without giving away all the good stuff, can you kind of introduce yourself for our audience?

Wes Spencer: I would love to. First of all, I can’t believe I am Episode One Guest. That actually means a ton to me, so thank you, you’re just incredible. When this thing is like, you’re winning Emmys or whatever the awards are that we win, for me to be able to say, I was on the first episode of that, that’s awesome.

So I am a cybersecurity nerd by heart, always have been. And over the years, I’ve become a little bit less technical, and I’ve learned how to speak the language of decision makers and speak the language of risk and learn how to communicate that to others that just don’t really come from that background. And I learned that that’s a unique skillset, and it doesn’t happen by accident. No one’s skilled at that normally. It’s something that, I’ve had years poured into it. And really, I think, if you boil so much of it down, Mac, I love the small business community and I love MSPs because they’re the heart and soul of it. And I’ve seen that they don’t have the resources, the skills, the expertise that the big orgs do that, you know, I’ve come out of, and you’ve come out of. And so there’s an altruism here to all of that. And I just, I love that opportunity. And so thanks for having me, and can’t wait to jump into discussion with you.

MacKenzie Brown: Yeah, absolutely. Should we talk about how we first met? Because really, there is a reason you are my first guest, because I would not be here or even at Blackpoint, to be honest, and meeting the MSP community without, I’ve heard your nickname, are you the mayor of the MSP community? Are you the president? The HOA president?

Wes Spencer: Well, I like to go—Yeah, you could call me the HOA president, I suppose. I typically go by dictator. I have this running joke of like, when I’m elected dictator, I’ll be your kind and benevolent dictator. All your cyber problems will go away. And I even created Dictator coin.com. I have my own crypto. I don’t know if you know that. Yeah, so I can make you, Mac, I can make you, right after this, a billionaire in Dictator Coin. And you know, it’s going somewhere. I’m sure of it.

MacKenzie Brown: In Dictator Coin?! I feel like that’s what all coin mining operations might actually start with. “I can make you a billionaire.” So let’s start there. Yeah.

Wes Spencer: I’ve sideswiped this whole podcast just to talk about Dictator Coin and pump it up.

MacKenzie Brown: Oh, and of course, my cat’s going to join me right now. And we will just ignore that she’s there for a minute.

Yeah, I mean, we first met, you came to Idaho, where I’m located, actually—public information—which is funny. Idaho’s a state in the United States. A lot of people don’t realize that we exist. It’s not Iowa or Ohio. I often get it confused for those because the words almost sound the same.

And you came and spoke at a cybersecurity summit. And then we met. And then you were like, hey, have you heard the MSP community exists? And I’m like, what’s an MSP? And I’m like, oh, wait, I know what that is. And then one step forward, we’re in Right of Boom. We’ll put in a plug later for the Right of Boom conference, I think. So everybody knows what that is. And I think everything was downhill from there. You really just opened up, I’d like to say, you’re my gateway drug, as they say in elementary school, to the MSP community, and ultimately to this new cyber role that I’m in. So thank you.

Wes Spencer: Well, you’re quite welcome. I mean, I didn’t do anything other than I heard you speak. And I’m like, holy crap, we have got to get her introduced into our community. So I remember beelining to you and I’d wait for a couple of people to finish chatting with you. I’m like, Mac, you don’t know me, but I do this podcast thing called CyberCall. And it’s got a whole bunch of these things called MSPs. And I would love to get you on and just, man, it’s so cool.

I had no idea what was gonna happen with all of this, but you’ve been good for us. You’ve been good for the entire community and so glad you’re in and among us. When I saw you landed at Blackpoint, I just was so happy about that. So nothing but congrats and you’ve deserved everything you got.

MacKenzie Brown: Well, thank you. It’s been a wild ride, for sure. I think the question I’ll never forget too is being on stage and asking, to get everybody warmed up, I’m like, is Die Hard a Christmas movie? And I was shocked by the fact that people didn’t think it was a Christmas movie. I think actually it is a Christmas movie. Yeah.

Wes Spencer: Well, it is. I mean, we all know it is. Anyone else that—God forgive them, but it is.

MacKenzie Brown: There’s a Christmas cartoon book out there. You can look it up, on Die Hard. And it comes with a little hanging Bruce Willis character guy that you can put on your window. It’s like the new Elf on the Shelf. I mean, it’s not, I wish it was. Yeah, that’s how I like to start every talk, is just let’s give some sort of hypothetical question.

Okay, well, what we wanna do is take some hot takes or hot topics of the week.

Wes Spencer: So many people just like to be contrarians, you know? They just want to find something to argue about, even though they know they’re wrong.

MacKenzie Brown: And I’ve got kind of a spicy one that I’m gonna bring in right now for our hot topic of the week. And I gave you a heads up on this because it’s spicy because it’s, you know, the oven is still hot. It just happened. And coming from the incident response world, I think you and I both really value empathy and having an understanding of the reality of what it’s like to be in the situation that this is in.

So, MGM. Everyone’s kind of heard of this. MGM Resorts International, a global hospitality and entertainment company. What was it? $33 billion net worth, I think. Something around that. Such a crazy number. And Monday was such a crazy day when this started hitting the headlines. But ultimately claimed to have shut down all of its IT systems after a cyber attack. I think they were not using the word cyber attack originally, but now the headlines have gone loose on this.

They haven’t really disclosed any details about it, but others within the media and the headlines are believing that it’s been carried out by a ransomware group. I believe now it’s an affiliate of BlackCat or ALPHV ransomware group. Essentially, it’s affected all of its operations and at a global scale too, kind of across the country. They’ve closed their casinos, their hotels.

I mean, I read that MGM actually owns most of the casinos now on the strip and some of those hotels, which is, that’s insane. Like that’s bonkers. That’s massive. You know, when you talk about this, the reason why it’s not just, I think more people are focused on the organization. That’s to me the shocker here, is the size of this enormous network and enormous, just, you know, acquired level of casinos is insane.

In Vegas, Atlantic City, a couple other locations, they’ve suspended a lot of their gaming operations. I mean, Twitter is blowing up with pictures of slot machines still being down. Employees aren’t at work right now for obvious reasons. There’s a lot of unsubstantiated things, I believe, unsubstantiated, because the incident response investigation is ongoing. They’re still working. I mean, they’re still down.

And we’re filming this right now, it’s a Thursday. So that’s a long time and I can only imagine loss of revenue and yeah, just insane. So given that, what are your first thoughts on it, Wes?

Wes Spencer: Well, mine are probably wildly different than literally everyone else on this one. Let’s unpack this for a minute. So much to talk about here. So first of all, I saw it and I had a visceral feeling of dread and sorrow. Not for MGM. Right. I think most people look at this and say, oh, you big company, you reap what you sow, especially this, you know, gambling and gaming company, blah, blah. And I get it. Like, I’m not saying there’s anything wrong with that kind of attitude to some degree, even though we don’t know the whole story.

But I had my heart sink. And the reason I did is one of my really good friends who I went to high school with and college with is there, I shouldn’t probably say his title, but very high up in IT over there. And even at one point ran incident response for them. So I’m just in a different position in the sense of like, this is one of my friends and I know what these things are like. You know what these things are like. Your life is gone while you’re dealing with this. This is not a clock in, clock out. This is like, bring out the cots. We’re not leaving.

MacKenzie Brown: This is going to be a long journey.

Wes Spencer: Right. This is the pressure cooker. This is, every news media agency on earth is pounding their doors. This is angry customers left and right. This is, I mean, it’s a pressure cooker. And so all I did was I texted him and I said, “Hey man, you don’t even have to reply back. I doubt there’s anything I can do for you, but just thinking of you.” And he wrote back with one sentence.

And I just I’ll share the sentence because it’s such a baller sentence. So he goes, “We were bred for this.” It’s all he sent me. And that’s all I’ve said to him, that’s it.

MacKenzie Brown: Wow. It’s definitely a mic drop moment.

Wes Spencer: It’s a mic drop moment. And I do think Mac, though, it brings up maybe a bit of a bigger picture here. One of those bigger pictures that I see is, you know, these cyber attacks, they do happen left and right all the time. We know this, but people don’t care about it until it becomes tangible to them, till it becomes visceral, till it becomes real to them.

It’s like, you already got me thinking on crypto because of the whole dictator coin thing. It’s like NFTs. Breaches are like NFTs. Hear me out.

MacKenzie Brown: Oh wait, wait. Okay, okay, hold on. Let me prepare for this. This is not a stretch.

Wes Spencer: Yeah. So NFTs, first of all, do you own any NFTs?

MacKenzie Brown: No, I’m sorry. No, I don’t. I don’t wear Adidas and a hoodie and walk around like a gangster. I mean, I am a gangster, but…

Wes Spencer: Oh, I mean, yeah, you are. I’ll see if I can bring an NFT up for you while we’re talking here. But the whole thing is, I happen to own a few NFTs, not because they’re cool, but because they’re nerdy.

But most people say what you would expect, which is, that’s dumb. What’s the purpose of one of these NFTs that you have? Because they’re not real. They’re just images, you know, and you saw that Beeple guy sell that, you know, first 500 days or whatever, for like a billion dollars. And people are like, the Mona Lisa’s never even sold for that. What’s going on here? And they can’t wrap their mind around it because you can just see a picture of it. Like, why did someone spend a billion dollars for something I can Google a picture of? And I’m like, yes, but you can see a picture of the Mona Lisa. Yet when you go to the Louvre and see it in person, it’s a jaw dropping moment because that’s the actual one, it’s the physical tangible reality. Every image you see is just an image.

What do I mean by this in cyber? In cyber it’s the same thing. People hear breaches and it doesn’t affect them. Until Colonial Pipeline hit and they’re filling their car, the bed of their pickup truck, with gas. Until gas shoots to 50 bucks a gallon—

MacKenzie Brown: They’re selling gas, yes. There’s some Mad Max stuff going on right there, absolutely.

Wes Spencer: And then you see pictures—go ahead.

MacKenzie Brown: Or the ransomware attacks on the East Coast, right, that were hitting, where they had to redirect patients to other hospitals. I mean, people don’t really, I see what you’re saying, they just read the headline and some of the details and they certainly don’t know what the response world looks like, or should I say recovery world, honestly, the restorative side, of really what it means until they’re trying to go to the hospital because they broke their arm and they’re going to have to go to a different emergency room. Or like you said, they’re selling, dealing gas on the side for $10 a gallon. Well, that’s probably not enough, probably $20, but yeah, probably higher than that.

Wes Spencer: Yep. Probably even higher than that, right. And we’re seeing this with the MGM thing. Well, we’ll splice in some pictures into this, I’m sure. But I’m seeing these images of people waiting in line to get checked into their hotel room because everything’s paper. Like, there’s no digital system right now.

Now this is to some degree cyber resilience in action, right? They actually have a paper system to get people to check into a room. It’s not efficient, but—

MacKenzie Brown: Some organizations can’t do that nowadays.

Wes Spencer: They can’t do it. But yeah, when you see these long lines and these pictures of people like as far back as the image shows waiting in line to get in, no doubt they’re angry and mad. No one cares until they’re impacted by a cyber attack. That’s the thing. And you see this tangibility come out in this. And so that’s the big thing I wanted to chat about.

MacKenzie Brown: Yeah, I’m impressed that it’s probably the first cyber thing I’ve seen show up on TikTok too. I mean, we were talking about conspiracy theories and things that are going around on TikTok, but to be honest, like when it comes to cyber, you know, unsubstantiated thought processes, Twitters, sorry, not Twitter, X—we should plug in some sort of sound effect every time I say Twitter over X—but you know, we’re going to see a lot of noise.

And that’s the hard thing, is it desensitizes. We’re already desensitized to cyber attacks, to the B word, to breaches, to the things that go on in the world. Whether you are a parent driving their kid to school and you hear about it on the news, or you watch it on the Today Show briefly and then they move on to the next segment, or you’re an actual security practitioner, where you’re just in general maybe a little bit more pessimistic, but desensitized to the feeling of it.

And like you were saying, it’s way bigger than what people realize. It’s way bigger than a two-minute news segment, probably not even that long, or a one-minute time to read an article that gives no information. Or sitting on X and reading a bunch of posts about it like, oh, it was probably a help desk employee or a 10-minute conversation or it was phishing. And maybe, yeah, maybe that is the reality of it, but yet we’re still doing this opt-in world around cybersecurity and not—we need to sensitize it. We need to bring that emotional response a little bit back.

Wes Spencer: We do, and you know, the other thing I think is helpful is, we should use this as teaching and learning moments, right? So my LinkedIn, my Twitter is just eaten up with MGM right now, which, again, I don’t think there’s anything wrong with that. I don’t think there’s anything wrong with people, you know, prognosticating on how this could have happened.

Where we cross a line is when you start seeing vendors jump in and say things like, well, this wouldn’t have happened if you’d been using us, right? Like, Oh, if you’d used our training platform, then your people wouldn’t have clicked on that, or taken that phone call, blah, blah.

You don’t know that. And yeah, you see the ambulance chasers of the digital realm, and no wonder no one respects our industry when we do that, and then sort of attack our own. You know, I promise you, there’s more behind the scenes of what happened here than we’ll ever know, because that’s just how these things are.

We were just talking about a major, major event that happened a few years ago. I won’t name the name of it, but I promise you, if you’re listening today, your data was stolen from this breach that I’m talking about. I just promise you, it was that big.

And I have a friend who was involved in that one who was running cybersecurity for them and he made a comment to me. He said, you know, there’s much more behind the scenes of this thing. And that’s the killer, is that everyone blames us for this Apache Struts thing that caused it. How could you have let that happen? It was so simple. You could have stopped it. So obvious, you knew about it.

He’s like, yeah, but behind the scenes, there’s politics. And because of these politics at a very high level, that’s what led to this incident. That’s what led to us not dealing with it. And I can’t talk about that publicly.

And that’s sort of like, you know, there’s a layer eight. You know, you talk about the OSI layer, you know, the very top above application layer is political.

MacKenzie Brown: Layer 8 gag orders and NDAs. Yeah, gag orders, NDAs, and I’m sorry, your role is no longer needed in this company. We are reducing it to non-existence.

Wes Spencer: Yes. So I don’t know about you, but I think there should be a healthy degree of empathy that comes alongside all this too, right, of like, let’s not pile on overly bad, but let’s definitely talk about it. You know, that’s to me, the big story here is let’s be careful on how we say and what we say on this thing.

MacKenzie Brown: I mean, coming from the incident response world, I can’t tell you, especially when I was on call on weekends, getting on the phone with an attack that was escalated up to our team to perform an investigation.

And I have to put on this almost ER-like face and persona to a call, a video conference that would be in the middle of the night, 30 people around a conference room table that had been working all night long trying to see if their backup still worked or trying to pull off some semblance of trusted and secured assets that they could protect at that point. And I’m supposed to just come in and be like, howdy, duty, how you doing? Because they’re not doing good.

And that EQ that you’re talking about is so important. And it’s important not just when you’re in a position where you’re getting on calls like that and you’re working with people who are like, am I gonna lose my job? Was this our fault? We don’t know, because we’re about to go down a two week long investigation, so we don’t even know the root cause. Or how is this going to affect not just our jobs, but all of our customers’ reputation?

I mean, we’re gonna get into a lot of that with the topic today, but I see what you’re saying. I think we need to make EQ cool again, or bring it back. Especially in the cybersecurity community, it’s easy when you do certain jobs to start to become a little bit more hardened. But, no pun intended, but you definitely stop remembering the empathy part of it, which is also why I love that you’re my first guest too.

Wes Spencer: Aw shucks, but no, I think you’re exactly right. The other thing I’ll say about this one, too, and I’m sure we can move on, but it is a teaching moment for non-technical decision makers, right? They need to understand the correlation here between why—let’s talk about the motive behind the bad guy for a minute, right?

So the reason that they’re doing this, we all know, is to make you pay up to get out. Right. But the reality of what these bad guys are doing, and you see this play out here, is they want to put you into pain so that they can entice you to pay them money to get out of that pain. Like the whole premise of ransomware is temporary discomfort and temporary chaos to pay you to get back out of it so you can go back to operation normal, right? That’s what bad guys are doing. If it’s not ransomware, it’ll be something else.

That’s what they’re doing, is they’re financially motivated and so they’re saying well from a digital perspective, if I just shut your systems down and lock you out of them by encrypting everything, and you pay me to get out, I can give you this promise of everything will go back to normal, you’re gonna want to pay me.

And so I think it’s important that like decision makers understand that’s why this stuff matters, is because people say, well you know I’m not MGM, so I don’t have their kind of money and I don’t have any data they care about.

Well, sure, other people may not care about your data, but you care about it and you’re making business off it. And by the way, you’re—oh, I’m a $2 million business. That’s all, I’m not worth much. Well, did you know the average salary in Russia is like $14,000 a year, US, if you wanna compare it. So $50,000, $100,000, $200,000 ransom is life-changing money for those bad guys.

So we just really have to reframe all of this and understand you are a threat, and that’s why ransomware is the choice du jour, because it works well to push you into pain, to entice you to pay.

MacKenzie Brown: And they have great customer service, probably better than an IT guy you might email because your mouse isn’t working. Like they will absolutely make sure that they’re able to assist you in all issues to make sure that you end up paying that extortion fee. It’s crazy. This is the world we live in. But I love it.

Wes Spencer: Well, if only we could switch them into making it Dictator Coin to pay, you know, because then we’d be rich.

MacKenzie Brown: I know, could you imagine? I think you would be retiring then at that point. You’re like, look, I’m empathetic, but in the same vein, look at this coin, gee, I’m making.

Wes Spencer: I think I minted like one quadrillion or some stupid number. So like, hey, man, all we need is to get it to one cent and then I can be a quadrillionaire. Eat that, Elon.

MacKenzie Brown: Just one cent. All right, so maybe I’ll plug it into the sponsor reel for people to go out, Dictator Coin, so Wes Spencer can retire forever and buy an island. Perfect, perfect.

Well, you know, I actually love this MGM discussion just because we’re bringing it down a level, we’re normalizing it. It does affect every person that would be listening to this in a way because we want to wake you up and make you realize like, this isn’t just cybersecurity. It’s not just “everyone’s responsibility,” but this is how the world is working now when it comes to a lot of these criminal organizations and syndicates that are basically extorting any sort of organization, business that you are going to solicit. So your data’s out there, this is the world, privacy, risk, all of that is going to start becoming a lot of more household venture names for people.

Moving on to our topic. And thank you again, Wes, for being here. I wanna get right into it. Our topic today is really a little bit of everything and anything that is going to be general cybersecurity of why, why is this going on? And I know that feels like a vague general topic for the first episode, but I wanna get everyone warmed up. I wanna get everyone hooked on this a little bit, so that we are not just demystifying some of these concepts, but we’re really breaking it down into a genuine candid conversation about why is this working?

So are we in a cyber hunger games? And Wes, are you and I volunteering as tributes essentially for the cyber hunger games? Are we failing at cyber? You know, coming from right of boom world, I could probably say, oh, yeah, we’re definitely failing. But I definitely feel the empathy and the EQ conversation or topic that we’ve been talking about there. And I feel like that brings me back to left of boom, but where are we going wrong?

Or are there things out of our control that impact the way that practitioners can do their job, the way that MSPs can do their job, and ultimately the way that small medium business, our governments, the SLTT community, how are they able to actually do their job in trusting, because maybe there isn’t budget, maybe there are politics, maybe we’re dealing with an enormous network that’s been hit with M&A over the course of five years, so at what point do you know what trust chains exist out there and what don’t? And yes, we still have a phishing problem.

So let’s create that visual first, lay of the land. It’s 2023. We have AI and ML, artificial intelligence and machine learning in every marketing pitch, of course. We have cyber syndicates and nation state groups with their own customer service processes.

Let alone, we have a full shelf of hacker opportunities for sale on the dark web, from initial access—basically they’re going to pay their way to get into your network because somebody already opened the back door—or they’re going to purchase your data that, likely when we’re talking about these ransomware attacks, that is unfortunately the reality of it too, is, if the data is taken, you can wait six months, it’s gonna show right up.

And then really have we normalized, regardless of the group, the effective attack campaigns of ransomware? And we have normalized that, and this is the lay of the land.

And cyber insurance as well, which Wes, you’re probably my expert there on cyber insurance when we need to plug it in, so people realize that. But before we do that, we’ve laid the land, here’s some additional lovely stats I’ve pulled as a part of this landscape.

So far in 2023, there’s been an estimated 800,000 cyber attacks. And the number is still rising because the year’s not over. So cool, cool. Every 39 seconds, a threat actor targets a business’s cyber infrastructure or just infrastructure in general, I would imagine. And an estimated 300,000 new malware is created daily. And 92% of that malware is, drum roll please, not surprising, delivered via email.

So these are just some general stats I’ve told you. 2023, thank gosh, we have AI supporting us and security monitoring, but still 92% of malware are successfully being driven and delivered via email. So this is, did I mention this is not a murder podcast, but it’s just as depressing.

Oh, and a talent shortage, right? We have a major talent shortage. That’s kind of what a lot of Blackpoint does. Our business, to be honest, is realizing that there is a talent shortage that impacts everybody. So the stat I actually pulled on talent shortage was, the current stat is the cyber workforce peaked at 4.7 million people. Could you imagine? That’s a lot of people at Black Hat.

And last year it was at its highest level ever, which we’re actually expecting it to rise again next year. So more people in this fun cyber game. However, we have 3.4 million security professionals that are still seeking jobs, and we’re expecting a 20% increase over 2021. So these are, we’re seeking cyber professionals still. So a lot of unfilled positions.

I don’t know where the disconnect is, I can make assumptions and we can talk about that. But what are your thoughts on just these initial, like here’s the world we’re living in, here’s some stats, this is normal, we’re desensitized, we need more people working in it, we have a lot of open positions. What are your first thoughts on this? Like, why are we failing?

Wes Spencer: Yeah, I mean, when it’s presented that way, it doesn’t seem like things are going so well for us, right? It kind of makes us ask, are we an embarrassment? Have we just completely failed from the beginning? I mean, one could argue that the whole reason this entire security industry came about was because of the genesis of how the internet was even created, you know.

It came out of DARPAnet, it came out of an open environment. Security was not built in from the beginning. It was a closed ecosystem, and then, I guess because of Al Gore, if we want to go that direction, it got opened up to commercial use and everything changed. And so are we still paying for the sins of the past?

Sure, but I actually take that a step back and say, why is it, Mac, that we still see so many breaches that happen, not because it’s some really crazy zero day, which happen and happen more often than not, but it’s because someone, you know, going back to MGM. If the reports from VX Underground are true, and they just literally made a phone call, why is it that in 2023 and 2024, I’ll just predict phishing is the number one or two attack vector and entry point? Why is that? Why is that after we spent millions and billions of dollars trying to correct and train our users?

So maybe it’s less about it being a cybersecurity problem and more about it being a human problem, more about it being an issue with us. And I don’t just mean like the low level employees that click on anything. I even mean security leadership. I even mean the leadership of the organization. And then that gets me thinking, and let me just trace this rabbit trail for a second.

What if it’s not, what if this whole, we talked about cybersecurity talent shortage and that’s true. What if we’re looking at cybersecurity wrong? I don’t have an answer. I’ve just been thinking about this lately. What if it’s less about cybersecurity being a tradecraft and more about cybersecurity being a skillset that we embed everywhere from the top down so we embed cybersecurity into the board itself? We actually have the board that speaks cyber, one or two people. What if we embed cyber at the C-level? What if we embed cyber at the mid management level? We embed cyber in everything we do.

Maybe we’ve been approaching this from the wrong perspective and we just, we say, oh, we need a cyber practitioner that does cyber in the org. Well, it hasn’t seemed to really affect too much. So I’m just thinking out loud.

MacKenzie Brown: Right? No, I completely agree. And my biggest thing too is we talk about things in this industry as if it is rocket science sometimes. And some stuff is, you know, we’re gonna go into like reverse engineering and decompiling malware and some of those things like, sure, yeah, that’s an expertise. But a lot of the things that we are looking at from a security perspective, monitoring, responding to, recovering, we can certainly lean on the IT guy to do that as well. And I think that there’s this misconception that cyber is almost more complicated to where other people in other roles can’t wear multiple hats.

One of my good friends in this industry is a CISO, but her entire background, and she’s worked her little back off to get to where she’s at today, to one of the largest hospitals now, and she’s amazing, like Beyonce level awesome. And she started in accounting, her entire background is in accounting. And I love, you know, that’s my big thing when it comes to diversity too, is different backgrounds because that actually benefits teams a little bit more when you diversify your background of education and how you look at things, especially in cyber.

But I think that we have to break down these conceptions that, you know, you have to have a cyber background in it because we all know what it looks like right now for academia and coming out of school with a cyber degree and going—once they get their first job, they’re basically learning everything from scratch anyway, the technology that we use…breaking down some of these barriers that we have people who don’t understand it, when they actually do understand it, that it is a part of their job.

And I started in my career working with IT guys and network engineers and networking teams. And I’ll tell you right now, a lot of them could have done the cybersecurity positions. They could have easily jumped ship, went over to the dark side and fixed some things.

I agree that we need to make a lot of the cybersecurity terminology and concepts at a higher C-suite level. So it’s not just executive buy-in. I shouldn’t have to explain it to you. They actually understand it.

And then you see the other side of it, where we have you know, this implementation of a curriculum at the elementary school level and at the middle school level, high school level, trying to get students who I think that is actually a good journey. I think that’s a good venture that’s probably going to pay some dues, but it’s not enough. I don’t think it’s enough. I don’t know. How do you educate everyone? How do you get everyone up to speed?

Wes Spencer: Yeah, you know, here’s what I’ve learned. It doesn’t happen overnight. It doesn’t happen in one conversation. You read any good marketing book and they’ll tell you it takes on average a message being sent to somebody in seven iterations before they start to recognize the brand. Same thing, I think, in cyber, like it might take five, six, seven, eight times of educating to get buy-in, to get understanding.

I share this story often and I’ll just share it again. I remember when I started at my bank, you know, my bank was run by, I’ll just say it, about twelve 70 to 75 year old white dudes. That was my bank board. That’s a shame. Yeah, it’s not right.

MacKenzie Brown: Wow, that’s crazy. I’ve never heard of that before.

Wes Spencer: Right. No bank would do that, right? I mean these guys didn’t even read emails. They had a secretary that would like, you know…

MacKenzie Brown: Did it look like when you walk into the bank in Harry Potter when it’s just…just like that?

Wes Spencer: That’s pretty much it. They might’ve actually been trolls. Yeah, it’s hard to say. One wonders, potentially both. Yeah. And I just, I mean, imagine being in a situation like that and you’re trying to explain cyber. It doesn’t work. But I will tell you this. I just was like, okay, fine. They’re listening to me because the regulators are mandating that I get 15 minutes a month with you. Okay.

So I just shifted gears and I went into the first five minutes of my 15, I would just share a news story that was related to banks and cybersecurity. And I’ll never forget the day when the bank president midway through this story, he just says, stop, pause. I was like, OK. And he goes, I’ve been talking about asset quality for years now, for a decade after this big collapse, you know, in 2008. He’s like, maybe it’s not asset quality, it’s cybersecurity that could shut us down.

I’m like…I just zip my lips and I let him go.

MacKenzie Brown: Oh my gosh, a light bulb.

Wes Spencer: A light bulb, and it took about seven, eight months of that, and I didn’t know it was going to happen, but I’m like, I don’t know what else to do. I can talk to you about risk all day long, but until you actually care about it and you can connect the dots between this mattering for your bank and not, I don’t know what else I can do.

So I feel like he led himself to that water. But I did kind of point the way a little bit just by making it relevant. So my point is, I do think it takes some time to get there, and we just we do have to be patient. We do have to be willing to say I tried once and it failed. I tried a second time. They didn’t listen. I tried a third time and maybe piqued their interest a little bit. Four, five, sixth, seventh time, and now they—

And so that goes into this whole like, training versus education. So often training is “You will learn this thing.” Well, that doesn’t mean anything to me if I don’t want to learn it. And it’s not relevant to me. Education is different. Education is, here’s something that can change you for the better. And I think we have to approach it from that perspective and we have to be willing for it to take some time to land.

MacKenzie Brown: There’s definitely a difference in approaching your employees and saying, hey, this is a new phishing campaign or technique on LinkedIn and Facebook. And just like, don’t click things. And here’s your certification button because you took this training and you took social media training.

Versus saying, actually, here is the exact steps for you to go set all the privacy settings on your LinkedIn and on your Facebook, and here’s some things that you should remove and consider, but actually doing more practical application, like that’s education. I completely agree. I think that’s the difference of, sure, we are training you, but it’s not so we can check a box, but it’s more so you can reduce your risk, individual risk, and then therefore, of course, any subsequent employment risk that the organization might face.

So that’s deep, that’s deep, man. But not really super deep, but deep in a way that no one’s doing it. Like no one’s doing things like that.

Wes Spencer: No, I think you’re right. I don’t think we are doing it, largely speaking. I mean, I think it was last month. It might have been two months ago. SEC just pushed out some new guidance saying that we are going to mandate that at the board level you have at least one person who has a qualified background in cyber, and I see that and I’m like, yay, this is wonderful. This is an exact example of them mandating and pushing through regulations, something that should have happened a long time ago. And I think those are the right things in motion to get this kind of set correctly. It’s just one example of we’re not doing this and I think we’re starting to see things are in motion. They’re going to change some of that in a good way.

MacKenzie Brown: Right, right. I mean, I won’t take over an entire episode, but I’m sure we could go down the regulatory route and really where we would like to see it go, because right now it is just checking a box and moving on and writing policies and saying we’re good. But I really, yeah, that would be…I mean, there’s some other things on the SEC thing, new rulings that have been a thorn in my paw that we’re going to have to navigate. But I would completely agree that having someone at that board level that has a cyber background, like mandating a CISO is the biggest thing. It’s just having a CISO for your company.

But if you think about it, that’s also not possible for some of these smaller to medium businesses. They can’t even hire an IT guy half the time. And so really this is, you know, a plug for the MSP space of having an MSP space focus on do we have a CISO if we’re a large IT service provider? Do we have a director of security or someone that is going to be our mouthpiece and someone that’s actually internally looking and assessing cyber and relating it back to our customers? That is extremely important.

Wes Spencer: Yeah, it is. And, you know, a good example of this, because I know we have a lot of MSPs listening, is look at the new FTC safeguards. The very first requirement that FTC says if you are an organization where safeguards applies to you is this, you must have someone responsible for cybersecurity. And they were smart enough to say it doesn’t have to be somebody inside your own organization. You actually can sort of like outsource that role. It can be a third party that’s responsible for it.

But then they say, in the same breath, they say, but you as a company are still responsible. You can’t just shop out, “Oh, I have a fractional CISO doing this for me. So therefore I don’t worry about it” any more than you can say, “Oh, I don’t worry about security because all my data is in the cloud.” None of those things are true. They’ve never been true. And so that, that’s the right start.

And then I’ll just say for you as an MSP, that means you. The day has now come as an MSP. You are not just IT management. You are not just handling tickets and hardware lifecycle. You have now stepped into a new era where you are expected, even from a regulatory perspective, to handle, to manage the risk, to communicate the risk of cyber to your clients. That means that you need to go down that journey of “Okay, I better learn cyber myself and I better start practicing it myself and I better start making sure that I have at least one person in my organization that is dedicated towards that full-time equivalent role of cyber risk management for my clients.”

And you may be a small MSP not there yet, but that’s the day that’s now come. And I don’t think that’s a bad thing. I think it’s a wonderful thing because it’s just as you said, Mac, they can’t do it themselves.

MacKenzie Brown: I think it’s a great thing. And it does sort of release the pressure, accommodate that talent shortage view. And we’re not saying just go hire a bunch of V-CISOs out there. The V-CISO game is going to go booming. But it is, in a sense, for the MSPs, is taking cybersecurity seriously, putting services in, doing assessments, maybe adding to your docket of things that you would provide for your customers or standardizing of—a lot of what I’ve learned within this community through some of our partners that do more standardization—of you have to have cyber insurance or you have to have some sort of incident response plan, that’s great.

But I completely agree, like this is the time and opportunity to reach into that talent pool and find someone and say we are gonna not just hire someone who knows cyber and that’s gonna examine internally our cyber risk and our attack surface, but they’re going to do it in a way that they can now socialize it with all of our customers and they can create those standards and they can be the job of a CISO in a sense.

But for more than just the MSP, but now the SMB or any downstream customers that they serve, I think that that’s going to be huge. And it also makes it so that the MSP CEO’s like, oh my gosh, now I got to jump into cyber. I’m going to go get my CISSP. I’m going to have to go attend all these conferences. Well, you should, but also, look into an option of just hiring someone that can fill that role and be that mouthpiece and be that shining light for your customers.

And again, going back to like, how do we educate this at a universal level? Because a lot of those downstream customers have no idea what you’re talking about. They just read “MGM was hacked” in the news and they’re like, “Wow. Well, we should cancel our trip to Vegas, honey.”

Wes Spencer: I love it. You should cancel your trip to Vegas. I hate that place anyway.

MacKenzie Brown: It’s so stinky. I remember when, you know, during the pandemic, we all remember things very vividly, but they did Black Hat virtually. And so we were able to do Black Hat virtually. And I was just thinking, I’m like, you know what I really need to do? I need to turn off my AC. I need to put a fan in front of my trash can in my house, just so I get like the really good essence of Vegas. And then I need to just smoke cigarettes indoors and have some blinking lines behind me and boom, I’m a Black Hat all over again.

Wes Spencer: How is it any different? That’s right. How is it any different? Yep. And then yeah, just had the lights on all the time because that place, you know, there’s never a window. God forbid they have a window in that city. I mean that just what could you do? Yeah, I’m with you. What a terrible place. I’m sorry if anyone likes it. If there are, probably the same people that think that Die Hard is not a Christmas movie is probably the same people that like Vegas.

MacKenzie Brown: Oh my gosh, I swear if that’s the category now, I’m gonna ask you, raise your hand if you like Vegas. I’ll say that at Right of Boom. Maybe we just, someone who has a mic is like, raise your hand if you like Vegas.

Wes Spencer: There’s probably a correlation. There’s a Venn diagram out there somewhere. Yes. So.

I like it. Oh, that’ll start another fight, yes. But then, yes, say keep your hand up if you think that Die Hard is not a Christmas movie. Yes, because you’ll probably notice the same hands.

MacKenzie Brown: Oh my gosh, that’s the true test. Like, all right, well I don’t wanna hang out with you guys then.

Wes Spencer: So speaking of true tests, I want to get practical for a minute on this conversation. MSPs in particular that are listening today or if you’re not an MSP and you work with one, you have an MSSP or you’re just small and mid-sized business, I think this all applies to you. As you may hear what Mac’s talking about here and say, this is the future and I need to learn how to manage risk, and regulations and cyber insurance and compliance are requiring it. Yes, yes, yes. But how do I do it?

Well, I think there’s a few prerequisites that you should work on, if you’re like, OK, that’s me, I gotta do it. First is, especially as an MSP, you got to have authenticity. You need to eat your own tacos in security. So you can’t just expect to go and say, you know, hey, you’ve got to be good at security but I don’t have to be good at security. That’s never gonna work. You’re gonna lack the authenticity.

And so I would just say, pick a security framework and follow it. And my recommendation for most MSPs is stick with the CIS Controls, Center for Internet Security. Pick those controls, go through them, and make it a commitment within a year to get through implementation group one, which is the very first group. If you need help with that, I’ve got a free podcast for you. It’s thecybercast.com. We do, it’s Andrew Morgan, it’s me, it’s Ryan Weeks, and it’s Phyllis Lee, who’s the director of the CIS Controls. We go through every single control. So you have the pathway.

MacKenzie Brown: And if anyone doesn’t know what that first control is, it is inventory and control of enterprise assets. It’s because I have it like a Michael Jordan poster on my office wall.

Wes Spencer: Good stuff. And also like the hardest thing to accomplish. It doesn’t help that I tease Phyllis all the time. I’m like, Phyllis.

MacKenzie Brown: It is, and it’s a constant control to accomplish. It’s a maintenance effort, by the way.

Wes Spencer: I’m like, Phyllis, we’re all snowflakes here. Could you switch it to something super easy? Like, I don’t know. Like turn your computer on or put antivirus on your computer or something.

MacKenzie Brown: Right? You get number one and number two done, maybe even number three, then the rest is actually not as complicated.

Wes Spencer: Yeah. So that’s the first prerequisite. You can’t expect to get your clients to do what you’re not doing. It’s like a rope. I can’t push a rope. I can only pull a rope. Same thing with your clients. You can only pull them with you. So don’t expect to be good at this if you’re not doing it yourself.

The second thing I think is valuable is understand the history of the relationship with your client and just come to terms with the fact that, it may have been for 10 years now, you may have just been in an IT relationship and just selling them things. Every time you meet with them, it’s about here’s the next thing to sell you.

So recognize your relationships you’ve had with your client and recognize that they may treat cyber as another thing you’re selling me, because that’s all you’ve ever done in the relationship. And then if you may be thinking, hearing this right now, maybe you’re driving listening to this podcast. You’re like oof, ouch. That’s me. What do I do about that?

Just recognize it. And come to the client and say, hey, I know that the history of our relationship has been primarily IT and sales based. But one of the things that’s happening is we’re now required to handle security for you, because you are a target and we are a target. And we personally at our own MSP have been going down the security journey of really building and formulating a good security strategy, protecting our own house. We got to do the same with you. And here’s a couple of ways we’re going to start with that, right? And if you’re not doing that, you’re going to struggle with it.

MacKenzie Brown: Oh, yeah. Definitely. I think the realism sets in, it’s a lot more palpable if you say hey, just go to the showroom of RSA and walk around and see all the companies that are selling you something that is going to solve a cyber problem. And it’s the only one doing something like this with this unique technology or unique algorithm that they have. But you know, the reality is, is let that soak in and maybe play Mad Libs or something, or Buzzword Bingo, and walk around and just see what it is.

And then go back to your hotel room and look yourself in the mirror and say, am I the problem? Am I the one doing this to my customers? Because that’s, I love that you said that. That’s something we need to fix is how we shouldn’t be selling cyber. That’s where we’re at right now. I would like us to just…It’s like we shouldn’t be selling eating healthy food and fruits and vegetables. People should be doing it and should have access to it, but I completely agree. That’s going to be a big one.

Wes Spencer: Yep. Well, and that brings up the third and final thing I’ll give you, because I just wanna give, there’s more we could talk about, but I think three things to focus on. The third is commit to being an educator. This goes right to what you just said, Mac, is understand that they’re not going to move on it probably right away. You’re gonna have to do some things like a good, you have to get good at risk, understand how to do a good risk assessment, show them where they stand, how they stack up to their peers, if they’re regulated, there’s compliance, how they’re stacking up to those things.

But you also just have to understand you gotta be an educator and you gotta learn how to teach why this matters. And you gotta, again, we’re educating, not training. I can train my dog. We’re not talking about, you know, here’s a little biscuit, go do this thing I’m commanding you, that’s training.

This is education that makes your life better. I go to university, I get a better job. I get out of the factory and now I’ve got a, you know, it’s more stable job that’s, you know, less difficult on my body, but that’s what education does. Same thing in cyber.

So those are my big three things. Commit to a framework. Then the second thing of just really trying to understand the relationship between you and your client and understand that it’s changed and you got to communicate that. And then third, commit to education. I think if you do those things, you’ll find that you’re going to have success in cyber.

MacKenzie Brown: I love that. Those are Wes’s three takeaways. I would completely agree with that too. Second one’s going to be a little bit more difficult. The third one is education, right? If you feel like you’re checking a box or having them check a box or sign something, then you’re not educating them to the why.

And I can only state that because as I’ve been kind of more in this specific MSP space, I’m painfully shocked by the amount of organizations that don’t even have antivirus on their systems. And we’re just going about our day. Like a basic level of endpoint security, they’re not even doing things like that. And then I’m sitting here promoting MFA and enabling that, but I’m like, but really? I mean, like AV? I’m not even saying, this is just like an airbag in your car, but let’s get something going, right?

Wes Spencer: Right. Yeah, I’m trying to think if like we relate to a car, what would AV even be anymore? It’d be like so useless.

MacKenzie Brown: Oh, it’s not the seatbelt, that’s for sure.

Wes Spencer: It’s like, I know what it is. The AV is like having a heater in Phoenix in your car. That’s AV, it’s that worthless, right? Like it’s there…

MacKenzie Brown: Oh, okay, yeah. It’s worthless. It’s gonna keep you going. Oh, I thought maybe it was like a broken AC unit in your car. So it’s still 99 degrees outside, but inside the car it’s 97.

Wes Spencer: Yeah, I like this train of thought. I’ve never really thought of—so maybe like, you know, your lane departure warnings, that’s like your MFA, you know, like because it is valuable and it helps to make sure you don’t make a mistake. You know, maybe your airbags are like your MDR, you know, like Blackpoint. You know, that’s my airbags to say when something happens, we’re going to take care of it, to make sure you don’t lose your crown jewels. Man, we’re going somewhere with this.

MacKenzie Brown: We’re gonna hit you in the face so you know something bad is happening.

Wes Spencer: But I maintain that classic antivirus like your Norton or whatever, I hope I don’t get sued for saying that, is like, you know, that’s definitely having a heater in your car in Phoenix. It’s worthless.

MacKenzie Brown: We can bleep it out like you said a bad word.

Wes Spencer: Yes. What was that, AV? He actually said?

MacKenzie Brown: I absolutely love that. All right, all right, so I do have a couple other things I wanna touch on. All right, we see this larger divide between the IT industry and the cyber industry. Let’s say your mom and pop shop in Chicago, but like a pretty big franchise, versus like national bank level.

Do you think between those, so meaning the SMB space and the MSP space who often source and serve both those large organizations, IT and security for smaller to large organizations or large businesses, do you think that SMB MSP space is getting the short stick in the cyber industry? And I mentioned this when you walk into RSA and you look around the showroom of just getting the realization of how much is being sold to you and is just purely sales.

But are they getting the short stick in a sense that it is not, you know, this goes back to budget, cyber is not affordable.

Wes Spencer: Yeah, I think so. I think there is a short stick that’s here. There’s some advantages that come with being small too, and I’ll talk about that. But I have noticed this, Mac, and I bet you’ve seen the same thing. By and large, the MSP, the channel, is what we call this. The MSP, you know, if you’re listening today and you don’t quite know MSP, and when we say the words, the channel, yeah, we just mean all these people that serve other industries.

MacKenzie Brown: Ding! Channel. Yeah.

Wes Spencer: And so I think the channel by and large, including the SMB space is about five to seven years behind what enterprise is doing. And this is a little key that you can kind of clue in on. What was happening five to six years ago right now? Well, I’ll tell you, one of those big things was security automation, right? Everyone had their SIEMs at this point, but then they’re like, well, how do we do anything with all of that? We got all these alerts coming in and we’re overwhelmed. We don’t have the staff.

MacKenzie Brown: There are so many logs, just don’t look at the dashboard.

Wes Spencer: Yep. So then all these SOAR, security orchestration, automation and response platforms came on and that’s why they all got gobbled up. So if that’s true, then about right now we’re going to see a big focus in security automation. It’s going to start coming into the market.

So that’s not the point of the podcast, but it’s just to say that I think we’re on average five to seven years behind what’s happening top of market. And it’s a bit of a mo-money-mo-problems thing in the sense of of course, the bigger industries are going to drive those things first because they’re operating at scale.

But also it’s just the reality that it takes time for some of the, to use a Reagan term, this trickle down to kind of happen at some point. Like, it does trickle down and it does start to become a requirement down market. So do we have disadvantages in that we do have the short end of the stick? Yes. Do we have less of a budget to spend on things? Yes.

But also, I’ll steal this from a friend of mine that works at one of the biggest banks in the world, an international bank. He made a comment to me, he said, “You know, sometimes when it comes to threat intel, I favor and value the threat intelligence reports coming from smaller organizations versus the big threat intel companies,” because you know your network and you know it’s real and you know what’s true, versus I’ve got subnets I’ve never even seen before inside my network. Like I’ve got locations that no one even knows that we own anymore. It’s colossally difficult to maintain and protect all of these assets because we got to do it at scale. You don’t. So we also have advantages that come with being on the short end of the stick too. So it kind of goes both ways. I guess is my point.

MacKenzie Brown: And where do politics fit into this? Organizational politics. We kind of touched on it a little bit earlier, but you know, where we’re saying like, are we the failures? Is it our problem or is there, are there other factors that are actually weighing against us? Budget being one of them, the industry, right? Five to seven years behind where we’re really at. And of course, your three takeaways too, which are, you know, and critical control, number one, that’s a lot for our users to take away, but are politics going to be a part, a factor into this?

Wes Spencer: You know, I hinted at this earlier. I just believe that it’s less a cybersecurity problem, more a human problem. And I think it will start to accept that reality. There are cyber issues there, for sure. But I mean, you can even theoretically, you want to get philosophical for a minute. Even zero days come from vulnerabilities in code, which people write. So like at some point, people become the problem to all of this. And so I think if we start at the people level and say, why don’t we really think about it from the people perspective? So, yes, if that’s the case, then politics absolutely are an issue.

I think the politics are a little bit different down market, right? Because you don’t have this power struggle at the end in the C suite of everyone gunning for each other’s jobs. And it’s like, you know, Game of Thrones up in here, corporate level, a corporate edition. But it’s probably more like, you know, the business owner at an, you know, at a client, the MSP service, like I’m not paying for that. I’ve never paid it before. No, we’re not a target. No one’s coming after us. No one cares about my data.

So I think at the political level, it’s probably a lot more of that or like FTC safeguards. Come on, man. They can’t regulate me. I’m a car dealership. I’m not going to deal with that. Whatever, you know, I’m a libertarian. I’ll just do what I want to, steal from Ron Swanson. Right? Love Ron Swanson, by the way.

MacKenzie Brown: I’ll sell gas on the side of the street.

Wes Spencer: Yes, exactly. What could possibly go wrong with this? So yeah, I do think largely politics play in but it is a different style of politics. Usually it’s the politics of like, prove to me why this matters, because I’m not just going to go give you money for the cyber nerd crap, unless I really believe that it’s a yes, it’s relevant.

MacKenzie Brown: Right. Make it relevant. I talked about this a little bit yesterday with our director of APG actually, and we did a job interview and then we got really existential for like an hour on the phone. But we were talking about how to make it relevant to the, even in the MSP space, is what we don’t see from our threat intel reports is really breaking it down, which is what we’re trying to do right now, solve this problem by verticals, and we’re breaking it down by you’re an MSP and you serve primarily healthcare, well, your job’s gonna be a lot easier because now that is what you’re gonna focus on from a cyber perspective and make it relevant to them.

And then you get that buy-in and not like buy-in, like sign the check buy-in, but you actually get them listening to the words that are coming out of your mouth in relation to cyber. And I don’t see a lot of that. I know that people are probably doing that to some extent, but it’s not socialized to the larger channel. I’m gonna learn everything new every time I talk to you, I swear, but to the larger channel, it’s like, who are the people that you serve?

And maybe it’s a mixture between education and retail, but by the way, at an integral level, like if we really wanna get granular, cyber does change when you look at these industries. Maybe the players are the same, but the dependencies, whether it’s a Swift system or a POS system, right?

We’re still, we still need to understand some of those and of course regulatory requirements, to understand some of those differences and they will listen then.

Wes Spencer: I agree and I also think to carry that birds of a feather do flock together. You know, like I saw some white egrets out yesterday and there’s like six of them in my yard. These like, these little white Florida birds peck at your grass looking for bugs, right? And these big long beaks and cool little guys. Although I bet they’d be good to smoke up. I would like to try to capture one. My wife didn’t like it when I said that.

MacKenzie Brown: That went from like 0 to 60. They’re such cute little birds. I’m gonna eat them, maybe, someday.

Wes Spencer: I want to put you in my smoker. I know she never likes it when I say that. Or we have these monster birds, these sandhill cranes, even bigger than that. These sandhill cranes are like, not including their big old long necks, just their bodies come up to like the size of like a six, seven, eight year old. They’re just massive birds. They’re basically dinosaurs. Yeah, people say dinosaurs are extinct. I’m like you’ve never come to Florida and seen alligators and these things. Anyway, apparently, the locals used to kill them and smoke them all the time, and they called them ribeyes in the sky. That’s what they called them. They apparently taste like ribeye.

MacKenzie Brown: I think just, if there’s not a, you know, county law against it, then bring some chicken wings or whatever they’re called wings.

Wes Spencer: So I’m just saying, you know, Mac, it just so happened that one found his way into my smoker and I closed the lid and started the fire. I mean, it just happened, right?

MacKenzie Brown: I was cleaning my smoker, it was crazy.

Wes Spencer: It just happened. Anyway, yes, birds of a feather do flock together and I think there is value in—you just got me on that. I just had to say it. There is value in that for sure. Like it brings in things like, hey, you know, other clients that are just like you are doing this. Well, I care about that. I want to know, am I ahead or behind? I want to know that.

I have a few MSPs that really focus on a certain industry vertical and they leverage that all the time. I know one MSP that does a phenomenal job of this. They actually assign their banks letter grades that are tied to regulatory adherence and maturity. And so they actually assign them a quarterly letter grade. And he’s like, let me tell you, when we get a bank to an A, they don’t want to ever go off it. And if we have a discussion—and he’s like, we use it in a pure sense, we don’t abuse it. But he tells them, “hey, you know, I know you guys don’t want to do this, but this is really gonna pull you guys down to probably, you know, an A minus or a B.” “Well, we can’t have that. We’ve got to do that.” And it works well.

MacKenzie Brown: Why does everyone love scorecards? I mean, I know we’re raised around grades, but that’s the thing in cyber. It’s like, I’ve learned that in the past, you know, 10 years alone, even on tabletops, they’re like, so how did I do? And I’m like, let me just count your points, see how you did…

Wes Spencer: Well, yeah, the reality is I’m like the last year, maybe the first year of millennials, right? So I’ll be the first to say we millennials and Gen Z’s and all of us. We’re all snowflakes. We know it. And we like to be told that we’re doing a good job and we like to get a good letter grade that’s given to us, whether we earned it or not. That’s true.

MacKenzie Brown: Yeah, we don’t want a participation trophy. We want to know if we can improve, which that does make sense.

Wes Spencer: But I do want a participation trophy too.

MacKenzie Brown: I also would like a trophy and a gift card.

Wes Spencer: Speaking of which, you think Blackpoint would give me a participation trophy for being the first guest? I’m just teasing.

MacKenzie Brown: Oh my gosh, you know what? Cody’s gonna make that happen, actually. We will order a little trophy and send it to every single guest. A participation trophy.

Wes Spencer: I love it, I’ll put it right here on my wall.

MacKenzie Brown: Okay, so I know we’ve gotten to this beatnik level. More existential than I thought we would get, which I absolutely love. That’s my style. And I’m probably gonna drag you on to be a guest one more time. We’ll see how this goes.

Let’s say you’re giving me advice and also our listeners advice and those that may or may not be rolling their eyes around some of the things that we’re talking about, like “Yes, we know these things,” and we’ve talked about kind of the deep factors that play a role and maybe our potential failings or absolutely our failings and whether or not we’re all going to go to Vegas next year. We’re still going to go, let’s be honest.

Can we leave the audience with some positive light? Or a hunger for more, if we wanted them to show back up for episode two, but to want to learn more, whoever is listening, about cybersecurity, what would that advice be that you would give them?

Wes Spencer: My advice, so we, we prognosticators like to just talk, big talk, right? And you hear all these things, and we can feel intimidated. We just often feel like there’s too much to do. This is like, you remember when JFK, I wasn’t alive for this. I know you weren’t either, but you know, when he had his famous, “We’re going to the moon, dang it. And that’s just what we’re doing. So we’re going to do it.” You know, he didn’t give the whole plan on how we were going to get to the moon and how you were going to beat Russia. He just sort of set the vision and said, “This is what we’re going to do. We’re committed to this as a nation.”

And it set us on fire to say yeah, we are going to do it. But there were tacticians behind the scenes that split up this lofty goal, this impossible literal moonshot goal of going to the moon. There are people behind the scenes that you’ll never know that were the ones that like, I made this one little part that got us there, you know, and I focused on that thing. That’s my thing in security is, understand that we talk a big game and we talk about a lot of stuff to do and it can feel intimidating just start somewhere and start small. I think that’s the big takeaway.

So if you heard a lot today on this podcast, go pick the one thing that came out of it that was impactful that you know you can do. And I promise you, there’s something for everybody. So whether that’s starting on the CIS controls or thinking about what your education journey and pathway looks like, or making sure every employee in your MSP is rowing in the same direction when it comes to cyber. There’s a lot, just pick one, just pick one and start working on it. And then that’s how we get it going.

MacKenzie Brown: Right? I would say come to a cyber event, like come to a conference, because again, people wear many hats, you’re trying to learn. That’s why I loved Right of Boom, like come to a conference and just sit in and absorb it all like a sponge. And then like you said, just prioritize, pick and choose the thing that you wanna focus on. And it’s not super complicated.

I used to hand out this book, I’d speak at these, you know, women innovator events for high school girls. And I’ll be like, come to cyber, it’s like really cool. It’s like trying to be cool in front of high schoolers. And that’s where I learned that Facebook’s not cool and Instagram’s cool. And now Instagram’s not cool, I don’t really know. So it really made me feel old.

Wes Spencer: Yeah, it’s basically once their parents get on the platform, it’s not cool anymore. I mean, that’s just how it goes.

MacKenzie Brown: Yeah, yeah, so I was trying to present in a cool way, but I would always give out this one book to them and it would be the Girl’s Guide to Privacy. And they’d actually really enjoy it. And I’m like, this is applicable in your life now. Yeah, I’d love you to go get a career in it. There’s lots of opportunities. But just read this book and realize that it is applicable to you. And cyber’s that. When you look at the CISO map of all the things in cyber, it’s exhaustive and it is scary. And we’re gonna break it down every episode at a time. But ultimately, pick something and go there. I love that advice. And then come back for more to this podcast, because I will bring on guests that will probably demystify more of these cyber concepts.

Well, Wes, thank you so much for being here. Seriously, this was fantastic. I love this. Hopefully we didn’t hurt any feelings, but I got a lot from this. So thank you so much for participating.

Wes Spencer: You are quite welcome. And I’ll just say just in final closing, thank you for having me. And if anyone does want to follow me in any other places, just look me up on LinkedIn or check out what we’re doing at Empath Cyber as well. A lot of what we’re talking about today are stuff that we’re actually solving for at Empath. So thank you for having me on today. And I cannot tell you how much of a fun conversation this has been. I know this podcast is going to blow up, so, yes.

MacKenzie Brown: This is so good. Yeah, and then by the time we get to the end of it, we’re gonna see the briefing of the MGM. Actually, probably not by the time this airs. This will still be ongoing. So we’ll just have like an update like it’s fantasy football or something.

Awesome, well, thank you, Wes, and thank you everyone for listening in. Be sure to join us for our episode two coming up soon. Thanks.
