Today we talk with Scott Alldridge, a cybersecurity leader with more than three decades of experience. The conversation covers the core principles of the Total Control Framework and the concept of Zero Trust, and how these approaches let leaders turn compliance into a competitive advantage. Alldridge argues that organizations need to move beyond traditional cybersecurity thinking and treat security as a strategic business discipline that is integral to operational excellence. We also discuss building a culture of cybersecurity awareness and the role leadership plays in it, themes every business leader must consider in an era increasingly defined by digital risk.
In this episode of Trailblazer and Titans, host Keith Haney speaks with cybersecurity expert Scott Alldridge about the evolving cybersecurity landscape. They discuss the importance of integrating cybersecurity into business strategy, debunk common myths, and explore the Total Control Framework and Zero Trust principles. Scott emphasizes the need for a security-first mindset among executives and the role of education in fostering a culture of cybersecurity awareness. The conversation also touches on emerging trends, including the impact of AI on cybersecurity, and offers actionable steps for leaders to enhance their organization's security posture.
Welcome to Trailblazer and Titans, a podcast where we uncover the stories and strategies behind today's most influential leaders. I am your host, Keith Haney.
Today we're joined by Scott Alldridge, a nationally recognized cybersecurity leader with over 30 years of experience helping organizations reduce digital risk and achieve operational excellence.
As CEO of IP Services, Scott has guided more than 150 clients across healthcare, finance and manufacturing to achieve regulatory compliance and cyber resilience. He's also a co-founder of the IT Process Institute and creator of the widely adopted Visible Ops methodology, which has sold over 400,000 copies.
Scott's latest book, Visible Ops Cybersecurity, an Amazon bestseller, redefines cybersecurity as a strategic business discipline, not just a technical task.
We're going to dive into the Total Control Framework, his Zero Trust principles, and how leaders can turn compliance into a competitive edge. Today's conversation is one every business leader needs to hear. So let's get started. Scott, welcome to the podcast.
Scott Alldridge:Well, thanks for having me, Keith. Happy to be here.
Dr. Keith Haney:Glad to talk about this. You know, we all love cybersecurity about as much as the next guy loves, you know, farm planning sometimes, so.
But I know it's something that we have to talk about in today's day and age of people getting hacked. So looking forward to this. And I'm a recovering computer science major in my background, so.
But that was when we had mainframes that weren't laptops yet.
Scott Alldridge:And now our phones, our cell phones are more powerful than the mainframes. It's crazy, I know.
Dr. Keith Haney:Isn't it crazy? So I'm going to ask you my favorite question, Scott. What's the best piece of advice you ever received?
Scott Alldridge:Best piece of advice that I ever received was somebody telling me that I needed to think about the bigger picture of life and I needed to contemplate if God had a plan for my life and what I'm going to do about it.
And the best advice I had was that I commit myself to having a personal savior, Jesus Christ, and following him and making him the number one priority in my life. So that that's the best advice and the biggest thing I've ever done in my life.
Dr. Keith Haney:As you think about that advice, it's always interesting because it shapes so much that we do. How has that shaped how you work in the field that you're in?
Scott Alldridge:Yeah.
And being almost more in the sciences, you know, there's, I think, a lot of pervasive thought that, you know, everything comes from and is based in the reality of science. And not getting into any apologetics here or anything, but I think it becomes clear that the more you know, the more you don't know, and the more you learn that there has to be a beginning of the beginning, no matter what you believe. And so it's been really interesting as that's come up in different ways.
But the big thing really is trying to live by what I would call biblical principles, you know, and the golden rule, right. We do unto others as we'd have them do unto us.
Some people make the point that's not actually quoted in scripture in that way, and I think that's true. But the principle is certainly there.
And so I think that becomes a guiding light, if you will, a guiding force in your life, that you try to live by those biblical principles the best that you can. We're all flawed, that's for sure. And so we do our best and we're thankful that we have a redeemer and a savior. So. Didn't mean to preach.
That wasn't my goal here today. But you asked the question, and I'm just giving the honest answer.
Dr. Keith Haney:I love that. I love that. So let's talk about Visible Ops Cybersecurity. It has become an Amazon bestseller.
What inspired you to write this book, and what gap were you trying to fill in writing it?
Scott Alldridge:Yeah, that's a great question. I also would note, Keith, I've been listening to your podcast a little bit.
I'd tell your followers to go like it and follow and give it five stars, because you've got some really good topics and good guests, and I've enjoyed listening to several of the episodes. Yeah, I kind of started out in technology as a teen-preneur, if you will.
I was like 19 years old and went into software, and I'm one of those guys that finished up my education later in life and so forth.
Dave, myself, since literally...
And so as we were rolling out various networks and things that we were doing, we were having to think about IT security and some of the early ways that you protect data, and then the first onset of firewalls and how you program, you know, and set those up appropriately. And for a long period of time, it really became all about the firewall. And we still hear that; there's still a lot of misinformation. But cybersecurity these days is prolific and ubiquitous.
To use big words, it's everywhere and it's growing, and it really is way, way beyond the firewall anymore. And so over the last probably 10 years we've really led with the idea of managing security for businesses.
And really now the last six, seven years, leading with the cybersecurity buzz, if you will, and the way that it's grown and taken shape, there are so many, you know, businesses that are being attacked nowadays. It's no longer just the big companies that used to be worried because they thought they had valuable stuff. It's, you know, small to medium businesses.
You know, you can be a 100-employee business and you're just as much a target as the big guys are these days. So that was a concern.
And then there are some things that we had done along the way over my career of 25 years or so, really almost 30, where we cared about certain processes and kind of learned that if you follow certain IT processes, it actually becomes kind of an ultimate backstop to your cybersecurity.
So we cared about documenting things, and believed that configurations, the way things are configured, and knowing that they're in secure, well-known, secure working configurations, not to repeat myself, is really important.
And then from there, we looked at some of the studies, and they're saying that 70 to 80% of all IT failure issues and downtime were correlated to unauthorized, untested, unapproved change. So the working thesis was: let's do a really good job at managing change and we'll do a good job of availability.
And you know, the new quip is no security breach ever happens without a change or need for a change. So as I fast forward to my book now, the first three chapters of my book: number one is, you know, let's start with leadership.
You've got to practice what you preach. You've got to care about it. You've got to be able to have the conversation with your executive team or your board.
That means you've got to have budget for it. It's got to be a priority. Number two, you need to have a philosophy, you know, and what is that philosophy?
You know, is it going to be a security-first philosophy? Are we going to make a priority of security in all the things that we build and do, or as we configure things? And then do we care about IT processes?
And then the third chapter is the efficacy of IT processes, how they still are effective and how they relate to security. Then I get into Zero Trust. In the rest of the book I dive more into the methodology of the buzz of...
And we've been doing Zero Trust for four or five years, pretty much, you know, kind of leading with that verbiage and that vernacular.
Over the last two years it's really become very popular, this idea of Zero Trust. And happy to get into that more in a second.
Dr. Keith Haney:You know, I was thinking, as you were talking about this, it's funny to me because there are so many misconceptions about cybersecurity. And I think the number one thing is it's always about your password. If you have a good password, then you don't have to worry about cybersecurity.
So what are some myths that, as you're working with people, get people in trouble when it comes to cybersecurity?
Scott Alldridge:Yeah, really good question. You know, the strength of passwords used to be the thing.
And it's so funny because we still hear stories where, you know, the passwords are crazy. I was thinking about the heist, I believe, at the Louvre.
I was reading an article, and they drilled down and apparently the password was like Louv123 or something like that to their security camera system. Crazy. So passwords do matter, but it's gone far beyond that. Having a strong password is not enough anymore.
They have the ability to do man-in-the-middle attacks or basically hijack a browser and capture your keystrokes. There are lots of methods that the threat actors use to hijack and get their hands on passwords, even if they are strong passwords.
And then there are brute force attacks that'll use algorithms to just run through all of the symbols and characters, and over a period of time they can hack your password. So we have to move to MFA, which we've probably all heard of: multi-factor authentication.
This is where, you know, we're logging in to our Amazon site and we have to get a code, and it's being sent to us by email or typically by SMS text.
We're now moving beyond that, to where that's not really good enough, because they're learning how to hack your SMS texts or your phone to intercept your codes. Or they'll hack your email first, where you're sending your code, and then they'll know that they've got your code.
We call this centralized authentication. So you're sending in, you know, one request to access something, and a central site is giving you the code.
What we want to move to is decentralized. And so that's where we're getting to; some of your listeners may be using it. It's where we've got the app on the phone, right?
Amazon and all the sites, they have that capability, although it's a bit of a pain to set up and make it work. But you've got to go through the steps, and it's worth downloading the app and having it authenticated.
Because now it's not only sending you part of, basically, a crypto key that's on the server, or on the base where the primary point of authentication is, but then your app is actually saying, yes, that's good, and has the other part of the key, and it's matching the crypto key.
And then it keeps a constant communication, a ping, if you will, knowing that the right authorized user is accessing the right stuff at the right time.
And one of the reasons this is important for businesses is because we still know that about 70% of all breaches by the threat actors start with the end user and their email, or some kind of phishing or vishing attack, which means they're trying to fool you into clicking on a bad website, or clicking on something in an email, an attachment. All the things that we hear we aren't supposed to do.
Yet, our human nature of curiosity, people still do it way too regularly. And that's how it starts a lot of times. Some of the worst breaches, they start just like that.
Dr. Keith Haney:You know, it's funny, I get an email every day from supposedly my boss saying, hey, I'm trapped overseas, could you give me an Amazon gift card? And we just joke in the opposite direction: you know, we don't do gift cards.
And so if you're in prison, I'm sorry, you're going to have to be there for a while. But we laugh about it. But, you know, some of those are really very complicated.
And now, of course, you hear stories of people who, because of AI, are hacking your family's voices and saying, this is your loved one, they're in prison, they need help. So you're right. There are all kinds of ways that AI and hackers can get into your thing.
Tell us about... I just... We're going to get into something more about your book.
But I'm curious what your thoughts are when a company gets hacked and the person who's hacked them is saying, give me X number of dollars in crypto and I'll release your information. Kind of tell us. I'm sure you've worked with that kind of situation as well.
Scott Alldridge:Yeah. So, you know, we've been brought in, you know, ex post facto of a breach or whatever, and, you know, sometimes to clean up the mess or work with, you know, a certain department. We have a couple of, you know, groups that work red teams to come in, and we'll work in tandem with them. We're on the proactive, defensive side of the cybersecurity space. But we do get pulled in, and typically, exactly right.
They want crypto because they don't want it traced. Of course, you know, it's untraceable compared to, you know, what US dollars or a bank transfer might be.
But I think I'd start with the story, really thinking about a particular, you know, client that we know of that basically got breached. And in the breach, they basically sent them to their call center to be able to settle it up, because they're that sophisticated. And so a few months ago, I was on a lab system, we were on the Dark Web, which you don't ever want to be, just messing around with some stuff.
And it's called the Tor browser. There are some other special browsers that you can use to get at the Dark Web. And all the bad stuff they say is on there, it's so true.
But an ad popped up and it said, join our crypto... or join our ransomware franchise today for $299. Just like an ad, like you're gonna buy a pair of shoes for a good deal.
And what it basically was explaining is that you can join up, and they'll give you a toolkit.
So if you're a smart middle schooler or high schooler and, you know, you really want to dabble, or a college student or anybody that just wants to do nefarious stuff and wants to, you know, go hack, they have all these toolkits that you can use.
And then they basically said, if you get stuck or you get only partially in or you need help, we'll escalate to one of our ransomware experts, and they'll help you do the breach and then do the ransomware, and you can use our call center and our transferring services to be able to settle up.
That's how bad it's gotten out there. So that, you know, they of course want to settle in crypto, so they're not following US dollars, as you were talking about. But there literally are ransomware franchises that exist. It's a real thing.
Dr. Keith Haney:Wow. So let's talk about your book. Your book introduces the Total Control Framework.
Can you walk us through the core principles and how it differs from traditional cybersecurity?
Scott Alldridge:Yeah, and I touched on this a little bit earlier, right out of the gate, but it really comes back to this: Total Control really is what we developed over about, you know, 16, 17 years since the onset of our business. And really, how do we develop quality control for IT? And of course that applies to your IT security and cybersecurity.
You want to have a quality system. And so we started to look at what the key ingredients are and what truly is a best practice proven by science, not by belief.
You know, we believe this is a good way to do it. We like to look at the science and, you know, run the regression analysis and all those things.
So we've been involved in some research through our IT Process Institute, which is a division of our company and kind of our R&D, if you will. And really it's about managing by fact and not by belief. As I was saying, you're using certain things. So we rely on ITIL.
The IT Infrastructure Library is really a framework of how you basically deliver IT services. And then we marry on some of the better practices around that. It's not a whole lot different than manufacturing.
They've had QA and the Deming wheel and all these things in manufacturing processes to drive quality. We've developed Total Control.
So we know that there are certain ingredients, so we look at certain compliance standards, not to check boxes, but because we know that there are certain controls that really matter.
Things that you need to have in place, not just policies and procedures, but actually, like, you know, real-time threat detection that's on your network, and certain things like this. So you put all of those pieces together, if you will, and that kind of makes up this big wheel in our construct that we've developed.
We actually have a marketing thing that kind of explains it that way, you know, and it's got all of these different elements, these various pieces that make up quality or drive quality, so that the output, the outcome, is quality and security. So that's really what the Total Control system is about.
We've been practicing that for, again, 16, 17 years, using that model as kind of our intellectual property, knowing just the right amount of, you know, butter and sugar to put in a really good chocolate chip cookie. Hopefully a really safe chocolate chip cookie.
Dr. Keith Haney:Right. So tell us how you integrate the Zero Trust principles into Total Control.
Scott Alldridge:Yeah.
So Zero Trust, you know, as my book gets into, and really in some ways I've given away, you know, our secret sauce through the book, because it really is the way we eat our own dog food. I mean, we really do, you know, practice and follow the principles of the Visible Ops Cybersecurity book that I released.
But Zero Trust is very interesting. It's a very simple concept. It's very common sense. And I like to explain it like this. Zero Trust is a little bit like the old accounting days.
When you roll out an accounting piece of software, even these days, you're only going to give people access to those modules that they need to have access to. Your payroll person's maybe not going to have access to your accounts payable.
Accounts payable doesn't necessarily get access to accounts receivable. So you're only letting them access what they need. They're all not going to need to touch the general ledger. Maybe only the accountant is.
So you're keeping people controlled within that environment. Another way I like to explain it is, you show up to a hotel, you pull in the parking lot, and immediately there are probably three cameras watching you.
You walk into the lobby, there are more cameras and maybe a security guard. So you're being watched until you're authenticated.
You go to the counter, you then give them a driver's license and a credit card, and they check you in and they give you a key card. That key card doesn't let you access everything in the hotel. You may be able to get into your room, of course, but not other people's rooms.
You're not going in the maintenance room; maybe the workout, exercise area, lounge, you sometimes have access to those too.
So they're really controlling you for a point in time, and they know you're going to be there two nights, three nights, whatever it is, and then your access, of course, will expire. That really is what we like to do, all the way out to the edge of a network, is the way I like to explain it. That really is Zero Trust.
We're only giving you access to those things on the network, in terms of your applications and systems, that you need to have access to, and sometimes for a point in time. And so we're using a thing we call micro-segmentation to be able to do that.
And a lot of people use network segmentation to protect parts of the network from other parts of the network.
But to do the micro really gets down to that detail layer, almost like the individual hotel room or the individual thing that you would access specifically. Again, you're not going to be able to access the back office. You know, there are a lot of things you can't do with that key card.
So that's kind of what Zero Trust really gets at, that kind of thinking around all of the systems, from the very core systems that you're using to the edge, even your mobile devices. We're only allowing them to access the things that they should access, for what they need access to.
And what this does is reduce your attack surface, as we call it in cybersecurity. So the threat actors don't really see or have a lot of opportunity, or a lot of things to go attack, because it's not really available. It's all being segmented and protected and impenetrable, because we're using special technology to protect it. So that's kind of the general idea. Zero Trust at a high level actually breaks down into seven pillars; that's the way Zero Trust works.
It starts with really good identity and access management, as we talked about before, right? You know, MFA and advanced MFA through, you know, even applications and authenticators.
And then it goes again all the way through different elements in your network to, you know, having good active detection, threat detection, on all of your systems and your network, and monitoring all of those things with the right, you know, security monitoring; having certain things like data loss prevention, which basically is looking to make sure on your network that people aren't taking things off your network that they shouldn't be. They're controlled in the Zero Trust environment.
So you're not gonna have an employee upload a bunch of stuff to a Google Drive that's not safe, for example. Those kinds of things all become elements that feed into the seven layers of Zero Trust. So that's really the whole concept of Zero Trust.
Dr. Keith Haney:It reminds me of my favorite movie, Now You See Me, where they're trying to break in and steal something.
And because you can't take metal into a certain section of the building, they have to find a way to get this card through the metal detectors because the guards are always watching. So I like that.
And if you're doing that in your company, then I'm curious, do you also recommend that you cycle out even the access on a periodic basis? So that you don't have a system that's been online for too long,
where the passwords don't change and the access doesn't change, also at the level of security.
Scott Alldridge:Yeah, and of course, you know, we're moving, in a lot of cases, towards the passwordless, you know, logon, where you're getting a code each time. You don't even need a password to do it because it's fully authenticating it, as we were kind of talking about before.
But yeah, the constant changing of things, and that's really important that, you know, you do it in a very, you know, concerted way, because again, change can also kill access and productivity on a network.
But yeah, you do want to make sure that you're keeping your systems up to date, that you, you know, don't have users that are no longer accessing the system still sitting there in your system. You know, all of these can become potential, you know, gaps or areas that the threat actors can use.
You know, think of MGM, and this is the other thing about small businesses, down to the, you know... the threat actors are coming after them. No size is too small. MGM, we all heard about that one, where they got, you know, this was a couple years ago.
It started with somebody going on LinkedIn, finding, you know, somebody who was a network administrator, a director for a division of MGM, right? Big, huge, multi-billion-dollar gambling organization, right, casino.
And they used that to call the call center and convince the person at the call center to change a password. They changed the password so they could reset it. They then broke in.
Then the hacking groups that got involved, there were two of them that kind of partnered on it, they went in what we call east to west. They infiltrated slowly over, you know, a period of time. And they're pretty patient.
And they basically locked up the whole network, took them down for about two weeks. They say it cost them about $90 million.
And then here recently, they just settled for $40 million, a little more than that, for a class action suit over the data that was stolen from the individuals. So one phone call cost that casino $147 million.
And what you've got to think about is that they have all the cyber experts, they have all the latest and best tools, they have the security operations centers that are dialed in. But if you circumvent process and individuals circumvent things, it can cost your whole business, literally can.
Matter of fact, only 40%, I'm sorry, about 60% of businesses actually survive after a serious, you know, attack that happens, if they've had a big breach. That's a big thing.
And the other thing I'd note with a lot of SMB businesses is that, well, we've got cybersecurity insurance. Well, you've got to be careful with that. They're getting smart.
In... And matter of fact, in...
Dr. Keith Haney:Wow. So for execs listening to this, how do you align cybersecurity with your business objectives?
Give us some practical steps that your framework offers to bridge that gap.
Scott Alldridge:Yeah, so one of the things that we start with is really, again, I spoke of this a little bit ago, it's a bit of a theme that we like to use: trust but verify. The other is manage by fact and not by belief. So one of the practical things to do is to actually, you know, get a third-party opinion.
We actually get involved. We actually can't be the ones that manage cybersecurity and then say we're doing a good job. Of course that's a conflict of interest, in a sense.
So we have a partner that is completely objective that does penetration and vulnerability scanning on a deep level to make sure that there are no vulnerabilities out there that we didn't know about, that we're really doing the job that we're supposed to do. And the best practice is that it actually should be continually happening. No longer once a year.
They used to say, do a test once a year, check your vulnerabilities. Then it's once a quarter. Then they said, well, every once in a while when there's a big change.
Now they're just saying continual pen and vulnerability scanning is really a best practice to be able to do. So that's a practical thing that you can do to see where you're at.
And then of course, you can work with your internal teams, if you find those gaps, to get them plugged and corrected and enhanced, get your posture in place, or if you're using some kind of a provider or a consultant, you can make sure that those are being taken care of as well.
So that's one of the practical things that you can do, is really starting with an assessment, and then of course, going and asking yourself the right questions around insurance. There are lots of great assessments out there.
They'll tell you, hey, if we've got these things in place, the likelihood of insurance paying is, you know, 70, 80%, versus if we don't have any of them in place and they wouldn't pay a claim. So that's kind of good to know before the actual breach would happen and you might need to make a claim.
But there are a lot of practical things that you need to do. It's layers. That's really what Zero Trust becomes about.
You really have to think about all of the layers that you need to add to have a really good cybersecurity posture. And you really can't skip them.
You've got to cover all the bases these days, because again, as AI comes on, and not only just deep fakes and all that kind of stuff, but just using AI to reach in, they're so patient, they'll start to watch emails. And matter of fact, we had a customer in California that we brought in to correct some stuff.
They had an admin put a new printer in the accounting office, and the IT administrator left the password as password123 when he set up the printer. They used that to breach into the network.
And then they watched for about three months, and they saw how the CEO was communicating with the CFO.
They wrote and authored a spoofed email from the CEO to the CFO to transfer $350,000 to one of their vendor accounts that had changed. Sure enough, he thought it was legitimate, because they are able to have the AI match, you know, the tone and structure and writing.
It was so believable that he didn't even think about it not being a legitimate email. Matter of fact, a few months later they had to merge with another finance company because it was so damaging to their business, their credibility.
So this stuff's real. And you've got to keep in mind certain organizations have, you know, compliance, and they have requirements; they have to disclose breaches.
You know, finance companies do, certain governmental agencies, hospitals with HIPAA. But typical private businesses, they don't always have to disclose. Only one in seven breaches gets told about.
So for every one we're hearing about in the news and all that, there are six others that have happened.
Dr. Keith Haney:Wow.
So if you're hearing this and you go, wow, I've gotta take this cybersecurity thing seriously, how do you move as an executive to a security-first mindset without creating fear and resistance among your employees?
Scott Alldridge:Yes. I think it's education, you know, that's the big part. And that's partly why I wrote the book. Right.
You know, you really gotta, you know, immerse yourself and care enough to get the right people involved to make it a priority if you don't have the time. But it has to be, you know, in sight. It has to be top of mind. It has to be something that you're actively working on.
Also, you have to think a little bit. You know, IT gets a little bit of a bad rap. It's often over budget, not on time when you do IT projects or whatever, even software.
But this idea that it's just a big expense and it doesn't really mean anything, and so it's out of sight, out of mind. We have to think about, you know, cybersecurity as really a revenue protector. It really is a revenue assurance program.
You're keeping your reputation at bay. You're able to keep the revenue. You're not paying out bad guys or bad actors. You're able to, you know, continue productivity in the business.
Because if a breach happens, it distracts everybody, and it, you know, shuts down the business or pauses work for a period of time. You really have to look at the cost of what a breach really does to an organization. So it really is revenue protection.
It's not really an expense, an IT expense or a cybersecurity expense.
Matter of fact, in one of my books, and I talk a little bit about this, the executive companion I wrote for my Visible Ops book, I actually wrote a companion because I wanted to have no geek speak. My book gets a little detailed in the later parts about methodology, but I wanted to do it in executive speak.
So, you know, in that particular thing, we have a Deloitte and Touche study that says, hey, you have this much revenue in your business, you should be spending this percentage on IT. And if you're not, you might be an outlier. Maybe you're spending too much, maybe too little.
And, oh, by the way, of the percentage that you're spending on IT, this percentage should be just on your cybersecurity practices and tools and services, so you really can start to gauge whether you're doing a proper job.
So practical advice is to educate yourself, find out what the best practices are, make a priority of it, practice what you preach, you know, and get the security stuff taken care of. Because if you don't, you're a sitting duck. Literally a sitting duck. It's just a matter of time. Not if, but when, by the way.
And that's the last principle of Zero Trust. It actually starts with assume breach, because of the things I've shared today. It's not if, but when.
Right, and so what is the best thing we can do if we're assuming breach? We make sure that we just don't have, you know, our IT person saying, oh, no, we're all backed up.
Oh, we're backed up and we're sending it to the cloud. That's not good enough anymore. Your backups have to be encrypted, and they need to be what we call immutable and air-gapped.
So they need to be taken to a spot, if they're in a cloud, a special encrypted spot, where they aren't accessed by your network. Because a lot of the threat actors and the ransomware people, they'll sit and they'll watch. Not only will they encrypt your local backups...
This has happened a lot with companies, like, oh, no problem, we streamed to the cloud. We got this. They go check their cloud.
They actually found out where they were being streamed in the cloud and they encrypted them in the cloud. So this is how smart they are. So you. One of the things we start with, just a practical thing.
Do we have really solid backup and restoration processes, systems and methods? And are they air gapped and immutable?
As we say, they're scanned for malware, they're scanned for ransomware, and they're put away in a part that's not reachable by the network. And then you got to have a restore plan. How are you going to get those backing up if the unthinkable happens? So that's.
Those are all pieces that you get into in your cyber security program that you got to think about.
Dr. Keith Haney:Just, listen, you talk about this as an exec, I'm going, oh, my word, this is so complicated. I am curious.
rs should pay attention to in:
Scott Alldridge:Well, it's a great question because I'm just now finishing my book and releasing my next one, which is actually called Visible Ops AI.
And what it's about is governance for AI because what we're seeing is that the business is applied, applauding, as we all love what generative AI will do. It's amazing, right? We're all enjoying it, but a lot of people.
Well, matter of fact, an unofficial study surveyed 500 companies and they found that somewhere between 18 and 21 different types of AI are being used on an average company, smaller business company. The problem is, is that we don't know what they're doing with that data. Are they putting recipes?
They're putting intellectual property, they're putting, oh, this will redo the financial statements. They're putting so much information, the employees, potentially, that you don't understand what risks really exist.
It's not just the AI being able to hack you or open up back doors or holes into your network, which is also true with AI, but a lot of it's just the use, the governance. Do we have a policy? Are we paying for an AI that's not going to share the data? And they give us security policy guarantees. Right. There's a lot there.
So that's one of the things that I think, obviously the obvious answer is AI, both the good and the bad of AI. And then how are we governing that in our businesses, even small businesses? What do we have a policy? Are we educating our teams?
Are we making sure that the AI that we are using isn't putting further deeper risks out there that could potentially far outweigh the efficiencies that using AI might give you?
Dr. Keith Haney:Wow.
So for the CEO or board member listening to our podcast today who picks up your book and reads it, what's the first action step they should take tomorrow?
Scott Alldridge:Well, I think the first action step really is to talk to their, you know, really do the research to find out how serious they're taking security and what is in place, and then back to the trust, but verify.
So once we understand where things are at and they, they do the research and the diligence on their own organization, no matter whether at the board layer, if that's at the executive management layer and with the IT teams. But then again, we're going to verify.
So they should look, to say, look, I want to get a penetration test and a vulnerability scan to make sure that our network truly is safe from the outside and the inside. Both directions. You got to look at cyber security. You have to be protected both ways.
Inside threats are a problem and exterior threats, everybody's connected to the Internet. And when you're connected, your threat actor can be thousands of miles away. They don't have to be down the street. They generally. Or not.
So that's, that's one of the first things is to really, you know, do the analysis, get a penetration vulnerability test, matter of fact, kind of, you know, getting to that point, one of the things that we have the ability is I have through our partnership the ability to offer what we call a pen level one test. It'll actually look at some things like what AI is running on your network. It'll do the inside threat and the external vulnerability scan.
And I've got three of those that I can actually do gratis. And so I'd offer that up to your listeners.
If you're listening today and you're wondering what's your first step, certainly you can reach out in a little bit. I'll give a text, business text line and my team will get in touch.
And not only that, I'd also like to offer the ability to give you my executive companion book. It sells on Amazon for 17.95, but it's no geek speak, as I said before, and it's more plain English and it kind of breaks down.
Hey, we're a candy company. We want to make really good candy. We don't need to be a cyber ops organization.
And so it really gets into practical things that you need to employ the way that you know your, your security and practical steps you can take to secure your systems and your network.
So I would offer that book and I would actually offer for the three that are first that I have a limit on to do a penetration vulnerability scan for you and provide a report. You can take that back to your teams to fill any gaps that we find. You can take that to your current provider consultant.
And of course, if there are gaps, we'd certainly talk to you about our solutions as well.
Dr. Keith Haney:Well, Scott, thanks so much for that generous offer. Make sure we put that in the show notes for the audience.
Scott Alldridge: to:Put secure 25 and somebody will be back in touch and get your email and get you e copy of the executive companion book. And if you want to sign up for that pen test, put that you'd like to be in line for the pen test and hopefully you'll be one of the first three.
Dr. Keith Haney:Awesome, Scott, thanks. I love to ask my guests this question. Scott, we started out kind of talking about advice, but what do you want your legacy to be?
Scott Alldridge:Yeah, I think the most important thing for me is with my family. To be honest, I'm a family guy, so I want to know that they're Cared for and loved.
And I think that's the super important thing and that, that is evident in the way that I carry myself and the way that I represent myself and the way that my reputation is. Is that it? It really is caring on both sides of that thing. So that's part of that legacy with my family. That's the most important.
And as I opened up with, you know, ultimately to. To my savior, but secondarily I would like to also know that I little bit of help with the altruism of raising the tide that floats the boats.
I spent most of my career in IT and of course in security and so wanting to help organizations really educate themselves and to make a better cyber safe world, you know, kind of. I've had a couple of companies I've worked with.
They have an odd, you know, an audacious goal to help 100,000 businesses, you know, enhance their cyber security posture. And that's a little bit I've signed on, I share that with them.
Love to know that I've got hundreds of businesses that my, you know, information is creating awareness and helping them be a more cyber safe business.
Dr. Keith Haney:Wow. Awesome. So, Scott, also on the podcast, we have a new thing and that's a surprise question.
Pick a number between one and ten for your surprise question.
Scott Alldridge:Oh, boy. Let's go with seven.
Dr. Keith Haney:All right. Ooh. What is your greatest regret?
Scott Alldridge:Oh, that's a good one. My greatest regret is probably that. Man, that's a tough one, I'd say.
My, my, probably my greatest regret is a business that I kind of opportunity that I got pulled into that I didn't do proper due diligence on. And I didn't really think it out. I was thinking all about the positives and not really thinking about the due diligence and the negatives.
And it cost me a lot of money. And, and it's several years ago now. I've recovered. We're okay. But that was no fun.
And I regret not doing better due diligence on that, being smarter about that and not just being taken in with all the positives and asking the right questions. So that would be my biggest regret. I think it was a big blow back at the time.
Dr. Keith Haney:I can imagine. Where can people find you, Scott, and learn more about you, your company and also where they can find your wonderful books?
Scott Alldridge:Yeah. So the easiest place is my author website, which is. Yeah. www.scottalldridge.com.
That's S-C-O-T-T-A-L-L, two L's, D-R-I-D-G-E, and maybe you'll include that in the notes, but if they go to my author website, it's got links to my companies, my articles, the book links you can order on there, and also a form you can fill out if you want to get in touch with me.
Dr. Keith Haney:Awesome. Scott, thank you so much for sharing your story.
Your incredible insights about how cybersecurity can transform a technical challenge into a strategic advantage. Your expertise and practical frameworks are game changers for leaders in navigating today's digital landscape.
For our listeners, be sure to check out Scott's book Visible Ops Cybersecurity and learn more about his work at IP Services. Links are going to be in the show notes. If you enjoyed this episode, don't forget to subscribe, rate and share Trailblazer and Titans with your network.
Until next time, keep blazing trails and keep leading with purpose. Thanks again Scott for being a guest on the show.
Scott Alldridge:Thank you.