
Most people think cybersecurity is complicated. MK Palmore disagrees. With 32 years in the federal government, two decades as an FBI special agent, and executive roles at both Google Cloud and Palo Alto Networks, MK has seen every angle of the threat landscape, and his message is simple: the basics will save you.
Charles and MK go deep on what everyday consumers and small business owners are getting dangerously wrong about their digital security, why a data breach can be the last thing a company ever survives, and how the adversary is quite literally banking on your laziness. MK also gets candid about the tools he personally trusts, the privacy myths that need to die, and why doing a few simple things consistently beats any fancy security stack money can buy.
Whether you're a solo entrepreneur or running a growing team, this episode is a wake-up call you didn't know you needed, and a practical roadmap to making yourself a much harder target.
Welcome to the Proven Podcast, where we don't care what you think, only what you could prove.
Imagine your data being protected at the same level as the United States Marine Corps and the FBI.
That's what today's guest brings in. MK tells us all about risk assessments, how to protect our
data in the ever-evolving world and how even with AI, you can remain safe. The show starts now.
All right, welcome back to the show. MK, I'm really excited to have you here.
Excited to be here. Appreciate it, Charles.
So for the four or five people on the planet who actually don't know who you are,
can you kind of give a little bit of a brief on who you are, what you've done, and how you got here?
I'm sure there's more than four or five, but MK Palmore, I'm a consulting leader at a
firm called Apigee Global RMS. My career spans 32 years in the U.S.
federal government. I'm a U.S. Naval Academy graduate, United States Marine Corps officer.
I then went on from the Marine Corps to spend 22 years in the Federal Bureau of Investigation as
a special agent. Retired from the FBI as an executive, leading the largest cyber security
team that the FBI has here in FBI San Francisco. And then I went on to work for two
Fortune 500 companies, Palo Alto Networks, and a Fortune 5 company, Google Cloud, as essentially a
field chief information security officer. So great experience working at the enterprise level.
And then broke off out on my own in order to support SMBs and the global public sector through
Apigee Global. So there's a lot to unpack there. And as much as I want to dive right into the
intense stuff at the enterprise and SMB end, let's kind of slowly get there.
We know that data is being hacked every day. We know that we have things that are
being beat, WhatsApp or Signal, our own personal stuff, with identity being stolen across the board.
The audience is always going to ask me, what's the first thing I can do right now? Like, okay,
I get it. You've done this on the exceptionally high level. You've done it with the FBI.
What is the basic stuff that most people get wrong every single day when it comes to their data
and their protection of what's going on in the world? It's the basic stuff. You know, apps
will oftentimes come to you with default settings that make them easy for you to utilize.
And that ease of use is what the adversary relies upon in order to gain access to your digital
footprint and your private information. And so I would ask people to take that extra step. And
that extra step is not hard. It just simply means enabling things like multi-factor authentication
in the applications that they use or the SaaS applications, the portals through which they gain access.
Doesn't take that much time. People will deride things like SMS as the second factor for
authentication, but some authentication is better than none at all. And so I would encourage people
to yes, utilize SMS if that's the only available resource that you have. But there are a number of
authenticator apps out there now that use a higher level of encryption and provide
codes for you to gain access to your email or applications. And that's probably at a baseline
for consumers. One of the best things that you could be doing is just simply doing the basics.
Make it harder for an adversary to gain access to your information. And then if you want to
take a few extra steps, there are things like monitoring your background, your credit,
all of those things. You can actually set it up in Google so that if your personal results
happen to show in Google, they will send you an email saying that your personal results,
like your address, are showing up on this particular website and you can go through a process to
have that information removed. It's not that hard to do. And again, these are simple things that
everyone should be doing in order to reduce their exposure and decrease the risk of their digital
privacy being violated. Are there certain apps that you just wouldn't install? I'm going to
add this one to invasive. We know this is kind of a gatekeeper to things that cause problems.
Not for me. So I'm a heavy user of social media, one, because I use it to amplify my business
brand. And then once you've exposed yourself to social media, very few of us, me included,
have read all of the legal agreements we seem to agree to when we download applications and we
allow them to gain access to our digital footprint within our phones. I think we're given up
quite a bit when we do that. And so there's a there's a push and a pull associated there,
pros and cons. You just have to understand that you're giving up some amount of your privacy and
then again, take those minor steps that you can going into the settings of these applications and
then limiting the amount of access that the applications have to the rest of your digital footprint
and information. The only other thing I would encourage is that, you know, the likes of Google
through their Play Store, Apple through their store go through very exhaustive steps to make sure
that developers go through a pretty rigorous process. And that is a continuously monitored
process. The applications when they drift or fall outside of the regulations of those platforms,
they essentially are given warnings and then nearly taken down immediately. Essentially,
if they don't follow the framework that Apple and Google established for
being able to use applications or deploy applications on their platform. So I would say for
the most part, try as best you can to use those, you know, if you're using an Android device,
the Google Play Store is where you want to get your applications. If you're using an iOS device,
obviously the Apple Store is where you want to get your applications. Try and avoid downloading
applications from sites that you're directed to because those applications may not necessarily
have been vetted. Gotcha. And then there are things out there that, you know, they scrub
for that. They look for things. There's this software or this extra layer that people do,
things like whatever incognito or things of that nature. Is that something you would recommend on
the consumer level? Is that just overkill? Not necessarily. It depends on what kind of footprint
you want to have. You know, some people may need to go to several extra steps in order to create
a different persona for themselves. Maybe you as a business owner want to create a purely business
persona of yourself, which means you have to be very diligent about which browser you're going to
use that identity with. What information that you ultimately are going to put into the browser
that's going to tie back to your business. Is that going to tie back to a physical location for you?
So you have to be diligent. I think that, you know, establishing those
kinds of parameters and barriers for yourself isn't hard. The hard part is the consistency of
use of actually doing it every time that you use a particular application or every time that you're
doing business for your company to only use a particular browser and to ward off the
temptation to say, well, you know, I'm out and about and I've got my iPad with me. Maybe I'll just
use this to access that account that I normally only access via my safe desktop computer.
So you just have to be consistent, diligent about the process and it can be very hard, but
there are ways, programs, applications and things that can help you with that consistency.
It just depends on how much you want to layer your own privacy and protection.
Yeah, when I was growing up, I was a Microsoft certified trainer and we built IT structures,
what we did was instead of worrying about it forward front on the machine, we put our personal
stuff into a trust. So anything I own privately is hidden inside a trust. It's based out of the
Cook Islands. Good luck trying to penetrate that. It's just different phone numbers,
different addresses. I am the poorest person on the planet if you look at my actual numbers.
Whatever's in my wallet is all the money I have. Everything else is inside a trust.
It's inside protected environments. That's what we did because I knew I couldn't compete against
what was happening on the computers, which is obviously this is a very different method when we get
into business environments. When we talk about these things in business, which we're about to do, you don't
have some of the luxuries of that and they don't understand how the data breaches can happen.
So to talk about that when we get into the SMB world, when we get into small businesses,
I don't think the consumer truly understands how devastating a breach is. Could you
kind of walk us through how absolutely catastrophic it could be when someone does have a data breach?
Yeah, let's look at the relative size of organizations, enterprises that have thousands of people,
thousands of digital resources are able to issue out devices to folks, provision those devices.
They take very, very deep steps in terms of ensuring that their digital environment is protected.
The SMB space may not be as well resourced, but guess what? They have to operate at exactly
the same level as the big folks on the block because from the vantage point of the adversary,
they really don't care how big or small you are. What they care about is whether or not there's
an exploit available that will allow them to gain access and if you fall prey to whatever channel
or methodology that they choose to use, the avenue of attack or approach, it's a win for them
because access to the information is the first step for success for them and then once they
obtain the information, there are a myriad of things that they can do with the digital information
of any one particular individual, much less a large-scale business. And so think about those
resources in terms of the requirement to respond. There are laws on the books. If you suffer a breach,
you have to notify all of the individuals for whom you have digital records. That's the
first step. Even just that notification can be troublesome and a challenge for organizations that
are prepared for it. Then guess what? You're likely opening yourself up to some level of liability.
So hopefully you've gone through the process of doing a risk posture assessment. Hopefully you
have cyber insurance and you're actually able to pull in resources that will allow you to both
respond from a digital forensic standpoint. In other words, you respond through your insurance
carrier. They likely have one on staff or a panel of organizations that can help you from a digital
standpoint, right the ship so to speak, get your technical organization back in order. But then
there's all of the follow-on activity that has to happen. And there are costs associated with that.
We have leveled out now at somewhere between three to five million dollars as the
average cost of a digital breach. And that's been pretty consistent for a number of years.
And that number may not sound big, but at the same time, again, for a small to medium-sized
business, could you rebound or recover from a three million dollar hit to your business?
The short answer to that, I'm sure for most small businesses is no. And we have seen historically
breaches that have gone as high as 270 to 300 million dollars paid and used to mitigate the effects
of a breach or impact on a business organization. And so because of that wide range, the last thing
you want to do is leave yourself open to potential victimization by an adversary. Because the damage
that they do is so devastating to organizations that sometimes the financial component associated
with it makes it unrecoverable from a business standpoint. And we want businesses to thrive. We want
you to get out there and get your wares and your products and things out there to the consumer marketplace.
My proposition is that nearly every business today is a digital business. And so taking time to
understand what your digital footprint looks like and making sure that you secure your footprint is
just a part of business operations today. And that's part of the reason that we're in business.
Well, I think one of the things that doesn't get talked about enough is this is a reputation as well.
When you have to reach out to your client base and say, hey, congratulations, I've had a data breach.
This is one of the reasons I left my cell phone company. They were breached.
The first time I was like, fine, it's a lot of work. Second time they got breached. I left and I was
like, we're done. We're leaving. So I think it was that reputation hit that even if you do find a way
to mitigate, hey, I've protected you from this one. It's kind of like the first time someone ever cheats on
you. You're never going to trust them again, no matter what you do for the rest of your life. There's
always going to be that issue. There were things that you went over that most small business owners
have never heard of before. They're like, assessment, insurance? What are you talking about?
I'm just trying to sell my widgets, dude. What are you doing? So let's try and get some of these
people up to date on what are these assessments? What is cyber insurance? There's a lot of things you
went over because again, this is you come from a world where it was literally life and death. It's
just that's your world. You keep people alive for these people. Yes, it might be like a
deputy organization, but they've never heard of any of this because most of them are just struggling
through day to day because you and I both know to get to the 10 million you could do it through
brute force. It just means that you're probably not thinking about all these other things in the
back end. Exactly. What are these assessments and what are these insurances that they're running into?
What does that entail? How long does it take? Let's start at the top of the pyramid: risk. Risk
management is a discipline that essentially came to fruition because businesses realize that not
everyone has unlimited resources. In fact, no business will have unlimited resources. It requires
you to prioritize how it is that you devote those resources to business operations, sustainability
and resilience. Cyber has grown to be part of the risk management profile and I would
proffer to anyone that's listening that your cybersecurity is in all likelihood a critical
component and by critical, I mean it's a path to failure for your entire business operation
if you are not taking steps to reduce the risk or potential exposure by adversarial activities
to your enterprise. Starting at the top of that pyramid, every business should be
conducting a risk assessment to determine what their digital exposure is. In other words, have we
done the right things in order to mitigate, not completely remove because that is impossible,
but to mitigate the possibility of a cyber attack having a devastating or critical impact on our
business. Notice that I did not say completely exclude the possibility of having an attack happen
because part of the challenge in our industry is that we have to get folks over the hump of
bad things are going to happen to you from a business standpoint. Maybe even bad things in your
digital environment. What we try and do as an organization is help businesses understand that
resilience is the key. We want to help you understand, okay, things are going to happen but we're
going to take steps to make sure we reduce the possibility of that happening, but the work that we
do is about resilience. How quickly can we get you from that point of failure back to full business
operations and then help you fully recover so that the impact, the blast radius of that is
extremely limited and it's actually manageable and something that you can deal with. And that
exercise contains a myriad of things. And the assessment is merely one of the many things that
you should be doing. Cyber insurance is another thing. Businesses, I think, especially if you're
operating, probably, if you're doing five to 10 million in revenue per year, I would say even
go as low as the one to three million mark. If you're doing a million plus in revenue,
you should have some kind of liability insurance in place to ensure that you can recover digitally
from a potential attack. Again, adversaries don't care how big or small you are, they care about
the probability of their exploit landing and the intended victim actually being put in a
position where they have to make decisions. I'm sure we can get into a conversation about
ransomware, which is one of the most malicious types of attacks that you can be victimized by.
Because there's so much out there on the landscape that you have to be cognizant of taking these
steps in a risk management review, a risk assessment review, or prejudicial essentially to business
operations. And I would proffer, again, if you're in the zone of a million plus in revenue,
and certainly if you're in the neighborhood of 10 million plus, you should annually
be doing some kind of assessment to ensure that you've taken the steps cyber insurance. Your digital
environment is orchestrated and constructed in a way that makes it difficult for an adversary to
get done what they need to get done. And that doesn't even get you to the compliance things
or the regulatory aspects of adhering to particular vertical compliance as, say, financial services,
health care, and other industries that have particular baselines that make it increasingly
more difficult to obtain those certifications and to be able to operate. But it's all sort of this
big, I won't call it a mess, but it's this big masala of things that you should be thinking about,
and our businesses to help organizations think about these things in a way that's constructive
and substantive and puts them in a position so that they can reduce risk to the overall enterprise.
Most people think that, hey, I'm going to buy a new router or pop a new VPN on and I'm good to go.
That's about the equivalent of throwing a mosquito in front of a semi-truck trying to stop it.
It's not going to do a heck of a lot. When you talk about these assessments and when you do it
specifically with your clients, where do you start? Do you start with the people? Do you start with
the hardware? What does that look like and how long does an assessment take?
Yeah, so one of the things that we've done as an industry is that we've gotten pretty good at
establishing frameworks that will guide folks through the process of evaluating themselves.
These frameworks, some established by NIST, the National Institute of Science and Technology,
other frameworks established by the Center for Internet Security, the critical controls.
These frameworks are pretty good. They provide a great amount of oversight and advice.
The difficulty is walking through the frameworks and actually answering the questions and aligning
your operations to the guidance that's provided by the frameworks. That is what we do.
We select the framework that's appropriate for your level of business or the vertical that you
happen to be operating in, and we walk through the hundreds of questions and steps associated
with them. In an honest exchange, providing both documentation and verbal answers,
we essentially walk you through the process to make a determination as to what your digital footprint
looks like. Once you have that in hand with some curated advice that we then pour into it,
we help you prioritize the gaps, vulnerabilities, and figure out exactly what your current posture is.
We help you create a roadmap that essentially will allow you then to take steps to reduce
the overall risk in a systemic way. Instead of just saying, hey, let's go get some name brand
firewall or router and implement it into the system and assume that everything is okay,
and I can't tell you the number of times I've gone into conversations with even folks in my lane,
the technical personnel, and instead of talking strategy, they want to talk about products.
We are product-agnostic, thankfully. We have a litany of partners that we partner with in our
organization, but we want to be in a position to be able to meet the customer where they are.
So our solution base is immense and extensive, and I want to be able to identify exactly which
solution is right for that particular customer, and that means that I can't just align myself to a
particular product, because some are great and do exactly what they're supposed to do, but not all
of them. And you may have already made technical investments that prohibit you from actually
getting the benefit of maybe the name brand product that might be a part of the solution set.
So maybe there's an alternative that gets you partway down the road and gets you to where
you need to be, and we want to be in a position to make that kind of advice.
So I like that it's not dictated by the product. So the router that you bought 13 years ago,
the blue and black one that's sitting in the corner is probably not going to save your tukas,
but sitting down and breaking down, you know, exactly what I'm talking about.
When you talk about the framework, most people who are doing this, especially SMBs,
they have no idea what an IT framework is. They don't have a protection plan framework.
They don't understand when you say, hey, the framework matters more than the product.
I think conceptually they'll get that, but when you say, hey, there's a framework that we have to do,
you might as well be speaking Sanskrit to them. What do you mean when you talk about a security
posture that's based off of a framework? What does that mean?
So the technology industry, through government identification and partnerships with civilian
organizations have created essentially best practices that any organization can follow
to ensure that they are taking all of the necessary steps that an organization can take to protect
itself. That is a very, very oversimplified way of saying, are you doing all of the right things
that you can do as an organization? That sounds pretty simple, but the challenge is that as
organizations grow, scale, and expand, every business wants to increase revenue. They want to
increase the exposure of their product or their services across the market. And guess what that
means in today's language? That means that their digital footprint is likely changing and evolving
exponentially, especially if you're a global firm and you have services or products that
you want to deliver globally. Guess what? You have third parties that are part of your
ecosystem, part of your channel that are connected to your digital footprint. There are enough
historical examples of breaches via third party suppliers that now we understand that not only
are you responsible for your digital footprint, you're responsible for everything that you are connected
to. And that can get to be really, really challenging. And oftentimes, because your technical staff
on hand is just dealing with the day to day, the tyranny of the now, it is helpful to bring in
external advisors who can take a step back and give you that outside perspective that you
desperately need so that you can then action on behalf of your organization, the things that need
to be prioritized and get done. And so what it means is it's not that these organizations aren't capable
of doing these things themselves. They just don't have the time, capacity, or resources to do it.
They are concentrating on running the business, getting the business to the point where it's
profitable and doing all the things they need to do to satisfy their customers. And the truth of
the matter is that investments in security still to this day are oftentimes deprioritized. And
especially in SMB environments, I can't tell you the number of times I come across, quote, unquote,
the security team of three people for a multi-million dollar business. And the security team is three
people and they're expected to do everything. The governance, risk, and compliance. They're
expected to be the IT backbone of the organization. They are also expected to be the security of the
organization. And while these people may be immensely competent, there is no way that they can
operate at both the strategic and tactical level without the appropriate help or resources to do
that. And oftentimes the security teams are some of the most under-resourced teams within a
business. I mean, we're talking about technology is the critical factor that's going to keep you
in business. And the fact that we don't spend more money, more time, more resources on security
still to this day amazes me. And again, that's part of the reason why I established
Apigee. I want to get in and help organizations scale that problem.
Right. The problem is IT has never been seen as a profit center. Even though we are the backbone of it,
we're just not a profit center. So when we come into it, and a lot of issues that we have in this
environment is most IT guys don't speak human. And it's a completely different conversation. We speak
geek. We're going to sit down and we're going to break things out. We're going to be all excited
about it. And the other person, it's kind of like having your accountant talk to marketing.
They don't speak the same language. Accounting and the marketing team do not speak to each other.
They never have. They never will. So I'm trying in this one. So when we talk about framework,
because most of the people who are listening to this are small business owners. They're going,
what the hell is an assessment framework? What does that even mean? Do I give my blood?
Do I do my sperm count? Do I give you the model of my computers? Like, where am I? Because I'm
trying to break it down so they can understand that. So when we talk about framework and an assessment
framework, how long does it take? What does it include? How do we trust the
person coming in? What do they take away with them? Are they there on site? What does that look like?
So starting with the last part of what you're saying. So every engagement has
NDAs associated with it. You basically are an extended arm of the company operating
on their behalf when you engage in a consulting agreement. The information provided belongs to
the company that is providing it always and it is maintained and retains the property value
of the information or access that's provided. That framework, that assessment essentially is a
step-by-step process of analyzing through question and interrogation and document collection.
What steps you have already taken to secure your applications to secure your identity
measures within the environment to ensure that you are patching on a regular basis the technology.
Patching is a way of identifying and changing vulnerabilities or gaps that may be inherent in
the hardware tools that you're using or even the cloud-based tools that you're using. Every digital cycle
is dominated by multiple domains within the technology spectrum for which cybersecurity again
has its own domains and an assessment will essentially walk you through in a step-by-step
process whether or not you have done or adhered to the principles of that particular domain.
And it's not just simply a yes or no. You want to give companies credit for the amount of
effort that they've put into some areas. It works on a gradient. Maybe you've knocked it out of the
park so yes that's a complete fulfillment of that particular aspect of say identity management
but maybe you've done a little bit but didn't do quite enough to get a four-star rating on that
particular question. You get credit for what you have done. We identify the gap between where you
are and what excellent looks like and then tell you, here are the things that you need to do to get to
excellent in this particular category. So as you're going through all of these and you're working
through a team what are some of the issues that you run into with people who haven't done this?
When you walk down you're like okay we did the assessment. You're crushing it over here but
good God this is dangerous over here. What does that look like? What it looks like is again a resource
challenge because the teams are under-invested and small. You get a lot of nods. You know
folks saying yeah we're kind of doing that or yes we've taken steps to do that and then we need
the natural follow-on question. Have you documented that somewhere? You always get either the blank
stare or it's in draft. We were going to get to that but they haven't prioritized it and so what
that looks like in practical terms is what you find is that most businesses are doing some things
related to their security posture. They're not doing all of the things that they could be doing
and that again is where an outsider's view coming in and giving you that unvarnished opinion on
where you are can be immensely helpful and it's not that the internal people again don't understand
it or are going to give you misinformation. They may just give themselves credit
in areas where maybe credit is not quite due by simply saying hey we got that covered and
that's probably the worst expression that you can hear. If one of your technologists
tells you if their answer to everything is we've got that covered you probably should be digging
a bit deeper because that simple answer is not enough and you touched on something that's super
super important. This language that technologists use when communicating business concerns this is
the area of risk and if technologists are not talking in business language, in the language,
believe me the folks the stakeholders on the other side of that conversation do not understand a
word that you're saying oftentimes even if they've come from technology backgrounds themselves
once you are in that operating circle where everything is about risk risk exposure risk mitigation
that is what needs to be communicated to the C-suite and the board of directors so that you
then enable them to make a decision about where they're going to prioritize the resources of the
company. You mentioned that they don't speak the same way. I've never heard this word document
before. I have no idea what you're talking about. And I actually, we don't document anywhere. It's
bad, but we just don't have time. We're trying to just keep things operational and you want
me to sit down and stop and write out what I did? I'm like, you're out in a month. Yeah, we just don't have
the bandwidth to do it. So that's, and that's what, I've done IT for longer than I'd like to admit.
I can't remember, I remember the first time I had to sit down and write a white paper out. I was like,
what the heck are you talking about? And at the time I was advising and I was working with
Microsoft. They're like, you want me to document all this? I'm like, I've got fires to put out. I'm like,
I've got to deal with Susan who hasn't remembered her password for the 19th time today and you want me
to sit this? We just don't have that. So that is what it is. When we talk about risks, what is a real
risk give me a real example of a data breach that calls real problems you had to come in and you had
to say let's talk about ransomware because it um ransomware to me is not only one of the most
malicious types of victimizations and experiences that an organization can have, it's pretty insidious when you think about it, that an adversary uses a normal channel of exploitation, which is typically email. And let's take note of that: still to this day, 2026, email is still the best avenue of attack for an adversary, because it's the highest probability of access, by malicious links or other information that then drives users to maybe watering holes, where they go to a malicious website. There aren't enough protections enabled throughout the enterprise on the browser, and say, you know, John from your enterprise is actually able to go to a malicious site, clicks on some link that says, hey, here's a report that's dealing with your industry, download and read the report, a PDF, right? What's going to be wrong with a PDF? Downloads the report, and the next thing you know the threat actor has access to the environment. Ransomware, and the way that it works, it then does a couple of things. It could sit on a time hack, in other words sitting and waiting for a particular period of time to be exploited, or it could get to work immediately, basically attempting to find root access or ground access to a system or environment, and then slowly begins to encrypt important files that essentially it's been designated to encrypt, that ultimately will cripple the organization. And there have been thousands of victims worldwide of ransomware incidents. And when I say malicious, I think it's malicious to take someone's own information and then make it unusable to them, or not have the ability to access that information. We use a term, encrypted, which means it's garbled in a mathematical fashion that then makes it unreadable or unusable, and the mathematical key that's necessary to unlock the information and return it to you often requires you to pay money, or a sum of money, through Bitcoin or some other cryptocurrency in order to be able to gain access to the stuff that you already own. So pretty malicious, and there are certain business verticals that still are falling prey to this. Healthcare jumps to mind as a particularly vulnerable vertical, especially small regional healthcare entities that haven't taken the steps to identify where their gaps and vulnerabilities are, relying very heavily on technology. If folks are paying attention, you know, the healthcare space relies as much on technology today as any vertical, which means they should be investing in security and technology. The thing about ransomware is that there are a couple of different types of ransomware adversaries out there. There are individuals who may have bought an exploit or a ransomware kit off of the dark web and are just going to town on their own using it, setting up their digital wallets and collecting money for ransom. But there are also ransomware gangs in the organized crime realm. You could find yourself the victim of a ransomware incident, and they might just provide you an international phone number to call so that you can get help with your ransomware incident, and they will walk you through the process of providing them money so that they can potentially provide you the decryption key for your own information. And I say potentially, because there is something nowadays called, you know, sort of the double impact of ransomware: they're now threatening to release your data or information, so there's double payments associated with it. And there are known instances where the ransom has been paid and they still never provided the decryption keys, which means you have to start from zero if you haven't taken the steps, from a resilience fashion, to make sure that you have backups that are immutable and protected and can't be hit by a potential adversarial activity. So there's a lot involved. Just in that short conversation I barely touched on some of the areas that you could go very, very deep on, but the assessments that we provide would have essentially determined whether or not you had taken the steps necessary to buttress against a potential attack like that, or, as I like to say again, limited the blast area so that you could rebound and recover from a potential attack like that. And you won't know that unless you have actually gone through the steps of a risk assessment and made those determinations. Please do not just take the nod from the IT guy who says, yeah, we're good to go, we can recover from that. That's not a good answer for the board of directors for a company.
I think there's so many important things you just said. We talk about that there's a time delay now. For those of you who are playing at home who don't know IT, the time delay matters, because our default reaction as IT guys is like, oh, we'll just restore the backup. I'll give you an example: we got one just five days ago, it's five days of data loss, it's not the end of the world. What does it restore back to? Because we keep backups, say, six months old. The problem is, let's say your hack happened to you five months ago, and again, well, we'd have backups that date back a year. Congratulations, you just lost a year of data. Can you survive that? And they're like, wait, what? So that's why we have time delays in this situation, and people are like, oh my god, I'm not ready for that. What do I... well, how long should my backups be?

It's not a question of how long your backups should be. In that environment I think it's more of the question of how have you done the assessment, how have you done the things to protect yourself.

Because one of the tests we... and again, this is 20 years ago. We would send emails to people like, hey, here's a PDF. We would spoof the email, in other words make it seem like it's coming from your internal department, right: click this link for this meeting we have coming up later today. And then we'd just see how many people clicked the link, and the majority of people clicked the link. My favorite was when the C-level, when the C-suites, would click the link. They're like, oh my god, I can't believe Susie from HR did that, she's stupid. Really, sir? CTO, you clicked on it too. And they're like, oh my god, you're an idiot as well. So the problem isn't one person, it's universal. It's just in the process of our day we're so used to just clicking and firing. And this is why, again, to your point, you have three or four guys that are elite, unbelievable individuals who are running your IT organization. This isn't 300. You can't expect 300 guys to stop the entire army that's coming at you. You've got to get them resources, you've got to get them help. Now I want to talk about the introduction of AI. Now, AI, we already know it doesn't mean artificial intelligence; we already know it means always incorrect. We're still using it, and we're still uploading vast amounts of information into it, which is an absolute nightmare from a security part. It's a nightmare. What do you tell the organizations you're working with? They're like, hey, yeah, I know you want to work with, you know, OpenClaw, or you want to work with Claude, or you want to put in Codex, or you work with Manus, and they're like, hey, why don't you just walk outside... What do you tell the people in that environment to protect them? Because we're becoming an AI-first world. We were in that first world; now we're an AI-first world. How do you protect them in that environment?

There's a couple of different things that we do. One,
I've assembled a partner network that has a variety of solutions that meet customers' needs as it relates to the adoption and implementation of artificial intelligence in the business environment, and I've aligned myself with these potential technology providers because I love their technology and it does what it is that they claim it's able to do. That's part of the challenge. We, from a standpoint of making sure that there's a knowledge transfer, that we acquaint our client with the challenges they may be facing in using AI, have built an internal process that will allow them to take the steps in a diligent fashion and make sure that they aren't just simply opening the gates and allowing their employees essentially to give up the company's goods through the use of these tools. It requires a lot of diligence. It requires companies to take steps like creating a change committee or an artificial intelligence committee, for which they do an evaluation of the potential impact of these solutions on business operations. In other words, each business leader might have to contribute what kinds of information they intend to put into this system, and then what their expectations are for what kind of access the bots, agents, and other aspects of AI will have throughout the enterprise. All of that needs to be governed in a governance, risk, and compliance fashion, and it requires you to stand up committees and, yes, take very, very diligent steps that will allow you to assess whether or not a particular solution can be helpful, but then implement it in a fashion that is safe and secure and then ultimately helpful to business operations. And so it requires you to think about it. It's not just a matter of going to the site, signing up, and just assuming that that technology provider is going to provide you all of the security measures and default settings that you need in order to protect your enterprise. You have to take extra steps, and thinking through those extra steps is what we do as an organization. We help organizations identify how they think through those steps. We bring experts to the table who can explain the risk associated with any one particular solution and give them a general approach that will allow them to reduce the opportunity of any particular adversary to exploit their system and/or just make bad use of AI. There are gaps in the use of artificial intelligence. I heard some interesting stories recently about AI, or large language models, that have been given, you know, widespread access to enterprise information, and in doing that, because they only understand, you know, language prompts, have gone out into areas and retrieved information and presented it to users, and that user didn't have access to that particular information from their role-based access within the company, but the bot had access to it and provided the information. These are all challenges that are fixable, but they're only fixable if you are taking the preemptive steps necessary to make sure that you're protecting your digital information wherever it may reside.

I think assuming that whoever you're working with, whatever software it is that's
trying to protect you, it's just not doing that. It's evolving too fast, and the best example I can give of this, for those of you playing at home: I had a box that had none of my personal information in it, and I created a little virtual machine inside my box. I then loaded a version of OpenClaw inside of it, and I wanted to see. I'm like, I'm going to give it the resources; it has none of my personal information. And I watched it. OpenClaw figured out that it was inside a virtual machine, and then it was like, huh, I need more resources. It then penetrated out of the sandbox to try and get more resources from my parent OS, and I was like, okay, no, we're done. I'm wiping the whole OS out. I was like, we're done. I've never seen anybody do that before. I'm like, I don't want to play anymore, goodbye. But I'd never seen... it wasn't doing it at the time tremendously, but I've never seen a piece of software break out of a VM and then go out at the parent OS. I was like, what? How is that?

Yeah, I'm starting to hear more stories like
that, because it's interesting: you know, computers and technology do what we tell them to do, and if you tell it to do a task, it then assumes that it has to complete that task and it has all of the variable things available to it, to include what might be considered malicious behavior, to achieve the task that you've given it. And so these are important elements that we need to be thinking about. I heard a very similar story in the context of, you know, RSA, that occurred this week in San Francisco, about an AI agent essentially executing an exploitation in order to gain access to information to satisfy the original task that it was given, which is crazy to me. But guess what, it makes sense: you told it to do that, and it thinks that it has all of these things available to it. You didn't tell it that there were boundaries, and these are things that we're going to have to learn as humans, that oftentimes not only do we have to give it a task, but maybe we have to give it the limitations for which it can execute that task.

Right. I
tell people all the time, AI is a toddler at this point. If you're like, hey, I need you to go build a kitchen, and it needs wood, it will tear down the rest of the house to get the wood for that kitchen. It's because it doesn't understand. Oh, you needed the rest of the house? You just told me to go build a kitchen. I knew there was wood somewhere; I went and found wood. You're like, whoa, stop. The next problem you run into, and I don't think people understand this, really, on the tech level: as much as we picked on tech guys, the opposite occurs as well. When we IT guys show up and you don't understand what we're talking about, and we're really dorky, the culture has to change in your org. Like, listen, these are your vulnerabilities, we did this assessment, these are the problems, there's only so much we can do, here you go, this is going to happen. And then your C-suite, or your SMB, or whatever it is, it's like, dude, I've got to get these widgets out the door. You have to have a culture change. When you run into that for your clients, how do you pivot the entire culture to get them to understand?

This is part of the reason that we operate across
multiple variables of the risk spectrum, so we are an enterprise risk company in terms of our advisory work. I believe in my heart that no single solution, like a digital widget, is going to solve the problem that you're actually needing to solve. And so when I think about people, process, and technology, which is sort of the consulting mantra, we do all three. We come in, and we may help you identify the digital solution that's helpful to you, and then you may come back to us and say, well, I'm still short on people. Well, guess what, we have interim resources we can add to the solution, so that you can have a period of having folks that have the expertise available to ride along with you, to help the company continue to grow. And then you can take the time to plan how you're going to hire a permanent person to do the job that this interim person is doing, and they're doing it in an excellent manner. And maybe the solution is, for some limited period of time, to have that adjunct person, or fractional, as we like to call it in our industry, be the person that's going to ride along with you for that phase of your growth and development. You will get to a point where, yeah, you want to hire someone permanently, and that's where we also come in with, okay, now that we've provided the fractional technology talent to help you grow and scale to a new phase of your company's operations, now we're going to go out in the field, through our broad network, and actually help you identify who's the right person to do a longer-term engagement here, multi-year, maybe even become part of your FTE workforce, and give you that person. And guess what, we've been part of the journey with you up to that point, so we now understand the company culture, what's going to work best, not just from a skill set standpoint but who's going to be a good fit for your organization for the next phase that you're moving into. And so we want to be supportive across that entire people, process, and technology cycle.

So I want to dissect this model a little bit more. So
when I was doing this, again, a while ago, we were what was known as an MSP, which is a managed service provider. We would come in and we would provide small to medium-sized companies IT departments, and it was really simple. It's like, you can pay this guy 120k a year, or you can pay me two grand a month, which is like $24,000, and we're going to do 90% of what you need. You don't need that full-time person at $180,000 to $200,000 a year, because most of the time in IT we're going to just be surfing the internet and goofing off, because they don't... wait, every 37 seconds, it just... let's be honest. So you don't need someone full time. I think what you need is that elite level of support, that elite level of experience that comes in and says, okay, I'm going to do what's going to take somebody else who has no idea what they're doing. I got this. Here it is, this is what you need to do. Now you've got to figure your culture out; you have to do all that. We're going to advise you. But I think most small businesses are like, you know, they hear MK and they're like, Jesus Christ, he's going to cost me a half a million dollars, I'm not going to be... oh my god, and they freak out. Like, whoa, this is fractional. The model is important, to come in and say, listen, here's an expert, we're going to sit with you. But I don't think, and correct me if I'm wrong, my experience with this is it's not a problem of us doing the assessment and us giving you the expertise. It's you now sitting down and pivoting your culture, and this is where I've shown who's got the experience. It's, okay, we just found out we're exceptionally vulnerable. Now you're not going to give it to your C-level CEO, who has never logged into anything other than their Gmail. You're going to have to have someone hold their hand, but it doesn't have to be the most cost-prohibitive thing in the world. Is that kind of the same model you guys are still using, or have I just outdated myself at this point?
No, no, it's the model we're using, but maybe I'm taking even an extra step to explain it. Let's just use some notional figures and a notional scenario. Say you determine as an organization that you're ready: we need to hire a security executive to champion our security expertise and the things that we need to be doing from a security standpoint. Guess what, security persons with deep experience and knowledge like myself come at a high, high price for permanent personnel. I did pretty well working for a couple of Fortune 500 companies here in Silicon Valley. And so even at the SMB level, you want that level of expertise, but you're not ready to pay the same amount that, you know, the likes of Google or Palo Alto Networks is going to pay. So why not hire a fractional person that you can get at essentially a fourth of the price, and still get the expertise and level of engagement that you need? And you get to go through a period of evaluation, quite frankly, to determine if they can do the job, because oftentimes what happens is that they make these high-dollar-value hires and the person doesn't even work out, and so they've essentially wasted time. Here's the other component I'll tell you that I think is fascinating. You hire a CISO, and let's just use the CISO because that's sort of the go-to persona, if you will, for technical expertise at the C-suite level. You hire a CISO; they are immediately going to want to build a team. So you aren't just hiring one executive, you're hiring an executive who then is going to build a roadmap to building a team that's capable of executing, because I don't care, even the most technically minded CISO doesn't want to be the person actually developing and shipping security within the enterprise. They want to be spending time on the strategic measures. So they're going to go out and hire that great security engineer that they worked with at company X. They're going to go out and identify that person in GRC that they worked with a few years back who was just excellent at documenting process and making sure that the team stayed on point in terms of policies, procedures, and keeping all of that stuff updated. And before you know it, your one-person hire has ballooned into a 50, 60 person team that costs an immense amount of money for talent. Again, for a fourth of that, you can have an expert team come in, operate in a fractional capacity, and then help you, in a slow, mature fashion, identify the long-term resources that you're going to need. Or, quite frankly, maybe you determine that the fractional model, which is becoming super relevant today... I can't say the number of technologists I know that are on the bench by choice, because they would rather operate fractionally rather than do long-term projects. They want to take their expertise and go from project to project, because they don't want to work for a large-scale enterprise as a permanent person, because they like the freedom associated with, hey, I've got expertise, and, like you said, what might take you 10 hours to do, because I have the expertise I can come in and do it in an hour and a half, and it's done in an enterprise-level fashion. And then guess what, I have the rest of that time available to me to go do other projects or do something else that I intend to do. In my case, I get to go run the other aspects of a business, which means that the fractional experience and the engagement that I need in order to get that customer to where they need to be, I can parse that out and give that to 10 companies at one time, as opposed to one company at a time.

I agree a thousand percent, and I've said this, again,
20 years ago: you do not need a full-time IT department, period, full stop. You do not need a full-time CISO. This should be outsourced. You should be hiring... I would rather you spend for the expertise than the time, because the expertise is going to save you that time. And having somebody that's sitting there for half a million dollars a year, who's going to build out an entire team, is just going to drain your revenue streams. Having someone who's got the experience that comes in and says, hey, these are the next five things you need to do, we're going to do this, let's sit down and talk about it, you will not only be more protected, but you will also have saved an immense amount of money. The reason I say that you're more protected is because he's not experiencing it just at one client anymore; he's now experiencing a hundred clients at a time. So the experience of one breach that's happening at client Q is now helping out client A. And I just don't think small business owners understand that. There's this ego, like, no, they have to be mine, they have to do that. You're not getting the best expertise, and you're wasting an immense amount of time and money in order to do it. So just don't do that. For those of you guys who are playing at home who are small business owners and are like, listen, this is Sanskrit to me, I don't understand any of this: look at a fractional environment, be it MK or anybody else, on any level of your IT stuff. And I'm sure I'm going to get some nastygrams from the IT guys. You don't need to be full-time. Be honest, we're all just browsing YouTube way too much anyway. So, you know, get off of that, and that's just what's happening. So if the people are watching from home, I have two questions I want to ask you. One is, what are the things, if they never run into you, if you get eaten by a purple dragon today and you disappear, or you win the lottery, make a hundred billion dollars and you put your phone in a blender, what are the five or six things that they could do right now? Like, okay, I need to do this, there's this online tool, or there's this thing that I could do, or one of the things that I could do right now to protect myself on a personal level, and then the things that I could do for my business environment?

We provide a risk assessment that folks can take freely at our website. That risk
assessment will walk you through some basics to give you a high-level understanding of where it is that you may have not made the proper investments in the reduction of risk to the enterprise, and we cover multiple domains. Again, we're a people, process, and technology advisory firm. So I would say, at the very least, take some time to assess where you are as a company. You can do that with us, you can do it with others. We think we bring not just an immense amount of experience but a special expertise based on my experience and those of my executive team and the others that we have engaged. But do something: evaluate where you are as an organization, and bring in folks who have experienced, broad-based expertise and will give you an unvarnished opinion as to where you stand as an organization. Take the time to make the investment in that effort, and it doesn't happen overnight. You know, a typical risk assessment is likely a six to eight week engagement if done correctly. Just aligning time schedules, going through the process of asking all of the... there's, you know, probably 180 to 200 plus questions that get asked during the course of the assessment. You do those in chunks; you don't want to do those all at one time. There's a gathering of data and information in terms of documentation, or the absence of the documentation, that needs to be noted. So the process takes a while, so get started. From a personal standpoint, there are several things that you can do that just sort of evaluate where you are. Just Google your name, for starters. Go into an incognito browser and Google your name and see what information comes up in a Google search, and then Google how you get Google to remove your name and personal information from searches, and it will tell you the steps that you need to take in order to essentially give Google the information that it needs to be looking for, and it will come back and tell you. I do it myself. I get probably an email every three weeks or so: hey, your personal information is found on this site, would you like it to be reviewed for removal? I click yes, and 99% of the time the email comes back and says it was removed. Every once in a while there's some, you know, site, and because of the way that the information was collected, they're unable to have it removed. That one percent of the time, again, it's about limiting your footprint, limiting your exposure to risk. It's not about eliminating it. If you want to completely eliminate digital risk, don't use digital products.

Correct. That's it. That's the only way to do it.

That's the only way to do it. But if you're like the 99.9% of the rest of the world who has a phone and wants access to this digital information, there are basic things that you can do to protect yourself. Do the basics, and that at least gets you on the right path, because most folks aren't even doing the basics, and that's the adversary's channel.

We talk about something in the military all the time about everyday
carry, one of the things you carry every day, be it from operational, from military, for sidearm or whatever that is. When it comes to this, what is your everyday carry for the stuff in your world that you use on a tech side? Are you like, okay, I use Android, or I'm going to be a Google guy, or I'm going to always have a flash drive on me, or whatever it is? Because I keep a flash drive in my wallet that I use very specifically, that can breach me into any machine. I've had it on me for 20 years. I'm like, I get into anybody's machine that I ever get locked out of. It's just a habit; I always have it inside my wallet. What are the things that you have in your world, like, these are my everyday carry, so I'm always going to have this on me, or this is what I use all the time? Because through your immense experience with the FBI and the Marine Corps and the Navy, and thank you again for your service, one of the things like, you know what, this is the one I use, this is the case I'm going to use, because those are the things that people are like, what does he use? He's got this experience, what was he taught? They want to know those things. So what is your kind of everyday carry?

Let me answer it this way. So part of what I bring
to the table is a level of communication that can be helpful at the strategic and executive level, so I'm a communicator by trade. That's what I get paid to do in most instances, that's what I get paid for in an enterprise, and it's a skill set that I've developed over time. In terms of my tactical carry today, because I had such a wonderful experience at one of the biggest technology companies on the planet, I'm a Google Workspace user through and through. I love the products, I love the ecosystem. I know the story behind the preferential use of zero trust in terms of the principles that were used to build out the environment. And so, guess what, I'm a Chromebook user. I like telling folks the story that, you know, I love Macs just like everybody else; the look, feel, and presence of a Mac is unmatched. But if I'm traveling for business, guess what, I've got my Chromebook with me. It's probably a safer platform to use. There has never been an instance of a Chromebook being violated via ransomware; the probability of it happening is actually zero. I use a Pixel phone because it's tied uniquely to the Google ecosystem. Do I have Mac products? Absolutely. I will tell folks day in and day out, I'm an iPad user, because I don't think that there is... I have yet to see, in tablet form, something that is as useful from a utility fashion as the iPad. You attach a keyboard to an iPad and there's almost nothing that's restricted to you to be able to do. I mean, it is part of my go-to carry. And yes, I have a tech bag, or whatever you want to call it, that I carry with me for business travel and when I'm out and about meeting with customers and clients. But from a tactical fashion, I'd say my everyday carry is that when I walk away from my home office, I'm going to have my Chromebook, I'm going to have my iPad, I'm going to have my Pixel phone, and a tech bag that's going to essentially allow me to get in front of folks and carry on whatever kind of conversation I need, in order to either develop business or, quite frankly, just help them understand what I'm seeing and the challenges in the environment landscape.
Dang it, I have to start looking at Google Workspace again, because I'm a Microsoft guy, and I just... I learned it. So I'm going to have to transition. That's... yeah, you bastard. What are some of the tools out there? I'm stumped, so I'm going to have to pivot, because I'm such a Microsoft guy, and it just... it's worked, and I hate... what is it, Sheets? And I'm like, can I just put it in Excel? And they're like, no.

There is such parity and operability between the Microsoft Office capabilities and Google Workspace today that it's almost 100% seamless. So the transition may not be as hard as you might think it is.

Oh god, that's okay, I'll work on that. I promise I'll work on it. The next thing: what are certain things that you're like, dude, that's just a waste of money? Like, they have these little stickers that you put on cell phones that reduce EMI or EMF, and they don't mess with you, right? What are some of the things you're like, please stop buying this, what are you people doing? Like, is there anything out there that you could think of that you're like, no?

Now, I don't want to disparage the use of any kind of
technical product you know I I do think that um you know things like most people don't have to worry
about you know RFID readers the the common consumer but I noticed that you know there's even a
stretch of folks out there that are selling like Faraday bags to people that who know now they
need to keep their technology in a third day bang and I'm just you can go too far I think with some
of this stuff and that's I'm not that guy I'm not the person who's who's going to tell you that
you know um you know every time you you know don't use public Wi-Fi yeah you know be be careful
when using public Wi-Fi um you know they're still they're still the validity to the use of VPNs
most most phones have VPN systems built into them turn on your VPN when you're out public
or it's Starbucks using Starbucks Wi-Fi or or when you're traveling in going to hotel you know
if you don't want to use a hotel Wi-Fi by your own Wi-Fi puck um and use that when you travel
so that you can have safe security like you know there's so you're saying how much pain you
want to you want to inflict on yourself so you mean the shoebox that I have in my house that's
wrapped with aluminum foil is not a good idea is that what you're saying I shouldn't okay there's
a bunch of people out there who are gonna like I I need to talk to someone it needs to be on
an a fractional environment how do people track you down how do they get access to you how do they
ask questions to kind of to lead themselves and protect themselves in a world that's getting
more and more risky yeah a couple of different things one I would tell them to to visit our website
at apogee global rms.io you can see the full suite of services that we offer as a company there's
some stuff about our background and there's some information from a thought leadership standpoint
in terms of our approach to security and enterprise risk and all of the things that that
came up in conversation I think that's a great starting point from an individual perspective we
have both a company presence and my personal presence on LinkedIn I'm a heavy I'm a heavy
LinkedIn user so like we can give a we can give a nod to Microsoft in that way if you like you know
they're they own LinkedIn so I'm a big believer in LinkedIn I think it's a great professional
social network I keep in touch with lots of people on LinkedIn I'm there as mk palmore if you look
me up I'm pretty sure I'm the only mk palmore on LinkedIn I'm open to outreach I can't tell you
the number of folks who reach out to me sort of blindly that I've had the opportunity to actually
connect with and have conversations with so you can see a lot about what we're doing as a company
and what I do individually for my own personal brand which amplifies the company brand either at
our website or on LinkedIn perfect and if not we'll put your direct phone number your
social security number your bank account and your home address in the show note okay I'd
appreciate you to come on I really do thank you for sharing all the information that you did
with us security isn't about having the fanciest tools it's about doing the basics every single time
MFA on permissions lock down stay consistent that's it mk made it clear today the adversary is
counting on your laziness don't give it to them as always thanks for tuning in stay safe out
there digitally and otherwise see you next time