Spend Advantage Podcast

How to reduce human-factor cyber risks?

January 05, 2023 Varisource Season 1 Episode 17

Welcome to The Did You Know Podcast by Varisource, where we interview founders, executives and experts at amazing technology companies that can help your business save a lot of time, money and grow faster. Especially bring awareness to smarter, better, faster solutions that can transform your business and give you a competitive advantage. https://www.varisource.com

Welcome to the Did You Know Podcast by Varisource, where we interview founders and executives at amazing technology companies that can help your business save time and money and grow. Especially bring awareness to smarter, better, faster solutions that can transform your business. Hello, everyone. This is Victor with Varisource. Welcome to another episode of the Did You Know podcast. Today we have a doctor in the house, Dr. James Nori, who is the CEO and founder of CyberCon IQ. They are essentially the human defense platform, which prevents human-factor cyber risks. Welcome to the show, James.

U2

Thank you, Victor. Great to be here 

U1

today. Yeah, so, no, super excited. A lot of exciting topics. Obviously the two that I'm most fascinated about is people and Cyber Risk because those things seem to go hand in hand together. Unfortunately, they

U2

do. And if any of your listeners have looked recently, the dramatic increase in the number of successful attacks that can be linked to a human factor, whatever that might be, could be oversight, could be mistake, manipulation, accidental insider, credential compromise. Doesn't matter. Victor, that's 80% to 85% of successful attacks today.

U1

Yeah, I've got 1000 questions for you on that. But before we start, first of all, we don't have a lot of doctors on the show as guests, so glad you're coming on. But you know, obviously what we love is oftentimes CEO founders have these founding journeys or the aha moment of what I was doing before and then, aha, like why am I building this thing that needs to save the world, right? So I'd love to kind of hear a little bit of your background and what made you create or want to create CyberCon IQ.

U2

Sure. Well, this is startup number five for me. So I've got a little bit of a disease, so entrepreneurial disease. I keep saying I'm never going to do another one and I keep doing another one. However, they're born typically out of research that I do with my clients. So after my first exit, I became a professor and for me the interesting thing about the academic world is that I get paid to play for the rest of my life to use what I know in a number of disciplines. So for the benefit of your listeners, I have terminal degrees in business, computer engineering, law, psychology and cybersecurity. So talk about a great time to be doing what I do. Right, but in all cases the ideas come out of research and these are research driven and very attentive to current issues where we find a solution and then we turn it into a product after we've proven the solution works. So in this particular case, I'm proud to say that not only did this come out of some work we did in my lab beginning in 2016 and 17, but more particularly, also led to a patent which was recently granted. So it's US patent number eleven, 411, nine, seven, eight, a number I'll never forget for the rest of my life because they're hard to get. But it is a patented solution that is distinctly different in approach. And so I guess Victor, the pathway is really simple. I go into the lab to solve problems for my clients. In most cases they're large global banks, financial institutions, those kinds of things. And enterprises at scale are suffering right now terribly with this problem. And it was frustration on the part of my clients that led me down this path. And once we discovered that it worked and it worked dramatically, well, obviously we want to bring that to scale, to offer that opportunity and benefit to everybody.

U1

That's amazing, man. I think maybe like MIT or some colleges, I think they do something similar where they do like clinical or at least just research because a lot of companies so that's actually super fascinating. I didn't know about that. That's a great nugget there. Obviously, like you mentioned, security is a huge topic right now, especially even after COVID, where everything is even more digitized and more remote. And now, unfortunately, that means happier place for cyber criminals, risks. But obviously, for all the hacks that we've seen in the last six months, twelve months, you can have the best tools, you can have the best you can spend the money on all these crazy tools, parameters and defenses, yet one person slips up, boom. Right? Like you're del,

U2

Victor. You just hit it. We call it click boom for a reason, right? It only takes one click and boom. Okay, so funny you should say that because that's the same thing we say internally around here. So if we want to trace this back, the origins of this problem actually lie between the computer and the chair. And that space is occupied by a human. And there's always a human in your organization that has the keys to the kingdom, right? They have the credentials necessary frequently at a privileged user access level to be able to keep your enterprise functioning. Well, it's great when they're working on your behalf diligently. And we're assuming here that you have employees who want to be diligent and trustworthy, but that also means that same person can be compromised pretty easily. And I don't I'm sure need to tell your listeners that all the variety of vectors that come at them. So most of the work in security has been repelling threats at the perimeter, right? Cyber hygiene vector. And as you point out, there's all kinds of tools and solutions and systems. And I'm going to presume that anybody listening to this podcast probably has that covered, and usually pretty well. Our most mature and pretty well resourced clients can keep those threats repelled 92, 93% of the time, right? So you're dealing with a very small margin of novel, brand new threats that have not been seen before, and they're generated by AI. The bad guys using AI against us. Victor, I mean, just take a guess. How frequently do you think there is a novel new threat in the space?

U1

You mean to the company's overall market.

U2

So somebody trades, let's say let's say one 5 billion. Okay, so there are there are millions and billions of them, but a brand new one occurs about every 1.7 seconds. So you have a novel threat approximately every 1.7 seconds. That means that statistically, the probability of your company, no matter how big or how small, Victor, I want to point out something important to your listeners. Nobody is too small to be attacked because this is broad brush threat distribution. What they're doing is they're taking a huge swath of people and they're throwing these threats out there, and they're hoping for two things. They're hoping that you don't have the perimeter defenses necessary to detect it, and that if you do, in fact detect it and repel it, that there may be challenges with how quickly that happens. So maybe they're speaking to some need for urgency on the part of them and the employee to click. Or if you miss it, it is sitting in front of the employee. So any of those to make a threat into a vulnerability takes mere seconds for it to get around your perimeter defenses. If it's a novel threat and sitting in front of an employee, and that's what we protect against. What we want to do is build the capability and the capacity it's resilience is what it really is, Victor, for your employees and your contractors and your partners and your vendors, however you want to decide, your perimeter is defined. We want to help every single human there detect when they're being manipulated and how. And we don't care about the content. Memes so you mentioned COVID, right. COVID distributed all of us to working from home, whether companies wanted or not. We've extended the perimeter of the company, but it's not the meme of the threat that we worry about. It's the architecture of the context and the threat. So what makes us very different is we're building capacity in your employees, one person and one style at a time.
So everybody's journey through our system is different, and it's based on a combination of their personality, their style, and their knowledge of cyber. And we marry them and we take them on a personalized journey to improve resilience. And we've had dramatic results. And when I say dramatic results, I'll just use one proxy measure for risk. Victor, if I may. So you probably have most of your clients phishing their employees to see whether they've got people who are prone to clicking on phishing, right? Pretty common

U1

tactic. Yes. 

U2

And frequently that failure rate in a lot of our companies can be really, really high. It can be 10, 15, 20, 30% if they're untrained. With training, you can bring it down. Well, in our platform, it's almost always sub 2%. And more important than sub 2%, a lot of our clients are getting between 0.3 and 0.7. And how do we do it? Well, we teach people to be sensitized to their vulnerabilities because no threat in the environment, Victor, becomes a vulnerability unless somebody is tempted to do something right, whether that's clicking or sharing their credentials or letting somebody in the system or loading malware or whatever it is. So we really focus on this idea that the human firewall, that last mile in the human firewall, it's real. We can create it for your clients and we can make a difference. And we know that it works. And I'd be happy to spend time proving that to anybody. Scientifically, our version of this is completely personalized, and it works far better than any generic security training in the marketplace today.

U1

Yeah, first of all, I think the goal of this podcast is to let people know about your amazing solution, but also pique their interest to want to come to the webinar thereafter that you and I are setting up to show them the magic. But all the things you just said, I'm like, where's the webinar? Let me sign up right now. You're definitely piquing the interest already. One thing, because obviously you guys do several things, right? You talk about phishing simulation. You guys also do some security awareness training, which I want to ask you about right now. You guys also do cyber risk and risk assessment. Yeah. So there's a lot but I want to address this one first, which is the security awareness training, because I myself previously in corporate jobs, obviously had these trainings and obviously a lot of times when people and again, we're here to ask tough questions, right? I mean, that's what this podcast is about, right? But I was one of the people they got to send the request to, everybody got to take training and stuff. So we take the training, but we're all kind of taking it as like, yeah, we need to do it, we answer it. But then do people really have that full seriousness or urgency of understanding, hey, there's a criticality of these tests, and also after you take it, is it that effective to protect you thereafter? I would say subjective, probably not right for me. So how do you look at this problem of, sure, you can buy training, you can go through training, and I'm sure everybody can buy

U2

training, lots and lots of training 

U1

available. Yeah, but it's not really I don't think that works exactly right. So kind of walk through that specifically there 

U2

well, and we'll get into the secret sauce a little bit more in the webinar, as you point out. But let me answer some of your questions at a high level because it's a little bit complicated, but not too complicated. So first of all, any educator so remember, one of my degrees is in Ed Psych, right, is in adult education. So one of the things that anybody who teaches somebody and if any of your listeners have kids who are in school, you'll see this, if the learning experience isn't interesting, then aren't you just going through the motions, Victor? Yeah, okay, so I would argue so much of security training is delivered from the perspective of the security professional. And where else in the business do we assume that if we just tell people what to do and that we tell them why they should do it, they'll just do it? No other part of the business assumes that. In every other part of the business, we try to create a series of motivating factors and reward systems and encouragement and we build context and holy smokes. Like to get human beings to actually all do the same thing, which we call conditioning or habituation in psychology. To get people to replace or suppress their instincts and impulses and actually do something that's better for them is not easy. And dare I say, Victor, have you ever made any New Year's resolutions?

U1

Absolutely all the time. Right?

U2

Well, there you go. So I liken generic security training to New Year's resolutions. We put a little tick in the box because we had a couple of glasses of champagne. We feel pretty good. We say we're going to be better and go to the gym. Okay, great. And then a week or two later, not so much. Right? Well, the same thing happens at security education. So one of the things that I say is, don't compare us to security training. I would liken what we do to that on steroids. It's an educational experience and it begins with actually helping the learner understand who they are at their core, what are their instincts and impulses, and how are they vulnerable to certain kinds of online threats, how do they behave online? And how is the way you behave, Victor, different from me, different from the listener who's on this podcast today? So we all are going to have different vulnerabilities for reasons that are endemic to our personality. So that's the first thing. We sort of then we train you and we speak to you in a language you understand that is synonymous or what we call symmetric with your personality. And suddenly you go like, wow, this is kind of cool. And not only is it fun and engaging, but it's cognitively complex. So the next step of ours, which is different, how often, Victor, I'm going to ask you and listeners, you can play along with us. This is like a game show. So, Victor, how often have you put the training on silent or advanced through it and then tried to fake your way through a

U1

quiz? Since I no longer worked for the corporate company before, I would say, yeah, majority of the time, probably. 

U2

Okay, so what that is, is it makes the assessment too simple. It proves nothing because there's a huge difference between knowing something and doing something. So we focus actually on something novel, which is if you are going to take valuable time away from employees, right. And the listeners who are decision makers, I'm going to tell you the most valuable thing you have is your employee time. It's a really precious resource. So if you're going to take that away, that's got an opportunity cost for you as an organization. If they're not doing their job and they're engaged in security training, wouldn't the objective be to change their behavior, Victor?

U1

Absolutely. And I think what you said earlier really resonated, which is it's a tick in the box. It's a check in the box, and there's something wrong with that. Like, that's a human nature. 

U2

Well, there is something wrong with it. It doesn't change behavior. So while you put a check in the box and you say, okay, to the regulator or to the boss or to the board or whoever you're trying to impress, that you did something I want to ask listeners is honestly, is putting that tick in the box really what you want to be about? Because it's not going to change your risk profile. It's not going to improve your posture. It's not going to change employee security habits. So what we do is we do things differently. And we do things differently not just on a patented basis, but also the way we do this in the order we do it and how we do it. We've really studied how we get people to change behavior. Let me not rest on marketing slogans, Victor, for just a second. Let me give you a real proof. So when was the last time when you were working for said large organization that after going through the training, you were so enthralled with the experience of the training, you learned so much, you actually asked for more? I bet you that happened. Never, right? Okay, here's a stat, real stat from our platform today, as we speak, 77% of learners on our platform actually consume additional training from our resource library not assigned to them. And they do it because they're engaged, they're interested, and because they think they're learning something about themselves. And you know what's even more fundamentally cool, Victor? Not just something that keeps them safe at work, but something that keeps them safe at home. So the other thing we do is we don't focus just on your security behavior in a professional context, but your security awareness and behavior period as a human being. And when you do that, you treat people like they're part of the solution instead of part of the problem. So instead of labeling them the problem, we label them the solution. And then we give them the really important skills and abilities and reinforcement to feel confident.
And when you do that, people not only enjoy the experience, but they have higher recall, higher application. We can prove to your clients, to your listeners on this podcast that we can actually change employee behavior. So training, if it doesn't change behavior, is of no value.

U1

Yeah. James, I feel like if you were my professor before, I would go to school every day, just the way obviously able to explain things. And it's interesting because I think a lot of times in education, even outside of work environment, like an education, even in colleges and high school, it's like, to some degree, the check in the box. Are you trying to graduate and you're trying to get a degree? Sure. Does anybody remember anything you actually learned or useful? It's an education way of education. I think it's a challenge. And I think what you're talking about really resonates. That's amazing, though, for that stat, for that people to want more information. Because people do want to learn. They do want to get

U2

people to learn. People love to learn.

U1

It is well, it's the form format, the content, the voicing, the approach. There's a lot to this. Like when I say to your listeners that we are data driven and science based. We really are a team here that is heavily leaning towards the educational psychology and other kinds of things. It's not that we don't have security professionals, we have tons of those too, but it's the marrying of the two. And we call it actually cyberology. And your podcast listeners will learn this when they come to our webinar, but cyberology is the combination of technology and psychology because technology is a disintermediating experience. So when people are online, they are actually shielding themselves a little bit so they would say things and do things online. So, Victor, the example of this we just went through. Of course we've had US elections, right? It's been very interesting. And as you and I have talked about, there's a lot of disinformation flowing around online that people give credibility to. That's undeserved because it's not real and it's not true. But we sometimes have that weird experience where we're sort of separated. And what we do online is we're sitting there typing so you can hear the effects in the back. So here we are typing away on our keyboard, and we disassociate a little bit because we would not say or do often the same thing online that we would do in person. So our effort is to reduce that sense of disintermediation and make sure that employees take the same responsibility for their actions online that they would take if they were doing it in person. So we often say in our training, if somebody was standing in front of you and saying, could I please have a signed blank check from your company, do you mind? What would everybody automatically say, Victor?

U2

No, no. Right? Because we go, wait a second, but we get into a similar situation that's a little more manipulative where we say online, would you mind at all just putting your credentials in here that will allow me to issue a blank check against your company's assets. And we all say click. That's disassociation. So we have to reengage learners to understand that they have personal responsibility for their security habits and for their security behavior. So it is changing the way people think about it, but in a positive way. We don't want to use fear because fear. So just for a second and a little bit of science, again for your listeners, this will probably intrigue you. There is a condition called hypervigilance, which is really a very subtle form of the fight or flight response. So Victor, what is the human condition, the fight or flight response?

U1

Do you know what that is? No. When you 

U2

are faced with fear or situation that is threatening, you are either going to stand and fight if you think that's your better option or you're going to flee. 

U1

Right. Fight or fleet. 

U2

It's a perfectly normal response. And while your body is busy getting ready to do one of those two things, it's flooding you with all kinds of chemicals and they're whipping through your neuroreceptors and they're causing your body to get bursts of energy through elevated sugars as an example and strengths and reducing your pain threshold. And like so, your body biopsychologically as a creature. We are absolutely programmed that when we're faced with that fear that this fight or flight response is triggered. It's a biological response. Now let's go to cybersecurity. So most of your listeners, I think, could understand that we've made our users perpetually afraid. We've not only said they're part of the problem, but we've triggered something called hypervigilance, which is this low-level stasis of fear. And what happens, Victor, is after a while, it wears us down. And we're willing to do anything to get away from feeling this dread that no matter what I do, eventually I'm going to be the source of a hack. Now, phishing is interesting because we phish our employee population. Now, I'm going to be honest. I'm not a huge fan of phishing as a proxy for risk. I think the way most companies do it is catching people doing something wrong. And there's all kinds of issues about how we do it, but let's leave that aside. We can talk about that in the webinar. That'll be another opportunity for a topic that people get a lot of value out of. But if you're going to do that, it's also triggering fear. And as you trigger fear, what you get is fatigue-based compliance. So even as you're putting that check in the box and phishing people, and they're failing, you are building a culture of fear and that will never give you sustainable and really effective strategies to defeat the bad guys. The bad guys are actually going to use that against you. And the more afraid you make your employee population, the more vulnerable they become.
And I don't think that we as a profession have grasped this. So I'm really passionate about this. You can tell I love talking about it, but I love talking about it because your listeners need to understand this fear works against us. And so we can get this temporary compliance, but it will not create a positive, sustained climate. And so we talk about not fear, but awareness. And generally getting people to understand they can be a part of the solution. They don't need to be afraid. We want to reduce that fear. So that's why we call ourselves the Human Defense Platform. We are not a security awareness training product. We are so much more than that. And the way we do it and how we do it will deliver world class results, reduce your clients' risks, and absolutely make you safer.

U1

I can see how everything kind of ties together. So maybe, interesting question for you. So we have listeners from obviously business owners, from CEOs of SMB, to maybe procurement in larger organizations. So you're dealing with different people at different levels, whether it's rules or hierarchies and sizes of companies. So in your thinking, first of all, do you guys target certain size of organizations? Or how does your program high level kind of customize towards maybe your role, your job title, maybe the department partner you work in? And obviously talk about your personality. How does it fit different? Because everybody operates differently, right? CEOs are doing different things and procurements are focusing on different areas, or it's focused on different areas. So how do you kind of work through that in a company?

U2

So, a few things you can scale. Like any platform, you can scale the degree to which you want to intensify the experience. So let's begin with the fact that it's basically super easy to deploy our platform. It's done as a SaaS model. We select only first name, last name and email. We do that through a simple CSV file. Like it couldn't be easier for your listeners to get started. We try to make it simple. So if you just want it to deliver it as a SaaS product, you can do that. You pay per employee and away you go. And what's neat is it's a little bit set it and forget it, Victor, because we're really aware that if you don't have a very sophisticated enterprise with a whole program of security maturity, but you're a business owner and you know you got to do something. This is what I will call a cheap and cheerful intervention. This is a great place to start. If you're not doing it today or you haven't been persuaded to do it, I can persuade you that this simple investment of time and energy, copying down into a file, first name, last name and email, and paying a very reasonable fee to train your employees, is a great first step. It doesn't require huge technical knowledge and it has an immediate improvement in your security posture. It will pay for itself. We call that risk adjusted ROI. Now, as you mature, you might deploy other parts of the platform. So, for instance, maybe you move to adding phishing simulation if you're not doing that. Or perhaps you're interested in our products that relate to measuring security and vulnerability. So we can take your clients on a journey. It scales to both their matures.

U1

They can pick and choose what kind of area they have to pick one where you say, you know what? If all you can do is one thing, you should start absolutely with this thing first. What would that be? 

U2

I would start with the education platform. So I would start with the assessment that's done. Each individual goes through an assessment that helps them understand how they're individually vulnerable to risk. And then it starts someone that's that personalized journey to reducing that risk. And the reason I say that is because that begins in the first eight or ten minutes of investment of time. You're already getting a return on investment. So I would say for an easy way to start, that's where I would start. No question right there.

U1

No, that's awesome. So, obviously, look, the world as we know it has changed quite a bit in so many different ways. Obviously, I think what it's done, at least for me, it's accelerated the digital transformation of because everybody is remote. And because of that, there's a lot of technology you're now utilizing, from software to hardware to other things, where it's just even further exposing everyone to even more security risk. Yeah, you used to be in an office, shut off in a security box, but now everybody's everywhere. So when you look at it from your point of view of the market, what has really changed for you from a security perspective in the last two years? And now this is the new norm moving forward. Right. What do you see now? Are the companies literally just at a disadvantage from the criminals, basically? What do you see? Yeah, 

U2

I think, first of all, and for your more sophisticated listeners, who perhaps are more mature in their programs, there are all kinds of really sophisticated technologies we can do, but they take security professionals. And right now, the biggest thing I would say to you is security professionals are in such demand. I don't know a single company that remains fully staffed in the security area. Right. Victor I mean, it's just a real challenge. So everybody's competing for resources. So that means that the things that you can do are limited by the experts and the resources that you can both afford and find and secure and retain. Right. So a lot of our clients now are moving rapidly to consuming security as a service. And I think that's something we've seen as all of these companies had to amp up their security efforts, because now, as you went fully remote, and as many companies have 

U1

made the decision to either stay remote or at least stay in hybrid, you have now ultimately inherited, the weakest part of your perimeter is going to be the furthest from you. So you've got employees working frequently on not company signed devices, but home devices, and you get into questions about what that means. Security. Same thing for contractors or for vendors. A lot of organizations before COVID were rapidly moving towards integrating things like vendors into their systems. Now we see clients unhooking that stuff just as quick as they can. It's fascinating. So back to my original thing. We can work with you as a SaaS product, we can work with you as SSO, or we can integrate and give you a site license right on your company in behind your firewall. We want to respond to the level of maturity in both technical capacity and program maturity to align what we do to whatever the client needs are. But for clients who don't have a security team, and that may be a large number of your clients, perhaps, Victor, they may have limited resources in their tech department, or maybe only one or two security folks we can also offer you our expertise. We have a way to manage that and package it as a service. And increasingly, although that has a slightly higher cost, it also brings with it all of our resources around best practices and the things you need to do,

U2

all tied to standards, whether that's NIST or ISO or CIS, those might not even mean anything to 

U1

you. But as a business owner with financial responsibility and the one who's going to receive the lawsuit when it comes, you should be. So it's important for us to bring that level of education, because I don't think every business going forward is going to be able to secure and retain the security talent it needs. And so we need to, as an industry, find new and innovative ways for your clients to achieve that. And so, for us, offering our product as a service has really been successful, especially in that small, that SMB space 

U2

where frequently they need that help. So maybe that's a great place to end. I don't know. We'll talk more about at the Webinar. I defer to you today, but I think there's a lot we can discuss when we get these folks who are listening today into the Webinar.

U1

Absolutely. So as we were close to a wrap up here, I got two last questions for you. One is maybe just my own curiosity based on everything you know about the industry. Obviously, when we, when we talk to SMB or, you know, mid market clients, they just, they know they need security, and they have some, you know, security staff and they have some. But it's just you literally cannot buy enough security solutions. There's literally security just for this one software and for everything. Like, literally, you can, you can never buy enough of all solutions. And they feel overwhelmed, and they're just like, okay, yes, I have all the money in the world. I can't even buy every single security. I mean, even Apple, even the largest companies getting hacked, they have all the money in the world. They can't buy all the tools on Earth either. And it's very overwhelming, right? Just like, okay, I only have this much, you know, budget. This is only what I can buy. 1.2s I mean, what is your kind of there's no perfect solution, right? Not every company is going to have all the money, but it's like, 1.3s what do you think about that kind of challenge or that kind of stress that a company faces? 1.2s Not even that they can't find enough security folks. But it's like there's literally so many security products they need to buy and just so overwhelming the whole industry as a whole. Well, you nailed it. Even if you had all the money in the world, world, and you could buy every single solution, you would never get your risk of a breach to zero. Do we agree? You can never, ever be 100% secure. Okay, so this brings us around to an interesting topic, and again, we probably don't have time to do it all today, but for your listeners, cybersecurity has existed outside of what we often call Erm, or enterprise Risk management. And there are really well developed methodologies that have been studied for decades about how we deal with risk and think about the risks that affect businesses. 
Victor, like weather risk as an example, right? Political risk, economic risk. Are we going into a recession, currency risk, and how we hedge and how we get insurance? So we have a whole industry about how to manage risk. And cyber grew up with people thinking it was a technology thing, and now we've discovered it really isn't. It's much more. It's not only a human thing, so it's not just a technology problem, it's a human problem, but it's also an organizational problem. And in every other part of the business, we do what we call risk adjusted ROI. We actually rank our investments based on how much risk they can mitigate, because there's only three things you can do with a risk, Victor: you can accept the risk. And you're going to have to accept some risk, because you can't be on this planet, exist and live without some risk. And the same thing is true for a business. So you either accept the risk, you mitigate the risk, and that's what you're talking about, making investments in platforms or improving our maturity or capabilities, or you transfer the risk. And here's something I'll tell you, and it's deliberate on my part, because it's a bit of a lure for our webinar, but I do probably three or four cybersecurity insurance reviews a week for clients. And there are clients who recommended to me, as you found it by word of mouth, I do this and I will pull apart, because I'm both a lawyer and a cyber guy, I will pull apart your cybersecurity insurance policy and explain what you think it covers versus what it really covers. And then I will explain to you that you are over-relying on transferring that risk. Because I hear this all the time. I hear clients tell me, no, I got this covered, because I've already got solution ABC, and I've got cybersecurity insurance. And I say, well, actually, I don't think you have it covered, and I would be very careful if I was you. 
I think what we need to do is make things a little easier for people to prioritize where they spend their time and money. Because if you're just pouring more and more money into more and more solutions that are more and more technology focused, you might actually be missing some other really important strategies. The people side is an example. The risk mitigation side, transferring some of this to insurance or not. Might you be wise, Victor, to pull some money out of the rapidly rising premiums you're paying for your cybersecurity policy? Bring that over and buy some of the solutions that you and I sell to customers. Frequently, what you'll find is you could be better off taking some of that, mitigating your risk and reducing your coverage, rather than going the other way, because you're overpaying and over-relying on coverage that isn't going to save you. So it's a complicated answer, but I think the security industry has become a little bit like the beauty industry.

U2

There's just absolutely all these beauty enhancing things we can do. And have you ever met somebody who says, oh, I want to be uglier? No. Everybody wants to be more beautiful. Everybody wants to be more secure, but let's be careful. That's handing some vendors a blank check to sell you snake oil. So I really would urge your clients to think about what the risk adjusted ROI is of every single dollar, and that includes employee time, precious resource invested in trying to make themselves safer online. 

U1

Yeah, I mean, there's been so many great nuggets out of this session that we could probably have three or four different webinars and it'd be all fascinating. But last question, as we wrap up here, is the one question I always ask at the end for a guest, which is, look, you know, you know so much, five times more than anybody in their lifetime, right? Because you, I mean, it's just, it's amazing. I love hearing you talk, but you, you explain things so concisely. I love it. But with all the things, you know, what would be one advice if you had to say to give out to business owners or anybody out there listening, any one person or one business advice that you're really passionate about, what would it be, you think

U2

something that I've always admired about people that I respect. And I think that that's something that we can all figure out. We all have people we look at, whether there are mentors or people we admire. I think there's something about human intuition which is underestimated. So, Victor, here's what I would say. If you are listening to this podcast and you intuitively got the explanations we just talked about and they made sense to you, I urge you to act. Because where your intuition says you should do something, you should do it. And the biggest condition that human beings fight is the status quo. It's just easier to leave things the way they are and say, no, I already got it. We got that covered. If you heard something today, your intuition went, wow, that sounds cool, give us a call, speak to Victor, speak to me. Let's not let this be something that you don't do and later regret, because the condition of regret or guilt on the human side is overwhelming. So I guess I would tie intuition to being proactive. So if you heard something today, act on it. 

U1

No, that was amazing. Thank you so much, James, for the amazing conversation. My 

U2

pleasure. It was great to be here today and we'll talk to you soon.

U1

That was an amazing episode of the Did You Know Podcast with Varisource. Hope you enjoyed it and got some great insights from it. Make sure you follow us on social media for the next episode. And if you want to get the best deals from the guest today, make sure to send us a message at sales@varisource.com.