52: In The Shadows with Jim Tiller

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.

[00:00:00] Chris: jim tiller is here with me today. Jim is a security executive with over two decades of information security, experience leadership, a history of outstanding performance and growth business turnarounds, and global recognition for innovation and security strategies and execution. He is currently global CSO for Harvey Nash

[00:00:22] Chris: my man, Jim, what is going on? My friend?

[00:00:24] Jim Tiller: Hey, Chris wow that’s a mouthful. Let me start off by saying all those things that I’ve got to do come for two reasons. One is I’ve been in this rodeo for a long time and I got to stand on the shoulders of some really great people. So there’s some amazing people I’ve got a chance to work with and they’re just, this industry is awesome.

[00:00:41] Jim Tiller: We, we really get to come in contact with some amazing people and so. But man, it is great to be here. I’ve been so excited about getting on this podcast with you and hardly slept last night, to be honest.

[00:00:52] Chris: Oh man. I’m, I’m honored to have you on man. You’re, you’re a veteran in the industry and I’m just looking forward to, to hearing a little bit about that.

[00:01:02] Chris: And, and I guess we can start off with that, you know, talk to me a little bit about. That experience that I mentioned in the intro. And what led up to your current role at Harvey

[00:01:12] Jim Tiller: Nash? Well, I guess the short version of the story is it was really kind of pen testing that got me into it. If you go back to 91 92 timeframe I was messing around with computers and networks.

[00:01:25] Jim Tiller: Actually I was writing applications for Autodesk. I wanted to be an engineer, a civil engineer, structural. And started building networks to help my applications work better. And then I realized, wow, these systems, I can do anything. I want to the computer, a couple of cubes down kind of thing. And so then I started kinda messing around with, you know, the old Solaris pizza boxes.

[00:01:48] Jim Tiller: And then I realized that, you know, I can make kind of computers, kind of do what I wanted them to do, whether it be through developing an application or hacking into the lack of a better term. So I committed to being a security professional probably in 1994, I think is when I, I said I made the turn, I want to make it a focus.

[00:02:07] Jim Tiller: And then from there I just kept building up on experiences. I got into risk management and compliance and, you know, early days of compliance when HIPAA and GLBA, for example I got to be involved a lot of really interesting things like CMI or SSE CMI back in the late, mid, late nineties. Obviously HIPAA, I mentioned things like when BIA 7, 9, 9 part one first came out from the British standards Institute.

[00:02:30] Jim Tiller: That was a game changer for me. From there, you know, I started just quite literally flying around the world consulting organizations on cyber security. So I was really. Given an amazing opportunity to collaborate with huge financial firms small organizations. It was just an amazing opportunity, a learning opportunity, a knowledge sharing opportunity.

[00:02:52] Jim Tiller: And then I started running small teams and then small teams became bigger teams and bigger jeans became business units. And, you know, next thing you know, you’re really spending a lot of time working with again, great people and be able to share. Your knowledge and their knowledge with organizations to the consultative process.

[00:03:11] Jim Tiller: I know it sounds kind of, you know, clinical, but the, I guess the way I would characterize it is I’ve spent my entire career doing security as a consultant. Right. So it wasn’t like I went to go be, you know, a VP of this bank for a little while, or went to do this thing over here for a little while. I’ve always been in that consultative realm specifically in cyber safety.

[00:03:34] Jim Tiller: And oh, well, let’s just say up until recently, right? So I’ve, I’ve advised CSOs around the world and in many ways or shapes or forms, and, and now, you know, I finally decided to put my money where my mouth is and become a CSO for a global organization. And it’s been great so far. Harvey Nash is an amazing company, so super happy to be here.

[00:03:55] Chris: That’s awesome to hear, man. I’m sure that with your extensive advisory experience, you’ve got to see a long list of different types of organizations, different industries that you’ve had to interact with and different struggles that they go through. I’d like to talk to you a little bit about those organizations that are in the shadows, right?

[00:04:14] Chris: And, and what I mean by that is if you have a company like manufacturing, transportation, industrial agriculture, If a system where to go down the business survival rate itself would be much higher than industries like financial healthcare and other electronic based business models. Although I think that has changed in recent years due to the technology integration business processes and supply chain needs.

[00:04:45] Chris: I’m curious, is this something that you’ve noticed as well? And if so, what are some of the problems. These type of organizations face. And do you agree that these industries are still primed for a cyberattack?

[00:04:58] Jim Tiller: Yeah. Wow. That’s a big one. So I think your point about in the shadows is amazing because there was a time like take I’m trying to remember who was the famous guy that what was it?

[00:05:10] Jim Tiller: Willie Sutton said, why do you rob banks? He goes, well, that’s where the money is. All security is, are the controls that protect your assets from threats. So, threats want your assets and the greatest valuable asset is, typically money, which is in the beginning.

[00:05:25] Jim Tiller: And then that then kind of turns into almost like processing power in some way. And then it was information and then manipulating that access and information to gain other forms of monetary value. So stealing credit cards. So nothing’s really changed, but the simple fact of the matter is for decades, forever, frankly, is a lot of organizations can be in the shadow because, why would somebody want to hack me? I’m in the agriculture business.

[00:05:55] Jim Tiller: And it makes for a really compelling conversation, right? You get sort of a theorial at that point, really kind of balancing that perspective of what is a threat and also what makes you a target. But, when we look at the indiscriminate nature of hacking today, especially like ransomware and things of that nature combined with the adoption of technology and becoming more deeply infused into how businesses do their business.

[00:06:22] Jim Tiller: So you take these two massive growth areas, the expansion of the threat environment and the interpretation of what is a threat, combined with what makes me a target? What makes you a target now simply because you have the potential to have value and threats can spend easily more time trying to poke into small, medium size organizations and frankly, easily because their security posture is not, you know, at the same of like a Bank of America or an American Express.

[00:06:57] Jim Tiller: And they can just sit there and wait for something to happen that gives them that value proposition. And they can turn that into 6, 7, 8 figure payouts monetizing these types of things. So now you have organizations that historically were not see themselves as a target. Why would somebody hack me?

[00:07:13] Jim Tiller: I make, coat hangers , but they’re also adopting technology at a massive rate which makes them ironically more exposed because their business is becoming deeply reliant on that technology. So you really have like a collision of about four or five different major changes affecting virtually every company on the planet now.

[00:07:32] Jim Tiller: And, you know, just take United States alone. We have about, I don’t know. I think it’s somewhere in between 30 to 35 million small businesses. Even if there was only 25% of that, we’re relying heavily on technology as a new adoption or transforming transformative thing for their business. That’s a lot of companies, you know, was that 350,000 or something like that that are now having to deal with security in a ways that they’ve never had to perceive before and it can have a greater impact.

[00:08:01] Chris: Yeah. I know ignorance is a strong word, but a lot of times it’s that ignorance. Security or just knowing what threats exist, because your day to day, you’re laser focused on your business and rightfully so up until this point. And then with the introduction of the, the technology, the supply chain it’s almost like you can’t avoid it at this point.

[00:08:24] Jim Tiller: And I, you know, I think yeah, haters is strong, strong word, and there is some reality that had but. I think it also plays in just, it seems totally insurmountable. Let’s say you’re, let’s say you’re a company. You do whatever it is that you do. You’re starting to migrated to the cloud. You’re leveraging data analytics and BI you’re looking at a more sophisticated CRM applications.

[00:08:46] Jim Tiller: You’re obtaining information from your manufacturing equipment through IOT, all this kind of stuff. Right now, add to the. You’re talking to a security company, a vendor, and they’re trying to sell you EDR or another. One’s trying to sell you pen testing and they’re scaring you to death, right? So the whole FID fear, uncertainty doubt sales cycle still exist, unfortunately, as part of our industry sales cycle.

[00:09:10] Jim Tiller: Right. You know, and so if you think about it, human nature, when you become overwhelmed, you know, sometimes you just kind of turn away from it. Like, I can’t do anything with this. It’s just too much, you know what, I’m just going to slide it off the side, you know, it’s so to be human, right. And you know, you go into an organization and they’re trying to adopt this technology.

[00:09:30] Jim Tiller: You’re trying to up the ante as it were and be more competitive or whatever business objective we’re talking about. And then there’s. W wait, there’s just so much happening in security, bad. I just don’t even know where to start. And so they just throw their hands up in the air. And can you blame them? I say the answer is absolutely not.

[00:09:49] Jim Tiller: You can’t blame them. It’s a difficult challenge. And one on top of all the technology adoption, that’s the technology enough is enough disruption. Now we’re asking them to deal with complex security issues.

[00:10:01] Chris: Yeah. And not only that, I mean, it’s. We’re we’re sort of in a, in a place where a lot of these organizations are just surviving during the pandemic.

[00:10:12] Chris: And just trying to, again, focus on their business. It’s like, we’ve never been hit by a cyber attack. So why am I going to put that at the top of the list? That’s it. And on the topic of challenges associated with those smaller organizations, how about budget and resource concerns?

[00:10:32] Jim Tiller: I think there’s this thought that the more you spend makes you more secure and I’m here to tell you that’s actually not the case.

[00:10:39] Jim Tiller: Now. Sometimes there’s just simple scales of economy. You’ve got 27 internet connections. You need 5 27 firewalls. I’m sorry, but you’re going to buy 27 firewalls as an example. There’s a certain things you can’t get away from, but just because you take two companies to the exact same size and one spends twice as much of the other one, it does not necessarily mean they’re going to be there actually more.

[00:10:59] Jim Tiller: Which kind of went back to my, you know, paying the bridge, getting the basics done kind of thing, which is an oversimplified message, but it’s absolutely the fact.

[00:11:07] Chris: Yeah. I, I completely agree. I think that’s a huge myth and unfortunately there are snake oil solutions out there, which, you know, as security professionals we know is not the cure all.

[00:11:21] Chris: But that could be confusing for those organizations and, and just. Challenging for them to recognize the difference.

[00:11:30] Jim Tiller: Yes, sir. That is absolutely dead spot on. It’s a big deal.

[00:11:34] Chris: Yeah, definitely. And, and the resources again having limited resources to actually. Manage that solution, even if they had the budget, just to be able to manage it, configure it, not wanting to spend money on a, on a MSP or if an MSP is not even an option for them.

[00:11:51] Chris: Just having resources with that knowledge to bring in, hire who to hire. That’s all I think. Overwhelming

[00:11:58] Jim Tiller: for those businesses. It’s intensely overwhelming. I mean, think about this is you had to one find somebody attract them to your relatively, let’s just say small company. Cause you’re not, you know, fortunate 1,500 or whatever, then let’s get this.

[00:12:12] Jim Tiller: You have to keep them utilized, right? Like you get in a heavy hitter and, and they’re going to figure out your environment. Pretty cool. You know, and then start making things happen. And then, you know, they’re going to get bored. So how you keep them interested and, and, and let’s call a duck, a duck security people fundamentally.

[00:12:28] Jim Tiller: And I’m not saying this is just limited to security professionals, but I mean, come on. We’re, we’re in it because it’s fast. Moving fast paced is completely bonkers on every day. There’s something crazy going on. There’s always something to learn. There’s always something to try. It is non. So if you stop that crazy train for one second, they’re going to get off.

[00:12:49] Jim Tiller: Okay. And so how do you find attract, acquire a full. Keep them engaged, keep them up to speed, get them out to various, you know it’s just, it’s an equation that is just overwhelming. So one we’re overwhelming, small, medium companies could technical, overwhelming them with the whole, you need to be secure and here’s my 27 solutions.

[00:13:12] Jim Tiller: And then we’re over on the fact that, well, you’re not gonna be able to find way to help you anyway, you know, you know, it was just like is completely unobtainium. And imagine you’re the CEO or CIO, CTO, VP, whatever of a company. That is this absorbing technology at a massive rate. And now you have this mountain in front of you just from a business process, and now you’ve got to figure out, well, who do I go to?

[00:13:35] Jim Tiller: Do I even know if this person is the right, have the right skills for me? And will those skills mature? I mean, will I be able to keep that person entrusted? I mean, it’s, it’s absolutely mind-numbingly complicated and difficult.

[00:13:49] Chris: Yeah, I agree. And do you feel like the COVID pandemic. At the accelerator on the risk factor.

[00:13:57] Chris: Yeah.

[00:13:57] Jim Tiller: Yeah. COVID the pandemic created a couple interesting things. One is we were cruising right along with migrating to the cloud. We had things like zoom and sort of, kind of enhancing the work experience and the it world, but it was kind of like truckling along, like just moving along, you know, you had your early adopters and you’re the kind of.

[00:14:19] Jim Tiller: All of a sudden you get hit by a pandemic. Obviously the most obvious tip of the iceberg is everybody started working from home and all of that implied, but that just drove a wedge. Like you said, accelerator just drove a wedge and everybody completely changed their thing. And moved really rapidly. So organizations move far more rapidly to the cloud that created demand for the big ones, you know, the, the Amazons and the Microsofts and so forth.

[00:14:43] Jim Tiller: And they just really started advancing and really kind of pouring all their energy into, into their cloud options. Right. And streamlining it and importantly, making it easier to adopt. Right. And so now, roughly two years into this madness, if you will, we have companies, you know, dealing with. Enormous options around it and technology and it’s it outpaced frankly, kind of the rhythm of the business.

[00:15:12] Jim Tiller: And so a lot of businesses are catching up to these new capabilities and you have these big companies that have. Piling out new sophisticated capabilities which includes security by the way. And it’s just, I think for a lot of businesses it can be overwhelming and it’s a great thing, but let’s not say it’s a bad thing.

[00:15:29] Jim Tiller: It’s a great thing. Not the pandemic, obviously, but the great grazing around the they were arrested

[00:15:35] Chris: into the digital world, right?

[00:15:37] Jim Tiller: Absolutely. Absolutely. It’s visual and it has a lot of by-product some not so great.

[00:15:44] Chris: Yeah. So looking at these organizations that are in the shadows that have been thrusted into the digital world we can obviously define some, some common use cases here, but just curious, where, where would you suggest they get started?

[00:15:57] Chris: How can we as a security industry, provide them support to become more secure without causing disruption to their day-to-day business. And. Just helping them understand the criticality, even if their core business isn’t tech based. Or do you think that the already realized the importance?

[00:16:21] Jim Tiller: I think they sense the importance.

[00:16:22] Jim Tiller: Some, I mean, I think everybody realizes cyber’s important in some way, shape or form, but the question is, is do they think it’s important to them because what you see on the news. Or what you see on articles sometimes seems very far away. When in reality, there was a study recently done that of all the major breaches of information, which we think about, you know, the big ones, the targets and the Equifax is all kind of stuff.

[00:16:45] Jim Tiller: Roughly 35 to 40% of the data that was lost was actually through small medium companies. It didn’t come from these giant warehouses that we know of today. They have to deal with it. They know they have to deal with it. And where is that starting point? So I think there’s a couple of different ways of going after this is one is I’ll preface by saying a lot of people rightly so.

[00:17:08] Jim Tiller: Right. See security is like the super sexy thing, right? Threats and intelligence. And you know, I get to be double oh seven. I get to be a hacker for a day and not have to go to jail. And it’s super cool. And you know what? These are all critically important capabilities. But what really makes a company secure at the end of the day, when you pull back the covers and you wipe away all the stuff, there is a handful of people doing the hard work every single day, day in and day out.

[00:17:36] Jim Tiller: It’s the boring painting, the bridge stuff that gets it done. And so why am I saying that is because there’s an amazing amount of. Advantage that is not necessarily marketed in doing just the basics. Hygiene is number one. If, if somebody come to me and said, Jim, I need to do three things. What are they? I go patch your systems, just do it.

[00:17:58] Jim Tiller: And it’s so old school. I mean, how long we’ve been talking about patches and passwords, right? So that’s the first password. And since the first patch, like, you know, fix the whole, you know, so it’s getting a little ridiculous. Another piece is I didn’t access management call zero trust, put whatever spin you want.

[00:18:14] Jim Tiller: But you got to control who has access to your resources. You know, whether they, it doesn’t matter if they’re virtual or whatever, just system or applications or data just control who has access and manage it. Right. And then after that, it just comes down to find ways of better monitoring your environment.

[00:18:31] Jim Tiller: And there’s degrees of sophistication. I personally believe EDR is one of the best things that vendors and technology in a very, very long time, you know, and you’re talking to the guy that was around when IDs was first rolled out. Right. You know in fire, remember firewalls, like what is that?

[00:18:46] Jim Tiller: You’re going to put that between the internet and our network. No, you can’t do that. So EDR, I think is an amazing opportunity because the perimeter, right. I remember, I don’t know if you remember the term Jericho. It was a very concept back in the nineties and early turn of the century, it was like, okay, there is no more parameter reality of it is, is I agree with that.

[00:19:07] Jim Tiller: You still need firewalls. I’m not saying don’t get away with a hat, but the perimeter is moved to the individual is moved to the human being, you know? And to your point earlier, COVID has pushed that to the nth degree immediately, right. Because people are working from home. So. EDR for obvious reasons because the world is happening from a cyber perspective and a business perspective, really at the human level now and the data.

[00:19:33] Jim Tiller: So you got to protect the person, the system, their access, and then of course, make sure that the hygiene of the environment is a good, is solid. Those would be the big ones, but as you well know, Chris, there’s a lot of other things that need to be considered. Oh yes.

[00:19:50] Chris: But I think that’s a great place to stop.

[00:19:53] Chris: As sort of basically putting it out there, like you don’t need these extreme solutions to start out. And if you are a business that you are a target, right. Let’s just lay the groundwork. Let’s, let’s knock out these three or four heavy hitters that are going to protect you and then, you know, work from there.

[00:20:13] Jim Tiller: Absolutely. If I may be so bold, I add one more comment that. We talked about moving to the cloud is very disruptive, especially from a security perspective. So let’s take organization. I do have a security program. They may not be huge or small, but they have a CSO they’ve got, you know, or IP security person, whatever the case may be.

[00:20:31] Jim Tiller: And they’re challenged with how do I get this security policy to manifest itself in the cloud and so forth. But I don’t think we’re talking necessarily about all these massive advantages of moving to the cloud. So when you move to the cloud, Your optionality for security obviously is reduced to whatever that vendor provides you immediately in many ways, but the options that you do now have, and many ways exceed the security practices or technology that you had planned on implementing.

[00:20:59] Jim Tiller: Right? So I would say, I would say is, you know, what, if you’re trying to solve a security problem, sometimes getting to the cloud can be a can be a shortcut. And there really are no shortcuts. Let’s be honest. Here’s the kicker. The critical difference is you have to absolutely employ 100% of what that vendor is offering you as security controls in the cloud.

[00:21:23] Jim Tiller: Real quick, interesting story is there was a study done actually by Microsoft years ago when they were considering selling parts of Microsoft office. Okay. And about, and they, and they did a study saying. Most people buy Microsoft office, but only use about 15% of the capabilities of say Excel, right?

[00:21:42] Jim Tiller: So they’re saying, well, maybe we just sell certain capabilities right now. We have a 365, the rest is history. So it’s known fact that of technology solutions out there, people are only using about 20% of this features and functions and that’s become a, an accepted. Behavior, but in reality, if you go to the cloud, you have to use a 100%, you’d be absolutely focused on leveraging those capabilities and configuring to make, get advantage of it

[00:22:10] Chris: now.

[00:22:10] Chris: Very, very good point. Let’s say we have a satellite view of a city and. We’re looking at these big buildings. These are the ones that are to healthcare, to financial, to the heavy targets. Right? This is an attacker’s viewpoint. He’s looking at a satellite view of the map. Then we just talked about those companies in the shadows, right?

[00:22:31] Chris: The sunlight has got to hit from some angle. There’s going to be a business in the shadows. So I’m going to zoom in a little bit more on his map. And now I’m looking at, you know, that used bookstore right on the. And the organizations that operate on a much, much, much smaller scale, never been a target. I don’t even realize they need to seek security guidance.

[00:22:55] Chris: How do we break through to those companies?

[00:22:59] Jim Tiller: Wow. That’s the silver bullet, right? I mean, first of all, the imagery you just created was amazing. I loved it. I think as an industry, we’ve kind of failed a little bit for the let’s call it the little guy, even though it sounds so cliche ish. Right. You know, we have a tendency as an industry to again, focus on the sexy stuff.

[00:23:16] Jim Tiller: Right. Which is totally cool. And there’s no problem with that. But we have also have a tendency of just scaring people to death. And so if you’re a small company and you maybe not fully understand that you are now a target because you know, ISR can zoom in on you now the thing is, is I think through, I hate to say almost like a community effort is I think as security professionals we spend rightly so I’m not criticizing the industry by any stretch of imagination.

[00:23:43] Jim Tiller: Right. Is we spend a lot of time talking to each other, you know, we’d go to these events. And dare I say it becomes slightly an echo chamber. And I mean that with all due respect, you know, I mean, putting on events like RSA is not a small feat. Hopefully we’ll get to do that again here soon and is great for people to come together, but does the used bookstore on the corner of fifth and main can they afford to go to Horace?

[00:24:07] Jim Tiller: A and again, it goes back to just overwhelming them to death, but here’s what you’ll find is that corner bookstore. I bet. Kind of finds ways to collaborate with some of their lack of a better term competitors in the area. They probably are part of some industry, you know, article, paper, website, your Facebook group kind of thing, companies connect.

[00:24:33] Jim Tiller: Okay. And as security professionals, we have to be engaging with those communities. We have to be ready to go share our time, share our experiences and provide that look. You really need to be thinking in this way. And if you want to take what I say to heart, that’s totally up to you, but at least now you’re in that you’re having that conversation.

[00:24:52] Jim Tiller: And then you can get back together and kind of feel about what are the next steps. But I, I really do believe that in today’s day and age, I think, you know, information is, is valuable. You know, I think information should be of made available to everybody. When it especially comes to protecting your business, protecting your employees.

[00:25:11] Jim Tiller: And protecting your customers. Right? And so there’s a lot that we have, and we have a tendency to write these giant articles and we have tendency to write books, me being an included that is nobody’s reading because they’re just too long and boring. And so how do we take something as extraordinarily, as complex, as security and say, listen, at the end of the day, here’s what you really need to focus on.

[00:25:30] Jim Tiller: Just go do this. You know, what’s the intent, here’s the intent of what you need to accomplish, how you do it. You know, these are options, but you’ll figure that. And time, but like I said earlier, patching, right? There’s a million different ways to do that. So we need to really open ourselves up and engage with small and medium organizations and then go to them.

[00:25:53] Jim Tiller: They have events, you know, as soon as pandemic will lighten up a bit and we need to find that and we need to find ways of saying, you know, I would love to be on your panel and talk about security.

[00:26:03] Chris: I love that approach. And you’re right. It’s like, if they’re not coming to us, we go to them. No, Truly believe that if we, you know, inject our knowledge into their business, I walk into that bookstore and I have a use security book and I talked to him about it while I’m there, I’m in their environment, I’m in their comfort zone, but yet I found a way in and I think it’s a matter of just them talking to someone one-on-one about risk in a simplified form.

[00:26:35] Jim Tiller: Yeah. And just to make sure for clarity sake is I’m not talking about going on a sales mission. You know, this isn’t about selling your awareness. This is about helping others and let them make a buying decision after that kind of thing. Absolutely. You know,

[00:26:49] Chris: in the end it’s, it’s, I look at it as sort of free advisory and we do it with people that we know, I think day to day, friends of ours, if you, if you take our business lives out of it and we’re hanging out with our friends, that may be.

[00:27:03] Chris: Mechanics contractors farmers, and then, you know, something comes up where it rings that internal alarm, like what you’re doing may not be safe. You’re going to mention it to them, but that’s because you’re in that situation. And I think if we seek out those situations, we can definitely raise the visibility for our industry.

[00:27:22] Jim Tiller: Yeah. And to your point, I think we are absolutely talking to our friends. I mean, I know you do it. I do it a bunch as well, but all of us need to take that extra effort and go try to, you know, force multiply is really what I’m talking about here is forced multiplication and that is go out and be go to their events.

[00:27:43] Jim Tiller: I mean, a colleague of mine, a former colleague of mine I’ve known for 20 years, he actually just went and was a, a panel speaker. At a industry event for, I think it was like I think it was like furniture manufacturing or something. Okay. And there’s maybe, I don’t know, a hundred people there, maybe 200 people there and, you know, and analysis security is on, was on the agenda and he was able to share kinda like what we’re talking about here today.

[00:28:09] Jim Tiller: And that is really cool. And we need to be doing a lot more of that and you may just something to

[00:28:15] Chris: great cause you, cause then you uncover. Workflows you uncover tribal knowledge that they have that could help you in your business?

[00:28:25] Jim Tiller: Absolutely. Absolutely. That’s actually really good. I mean, really kind of think that all the way through, but you’re absolutely right.

[00:28:31] Jim Tiller: Every time you get together with somebody, you get to learn something it’s not all about just, you know, barking and sharing your perspective.

[00:28:38] Chris: I might learn how to build a chair too.

[00:28:40] Jim Tiller: You have to go figure.

[00:28:45] Chris: If we look at it through a compliance lens, you know, we can also be a source of identification for those businesses as well. Like, okay. I notice you do business in the EU. That means you must be GDPR compliant and here are the rules that you must adhere to.

[00:29:06] Jim Tiller: It’s amazing, Chris, that happens so often that you wake up one day and go, well, first of all, it can not be.

[00:29:13] Jim Tiller: Open up a facility in Germany or whatever or the UK with GDPR, like you mentioned, it can be a new regulation that just falls out of the sky and you don’t really yet. Now you have to understand it. What’s its implications. What’s my risk. What’s my business impact of that. But you know that in of itself around compliance, I think there’s a new dimension forming.

[00:29:37] Jim Tiller: Now that’s adding even more complex. So a lot of organizations. Understandably so. And I’m a huge fan of cyber insurance, right? I think it’s a good, good investment, but cyber insurance companies expect you to be secure. Right. And that has a direct impact on your insureability. And then of course, what type of rate scenario that you’re in.

[00:30:00] Jim Tiller: So. Much like, you know, early turn the century, 18 hundreds to, you know, the industrial revolution from the UK, obviously over into the United States and globally insurance companies set the fire standards we have today, you know, some company that was manufacturing textiles that was burning down because they were using oil lamps.

[00:30:19] Jim Tiller: They didn’t care. They didn’t want to build in fire suppression. It was the insurance companies had to pay the bill that invented effectively the fire codes that we know and understand that. We’re going to see the exact same thing. And insurance is going to begin to drive what is prioritization.

[00:30:37] Jim Tiller: And so you’re going to see this very interesting evolution of control frameworks that we have gut dozens of them, and we have hundreds of whatever compliance issues. And now if you want to be insured, which is now becoming increasingly complex, now they’re gonna start telling you what to do now. How do you fuse all three of those together into a meaningful security program?

[00:30:56] Jim Tiller: And you know, that crazy little thing called business that you still got to get done. How are you going to manage that and do it in a cost effective way? So it’s times are really interesting to say the least, you know, and there’s a lot, there are a lot of challenges ahead, but there are options. So there’ll be interesting.

[00:31:15] Chris: Yeah. And if things play out the way that, that you see them playing out, could it be possible that we start seeing security become more embedded with the. Insurance companies or vice versa, maybe security organizations bringing in the cyber insurance aspect into our

[00:31:35] Jim Tiller: arena. Wow. So I’m grinning while you’re saying that Chris so quick, I’ll tell you a little story about a meeting I had with my CEO back in, I think 2002.

[00:31:46] Jim Tiller: And I sat up, sat in his office and I. The security thing we really got to, you know, this is the biggest thing since sliced bread. This is going to be a big part of our future, but it’s only going to last like another five, six, maybe eight years on the outside. So we got to take advantage of this wonderful craziness in business, you know, and help customers, all that kind of great stuff and technology.

[00:32:06] Jim Tiller: And, and he’s like, well, why do you think it’s going to end? And, you know, five to 10 years? And I was like, well, obviously security is just gonna become integrated into everything. Right. That’s the most obvious thing to have happened. Yeah. You it, and whatever, we didn’t have cloud back then. And and it’s so funny how really wrong I was way off base.

[00:32:24] Jim Tiller: Totally wrong. He was smart, man. That list too. So why am I, why did I tell you that story and why I’m reacting that way is I’m very interested to see. And this relates back to my conversation about the cloud, right, is at what point does the vast optionality, vast options and horizons of all possibilities in cybersecurity?

[00:32:47] Jim Tiller: Look at all the products that are out there. Do me a favor. Go look at a list of security products that were available in 2005, 2010, and then fast forward to now it’s grown by literally like 20 times. It’s unbelievable. And and they’re all very good. I mean, all of them have a really interesting value proposition, but at some point, how do we take organization and say these are the right things to buy and then having to deal with that flow.

[00:33:15] Jim Tiller: And it goes back to the cloud concept. Will security just be a feature in a cloud environment? Will it just be a feature in an application or a platform as a service? I mean, it kind of exists. But one could argue that we’re not bonding the security all the way through the system and the cloud. And all of that means we see things like CASBY or sassy and all kinds of other kinds of things that are moving, obviously in that direction.

[00:33:40] Jim Tiller: But to your point about having security integrated, I do think between cloud insurance and compliance, where I think we’re going to see a hyper. Alignment there. And I really thought CMMC from the government actually was going to be a stimulator of that. And then of course, version two came out it softened and you know, the rest is history, but I think between these government oversight industry oversight, like the first, like PCI is a good example of that.

[00:34:12] Jim Tiller: And then now the insurance companies. They all realize are really fundamentally asking for the same thing. They’re just asking for it in different ways. And that is going to be like a, like a Nova moment, like where the, the way that it’s going to crush under its own weight and finally become something that people can understand.

[00:34:30] Jim Tiller: Yeah. I can’t

[00:34:31] Chris: wait to see it

[00:34:34] Jim Tiller: because you and me both

[00:34:35] Chris: is cyber insurance. Regulated or required in any industry. Are we at that point yet? Where, you know, if you drive a car, you gotta have insurance. If you operate business XYZ, do you have to have insurance?

[00:34:48] Jim Tiller: Wow. You know what, I, I honestly can’t answer that question.

[00:34:51] Jim Tiller: I, I have, I can see that happening, but I would have not have thought of that before. You just mentioned it, to be honest with you is I see insurance organizations and underwriters. Acting as a guides. Okay. And saying, okay, here’s what the insurance companies are asking for. Here’s how, you know, what you, the controls you need to qualify.

[00:35:13] Jim Tiller: And then the, the degree of those controls help kind of say how risky of an investment are you from an insurance perspective? I still think leveraging other organization help you implement those controls. I don’t want to say, see that intermingling, but I can see how that could happen. But as far as requiring cyber ensure.

[00:35:31] Jim Tiller: That may actually be out there. I have to admit that’s a, that’s a gap for me. I’d have to do some research on that. Just because I think interesting

[00:35:37] Chris: perspective, if you look at the parallels between auto or home insurance to cyber insurance and well, you got hit by ransomware, we’re raising your premium.

[00:35:47] Chris: Yeah. It’s just, I think it just needs to be presented clear. And I think once we have more of that security alignment with those providers, hopefully that’ll cut through the fog.

[00:36:00] Jim Tiller: And one last point on caught of that fog is how they quantify a control. There is some elements of interpretation there. So you take a security professional and an insurance professional, and they could literally be having two different conversations, but using the same words, you know?

[00:36:17] Jim Tiller: And so I think we’re gonna see a continued increase in sophistication in the cyber insurance industry. Right. So they’re going to become, you know, they already have a high degree of professional cyber capabilities in their minds, but it’s still a relative compared to the rest of the companies, the small percentage that’s going to increase dramatically.

[00:36:39] Jim Tiller: Just cause you have to speak the same language. And I think there’s still some of those challenges there.

[00:36:44] Chris: Gotcha. Okay, Jim, let’s get down to the brass tacks here. I overheard. You’re James and fan, is that,

[00:36:59] Jim Tiller: did somebody take a picture or something in my office? And I I overheard that at the bar, I will happily admit to the world that I am a absolute Jameson fans. Jameson can do no wrong in my eyes. You’ve heard it here. First lady. You heard it here. First, my friend, have

[00:37:19] Chris: you ever tried Jamison and ginger?

[00:37:21] Jim Tiller: Yes, I have, I’ve probably tried Jamison with something at anything at one point in time, because it makes the role better. It’s like pixie dust. It makes everything taste better. No, all, all seriousness I’ve had, and I’m not a huge ginger ale guy or a ginger beer guy. Right. But again, you mix Jamison with it and it’s magical, but no, I had, I’ve had it with ginger ale before Honestly, mostly just on the rocks.

[00:37:45] Chris: Okay. All right. Yeah. So my bartender’s over there pointing at his watch. I think we’re running up on time. And I know you gotta get back to back to Raleigh. Yeah. I’ve spent some time down in Raleigh. I love it down there. One of my favorite bars down there is called box. Have you ever been there?

[00:38:04] Chris: No, I haven’t. You got to check out box cards, say a it’s an awesome bar, but then they also have retro video games. Oh, that’s the best. I love it. I’ll get you the address, but it’s, it’s very cool. But I haven’t spent too much time down there, so I’m just curious what bars I’m missing. Like what, what bars in Raleigh or outside of the Raleigh area are worth checking out.

[00:38:24] Jim Tiller: So there’s one. I would recommend, especially if you’re. Going out with your significant other. And I don’t know if I’m giving it away as is technically like a secret bar, but you gotta, there’s no sign for it. You gotta go through a door and walk up some stairs and then there’s a hidden door to the bar and there’s about four or five tables in it and they serve the craziest drinks.

[00:38:47] Jim Tiller: It’s, it’s a really, really, really, really cool place. It’s called the green. The green light. Okay. Green light. You can only find it because while you can look it up and get the address, but you have to get into the door kind of thing, but there’s when you you’re in the streets, you’ll see a tiny little green, little be like an Edison light, but a little Greenland about 30 feet up in the air, on the, on the building.

[00:39:09] Jim Tiller: And that’s your signal. That’s that’s, you’re in the right place kind of thing. It’s kinda cool.

[00:39:13] Chris: I will check that out, man. I love speakeasies.

[00:39:20] Chris: All right. So I just officially heard last call. You have time for more. Let’s do it. If you decided to open a cybersecurity theme bar, what would the name be and what would your signature drink be? Because,

[00:39:33] Jim Tiller: okay. Of course I’ve listened to all your podcasts. So I knew this was coming so I’m totally prepared.

[00:39:39] Jim Tiller: But I don’t know if it’s cool. My bar name is going to be cyber Belgium. I know it seems weird. Belgium. I think if I’m correct is Latin for war. So it’s kind of like a play on cyber war. Okay. Cyber Belgium sounds kind of cool. I liked cyber bell in one word. Cyber Belgium. Just one word. Yeah. I played around with it.

[00:39:58] Jim Tiller: I’m trying to think of a cool name. That’s the one who came up with actually, so the drink I think the whole concept of malware and all that kinda stuff was kinda cool. So I’ll call it the drop. It has, it has a number of different connotations. Cause I think you’ll drop out off the edge of the bar if you drink too many of them.

[00:40:14] Jim Tiller: But it’s actually what I drank all the time. Aliza call like the upside down Jameson and Coke. What I mean by that? You take a, essentially like two or three cups of Jamison and then just a tiny little, like two ounces of diet Coke. Normally you have a lot of Coke and a little bit of Jamison.

[00:40:32] Jim Tiller: Just turn it upside down. A lot of Jamison, a little bit of Coke, the dropper.

[00:40:38] Chris: That’s awesome, man. I can’t wait until you open that bar up. I’ll be there getting the dropper and a. Thanks for dropping by. I really appreciate it. Crusade the knowledge and the insight and your perspective on all of these things.

[00:40:53] Chris: And I’m ready to go on a used bookstore tour with you one day and we can just talk security. That’s a shock the world.

[00:41:00] Jim Tiller: That’s it. Hit bars all over. I got to tell you, it’s been amazing. Thank you so much for having me on. It’s been a real honor and a pleasure. You’re you’re amazing. So wonderful show and I

[00:41:10] Chris: really appreciate it, Jim.

[00:41:12] Chris: Thanks so much for being an amazing, yes, man. You take care of be safe.