Hey, Aloha! And how are you doing? Gordo, the tech star here. I'm here with my good old buddy, Andrew, the security guy. Aloha, everybody. Nice to see you. Welcome. Welcome to Hibachi Talk. We have, I keep wanting to say... Ken Tomi. Ken Tomi. Ken Tomi is in the house. Thank goodness, because I almost said Dick Tomey. It's not spelled the same way. It's not, yeah, not the same guy. It's T-O-M-I. This is a tech guy. Not a football guy. Not a football guy. That's too bad. Okay, that's a show I've overfished. So you're the client manager with Optiv, and we're going to discuss cybersecurity and third-party risk programs. Yeah, they got some good stuff going on over there, so I'm happy to have you in today. So cool. Thanks for having me. So grab yourself a libation, pull up a chair, grab a Hibachi somewhere. Find our Hibachi on that beach, because we lost it. And then bring it up, and then another 30 minutes of fun and frolic in Hibachi Talk. Let's do it. So, we always like to find out a little bit about our guests. That's right. So, Kenneth, tell us a little bit about yourself. You know, and thanks for having me, by the way, and I appreciate you inviting me to the show. All right, the check is in the mail. Check's in the mail. And I did watch a couple of your shows online, so we do know a lot of things. I'm just in the comments. So I am the product of the Hawaii Public School System. Yeah, righty. Awesome. I graduated from the Iolani East Campus, which to others is known as Kaimuki. Kaimuki. Right on. Wow, good for you. And University of Hawaii. Okay, awesome. I actually started out my education at the university in the College of Engineering. So, and it was back in the day, and then you can relate to this when you used it. Well, you go back in the day and you relate to me. Oh, punch cards. Punch cards. Oh, you look like a young guy. You punched cards? Yeah, punch cards. You did. 
Assembler, and there's a two-ball, and COBOL, Fortran. Nice. PL. Oh, I forgot about PL. I didn't have one. One in PL, one in PL, two, two. Yes, I didn't have one. I don't know PL. And carrying those cards around and, you know, stacking around with them and dropping them. And I bet you were a smart guy, and you put the serial number on them all the time. No, you know, I was smarter than that, because we actually found a terminal near the computing center that we had access to. Oh, really? You punched them out close by? Oh, wow. Wow, that's pretty darn cool. So now you're with a company called Optiv. Yeah, absolutely. And Optiv is an acronym, or Optiv is a name, or Optiv is the last name of some famous startup person. There is a story behind it, but the reality is Optiv is a merger of two companies. One company called Accuvant, and the other one called FishNet. And both of the companies were highly active in the cybersecurity industry. Accuvant more so on the west coast, and FishNet on the east coast. And both were acquired by Blackstone. Oh, okay. And Blackstone saw the potential and merged the two companies together. Merged together and created Optiv. So we'll do a little pause here, because we have this segment we call You Know Got One Tech Job, right? Yeah. So we search out for people who might not be in the tech industry and see if we find something that might interest one. And so this is one. It's, so, Pokémon Go players. I'm gone. Pokémon Go players are urged to avoid minefields. So apparently in Russia, apparently in Russia, they've been wandering around and hitting some of the minefields. People put an award in there, right? A what? An award. I guess we have to capture or get. Oh, in there. Okay. Not an award when you're stepping on them. Exactly. He figured there's a little trade off. It's a high value award, though. But it's high. But Pokémon. No, no, not high enough. High value. So for me, that's not still around. We're still not playing that stupid game. 
Oh, it's huge. Oh, yeah. No, no. Oh, I thought the hackers already took it over. And now you capture the thing and invade your world and drain your bank accounts. And which is why we got Optiv to make sure that if I'm playing Pokémon, talk about party risk to them. Don't go in there and whatever. So tell me, tell us a little bit about Optiv. Should we know it's the merger? We know Blackstone is a major player and they're a huge operation. So what is it you focus on? We do cybersecurity solutions, pure and simple, and in a more simplistic term. I guess the descriptor is that we plan, build and run cybersecurity solutions. And that's a little better. Give me an example. So what's a cybersecurity solution? So let's say you're the owner of a business and you're looking for a way to implement cybersecurity protection for the information that you have. Now, if you go out in the world of cybersecurity today and look for solutions, there's a multitude out there for you. Yeah. And what we do in the plan stage, look at, essentially, the first thing we should be looking at is your crown jewels, you know, what it is that you want to protect. Okay. And we're starting from there. I could have said something there, but I decided to keep my mouth shut. I always want to protect my crown jewels. But so in this particular scenario, I think we're mostly talking about what information is the most important that you need to protect. And there are literally dozens of layers of different security solutions that can be applicable to that particular scenario. What we do in the build phase is look at your environment and your requirements. And because we have all of these relationships already built up over the years with literally every security vendor that's in the market today, we can determine which ones make the most sense for you. So now this depends. Go ahead. Well, we talk about that a lot, you know, and typically these owners really have a difficult time categorizing that asset, right? 
That piece of information, how should it be? Is it confidential? Should it be free and open? What is it? So oftentimes that's the biggest challenge initially to getting sort of your cybersecurity profile set up: understanding what information you have and what makes it valuable or not. How do you go about assessing the risk for it? I'm thinking of the small business, you know, people in small courses out there and they've got a small business and they've got, leave it smaller. You only have one car. I know, and he's over employed. Can't take on any more work. The stuff that we look at, right? But the stuff we look at, how do I know, let's say I'm a startup law firm, right? I'm a startup. I'm a one person shop. So, you know, what do I do? I start a web. I put up a website. The moment I put that up, I probably opened up some hole somewhere. And then so what do I know? Who do I know? Your customer information, right? So the risk is your, maybe for your, what's that, when you're PR, right? Your personal, people find out you've been breached all of a sudden, your public image, yeah, your public image is at risk. So I think, but as soon as you get beyond that, just a little bit, if you're maintaining a database of customer information, right, names, phone numbers, that kind of stuff that can be correlated with other information that hackers get because they're trying to get as much information about Ken as they possibly can. So the more things he's entered in, the more places they gather information on him, the more stuff that they're able to phish. And we'll talk a little bit about some of these other technologies that they use, the spy mails and things like that, on the security minute. Okay, so you go in and you'll, no, but I think no one wants to spend, I'm getting frustrated with all this because no one wants to spend money on this stuff. Yes, I mean, they're really, I was about to say another peeing me off. I can say that. 
Anyway, they're really peeing me off because they won't spend money on this stuff. It's like the system is like the cameras, right? This is one's driving me crazy, drives you nuts. Now I'm going crazy. The denial of service attacks coming off of camera systems that came out last week, because these people do not want to do anything about it. Well, yeah, and I think that's a consumer market, right? I think obviously you got a lot of homeowners plugging stuff in, they got their router configured default, all their stuff configured default, and they got 50 IP devices at home, or devices at home today, right? Right. They're, they're all owned by armies of guys who sit around and do nothing but send bots out to find that stuff constantly. So how do you, so I tell you, we've taken a worse show in our lives to talk. He works B2B though. The business is the business size. Yes, so you go in there and you start looking at companies. But you did bring up a good point though, because actually someone just asked me this question before I walked in here. It was regarding how you know, how should I be protecting myself as an individual and if it's really necessary. So the short answer is yes, it's necessary. And the reason why is because one of the more prevalent attacks that happens today. It, you know, we use third, they use third parties. Yeah, and basically they'll use you to get into the source of information that they want to get to. And you're really just the carrier, the access that Trojan horse in order to get in. So are you at risk? Yeah, but more at risk for being the vehicle to get access to the crown jewels that they're really after the organization. Yeah, exactly. And it could be just owning, if they just own your corporate computers with some hidden malware that they can activate when they want things like that. If they can't get in through your business portal and your target, they will come to your house and try to get there. They will, they will. 
Because people don't secure their homes. So we typically consider, you know, the denial of service attacks and, you know, these type of, it's really at the nuisance level type of attacks now because the level of sophistication of the attacks that we're getting today, the breaches are- Oh, they're incredible. Yeah, they're very highly sophisticated and much greater than the public has really embraced at this point. So we see it every day and we may be at fault for getting kind of used to it. And it doesn't resonate as much with us, but it's really in the millions, you know, in terms of the attempts that we're getting. So, and it is a cyber war that we battle every single day. Right, so now, Optiv, how do you get the client or potential client to have an awareness that this is important? This is very important. What I'm finding is that I can't get them to realize it's really important. It's like insurance for your car, right? Or life insurance. Well, you're required to have your insurance in your car because you get a safety check. So you're stuck there, but there's no requirement for you to get cybersecurity insurance. Nothing yet that I know of. Yeah, it's getting a lot more popular in the industry today, but no, it's not a requirement yet. There are a lot of regulatory oversight, you know, for businesses and organizations that dictate what kind of cybersecurity policy actually gets implemented. But more importantly for us is, and you're right, it is a challenge. So a lot of the work that we do is educating and increasing awareness. So like one of the things that I talked about earlier was we're trying to set up a CISO round table in Hawaii. And that's forming an organization where all of the chief security officers in town. Well, not a lot of chief, there's not a lot of chief security officers in town either. So that would be the CISOs and the CIOs because a lot of the CIOs are playing that role. And not just in Hawaii, you know, it's kind of a global thing. 
You know, one of the biggest issues, and I think another guest on a previous show had mentioned this, that we have in this industry is that there is a tremendous shortage of qualified individuals to play in this. We've got a gap. And that's probably the biggest problem that we have right now. Especially in Hawaii. Especially everywhere. Yeah, here it's really bad. You just came back from Arizona and I can tell you right now in Arizona, they are screaming for bodies. For in this industry. They just cannot, whether it be Phoenix or Tucson or whatever, they just cannot find the resources. And they've got a whole tech community that they've developed, almost another city just to kind of get people groomed and into this business. So it's a challenge. I mean, so a multiple, a multitude of challenges that we have in here. And one of them is increasing the level of awareness of the cybersecurity threat, the environment, and just getting people to get a little bit more acclimated to what it is that we're playing with in today's environment. Now, Optiv isn't just a local company though. They have a significant presence. We're not talking to someone who's running it out of, one, two, three, eight, Kamau Key Avenue or whatever. Yeah, yeah, yeah. Yeah, I know that, I know that. I own one of those. I started it. Anyways. No, so Optiv, yeah, it is a formidable force in the cybersecurity industry. So we are, you know, we used to say that we were the largest pure play cybersecurity provider, and now Symantec, when they merged with Blue Coat, you know, they claim that title, right? Rightfully so, because from a pure dollar standpoint, they are, but as far as the pure play being a fairly vendor agnostic, that's us. And we're the only ones that do that. And yes, we are a large organization, yeah. Okay, well, okay. So hold that, hold that. Cause we still haven't, we haven't gotten to the third party risk. We're already up on that halfway mark. I gotta go to Lua, gotta go get Angus. 
Oh yeah. And he's got a big question for you. So if you get ready. Let's pay some bills. So we'll pay some bills, we'll be back in a minute. Hey, Aloha. Welcome back to Hibachi Talk. Andrew, the security guy. 
I got a security minute for you today. I wanted to talk about something that we touched on, but maybe not completely, and it's the rise of spy mail. So you can get spy mail. It's a little piece of code that's going to communicate back to somebody your location. Maybe when you read that email, time of day, that sort of stuff. So even as much as maybe the hotel you're staying at. So I want you to keep something in mind about this spy mail. You can get this stuff just from an embedded email. So maybe you signed up for an event or signed up for something, and someone's added this little piece of code into this email. So it doesn't look malicious to you or anything like that, but once you've activated that email, now you've got this little bit of code that's telling people stuff about you. And if you're traveling, for example, and you're an executive, now this person knows that you're traveling. So that lets them call your office and maybe do a little bit of a phishing attack against some of the staff there or something. Maybe send some funds somewhere or send some information somewhere. So give some thought to spy mail and we'll talk a little bit with our guest about that, hopefully a little bit later. And there are some tools out there that can catch it and strip that out. So if you're concerned about that kind of thing, take a look at it. We got Angus back in here off the beach. Angus, what's going on, buddy? Good to see you. How you doing, Drew? Very well. I didn't go to the beach anymore. Why not? Because, you know, I'm now the news guy. I'm out there doing the fact-finding. Good to see you there, lad. Good to see you. You're not related to Dick Tomey, are you? That's my uncle. Oh, okay. That's all right. He spelled your name different. He doesn't know it yet. Anyway, I got a wee bit of this now. I like to challenge the guests now. You know, we used to discuss word of the day. But now we're going to challenge the guests. 
So, you know, the Department of Health and Human Services Privacy and Security Guidance failed to meet the federal guidelines. Anyway, why am I not feeling comfortable with this? Anyway, why am I not feeling comfortable with government? Anyway, the U.S. Government Accountability Office, and there's another one, the U.S. Government Accountability Office, said that current guidance on security and privacy requirements to protect health information and HIPAA compliance fails to meet federal guidelines. Government always makes me feel comfortable. Anyway, you know, to improve this, GAO recommended to HHS that they follow the NIST guidelines. We've been saying that for 87 shows. Well, we, I think they know about it. I don't think they have the resources to take care of it. I really don't know. Okay, what about any of the problems? That is driving me crazy. Anyway, so here's my question to you. Optiv is a market leader in providing end-to-end cybersecurity solutions. Right? That's what you do. Absolutely. Okay, well, glad to hear that. I got it right the first time. Simply put, what is end-to-end cybersecurity? And how much does it cost? And let me just say that, how much does it cost and what's end-to-end? And before I leave, let me say one thing to everybody else. Let your wind gang free, where are you be? Alo? Yeah, I can. So when we talk about end-to-end, right, everybody goes, oh, what's it cost? That kind of stuff. So what, I mean, from a government perspective, you know, like that can be a big number. Yeah, so what is end-to-end? So let's clarify that. Yeah. What's end-to-end cybersecurity? I'm thinking like, and what's one end and what's the other end? Policy to reporting, I'd say. Yeah, so basically end-to-end would mean a comprehensive cybersecurity posture, meaning that you have developed policies. Sure, yeah, 27002. So Department of Human Services should develop, Health and Human Services should develop policies. Is this ours? 
No, this is federal government. You'll leave it less comfortable. Yeah. With Obamacare. So we got Obamacare and Health and Human Services. So, first of all, we have the policies. It can be really busy after this show. Yeah, we have the policies. Yeah, so, and I can allude to a model that we all learned in the 80s for any management where everything comes down to, you know, the people, processes, and technology. That's my logo on my website. The tripod. We talked about that, sure. Yeah, and that applies to this industry. The technology piece is a small part of what the total solution is. The bigger part of arriving at what the right solution is, or end-to-end solution is, is recognizing what it is that you need to protect and how you want to protect it, when, where, how, and why. And when you get down to the specifics in that, then you have the framework onto which you can add the proper technologies. And in order to build that, you got to look at the resources, the people that you have, and the processes that you have in this. From one to the other. So, I'm trying to think of an industry. I was just going to say, so we talk a lot about the CSC Top 20. We talk a lot about the 800-53, the CSF, the frameworks, right? So, but those are technical guidance. And what Ken's, the great point he's making here is you've also got to have that people component. Yeah, I'm trying to simply... Which is leadership and governance. And that's the ISO 27002, basically. So, here you go. Geek speak. I mean, you're bringing... Well, these things are all mapped together. I know that. But do you think our viewers know what ISO 27000 is? Well, Ken's here to tell them. We don't have enough time to get to that. Yeah, we really don't. But it is out there for consumption. Yeah, you know, go out there and... But, you know, people, process, technology. So, you have your policies in place, right? Right. So, you've got to have that. So, what am I protecting? 
So, if I'm a car industry or a car dealer, I got one set, if I'm an attorney, if I'm a healthcare provider. You know, I'm a little nervous about these standalone clinics. I really am concerned about these clinics because I'm not sure they've got even anyone that's looking at that thing from end to end. Exactly. And everyone's concerned about that. And that's why when you look at the regulatory requirements, you know, they try to encompass all of that. But more importantly, you're correct. Every organization recognizes or should be looking at what it is. The first thing really is getting back to what it is that you want to protect. You know, how important is that? Right, yeah. Is that asset or those assets? Patient information, employee information. Exactly. They're hard buyer information. And like in patient information, you not only have the responsibility, you know, to protect that, but you also have oversight, you know, with all of the regulatory oversight that comes along with that. Sure. That needs to be addressed. So all of those need to be incorporated into your decision-making process. So I've got this. And so I've got the policies. You've got your, you've got those. You make sure that they're being followed. Exactly. That's the process. That's the process. Right. To audit. You know, then you've got the technology, all of those things are protected. Another thing that irritates that, it's like zero with blonde hair. Anyway, another thing, is that zero with blonde hair? Anyway, well, you said it, I didn't. Anyway, a little conversation going on in here. Can you put that when we edit? Can we put that in? Anyway, Cesar, you got me all confused. Anyway, so we got the people, but the underlying technology and getting that protected. 
I mean, I'm, it's driving me crazy when they're going, oh, well, I've got Symantec, or I've got such and such, yet, you know, I had a recent client where we actually went onto their network and found a camera that was pinging a server somewhere. Yeah. You know, we found a server that was doing a call home to Russia. But they said, oh, wait, we got Symantec on all of our desktops. But that's an interest, that, you know, that's not the end. And it's, that's a signature-based ESP, right? So it's not, yeah. And so you hit the nail on the head. There's one message that I can convey today, and that is that there is no silver bullet. There is no single vendor, no single solution that will provide you cybersecurity protection that is adequate. What you need to be able to do is find the right combination of solutions that are out there and apply them to, you know, the policies and the information that you want to protect and find that balance. To the people, the process, the technology. Exactly. At least to the next piece. And you brought this one up, and I'm really naive on this one. Third-party risk programs. So what are third-party risk programs? It sounds like an insurance company. It does. It does. And it's kind of like at the periphery of the cybersecurity umbrella. But it's an integral and important part because what we've discovered in the recent past is that, being the cybersecurity industry as a whole, not only Optiv, I can plug my company in. Yeah, we'll do that. Yeah, so Optiv. We figured that one out. See? I'm helping. But a little over 50%, and it could be more today because that's how quickly these statistics change, of the breaches that we've seen in the recent past have come through third-party vendors. So it's your suppliers that are providing the malicious attacks a path into your sources of information that they want to get to. And mitigating that is a daunting problem for just about 100% of the organizations out there today. 
And I agree with you totally, Ken, because just recently I got called and had to go talk with someone who was concerned about something that was happening on their system, and it ended up that there was a connection they had to one of their suppliers. It was one of their suppliers that caused their situation to occur within their system. Yeah, exactly. And the third-party supplier was not people, process, technology astute, and didn't have that in place. Exactly. So the level of sophistication of the attacks today is really much more sophisticated, for no other word, than what we saw even just a few years ago. They incorporate social media to a great degree, and that's why that's one of the... Actually, social engineering is still one of the more prolific attacks that happen today for everyone. And for the common man, it's just clicking on those emails. Well, they're going to that website. They're going to the website. And it's like Drew said earlier. If you get an email, if in doubt, don't read it. Don't read it. You're not going to miss anything. You're not expecting it. If it's really important, how many members are going to call you? So if in doubt, if in doubt, leave it out. Leave it out. Just don't bother with it. Block send it. Get it. Block the whole dot CN domain, if you ask me. CN is Canadian. No, it's China. Okay. Oh, by the way, by the way, Canada won the World Cup of Hockey. I saw that. Yay! Anyway, so we only got less than a minute. So give us a... What's a... Give us a 30-second word of wisdom. I don't know if I mentioned this earlier, but somebody asked me what the two things are that you need to do, right? If you're the common man on the street, number one is backup. Back it up every day, if you can. All of the information that's important to you. And the second thing is to change your passwords. Oh, yes. And it's passphrases now. It's 21 characters. Use the phrases. Alphanumeric and all that kind of stuff. Right. 
And if you are diligent about doing that, it'll help immensely. All right. Cool. And thanks a lot. We just burned through another 30 minutes, but no guest goes unrewarded. Number 88 in the series of our solo cups. Fantastic. A lot of grass solo cups. There you go. So thank you so much for joining us. Yeah, appreciate it. Appreciate having you here. Thanks so much, man. And we always have a closing phrase for all of our visitors. Thank you for watching Hibachi Talk at 123. How are you doing? Hold it. How lucky. Thank you.