Disaster recovery plans for small businesses

[0:00:00] Chris Sienko: Is Cinderella a social engineer? That terrifying monster trying to break into the office, or did he just forget his badge again? Find out with Work Bytes, a new security awareness training series from InfoSec. This series features a colorful array of fantastical characters, including vampires, pirates, aliens, and zombies as they interact in the workplace and encounter today's most common cybersecurity threats.

InfoSec created Work Bytes to help organizations empower employees by delivering short, entertaining, and impactful training to teach them how to recognize and keep the company secure from cyber threats. Compelling stories and likable characters mean that the lessons will stick. Go to infosecinstitute.com/free to learn more about the series and explore a number of other free cybersecurity training resources we assembled for Cyber Work listeners, just like you. Again, go to infosecinstitute.com/free and grab all of your free cybersecurity training and resources today.

[0:00:59] CS: Today on Cyber Work, ProServeIT's President, Eric Sugar, joins me to talk about disaster recovery planning for small and medium businesses. This is an excellent add-on episode to our third episode from way back in 2018, when our InfoSec instructor, Keatron Evans, discussed the work of an incident responder. If you're a small or medium-sized company suffers an incident, whether a breach, or a ransom, or just a power failure, the first thing you're going to want to hope is that you have a disaster recovery plan already written and sitting in the CEO's lock desk drawer. If not, it's time for you to prepare and breathe easier down the line. That's all here on Cyber Work.

[0:01:39] CS: Welcome to this week's episode of the Cyber Work with InfoSec Podcast. Each week, we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of InfoSec professionals while offering tips for breaking in, or moving up the ladder in the cybersecurity industry. Our guest today is Eric Sugar. He's the President of ProServeIT. Whether it's helping his employees remove roadblocks, educating customers on how various technologies can make their jobs and their lives better, or instructing their leaders on the importance of corporate and personal cybersecurity, ProServeIT always takes a people-centric approach to their role.

Over 25 years in the IT industry, Eric Sugar has been with ProServeIT since its inception in 2002. You will see what technology can do for people and how technology can have a positive impact on organizations. As for ProServeIT, is a multi-award-winning Microsoft Gold Partner headquartered in Canada, founded in 2002, and the same ProServeIT occupies a unique space in the IT world by providing guidance and resources to help our valued customers solve IT challenges.

Today's topic for Eric and I, Eric is going to tell us about disaster recovery plans and specifically disaster recovery plans for small and medium businesses, SMBs as it were. I'm looking forward to finding out more about this and I'll just say Eric, thanks for joining me today and welcome to Cyber Work.

[0:03:03] Eric Sugar: Thanks for having me, Chris. Excited to be here.

[0:03:06] CS: To start with, I want to take the temperature on your initial interest in tech and cybersecurity. How far back does your interest and maybe even obsession go? Were you a tech and computer fanatic from an early age, or did it come later?

[0:03:19] ES: I did start pretty young. Very lucky and blessed. My dad bought a computer when I was probably seven, or eight-years-old, and –

[0:03:26] CS: Wow. Which ones?

[0:03:27] ES: - the whole family learned how to use it. It was a VIC-20 – not the 20s. Before that, there's one. But yes, we did have a VIC-20. I can see a little black little box like this that plugged into an RCA cable.

[0:03:38] CS: Yeah. Yeah, yeah. You were a Commodore family as well then.

[0:03:41] ES: Yeah, Commodore. We had some other products as well. Timex Sinclair. It was a Timex Sinclair. That was the first one.

[0:03:46] CS: Oh, Sinclair. Yeah. Boy, that’s one – That's a deep pull. You don't hear that very often.

[0:03:50] ES: You’d have a tape drive, like an actual cassette tape drive, not a tape drive as you think you put in it.

[0:03:55] CS: Low drive and comma one, comma one. Yeah, yeah. Exactly.

[0:03:58] ES: We had lots of fun with that and into the PC world. Yeah, I've been in tech almost since I was – I remember.

[0:04:02] CS: Okay. You’ve been very comfortable with taking things apart, putting things together and seeing how they work and all that. That's guided your career principles, it sounds like.

[0:04:10] ES: Screwdriver is the odd hammer.

[0:04:12] CS: Yeah.

[0:04:13] ES: The persuader, as my dad called it.

[0:04:15] CS: Yup. Yup. Yeah, when everything – when all you have is a hammer, everything looks like a nail. One of my most reliable ways to get a sense of a person's career arc is I like to look through your LinkedIn profile beforehand. Sorry about that. Being snoopy.

[0:04:30] ES: No, it’s okay.

[0:04:31] CS: Look at your own list of experiences, it gives me a line on what is a very, very rewarding place to work. You've been part of ProServeIT since its inception in 2002. You've taken positions higher and higher in the org chart, starting with director of business development, to your current role as ProServeIT president since 2015. Can you talk about your time at ProServeIT and talk about the ways that the industry has changed in those 20 years and the way that your company has had to change to meet those different demands?

[0:05:00] ES: It's changed a lot. Winding back to 2002, stuff like VMware was brand new and almost non-existent. I was actually a VMware consultant when I got hired. Leading virtualization, got to work some of the banks in Canada and the US. Got to work in agriculture. The very first physical to virtual conversions, I was involved with dealing with people in VMware in the US. Some really interesting stuff, but very technical at the beginning of my career.

What I learned as I spent more time in the space was that I actually love the people side of it. I actually loved talking to people, spending time with people more than I loved learning the feeds and speeds and the different settings. That gradually transitioned me into management and then into leadership. Then I got a big kick in the backside into sales. Someone came in as a new boss and leader and said, “Oh, you're a sales guy now.” I'm like, “I'm a what?” That kicked off a whole different journey into sales and marketing side, which very lucky, it rounded me out.

Created somebody who understood a bit of technology, understood a bit of people, understood sales and marketing, which that probably allowed me to continue to grow at ProServe. I’ve had very lucky opportunities there.

[0:06:12] CS: I imagine also, just refined your communication skills anyway, since you’re – if you're in sales, you're just constantly having to talk up your product, you have to talk up your company, and just put on a good face every single moment.

[0:06:26] ES: You have to do that. You have to keep learning. I've spent time with stuff like Toastmasters and Sandler Sales, Techer Visage, Mckacio Forum. Lots of learning to help me continue to grow and stay on top of my game.

[0:06:40] CS: Let's talk about your current role. We have a lot of listeners who like to listen to the show to daydream about which direction they're moving in their career. Can you talk about your average workday as president of ProServeIT? Because you've worked in business development, like you said, sales and marketing. What are the new and different roles you've taken on since 2015 and some of your favorite activities and maybe something that never gets easier no matter how many years you take it on?

[0:07:08] ES: Yeah. I get a very varied experience. I get to do a little bit of operations, a little bit of finance, a little bit of HR, a little bit of business development. My job really is coaching people now. I help people learn what they can do, or share my experience as I help them guide to understand what they love. I'm a big person of follow your passion. If you're super passionate about security and white hat hacking, or black hat hacking, or trying to do penetration testing, get really deep in that. Get really passionate about it. If you love leading people, take a people leadership vent.

I get to try a bit of everything, which that probably helps with my personality, or I like to float around. I am passionate about sales. I love selling, I love talking to people and educating as a part of sales. That's my favorite part. The stuff that never gets easier for me is finance. I have a math degree, an economics degree from U of T, but the finance side never gets easier. It's always, you’re learning. It's hard work. It's very detail oriented.

[0:08:07] CS: When you say a finance side, are you talking just operational budget and marketing expectations, or sales expectations, things like that?

[0:08:16] ES: Operational budget, sales budgets, marketing budgets, the P&L, the balance sheets, all the stuff from a financial leadership side of the business and leading our finance team. It's hard work. It's rewarding, but it's hard work.

[0:08:32] CS: Right. It takes you away from – You're in your cave during those moments, like beating your head against a spreadsheet [inaudible 0:08:40]. Yeah.

[0:08:42] ES: Spreadsheets are a cruel and unusual form of torture for someone like me, right? I like people. I like being out there, having fun.

[0:08:49] CS: Worst part of the thing about them is they never end.

[0:08:51] ES: They never – Yeah.

[0:08:52] CS: They just get going. More and more rows get added. It's like, yeah, shorting your treadmill. Our topic today is disaster recovery. Before the show, you and I narrowed the focus of this specifically to disaster recovery for small, medium businesses, which is intriguing to me, because I can conceive of a small business in my head. I can see a small staff and an infrastructure, as well as the catastrophic possible consequences in the case of any physical, or digital disaster. To set some guidelines around our discussion for our listeners, Eric, can you talk about what we mean when we say small, medium businesses in terms of size, operating budget staff, etc.?

[0:09:31] ES: Yeah. In my brain, when I think of small, medium business, I tend to think a business as less than 500 employees. They're businesses that probably don't have a fully formed IT department. They've got some IT leadership. They maybe have some service desk. But IT is something where they are struggling to become the CEO's right hand, which is you start to look at enterprises, they start to look at bigger businesses. IT is side by side and lockstep with the CEO driving digital transformation, driving disruption in their industry. Yeah, sub 500 and that space, you have to really think about what you need. I think people forget how important technology is there.

[0:10:09] CS: Yeah. Also, just how much of the talk around disaster recovery is for 20,000 employee businesses and hire. Yeah.

[0:10:18] ES: It's for everyone. From the day you start your business, you have to know what happens if your data gets stolen, your data gets lost, you need to at least plan for it and really test it. Testing is as important as planning, or maybe even more important than planning.

[0:10:35] CS: Yeah. Like I say, a lot of the disaster recovery plans I've seen online are only feasible when you have a big operating capital and big staff of IT people and so forth. When creating a disaster recovery plan in a small, medium business situation, what are some critical pieces you need to consider? Or if you don't even have one, where do you get started?

[0:10:59] ES: Yeah. Let's say you don't have one at all, the first place to start is what is your economic driver? How do you make money? If technology goes away, do you stop making money? Then you can understand the importance of a system. Really easy example, a lawn maintenance company. IT goes down, they still can drive money. They can still move money through their systems. A retail shop maybe cannot. You have to understand, what's your economic driver? How is that tied to technology? How is business development tied to technology? Then you start to say, okay, if my economic driver, if it's mowing lawns, or planting trees, I can still do that when IT is down. I got to get it back, but I probably have two or three days to get it back. If you're a retail store, and IT goes down, you don't have a lot of time to get it back. You need to be able to sell the goods –

[0:11:51] CS: Yeah. You’re losing money by the second. Yeah. Right, right.

[0:11:54] ES: 100%. If you're not digitally transacting, it is by the second, overnight, 24 hours a day.

[0:12:00] CS: Yes.

[0:12:00] ES: That first understanding and that first step of what is my economic driver helps me get to how big of an issue is this for me? Then you start to say, “Okay, is this a two-day problem, a five-day problem?” You start to narrow in. Let's use the lawn care example. It's a five-day problem. They got to get by the end of the week to get payroll, get invoices out. We have five days to recover. Now we start to look at the systems and how hard, or easier they recover. What's the budget? What's the time? What type of people are needed? All that stuff starts to take place.

If you're on the digital retail side, it's a bigger investment. You're going to have to put more money towards it. You're going to have to have a strategy, a test, who can declare the disaster is really important. We've had a few times where if you think about the ISP goes out, so your internet service provider, sorry to use acronyms. They go down. Do you actually do anything? Or do you say, this is not like, yes, we're down and it's not a disaster? The CEO's responsibility, or the president's responsibility, whatever title you're using, business owner in a small, medium business, sometimes they have to stop and say, “Is this a disaster? Do we as a business do anything? Or do we wait?” Waiting sometimes is a really good answer.

If you've been ransomed, if you get cyber ransom, you've been breached, not a good time to wait. Internet service provider, a power outage, it's probably, let's pause. Yes, this is hard, but let's not do anything for 24 hours.

[0:13:34] CS: We're not breaking glass yet.

[0:13:36] ES: Yeah, 100%. Yeah, it's not a break glass moment.

[0:13:39] CS: Not emergency per se. Okay. Well, yeah. That's great. That's a great way to think of the first steps of it. Again, speaking to past guests, the notion of disaster recovery plans had an unspoken element of having an entire security team. Like you said, security that's directly tied to the C-suite and the head of the company, at least a dedicated disaster recovery specialist, maybe on prem, or on retainer for a fixed amount of time. Yeah, so no matter the size, a disaster recovery plan works best if it solves the specific issues of your company. What are some tips to customize your disaster recovery plan to your specific organization, especially if you don't necessarily have the army of security people that can march in and get it started?

[0:14:22] ES: Security is only one component. You do need IT and security is important when it's a security incident. IT is important when it's a non-security incident. Security often does more respond and detect than they do remediate. Remediate almost always falls back to core IT. We need to recognize the incidents. We need to see them and understand them. Then security needs to partner with IT and this can be all outsourced. It can be some inside, some outside. It can be a combination. It can be all inside. But the key thing is their security is a partner to IT to help them understand what to recover and to make sure when you recover, you don't have a second incident right away.

[0:15:01] CS: Yeah. Right.

[0:15:02] ES: That's critical.

[0:15:04] CS: And sadly, common.

[0:15:07] ES: Yeah, scary and common. The other piece we often talk through with businesses, especially in that small, medium enterprise or small, meeting business segment is, we want you to think about a resilient by design solution. When we start to think of cloud solution providers, where we do a lot of work with Microsoft, but any of the major cloud bars, Microsoft, Google, Amazon, you can build resilience by design. Then when you look at security on your workstations, you can build resilience by design with stuff like, Defender for Endpoint, or Defender for Business in the small, medium space, or CrowdStrike, where you have a rewind capability, so we can say, “Hey, something bad happened at 9 a.m., we're going to rewind 8.45 and stop it before it happens.”

If you can start to think resilience, we can actually avoid the whole disaster recovery plan. The smaller you are, resilience is way more important, because you don't have time to be down. It can be catastrophic for a business to go down for five days, or three days while you recover.

[0:16:08] CS: Yeah. No, I totally agree. Well, to that end, something that applies to businesses of all sizes and departments of all sizes and shapes is there's not often enough allotted time to do tasks that might involve an event that could theoretically happen at some unspecified time in the future, let alone issues happening in the present and your current docket of things to do. Then this is likely compounded if you're a small company, or understaffed, or don't have the resources to allocate.

In a hectic environment like this, Eric, how do small businesses learn to prioritize disaster recovery plans, rather than maybe crossing fingers and whistling past the graveyard and hoping for the best?

[0:16:47] ES: Yeah. Business of every size need, A, they need to have a technology roadmap of plan. That is just as important as your strategic business plan. Most businesses don't start their fiscal year without knowing at least roughly where they're headed. They often skip the planning in the IT side. If you have the IT plan, one component of it is our business continuity, disaster recovery. For a small business, it might just be like, we're going to spend 10 grand testing a recovery incident.

The VP of sales’ laptop gets stolen. What do we do? Build two or three scenarios and test those scenarios and allocate a budget to the beginning of the year. Tell people, “If we don't spend this budget, it's a failure. This is not where we want to save money. We need to be proactive on this so that when, not if.” It is a when. When something happens, we've got a plan, we've tested it. It doesn't have to be a 100-page plan. I'm talking like a two-page checklist that says, “Do these 10 things.” Office 365 gets ransomware decrypted. Here the 10 steps to recover Microsoft 365, or here's the 10 steps to recover Google workspace. Those are documented. If you haven't tested it before, or haven't looked at it and walked through the process, it's really stressful to do it in real time. That's when you make mistakes.

[0:18:08] CS: That now, I mean, that opens up the question of how do you gather the most likely, because VPs of sales’ laptop gets stolen is not one that I've would have thought of immediately. I mean, at that point, you could spin out hundreds of them, like lightning could strike the top of the building, or Batman could come flying through the window, or whatever. How do you winnow down to, like you said, things 365 gets ransomwared, or whatever, like, I guess, that's something that a disaster recovery specialist knows to do, right?

[0:18:43] ES: Your managed service provider, your disaster recovery specialist, they should be able to guide you through that. The VP of sales’ laptop going missing, or getting stolen, when you think about how much VP of sales often travel is way more common than you expect. Get’s left in an airport and disappears. It is shockingly common that, hey, we had critical information, sales proposals, RFP responses on this VP of sales’ laptop, it's gone. Can we hit the self-destruct button? Can we send that person to Best Buy to go buy a brand new machine and auto magically send all their data to you, and so they’re –

[0:19:16] CS: Pull it back. Yeah, right. Go back in time. Time machine.

[0:19:21] ES: It doesn't have to be VP of sales. It could be any person.

[0:19:24] CS: Of course.

[0:19:24] ES: Device stolen.

[0:19:26] CS: Device stolen. Yeah.

[0:19:26] ES: Crypto is the most common. Crypto and email breaches. To me, those are the most common.

[0:19:32] CS: Talk about crypto issues. We just had someone on who was – the part of the government's crypto recovery plan and so forth. What is making that larger now than say, ransomware?

[0:19:46] ES: Sorry. Crypto ransomware. Yes. Sorry.

[0:19:47] CS: Oh, okay. Got it. Got it. Got it.

[0:19:48] ES: Crypto locked. Yeah, yeah.

[0:19:49] CS: Crypto locked ransomware. Got it. Got it. Got it. Okay. I was thinking specifically of crypto scams that what we were talking about.

[0:19:54] ES: No. Sorry. Crypto lock. Yeah. Ransomware is number one. Email breaches is number two. It's the whole concept that the two things we can do to protect our associates from that are – they're fairly easy. It's multi-factor authentication and trust no one. The whole concept is zero trust. This is all people education. That eliminates 95% of the bell curve of incidents we observe, or we see in industry today. It is two steps. Education and MFA. That's the best remedy in every small business we talk to, is MFA turned on and have you done your education in the last 90 days? If not, let's turn MFA on and let's set up your 90-day education schedule.

[0:20:42] CS: Yeah. Yeah, yeah, yeah. There's not really that many barn doors to open and close when you really get down to it.

[0:20:48] ES: Yeah. If you've got your Google Workspace environment set up, or your microf365 environment set up for security and you're going secure by design, resilient by design, you really make yourself not a shiny target. It's the same as putting a club in your steering wheel. You can still cut it off. You can drive with it, but it's a pain. You're just making it a little more difficult and they go look at the next car. Oh, that one doesn't have it, and scrap the car instead.

[0:21:14] CS: Yeah. They say that, too, about just the sign in your front lawn about having an ADT system.

[0:21:20] ES: Security system. A 100%.

[0:21:21] CS: Yeah, yeah. They’re like, “Never mind.”

[0:21:23] ES: Ring camera on the front door.

[0:21:26] CS: Yeah. We've been talking up to this point about the abstract concept of disaster recovery plans and some practical examples. Can you give any specific examples of businesses that have successfully implemented sturdy disaster recovery plans and bonus points if they had to deploy the plan and actually worked?

[0:21:42] ES: Yes, we have helped many businesses. We typically don't name them, because they don't love that getting out in the press and in the wild. Small business and –

[0:21:52] CS: Does it rhyme with Blikerosoft? No, I’m just kidding.

[0:21:55] ES: Small business in the US, a user clicked on something they shouldn't have clicked on. They're in a financial services space. Someone got through, because they clicked on it. They actually had MFA turned on, got through the MFA by really is a great social engineering hack where they got you to punch in your information. It looked like you should MFA. They were MFA’ing you in real time, so they're screen grabbing at the same time. Got breached, then got cryptoed. In that case, they did have the CEO immediately declared a disaster.

Step one, the CEO had a playbook. He had his – CEO had three checkboxes in his checklist. Is it a disaster? Yes, or no? Good. He in this case had declared that, but they have to declare that. After that, who do I notify? Cyber insurance and communication plan. That's the CEO's responsibilities. We need to get that locked down, nailed for that CEO. Everything else becomes a technical exercise that in this case, we helped them, we had practiced with them, so we're able to say, “Okay, we're undoing all this. We're resetting everyone's password. We're ejecting all devices that are auto protected, or auto logged in. Everyone will have to re-authenticate as of noon today.” Resetting MFA, do all the other stuff. Good education session the next day and then go through what data got extracted. That business was backed up and I will say, mostly functional with a few scared individuals inside of about four hours. That's a great scenario. That's about as good as you can get.

[0:23:29] CS: That's still pretty attainable with not a lot of money behind it.

[0:23:35] ES: They practice twice a year. It's a $10,000 investment twice a year to test a scenario. We just test one scenario. Probably, 10 grand a year to keep that plan up to date. For 30 grand a year, they know and they've had a few different issues. This business, their high visibility, high attack profile, because they’re a financial services service company. Yeah, so it's we practice, we practice, we practice. That means you can recover really fast.

On the negative side, we've had customers call us and say, “Hey, we had someone click a link they shouldn't have clicked. We didn't have our deep email threat scanning turned on. We've cryptoed everything in the building. By the way, the backups we thought were working might not have been working quite as well as we thought.” Those are the really hard ones. Now you're thinking, this is going to be a – we're in for two weeks of really hard work to try and –

[0:24:31] CS: Bringing in the biohazard suits. Yeah, right.

[0:24:33] ES: Pull up the paddles, like the paddles are on the chest, and it’s like – Those are not fun. But they're still, worst cases sometimes you'd have to pay. We have had that with clients where it's like, “No, sorry. It's time to pay. Let’s call the insurance company. Let’s go get some Bitcoin. Let's do the unthinkable.”

[0:24:55] CS: Let's talk to our negotiator and let's go.

[0:24:58] ES: We've experienced the whole gamut there. To me, the best thing you do is two drills a year and a plan update once a year. If you can do that for 30 grand a year, not a god investment.

[0:25:10] CS: Two-page checklist feels more attainable than what you imagine of this multi-page flow chart, or something like that. Yeah.

[0:25:21] ES: Yeah. If you get up to a 2,500 user environment where there's a 100 systems, you are into that 100 page document. Tests, different tests. You're into probably a couple $100,000 a year of investments. You need to size all your investments relative to your business and your risk. The only thing I think it's unfair to you, your staff, your customers, your vendors is to put your head in the sand and say, “I'm not a target.” I'm not at risk.

[0:25:50] CS: We’re too small. Yeah.

[0:25:51] ES: That's the only spot where we really get aggressive, or pushing. You are the target. Citibank is not the target. Citibank has a thousand people working against this.

[0:26:02] CS: Yes, right. We are Fort Knox. Yeah, right.

[0:26:05] ES: Yeah.

[0:26:07] CS: Yeah. You are a barn with a window open.

[0:26:11] ES: And no lock.

[0:26:12] CS: And no lock. Yeah, exactly. And a sign that says, “Hey, over here.” As we move to talking about the actual work of this type of disaster recovery, the purpose of Cyber Work is to prepare people for their careers. Can you talk about for people who are interested in doing this work full-time, can you talk about the skills, education or experiences needed to become a disaster recovery professional?

[0:26:37] ES: Yeah. Disaster recovery professional, or security incident response professional. Two different topics.

[0:26:46] CS: I would say, I want to talk about disaster recovery specifically. Oh, and also, where that fits in – Is that something that's mostly outsourced to a company? Would you work for something, like your company in doing that, or in a small business situation, would you ever have your skills be on staff, or something like that?

[0:27:08] ES: Yeah. for a small business in that sub 500 seats base, I would tend to say this is an outsourced activity. The reason is it's going to happen at the worst possible time. Things are happening. People are attacking environment 24 hours a day. Your staff, your IT staff and your security staff at 500 people are not running 24/7 typically. If there's an incident, you need them to work on your business, not on recovery. You want that SWAT team to show up and add a 1,000 horsepower to your team to recover you, and you need that back faster.

[0:27:44] CS: Okay. Then yeah, I definitely want to talk toward people who would do that work and also, specifically do the work of the crafting the disaster recovery plan and presenting it to the CEO and saying, this is how it works. Can you talk about where you would need to get started to have those kinds of skills and qualifications?

[0:28:06] ES: Yeah. On the recovery plan building piece, in our worlds, that's a business analyst. They sit down with the business. They understand what the systems do. It's all about asking really good questions. If you're very inquisitive by nature, love asking probing questions and keep scratching at things, now I would be coaching, okay, let's go to school on business. Let's go to school on business systems. It’s not as much as security.

[0:28:30] CS: This is something where an MBA might actually help?

[0:28:33] ES: Yeah, absolutely.

[0:28:35] CS: Okay. Okay.

[0:28:36] ES: A MBA, or a Bcom, bachelor of commerce. Someone who can sit down and look at a business and step back and zoom out, that's the person who can write a really good business continuity, business recovery plan.

[0:28:48] CS: Okay. There's a nice Venn diagram, or a convergence of a business background. What level of technical mastery are we talking here? Are we talking net plus? Are we talking full – Yeah, just probably not. Yeah, right?

[0:29:07] ES: No. For the business analyst, it's less about how to configure the system and how to recover the system, and more understanding what's the impact of this system. The next person, there's the person who's going to find and detect this – I said, that security incident response person, he or she now needs to be watching the systems all the time, or using tools, automation, using AI, using stuff like Azure Sentinel to understand what's happening in that single pane of glass to look at it. That person's job is to call it when it happens and it's going to happen.

They're the tip of the spear. The business analyst has fed all that information and here's the systems of modern watch. They're the analyst on the front end saying, “I think I got a problem. I'm bringing in my next level security resource to help support this.” Then once security’s found and stopped the incident. They're passing it off typically to someone who's really, your IT system in who's done backup and restore, knows backups really well, knows networking and can build that plan. It is a Venn diagram and you do need three different skill sets. I'd say, it's pretty rare, maybe even a unicorn to find all three skill sets in one person. It's a team.

[0:30:28] CS: Okay. It is a team then. Yeah. And someone who's doing this business analyst work for a small company is probably not employed by that company, I'm guessing. This is like a retainer thing. Is it something that you could hang your shingle as an independent contractor, or are you going to work for a company like yours?

[0:30:48] ES: No. You could absolutely do this independent contractor. You could partner with a great group to partner with to be CA firms, so chartered accountants, because the accountants deal with the risk in a business. You can help the accounts actually eliminate, or reduce risk for the business. We do sometimes see a VP of accounting play this role, where they look at and say, “Here are the systems that are going to cause us to lose money.” If it's internal, it's more of a finance risk role. That’s as you get closer to the 300, 400, 500, they'll do it internally. At a 100, this would be external and partnering with accountants.

If you come at it with a bit of a technology lens, you're more powerful, and you'll do a better job, but you don't need to know how to configure Google workspace, or do the recovery in CrowdStrike.

[0:31:38] CS: You're not actually dealing –

[0:31:38] ES: Getting hands on keyboard.

[0:31:39] CS: Yeah, you're not actually winding the tapes back, or doing the recovery, or whatever. Well, to that end, though, are there certain skills, or certifications, or experiences that you would want to see on someone's resume who wants to get into this space, or degrees, obviously, and so forth. What helps float you to the top of the resume pile?

[0:32:03] CS: Generalist, actually. Someone who's done a little bit of everything. When we're looking at people, or interviewing for people in our business, very well-rounded, know a little bit of networking, know a a little bit of security, a little bit of infrastructure, a little bit of business, that human, he or she, they're really valuable and they're very unique. You don't find a lot of people that have that rounding, or they have bounced around a bit. You're almost finding someone who's mid-career, or re-careered. Or we do a lot of investment on employees in a lot of training. We'll train up the pieces that are missing. We look a lot at aptitude. What's your aptitude, Chris? What are you passionate about? How do we augment that with some extra skills, or experience we have to teach you how to now be either that analyst, or that incident response specialist, or that disaster recovery specialist?

[0:32:55] CS: Okay. That's great. That definitely puts it into perspective, because sometimes, yeah, other job roles that we've discussed with people, it's like, you have to just be focused on this one thing and you've got to – you even said before about just getting obsessed with one aspect of security and so forth. It is rare and worth noting that some of the key cyber and cyber adjacent and security-related job roles actually do call for generalists and master of none.

[0:33:28] ES: It's probably more in that small business segment than it is – as soon as you move up in the business size to 2,500 employees, 5,000 employees, you now get to someone who is super laser focused and very niche.

[0:33:43] CS: Definitely has their corner.

[0:33:44] ES: They don't take well in a small business. Yeah, yeah. They can't scale down. As a generalist, actually doesn't typically scale up well. That's why I said, it's a pretty interesting person who loves to do that.

[0:33:54] CS: They're almost like, two different job roles, it sounds like.

[0:33:57] ES: They are. Yeah.

[0:33:58] CS: SMB versus a large person doing the same type of thing.

[0:34:02] ES: Yeah. If we had the same conversation focused on enterprises, we would absolutely have a business analyst. We'd have a business system owner who's describing what this business response for, or what the system response for, what it drives from a monetary perspective, what the – and we didn't talk RT, or RPOs, or time recovery operations, recovery for how much data you can lose. Stuff like that becomes super critical in the enterprise. We can drown people in acronyms and SMB –

[0:34:34] CS: We do it every day here.

[0:34:35] - and it makes it hard. It makes it really hard and we don't need to have that conversation. We just say, okay, you've got a finance system. It's Microsoft Dynamics 365, or it's NetSuite and you need it back online by Friday, if this happens on Monday. It can be that easy of a conversation. If finance says, “We invoice on the 15th and 30th,” okay, you need it by the 15th. We really have to get to simple conversations for SMB and it's because we're trying not to make IT confusing and complex, or security confusing and complex

[0:35:08] CS: Okay. Now, just one more thing on that as we talk about dedicated role of disaster recovery specialist, what does promotion look like in terms of that? We talked about how there's these two strata, there's the SMB type specialist and the laser focused enterprise. Are the SMB people trying to build the experience to make the jump into enterprise, or is there a way to accrue more responsibility in a larger reach while not leaving the SMB space?

[0:35:43] ES: My observation is people that fit really well in the SMB space, or they fit really well in enterprise, the people who like to cut through red tape, don't love the politics, they just want to come in and get their piece of the world moving really fast and to fit better in SMB. The people who love to see big machines move and see how things interact and learn how to go cross departmental, more of an enterprise play. I don't think I'd see a lot of those people crisscrossing very often. You need different support on either side. one, you have to be able to probably bend rules that exist in enterprise that don't exist in the small business and you're coming down, you're expecting support that the small business doesn't have for you.

In the SMB disaster recovery world, you may turn around and move into a consulting world, you may turn around into an operation, so there's lots of career paths. I'd suggest, anyone with any of these three skill sets we've discussed, their career opportunities are almost endless today. It can be moving internal in a larger SMB. as you get to that four or 500, they want someone with expertise inside to manage their partners or manage their vendors. You could look at moving from the disaster recovery specialist into that business analyst role, because you've actually done disaster recovery. You could look at project management, or engagement management.

There's a move into sales. If you can talk and tell the business how and why and what's important in disaster recovery, you get really interesting sales resource. Then there's all the really deep technical stuff. You go become a Microsoft 365 operations expert, or an automation expert, or DevOps. Anyone with those three skills, the world's there are stir my mind.

[0:37:33] CS: Nice, I love that. Let's end with that. As we wrap up, I want to circle back around to have you talk a little bit about ProServeIT and your company services and maybe some things you're excited about with the company that might be happening in the second half of 2023.

[0:37:51] ES: I'll start with what I'm excited about. I am super excited about some of what I'm observing and what we're going to dabble with on the AI co-pilot, ChatGPT side of things.

[0:38:01] CS: Oh, cool. Yup.

[0:38:04] ES: We're doing some security operations integration with I’ll say, machine learning, artificial intelligence that finally is starting to feel real when you look at ChatGPT, Microsoft co-pilot. Our team is doing some really interesting R&D into that space. The early indicators are just mind-boggling of what work will look like in five years.

[0:38:28] CS: Yeah, talk about that a little bit. What are you seeing as going away and emphasizing and what issues are being solved forth?

[0:38:36] ES: I'll start with what I actually think is the next career opportunity, because that's a positive side of that. The next career opportunity is people who learn how to operate. AI operators and AI interactors, people who figure what the correct prompts are, how to help the machine learn faster. There is such an incredible career with that. When you tie that back into data analytics, data for business, it's just incredible. If you look at the security upside, the ability for an analyst to spend less time with false alerts, because machine learning can apply a first level of analysis and response is really exciting.

The AI operator to me is the most interesting opportunity coming out of this. On the downside stuff that I think will – and I think the roles will change more than they'll be lost. I think the person writing reports today, I would be concerned, the reports will be written by a robot. Anyone doing manual data entry. I think there's ways to have – you can do it now. You can take a picture of a spreadsheet, or a picture of a set of columns and numbers and it auto populates into Excel or Google Sheets.The data expert, data entry person, I think their job's up for a change. I go learn how to be an AI operator.

[0:39:58] CS: Okay, so yeah. What advice do you have to those folks who might be comfortable where they are, but seeing the ground crumble be their feet?

[0:40:11] ES: Yeah. We're a little ways from the ground crumbling beneath your feet. I've had probably four distinct careers in IT and I assume this is going to be my fifth, or sixth when you start to look at how AI will change. The people involved in security and technology, they have to love change. You can't get stuck in what you do today. I went from, again, before ProServe, racking servers, installing Citrix to virtualization, to Microsoft, to Office 365, to Azure. They're all distinct in different businesses. They all have linkages, they're all technology businesses, but Citrix and Microsoft 365 or two ends the spectrum.

For me, it's be really comfortable to change, be really comfortable with experimentation is the advice to those people. And learn. Be a learner. I’ll just like, you hear from many business leaders. Learn everything you can and experiment as much as you can.

[0:41:15] CS: All right, one last question. If our listeners want to learn more about Eric Sugar, or ProServeIT, where should they go online?

[0:41:22] ES: They can find us at www.proserveit.com. Or you can find Eric on LinkedIn. It's LinkedIn/Eric Sugar.

[0:41:32] CS: Perfect. Eric, thank you so much for joining me today. I really enjoyed this conversation. I appreciate it.

[0:41:38] ES: Thanks, Chris. Have a great time. Great to meet you and spend some time together.

[0:41:42] CS: Absolutely. Again, I'd like to thank all of you who've been listening to and watching the Cyber podcast on a massive unprecedented scale. We're so glad to have you all along for the ride. Before I let you go, I want to invite you to visit infosecinstitute.com/free to get a whole bunch of free stuff for Cyber Work listeners. That includes our new security awareness training series, Work Bytes, a live action, fairly humorous series of films featuring a host of fantastical employees, including a zombie, a vampire, a princess and a pirate, making security mistakes and hopefully learning from them.

Also, visit infosecinstitute.com/free for your free cybersecurity talent development eBook. It's got in-depth training plans for the 12 most common roles, including sock analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, and more. Lots to see, lots to do once you get to infosecinstitute.com/free. Yes, the link is in the description below.

Thanks once again to Eric Sugar and ProServeIT. Thank you all so much for watching and listening. As usual, we will talk to you next week. Take care.