From hacker to lawyer: An expert in cybersecurity law
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
Transcript
Chris Sienko: Welcome to another episode of the CyberWork with Infosec podcast. Each week, I sit down with a different industry thought leader to discuss the latest cybersecurity trends and how those trends are affecting the work of infosec professionals as well as tips for those trying to break in or move up the ladder in the cybersecurity industry. Bradley Gross has an interesting career arc. He's the founder and president of the Law Office of Bradley Gross, P.A., but he started his career as a hacker As a professional, steeped in the ways of cybersecurity hacking and all the attendant ethical and legal baggage surrounding it, Brad now structures his law practice around these areas, providing IT and technology consulting, trademark and copyright registration and enforcement, online privacy and security, restrictive covenants for the development and use of IP and more. We're gonna talk today about his career journey and learn something about this underserved area in cybersecurity law. Bradley Gross is the founding partner of the Law Office of Bradley Gross, P.A., a boutique law firm that focuses on transactions involving MSPs, VARs and tech companies worldwide. His firm represents more MSPs than all other US-based law firms and he is an international legal authority in the area of cloud computing transactions. He has been named on nine occasions to the list of super lawyers in the area of IT and technology laws and speaks at industry events throughout the world on issues involving data privacy and security. Brad, thank you so much for taking time today.
Bradley Gross: Thanks for having me.
Chris: So, tell me about your unconventional career journey. First of all, what type of hacker were you and when and where did you first get interested in hacking and computers in general?
Bradley: So, I was the best kind of hacker. I was 10 years old. I just turned 50, so you can do the math. I was young, fearless and I was doing things back in the day, you know, about 40 years ago, when the law in the area was in its infancy and companies really didn't have their defenses up. People weren't thinking about those kinds of things. And so it made it fairly easy for my friends and I, who were young computer nerds, the first generation of computer nerds, to start hacking into things, whether it was software, BBSs, phone phreaking. A fairly open and wide territory because no one really had their eye on what was going on.
Chris: Yeah, yeah, yeah, yeah, so what were, do you have any sort of hacking war stories, or frightening or amazing attacks or accomplishments from those times?
Bradley: Well, it's interesting. Back in that day, we were using, I was using my first computer, a TRS-80, Model One, Level II.
Chris: Wow, you were hacking with a TRS-80.
Bradley: A six of RAM. Yeah, I have some street cred. See, I can spring the lingo. In fact, I still have that computer in my office, and it still works. The only thing I had to replace on it was the power supply, and I got that on eBay.
Chris: There you go.
Bradley: Believe it or not. So, it works. Back in the day, my friends and I would hack into BBSs, which were the precursors of websites. And I had a 300-baud modem. I remember when my buddy got a 1200-baud modem, and we were all jealous, because that was magical to us back then.
Chris: Yeah, lightning speed.
Bradley: Oh, it was lightning, it was incredible. And I had the kind that you had to dial the phone. You actually had to dial the phone--
Chris: Put the--
Bradley: and then take it--
Chris: Put the receiver--
Bradley: and put it in the curse, in the cradle, right. In the cradle. And we did a fair amount of brute-force hacking, password guessing, to no real avail. I mean, we got into these BBSs, and we'd say, "Now what?" I don't know, now we'll post crazy things. What're you gonna do? You're 10, you're 11, what do ya know? We did a fair amount of phone phreaking.
Chris: Okay.
Bradley: I remember we bought the supplies at Radio Shack. And built a phone phreak box that we would go to a pay phone, we'd hold the box up to the receiver, to the voice part and it would emulate the sounds of quarters and dimes being dropped into the phone. So, the phone would think you just put in $10 worth of quarters, it would let you call whatever you want, whoever you wanted to call, but I was 11. Who am I gonna call? I didn't know who to call. I lived on Long Island. My friends were within a five-block radius.
Chris: Yeah, you just wanted the accomplishment of doing it.
Bradley: Yeah, we had the accomplishment, so we would just 212 and then random numbers and we're thinking, wow, we're calling Manhattan. As if that's a major thing. But for us, at the age of 11 or 12, it was really just creating the box and realizing that you can take technology, turn it on its head and have fun with it, really. So, that was where it all started for me.
Chris: So, this is all probably pre the movie, War Games, then even? Did you guys ever have the inclination to hacking into something larger, say government mainframes?
Bradley: We had the inclination, but we didn't have the guts.
Chris: Okay.
Bradley: We definitely tried to hack into some, if I remember, now, we're going back 35 years ago. I know we hacked into some municipalities, some utilities, just by password guessing. It wasn't very complicated. But, once you're in there, immediately the thought of oh, someone's gonna catch us, so you know, but it wasn't the authorities, actually. It was more of my dad's gonna catch me, right? My mom, your sister's gonna walk in and tell your mom and then what?
Chris: Those were the people in your world who were gonna punish you.
Bradley: Absolutely. That was our small world. Now, you know, had we continued along those lines, for a number of years, it probably would've advanced into something more advanced. But it was largely limited to hacking into BBSs, easy-to-guess municipalities, a lotta copying of software, breaking through the code, the bit, the data protection they would have on there and phone phreaking. That's where I started out.
Chris: Did you sort of continue, maybe in a less malignant way, sort of understanding this as you went on and as the technology improved?
Bradley: I would like to take the fifth amendment on that. No, I'm joking. I'll tell you. As I got older, it developed more into a coding. More of a coding interest than an actual hacking interest. Because again, I don't think I had the hard-wiring to really do anything nefarious, so if you're not doing anything nefarious, after a while, you sit back and you think okay, I did that. I hacked in here, I got the password for that. Now what am I gonna do? Nothing. Let me move onto something a little more productive.
Chris: Accomplish some things you wanted to accomplish. So, okay, was there a defining moment that made you realize that you wanted to be on the legal side of cybersecurity, or did you become disillusioned over time? Or was it as simple as just needing a change of pace?
Bradley: Most definitely. So, I started out in the DA's office. In Nassau County, New York.
Chris: Okay.
Bradley: Started out like every other prosecutor, in traffic court, misdemeanors, felonies and so forth. But one day, this was sort of a light-bulb moment. Everyone has a light-bulb moment that occurs over their head, ding, oh, I could do this. One day the bureau chief was walking up and down the hallway, cursing at the top of his lungs, 'cause he was the bureau chief, he could do that. And he said I don't know what I'm gonna do with this thing. Why did they arrest this guy? What's going on? And everyone's wondering whatcha doing? What's going on? Bureau chief walks right by my office and our eyes lock. Mine, probably because I was scared about what he was yelling, our eyes lock and he looks at me and he says, "You, Gross. "You know about computers, right?" And I said, "Yeah." And he dropped this big file on my desk. And said, "This is yours. "Handle it." It turned out to be the first case of computer stalking, or harassment in the U.S., this was back in 1994, '95. Back then, what happened was a woman broke up with her boyfriend and he then proceeded to post all of her personal information, as well as some not-so-flattering commentary about her, on dozens of BBSs, everywhere. Everywhere she went, it was for a good time, call, and it was her real name, her real phone number, her real address. So she calls the cops and the cops see what's going on they have no idea what, they have no idea what to do. This is 20 plus years, 25 years ago. They had no idea. They interview the guy and he admits to it. He's like, "Yeah, I posted it, so?" Now what, right? And the cops were yeah, now what? Now what? So what they did was they arrested him for harassment. They couldn't think of anything else. They arrested him. Today, if you do the same crime in New York, or Florida, where I'm sitting, it's a felony. You could be charged with a felony. You go to jail, prison, actually. Back then, it was just harassment. We took it to trial. He was found guilty at a bench trial. He got a $50 fine, like a parking ticket. Walked out the door. Wasn't even a crime. It was like a parking ticket.
Chris: Slap on the wrist.
Bradley: Like I said, yeah, today, it would be a felony. Back then, he walked out the door. But again, it's sorta like what we were talking about with the phone phreaking and the hacking. It wasn't so much that I did it, it was that it could be done. It was that we could actually pursue people who engage in that type of activity. And so the light bulb went off and I thought wow, I could merge what I know about computers and technology and programming with what I'm doing, the law, and I could do this. And that led to a career for a while in the DA's office up there, going after computer crimes, and starting the internet and computer crime division of the state attorney's office in Miami-Dade, Florida, in Miami-Dade County.
Chris: Okay, well, tell me a little more about that. Did you, so there must've been kind of a mixed, or a bitter-sweet feeling of well, we got the guy, but we got him on this, on a pretty low charge. Were you able to sort of craft your case against people like this to increase the penalties or increase time or just make it known as more of an important legal issue than it was at the time?
Bradley: Well, so at that time, the law really hadn't caught up with the technology. I mean, we were far behind. And so, largely, if you were going to really enforce a criminal act involving technology, it was usually against the child predators. The online predators. That would go onto BBSs, eventually they became chat rooms. CompuServe.
Chris: AOL, yeah.
Bradley: For those of you who remember that, AOL. And they would try to solicit 10 year olds, eleven, who they thought were 10 or 11 year olds into sex acts and so forth. We would have detectives, of course, posing as these kids, so they didn't know that, well, they think they're talking to an 11-year old boy, they're talking to Charlie the cop, who's 300 pounds, with a full beard, and types with two very big fingers, like this, and that was very rewarding to go and pursue these guys. And arrange for meetings and then see them arrested and put 'em in jail, so the technology and the criminal laws, at least, back then, were sorta, kinda on par. Sort of, kind of. It wasn't until later, actually, after I was no longer a prosecutor, when things started to amp up. And in fact, I sat on a commission, with then governor, Jeb Bush, in Florida, to determine how we could increase penalties and enhance the law to accommodate not only these new technology crimes, but how to enforce civilly, technology and privacy and as well as encourage more business from a technological perspective, in Florida. But that really came about starting in about 2000, forward. Before that, it was what you could make of it.
Chris: Yeah, kinda the Wild West.
Bradley: Right.
Chris: So, okay, so jumping ahead to that, when did you start the Law Office of Bradley Gross? We mentioned in the intro, but tell me about your mission statement and the types of cases you take on, especially.
Bradley: Sure, sure, sure. So, I started my office back in 2011. Back in October, 2011, I had been a director and a partner in a very large law firm here in Florida, handling intellectual property, and corporate, and the technology end of things. And so eventually you think okay, I could do it better on my own. So I formed my own firm. My mission really in my firm is to merge my knowledge of technology at a grass roots level with plain speak, jargon-free, okay? To empower clients to make the best decisions they can make and in doing so, they can engage in deals and transactions in which they make a lot of money. And they get a lot of benefit from. It is a fairly interesting an unique firm in that way, because we understand technology. I'm a computer hacker that went to law school. I'm not a lawyer that understands technology. So, along those lines, we represent a huge range of companies, globally, from white hat hackers to pen testing companies, to security monitoring services, companies that offer phishing solutions, because when we sit in a room with them, we understand the technology, the good bad and ugly, and we can get down to business. And that's a great firm to work with. In fact, my staff, they can come in in t-shirts and jeans, as long as they're comfortable, happy and doing what they're doing, it's all good.
Chris: Okay, so what are some of the common services that you provide to these types of tech organizations?
Bradley: So, we largely represent them in transactions. We do some litigation, in federal court. And a little bit in the state court, but we try to stay out of court. I always say you grow old, you stop fighting. You stop fighting. I've learned that if you're fighting in court, then something not only has gone wrong, but the only people who are making money are the attorneys and that doesn't benefit anyone but the attorneys. So, what we try to do is engage in transactions and make those transactions as jargon-free, as straightforward and as beneficial as possible. So that might be licensing, structuring licensing deals. It might be structuring intellectual property transactions in which companies who have technology wanna monetize it. We might represent companies that need the technology and are acquiring it. We might represent digital companies that, as we discussed earlier, are specialists in cybersecurity. They're the ones that you call in to test your systems. To try to hack it, to give security awareness training. To provide you with policies, monitoring, remediation and so forth. We represent well over 1,000 of those types of companies globally. It's a lotta fun. It's the good part of the law.
Chris: Yeah. So obviously, you mentioned that you're a former hacker who's a lawyer, rather than a lawyer who learned a little bit about tech, but what are some of the specific skills that you learned as a hacker, be it problem solving or whatever, that helped you most in your work as a lawyer?
Bradley: Sure, sure. I'll tell you. There are two skill sets that every hacker has. And once you learn them, they are a life's lesson. All right? And the skills are patience and confidence. Patience and confidence. It is crucial, any good hacker, has patience to keep trying and if something doesn't work, try it a different way, if something doesn't work try it in a different way, and that's not to say you don't get frustrated. You get frustrated. But you're patient enough to understand that the frustration is situational. It's situational, stay with it and eventually that will go away. And that bleeds into the other thing, which is confidence. You have to know that there is a hole. There is a way. There's something there. And you'll get to it if you have enough patience, right? And you don't give up and you don't allow your frustration to overtake your patience, well, then you can remain confident, you stay with it. And whether it's brute-force hacking or password guessing or social engineering, whatever it is, or even in life. With lawyers or doctors or any service. You just need patience, if it doesn't work, you try it a different way. If it doesn't work, a third way. If that doesn't work, I think there's a fourth way. There's gotta be a fourth way, right?
Chris: Yeah, there's always a fourth way.
Bradley: You stay confident that you know what you're doing and you understand your skill set, you're gonna get the goal. You're gonna get to where you wanna be. Every hacker learns that at an early age. I learned it and it's really, really helped me in my career. Most definitely.
Chris: So, obviously, you've had such a fascinating career and so much and I'd be dropping the ball if I didn't ask you for some war stories. Are there any particularly unusual cybersecurity-related cases you ever litigated and some surprising things that you've seen happen inside a courtroom?
Bradley: Well, you know, from a courtroom perspective, we would go back to the criminal end of things. Going after these child predators. There is nothing more rewarding, still to this day. There was nothing more rewarding that I've done than putting these people in prison. And then of course, the interesting part is hearing why they did what they were gonna do. Oh, we were entrapped. Or oh, I thought it was a joke. Oh, I didn't mean it. Right, you didn't mean it.
Chris: Sure, sure.
Bradley: But came to the mall with rope, literally rope. I mean, all kinds of things to meet an underage kid. So, that was a wonderful experience putting them in prison. From a litigation perspective, where we find a lot of the interesting stuff occurring is in representing security companies that when they're doing what they're supposed to do. Pen testing. Really pushing the limits of a client's defenses and so forth. Defending them when the inevitable happens. They do penetrate the defenses. Bad-- here's a great story. So, we represented a white hat hacking company and I tell this story whenever I speak. We represented the white hat hacking company. And they were hired to break into a bank. The bank hired them. In a state. I won't mention the state. In a state and it had about 14 branches in the state. So they were hired to break in, and they did. Or at least, they tried to. And what happened was the bank's security system detected the attempt and shut down the attempt. Now, it did that by shutting down every computer, every server in the bank, in the middle of the week.
Chris: Oh, my gosh.
Bradley: In all 14 branches. And because of the way it was set up, the security would not allow the computers to come back online for at least 24 hours. So, here you had the bank saying, "What did you do? "You shut us down in the middle of the week." Of course, we were operating under an agreement that we had drafted that said look, we're walking, essentially, we're walking into a dark room. We may cut across that room and not bump into something. We may bump into something. Some things may get knocked down. There is no standard way of breaking into a bank. We're gonna try some orthodox methods, some unorthodox methods. We don't know what's going to happen. So you understand that there are no knowns and there are no unknowns and we're gonna be hold harmless from that. So, despite the bank's calls and threats and demand letters and so forth, once they really took a look at the contract, they understood, well that's the nature of pen testing. And that's sort of a lesson for those companies that are engaged in that security paradigm. Those security services. They need to know there are no knowns, there are no unknowns, and while they understand that, they need their clients to understand that. You need your client to thoroughly understand that. That's how you manage expectations. That's how you stay outta court.
Chris: Yeah, have you done a lot of that sort of? I mean, it sounded like you were drifting in almost to red teaming territory, where you're sort of broaching the perimeter and on-site and things like that, have you done a lot of that sort of controlled penetration testing for security companies and so forth?
Bradley: Have I done it? Well, my clients do that.
Chris: Your clients do that, okay.
Bradley: I don't do any pen testing, I'm not that good.
Chris: Okay.
Bradley: I can design a website now. I can do some coding, but I'm not breaking into any banks any time soon.
Chris: Okay. So you're the legal mitigator that's letting everyone understand that this is what's going on.
Bradley: I'm the Rosetta Stone, okay? I'm the guy who my client will talk in some sort of technical jargon and I have to explain it to opposing counsel that barely knows, he's happy he just turned on his laptop at work. He's happy he had an upgrade.
Chris: Right.
Bradley: From Windows 10 into whatever he's using. So, I'm sorta the Rosetta Stone. I translate it and bring the situation to a decent level and try to resolve issues. That's what we do.
Chris: Yeah, this dates me as well, but I always, people like that, I always have the image of the old cartoons of like the octopus who's the phone operators, that's doing all the different--
Bradley: That's it.
Chris: Connecting points. And so forth.
Bradley: That's it, and you have to know where all the phones are located and where you're putting them.
Chris: Yeah. Every one. So, in your intro, you mentioned that you are an international legal authority in the area of cloud computing transactions. What does that mean, exactly. How did you become that specific type of expert? What was the draw?
Bradley: So what we do is we represent multinational companies. Companies that are located here, in the EU, in South America. They are in this global economy, I know it's a cliche to say that, but it's truth. It's the truth. In this global economy, it is very rare to have a substantial size company located only in the United States or only in the United States and maybe Canada, near a shore. Usually, they're located in London and Switzerland and Barcelona and so forth. So, what you need to do is you need to understand both the regulatory compliance needs of all those different locations and if you don't understand them, you need to know where you find people who do. And so that's largely what we'll often do. We'll be called into a place in France and they'll say, "We have a place in New York and in Miami and in Paris. Well, I know what I know and I know what I don't know. I don't know Parisian laws, but I do know someone who does.
Chris: Right.
Bradley: And so, sometimes I'm a traffic cop. I'm sort of directing issues to different people. And when you do that, you become known as the guy who can handle international transactions. So, while we can handle matters that are entirely local, maybe bound to a single state, we are not intimidated and we handle it all the time, when a company comes to us and says, "Look. "We have companies all over the U.S., Canada and Europe. "Here are the issues. "It's all cloud-based this, that. "We're storing some of the stuff in Ireland. "We're gonna co-locate in Idaho in a bunker. "How we gonna handle this?" That's what we do. So, just doing it time and time again and understanding the technology at a grass-roots level allows us really to step up and become experts in the field.
Chris: So our particular podcast has spoken a lot this year about the skills gap in cybersecurity. Short version that there's more labor positions out there than there are qualified people to fill them. Do you feel that there's a similar issue in security law? Are there enough security-focused lawyers out there, or is this a career path that's kind of understaffed at the moment?
Bradley: Well, thank God there aren't that many security-focused lawyers out there. It sort of leaves a large area of real estate for us to explore, but if we're just speaking candidly and genuinely, no, there are very, very few lawyers. Very few. I could count, in the state of Florida, I could count on one hand the number of attorneys that I would consider qualified to engage in that type of thing. And I think that it's largely because it's an intimidating area. It's not something that you learn in law school. It's not something that you're going to learn working for a large firm or the government. It's something that you almost need to incorporate from your personal life, like I did.
Chris: It's like double majoring, but you're double careering. You're basically learning a full career and then a second full career.
Bradley: That's it. If you're a computer guy or woman, and you say, "I'm gonna go to law school, "and I'm gonna merge the two." Well, that's wonderful. But there aren't a lotta computer people out there that wanna go to law school. They stay computer people. Or they are lawyers and they stay lawyers. They don't merge. And as a result, you have a lot of lawyers engaged in regulatory compliance and privacy and data security paradigms that really shouldn't be doing it. They don't understand it and they treat it like anything else.
Chris: Hit him with a hammer, yeah.
Bradley: Shouldn't be treated like anything else. It's a unique fit. You don't dabble in this. Either you do it or you do not do it. And so as far as I'm concerned, there aren't enough lawyers in this field and I'm not complaining about that right now.
Chris: Okay, so in your opinion, what are some of the biggest legal issues currently looming over the cybersecurity horizon that aren't being addressed?
Bradley: Well, I'll tell ya. I think that right now, the biggest problem that people are facing is ignorance. That's it. It's ignorance. They don't understand what dangers exist. So, that's the first part. They don't understand the threat. They are ignorant of compliance requirements. They are ignorant of the results of noncompliance. And it is that ignorance that is pushing most of the agenda today. And they don't take things, companies, individuals, companies, they don't take things seriously until something bad really happens. And when it happens, well, then it might be too late. The liabilities are immense. And that's how cyber criminals, that's what they do, that's how they do so well. They leverage that ignorance and you could read all about this in the newspaper and watch it on the news. Oh, Equifax had a breach, this, that, and so on. You know, of course, everyone reads that and thinks, wow, that's crazy. We should be doing something better. We should be really, we should be on top of that. And then, they will all download an app that makes them look older. They'll upload their picture so it makes 'em look older and they say, "Hey, look, I look, I'm 20 years older." Not realizing that now, they're sending their email address, their identity to some address in the middle of nowhere. You don't even know where that's going. And people look on the one hand and they say, "Oh, my God, we gotta do something about security "and privacy," and the other hand, then they go home and do crazy things. So it's that ignorance that's pushing the agenda and needs to be addressed.
Chris: Okay, so in the hot take department, what's your take on, there was a story in Lake City, Florida, about an IT employee who was fired after the city was forced to approve a half-million-dollar payment to cover a ransom payment? It was believed that he sort of fell asleep on the job or something got through on his watch. Do you feel this was justified or do you think the city kind of put the blame for a systemic issue on a scapegoat?
Bradley: So, I'm familiar with that case only to the extent that I've read it, in the newspaper and online like everyone else. So, it's hard to say, not being familiar with all the facts, but, and realizing also that companies all over the world are having the exact same problem. So it's not Lake City could turn around and say, "How dare you do this." Or, "How could this happen to us?"
Chris: This is unprecedented.
Bradley: It's happened to everybody. With that said, I think it comes down to certain questions that need to be answered. As far as I know, they haven't been at least in the news. I mean, for example, what security paradigms were in place at that time, and were they recommended to the city by the IT director and not implemented? Or did the IT director simply proceed in ignorance? Not realizing that there are bigger and better ways to do things, there are processes that need to be in place. Did he fail to implement any sort of initiatives? Were there procedures in place for backup and recovery? If not, why? Was there an incident response plan in place that could help mitigate the problems? If not, why? You can't. What you often find in municipalities and in large companies is that it's spread responsibility so thin that no one takes responsibility. And so when something like this happens and they point the finger at a person, it's very easy to say well, it wasn't just me, there were three other people who I told and they didn't respond and then it dropped off the agenda. You know, that doesn't mean that someone shouldn't take responsibility. Yeah, I'd love to know, did they have a computer emergency response team, a CERT team. That could've mitigated these issues and if not, why not? And then I'll tell you this. Anyone, including Lake City, who doesn't have those processes and procedures in place, having gone through this and having read about it now, shame on them. Shame on them, because this is going to, not it might. You didn't hear me say might. This is going to happen to them. And when it does, rest assured, people will try to spread responsibility thin and then it's gonna be a question of whose fault was it and so on. It shouldn't be that way. Everyone should have defined responsibility. Risk should be allocated amongst a group of people that are named, with definitive positions and responsibilities. With backup plans and procedures in place. It shouldn't be a fire drill, running around, wondering where the exits are when something like this happens. Instead, it should be, okay, open up your handbook, page 65, here's what we're gonna do. One, two, three, four. That's what it should be. Now, were those processes in place in Lake City? I don't know. If they weren't, then whoever should've had them in place or whoever's job it was to make sure they were in place, yeah, he or she should've been fired.
Chris: Right.
Bradley: That's my opinion.
Chris: And there's plenty of situations where all those things can be in place and something still gets through, but yeah, you're right. That they're--
Bradley: Agreed.
Chris: Everyone's gonna get hit eventually, but--
Bradley: Yeah, I mean, if people are acting responsibly and pursuant to a plan, you're 100% right. Things can still happen, but at that point, you can say, "We acted with not just a standard, "a good standard of care, we acted up here. "We're way up." And at that point, no one should lose their job. But it's when people just ignore things. They assume things are in place. You're not paid to assume. You're not paid to ignore, okay? If we wanted someone to ignore, we could fire you and just put a kid in there. We could hire to just sit there.
Chris: On the table, yeah.
Bradley: So, you're not paid to ignore. So, if you ignore, it's on you.
Chris: Yep, okay. So, it seems like a good deal of your work deals with intellectual property and the tech and security realms. What are the big issues in the area of IP at the moment? What are some things that security practitioners and enterprises don't do properly to protect their IP?
Bradley: A lot right now is just theft of IP, right? Theft of creative works, theft of marketing plans, theft of customer lists, those are prime targets. Personal information, right now, is obviously very, very big. The collection of it and the storage and the access to it are really activities that companies are engaged in and they are sort of ignorant of the threats and so that kind of intangible property is really the prime target. And companies that don't understand the risk and don't have CERTs in place and policies and procedures, they're gonna get hit. Phishing attacks, for example. They're ubiquitous. They're everywhere. And yet, very few companies actually engage security firms to test their employees security awareness and so on, so what's the big thing that's out there? All kinds of intangible information. What are they not doing? They're not teaching. They're not engaged. And as a result, they're all sitting ducks. They're sitting ducks. They're slow-moving targets for these hackers. And they will eventually implement these plans. They'll implement them, however, after things go bad.
Chris: After the barn's burned down.
Bradley: And that's not how it should be done.
Chris: Right. So tell me a little about your own podcast. You do, called The Technology Bradcast. What's the focus and what have you, what's been your favorite episode to record so far?
Bradley: So the Technology Bradcast is my brainchild that I sat back and I thought there's a lot of stuff I just wanna convey to clients and to people in the technology field and it's just not... I speak a lot, I write a lot, but it's just not out there in a spoken way. I think I can convey ideas pretty well when I just sit down with people and talk to them. And there's no better venue to do that than through a podcast. So, the podcast really focuses on manned service providers, bars, OEMs, and the issues that they're going to face on a day-to-day, week-to-week, month-to-month basis. And that might be things related to how a particular law will influence or impact what they do. It might relate to their customer facing agreements or their lack thereof, a lack of agreements, and what risks they have. I like to think of it this way. I like to think of it as if you're an MSP or you're a solution provider, think of all the things that keep you up at night. Think of those things. The clients that don't pay you. The clients that challenge everything you do. The clients that don't listen to your advice. Now, what do you do about that? What do you do about that? Most people would sit there and say, "I'm not sure." Right, you're not sure. I know you're not sure, because you're like everyone else. They're not sure either. But you know who's sure? I'm sure. I know what you do. And so that's why I have a podcast. I talk about what needs to be in agreements. What needs to be in statements of work. What do you need to do to get things off the ground, limit your liability so you can sleep at night? And I don't know of any other podcast that's out there. I had to give it a little funky name, instead of just Technology podcast, because that would make people go to sleep.
Chris: Sure.
Bradley: So, I call it the Bradcast. Very clever, I know, very clever. But it worked.
Chris: You heard it first here. Brad has the answer.
Bradley: That's right. I have the answer.
Chris: Was your slogan, so is this available at all the podcatchers of choice?
Bradley: Yeah, it's funny. You say I have the answer. My motto is always you're gonna learn a lot. That's the motto. You're gonna learn a lot. That's what it's about. I know it's available, well if you Google it, it's available, it's on the Play store. It's on Podbean. And it's about to be on iTunes as well.
Chris: Good, okay.
Bradley: Yeah, and it's if you go to technologybradcast.com, you'll find it.
Chris: Great. Okay, so as we wrap up today, what piece of free legal advice would you like to give to the cybersecurity industry as a whole, or to the people who work in it?
Bradley: Wow. That's a good one. So, I guess the one bit of advice would be vigilance. The way I look at it is imagine for a moment you're walking down a street, a dark street and you think you're being followed. So, what do you do? You turn around. Right? You turn around and say what's going on? You turn around. And let's say you see nothing. Do you just keep walking and that's it? You just say, "Oh, there was nothing there. "I'm fine." Of course not. Every now and then, you still turn around. You still look, because what wasn't there at one point might be there at a different point. You didn't see it that moment in time, when you turn a different way or a few steps later, you have a different vantage point. A different perspective and you might see things you didn't see then. So, it always amazes me when I see companies that will do a pen test or some sort of security awareness training or they'll have their agreements maybe reviewed once on day one and years will go by and they won't think about it. Really? You're not gonna turn around again? Really? I mean you really think you're gonna make it down that dark street and no one's behind you and things haven't changed and your perspective is the same? It isn't. So, I guess my bit of advice is be vigilant. Question things. Be patient and confident, but don't be so confident to have a false sense of security. There are a lotta bad people around there. Perspectives change. Circumstances change. Stay on top of it. Be vigilant. Don't just turn around once. Turn around often. And I think that you'll find yourself way ahead of the pack.
Chris: All right, and so we've promoted the Bradcast, but if people wanna get in touch with Brad Gross or the Law Firm of Bradley Gross, P.A., where should they go online?
Bradley: They could either contact us by phone, 954-217-6225. Or they could drop an email at info@bradleygross.com. Or visit the website, bradleygross.com. There's a contact page there. Subscribe to the podcast, we'd love to have you. If you have questions, you call or email us. And really, this is what I enjoy doing.
Chris: Well, Brad Gross, thank you so much for being here. This was really fascinating. I appreciate your time.
Bradley: Absolutely, thanks for having me.
Chris: Okay, and thank you all for listening and watching. If you enjoyed today's video, you may find many more on our YouTube page. Just go to YouTube and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher. See current promotional offers available for podcast listeners and to learn more about our Infosec Pro live bootcamp, Infosec Skills on demand training library, and Infosec IQ security awareness and training platform, go to InfosecInstitute.com/podcast, or click the link in the description below. Thanks once again to Bradley Gross and thank you all again as always for listening and watching. We'll speak to you next week.
Subscribe to podcast
How does your salary stack up?
Ever wonder how much a career in cybersecurity pays? We crunched the numbers for the most popular roles and certifications. Download the 2024 Cybersecurity Salary Guide to learn more.
Weekly career advice
Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.
Q&As with industry pros
Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.
Level up your skills
Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.