Chris Sienko: Welcome to this week’s episode of The Cyber Work with Infosec podcast. Each week I sit down with a different industry thought leader, and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry. Scott Madsen is the CEO at Cingo Solutions, a provider of cybersecurity, MDR, and IT consulting based in the southwestern United States. Now Scott has been a guest on the infosec webinar concerning cybersecurity skills gap, which is a regular topic on this podcast, so we’re gonna talk a little bit about the skills gap today as well as some of the interesting things going on over at Cingo. Scott, welcome to the show.
Scott Madsen: Thank you, thanks for having me.
Chris: So first of all, tell me a bit about your background. When did you first get involved in computers and security? Were these always interesting to you, or did you sort of come to it later in life?
Scott: Always had an interest in it, I came to it, I ended up coming into it a little bit later in life. My partners and I all come from kind of varying backgrounds. One of them’s from tech, one of them’s from finance, I’m from more of an inventory management logistical consulting background. But really when we kinda came together, our love of process, our love of trying to figure out how to make things more efficient, it kind of caused us to end up launching Cingo. Since then, we started with just doing full fledged web development and then managed IT, and we ended up kind of working with a lot of companies that need or require regulatory compliance. So it’s kind of been a very interesting thing for us. We, with our backgrounds, we kinda get that quite a bit, I had worked with the FDA quite a bit, and with, you know, individual Oregon, not Oregon sorry, individual organic qualifiers in the food industry. I’ve done some other work with banking, and so, we ended up taking on clients that had a really heavy compliance base, and we were looking for cybersecurity professionals and companies that we could refer them to, or help kinda broaden out our base of offering, and just never found anybody that would be a good fit, that could deal with their compliance. ‘Cause like, we ended up having to speak directly with state regulators and never really found a good fit. So we ended up just doing it ourselves. And so most of our base for our clients all deal with industries that relate to some element of compliance. So we work with their internal compliance, we work with, again, state, federal, and yeah. So that’s kinda where our specialty ended up residing.
Chris: Okay, so you’re primarily involved in compliance, sounds like that’s your primary?
Scott: Yep, well, primary cybersecurity, but again, most compliance has a really specific requirement for cyber.
Scott: Security companies really understand how to deal with. But we’ve worked with those guys for years, so it’s something that kind of has helped us find our niche in the market.
Chris: Are there any particular, sort of, aspects of cybersecurity and compliance that you, you know, sort of got so good at that you’re sort of the brand leader? What are some of the more unusual sort of cybersecurity requests that people have needed to deal with in order to do compliance?
Scott: Yeah, well a lot of it, what we’ll do is we’ll end up getting engaged by companies for who are in an audit, or have been, you know, have had a bad audit, and need to do some work on their internal processes. And then they get referred to us just through our current customer base. And then we go in and basically just evaluate where they are. A big part of what we do, I would say that probably our specialty is financial institutions. We also work with the FDA for both pharmaceutical and, you know, health care providers. I think that you guys have done quite a bit of work and done great work on notifying the public about CCPA. I think once regulation ends up getting put into law, it’s very hard to back that off. And following and trending that way. So, you’re talking about, instead of the people that we deal with being legal firms and accounting firms and these financial institutions, things like that, you’re talking about people who own bowling alleys, people who own diners, people who’ve never had to deal with anything like this that are gonna all of a sudden be randomly audited and be fined for noncompliance. So, really, I think right now, especially as a cybersecurity provider, the gauntlet’s kind of been thrown down for us to say how are we going to help our clients navigate the new framework that we’re entering into, and how can we better train our staff, you know, as a cybersecurity focus, how can we better train our staff to have kind of a dual purpose of compliance and cybersecurity.
Chris: Is that sort of a niche that you’ve found for yourself, working with, sort of, mom and pop businesses or the small organizations like that, or is that just sort of part of it?
Scott: It’s just part of it. I mean, you know, for us, and it’s been a good thing. You usually kind of have to swim upstream a little bit when you’re starting a business. But for us, it’s kind of an area where we all have personal proficiency, so coming together and ending up with the client base that we have, it’s something that’s been very natural. And since, really most of the, CCPA, it’s California Consumer Privacy Act, they, most of it’s dealing with how you’re dealing with data. That’s something we’re doing anyway. And are you protecting people’s data which, again, is something we’re doing anyway. And so, kind of helping to create solutions that are gonna be a lot more effective and cost effective for smaller businesses has been something we’ve really enjoyed over the past couple years. Putting those programs together has been, has been really effective for us, so.
Chris: Cool. So, yeah, going back to something you said before. You mentioned that you and your colleagues come from kind of divergent backgrounds. You’re not strictly tech and cyber people. And I think this is something we, we come to on our program a lot, because a lot of our listeners are people who might not be involved with cybersecurity at all but might want to get into it and feel, well, I can’t necessarily because I’ve been in finance for 20 years, or I’ve been doing government work, or whatever. So, can you talk a little bit about that? What makes the, sort of, diversity of backgrounds so important?
Scott: Well, I think, you know, we’re at a really interesting moment here with the skills gap with trying to entice people into doing what we want to do, or what we’re doing for a living and need them for. And I think that IT is a fantastic field to get into. It’s about as deep and as broad as you can get as far as skillsets within the industry, as far as requirements for education and adaptation for an individual basis and also for a company basis. And I think that anyone wanting to make the switch, I think it’s a great thing. I don’t think that there’s gonna be, that you’re going to regret going the route that you did. We have, actually, I would say that if you lined up all of our employees, the most common background is in finance. Almost, we have probably 30 or 40% of our staff used to work as financial advisors or brokers, used to work for banks as lenders. And they kind of started to see a little bit of the threat that was kind of coming up in their day-to-day and the way the banks were starting to kind of, they’re kind of slow-moving, but the way they start to surround themselves, say okay, we need to start having a cybersecurity focus. They saw it as a way to separate themselves out from every other FA or, you know, everybody else in their industry and to pick up a unique skill set and move into it. So I think, and a lot of those are some of our more effective ones that come over later in life. They feel real passion, real drive about what they’re doing. And I think that if we’re talking about making a switch and how to close the skills gap, it’s 100% about passion and interest. Another thing, and I don’t mean to just go on if you want to move to the questions.
Chris: Oh, no, no, no.
Scott: I tend to speak, to talk a lot, so.
Chris: Sure, that’s fine. I only have so many questions, so feel free to answer them all in detail.
Scott: There you go. But I think that something that’s kind of unique in our industry right now is we’re seeing a lot of people being able to move into it, and the draw is that people are saying, you know, move into tech, you’ll make 100 grand a year, you’ll make six figures, it’ll be really easy. And the reality is, no you won’t. It’s not, tech is just like any other skill. And I think that people underestimate that. And I think, we talk about a skills gap, that’s why we’re not talking about a potential worker gap. We’re talking about just the skill that it takes to do what we do. And I think that we underestimate that. As an industry, we’ve underestimated it and we’re rewarded bad behavior in hiring people that are not capable of doing the job at a high rate just because we need somebody in a seat. And I think it’s done quite a bit of damage to people’s expectations about what they can do and what they think they’re worth. And I think we’ve kind of gone away from the model of, you know, apprentice, journeyman, master where people should come in and really be absorbing data. They should be absorbing how to learn, about how to do these processes. And as they adapt to in, then they can actually become more valuable to the company because they can act on those adaptations. And then as they become, as they get 10, 15 years in, they’re basically masters. They can dictate how things go, they can recognize threats and trends coming down through the market. You know, a lot of our analysts have come up through, and they’ve ended up just from years and years of experience watching how the market moves and the way these threats develop. They can usually forecast with a fair amount of certainty what we’re gonna be dealing with. But I think that, in order to close that skills gap, you know, China doesn’t have a skills gap in this area. And I think it’s because they take the low paying jobs and learn it and come through it, and then, you know, end up building a career long-term in it. But again, I think in the U.S., I think we’ve taken a short-term approach to just getting people into the system, paying them a large sum of money, and not really doing our job to make sure they have the competence that they should.
Chris: Okay, so, you know, I think one of the problems, you said it specifically, is that a lot of places will say, well, just put someone in there, we don’t have time to find the right person. So where does the time come from, exactly? What do we do in the meantime? Like, what you’re saying is there needs to be a large sort of farm team of entry-level cybersecurity jobs out there that people can learn through. And it sounds like that fundamentally requires sort of restructuring large swaths of the workforce. So what do we do about that?
Scott: Well, I think that the interesting thing is, it’s not really the workforce’s problem. It’s our problem with cybersecurity companies figuring out how to help those people become the best that we can, that we can have. So for companies, some of that that we’ve done here at Cingo, we’ve tried really hard to take people where they are. So when we interview, we bring people in, you can teach anybody any skill out there but you can’t teach them a work ethic. They’ve gotta come in with that. And if you really wanna learn, then great. We have jobs, we won’t let them touch the high-voltage stuff, but they can certainly move around and learning those skills and, you know, we can pay them a reasonable sum for doing so. But it really comes down to their commitment to making that change in their career and getting on the right path and staying on it. And so I think that the burden 100% is not on the people who want to come over, except for that they need to have passion, they need to have that drive. It’s 100% on us. If we, if Cingo hopes to have a long-term workforce that we can draw from and that we can pull from, we have to have the internal development here to be able to take people from whatever skillset, wherever they are in their learning curve, and develop them through to where we have, you know, if they wanna go all the way to the top, and they want to really be in management or they want to be taking on a lot of responsibility, then heck yeah. We pay a very, very competitive and fair wage, and we would love to do that. But again, it comes down to where their latent ability is and what their drive is kind of bringing to it.
Chris: Okay, so along with work ethic which obviously is crucial, and you mentioned 30-40% of your workforce is formerly in finance. What are some of the other soft skills or skillsets that people in finance or other industries have that you think are crucial to a cybersecurity career apart from, you know, coding and networking?
Scott: Sure, well, I think any industry, and I think it’s, you know, when you pull people from professional services, there’s already a cause and effect that’s very natural. It’s kind of encoded into them when they come over because they’re touching, whether they’re coming from legal or accounting or from finance, which are usually the three best to hire from, they’re used to working in a framework where, if you do the wrong thing, there’s not just, oh, man, I messed that up, but there could be jail time. They have a very rigid sense of rules. And I think, especially moving into cybersecurity, it is extremely rigid, and the small things are the ones that matter. You know, most of the breaches that our clients end up experiencing aren’t from a lack of the high-end coverage, it’s from a small mistake that an employee makes. And so, you know, you really have to find people who have that sense of, these are the rigid areas that we have to observe in order to have success here. And if you can get them in and get them trained, then most people, it’s not rocket science. It’s just not. We have good enough high-end tools to make sure that the, like I say, the high voltage stuff is usually covered. We need people who are willing to learn how to train the employees of our clients. We need to have people who have those soft skills to interact and to be patient with people who aren’t technical professionals. Like I said, there are so many areas of this job that you can bring people in and move them through up until they’re, like I say, if they’re doing an analyst job or if they’re, you know, cybersecurity team lead or something like that. There are so many jobs in between that companies like us just have to do a much better job of finding and being willing to train, and employees have to be willing to stick with the company even if they’re getting better offers from somebody else.
Chris: Okay, so there needs to be a sort of loyalty with the understanding that, you know, the company is going to sort of be your, be your, you said your journeymen or your tradesmen that you’re learning from.
Scott: Right, exactly. I think, if companies have that well developed, and a lot of companies don’t, so I understand when people kind of flip, especially in our industry, from one company to the next. A lot of companies haven’t done an effective job of creating internal growth mechanisms to help recognize good talent, recognize people who are wanting to adapt and progress. But, I think that if you are in a company that’s like that you should stick it through. You should be there through until you feel like you’ve gained the knowledge base, that you’ve learned as much and you become proficient as well as you can with the people around you. And then if you want to move, then great, now you’re a high-value acquisition for somebody. I think that, again, in our industry, the difficult thing is people come into it expecting a vast improvement over their previous life which takes a little bit of time. You can get there, but you’ve gotta take the time. I think that’s the number one area where our skills gap is kind of broadening now is because people are making that jump, they’re learning basic skills, they’re trying to leverage those skills into better, high-paying jobs, they’re not lasting in the job very long, and then they end up moving from job to job to job, and it’s just never a long-term situation. I have a, a bunch of my friends are mechanical engineers. I was speaking with one of them a while ago about turnover in IT just because it’s something we’re all dealing with. I mean, the labor market is crazy right now. And he was talking about, as a mechanical engineer, if you’re not with a company for 10 years, it shows that you’re too, like, flippant.
Chris: Yeah, right, okay.
Scott: And that’s crazy to me. Imagine, like, you’ve gotta be with somebody for 10 years before you have credibility with other employers? There’s something smart behind that.
Chris: Yeah, no. I used to work in publishing, and I worked with people who, you know, had been there for 30 years, and that was pretty common. And then you go into the tech sector and you get introduced to the guy who’s been here for three years, and they’re like, he’s our vet.
Scott: Yeah, that’s exactly it. It’s incredible. And what we lose as newer people come into the industry, we lose the knowledge base that that 30-year veteran could give you.
Chris: Oh, yeah.
Scott: And companies like us, we would pay quite a bit to have a 30-year veteran. And I think most companies would. But again, people have to, and I think, again, the burden isn’t necessarily on the people in the industry. It’s on the job providers. We have to give people a reason to stay and for them to understand that mechanism, and if we get a 30-year veteran in here, to understand that you get to teach the next generation of cyber professionals. You get to, you know, be more involved in the day-to-day ops of business, the trajectory of where we’re going and how we’re identifying new products and all that, then I think, I think we’ll have a better, we’ll be doing lot more service to people. And the skills gap, close that to keep people in the positions, to keep them in the jobs as they’re expanding, and to have a perceived benefit for more long-term commitment.
Chris: Well, and you say, you know, specifically, that you would welcome a 30-year veteran, you know, and pay them a commensurate salary, but I think one of the problems is that a lot of places don’t see it that way. I think a lot of them are looking at, you know, their budget line and saying, why get this 30-year veteran when I can get, you know, three people who’ve been around for less than five years for the same price?
Chris: So how do we change that, sort of, perception across the field?
Scott: Well, I think there’s always going to be the, kind of, the lower end providers. Managed IT companies are usually, you get kind of the bottom end where they’re just charging, you know, 20 bucks a desk to make sure your printer’s working. Usually when you send in a ticket, they’re 45 days out. I mean, you’re always gonna have that really low-line provider all the way up to the really expensive provider. We’re probably one of the more expensive providers. But it’s because you get a response within 48 hours, you have five people who are assigned to your account that have been veterans here. You’re not gonna have turnover. You get to know these people, they get to know your company, the way that your data flows. They do, you know, yearly follow ups with you to make sure everything’s going the right way. We keep you with the best providers if we aren’t currently doing or providing the software. So I think you’re gonna have, no matter what, you’re gonna have lower-end guys and higher-end guys however your market is. But I think that if you’re a higher-end provider, then by nature we have to, we have to invest in the people who have long-term goals because we need that vision. We need that vision, number one to be in the company, but to kind of transmit down through the ranks to say we are forward-looking people, and if you want to better yourself or better your position and your skillset, then be forward-looking with us, ’cause we need you. And I think, if you don’t have and you’re not willing as a company to invest in high skill, then you can’t charge a high rate and you’re gonna be obsolete eventually, ’cause the lifecycle of tech is insane. I mean, three to five years, you’ve either completely remodeled or redesigned your business plan and become twice as effective or you’re out of business.
Chris: Yeah. So, one of the things that we talk about on here, especially when we’re talking to people about the skills gap, is this sort of job posting gap. Which is to say, a lot of HR people will put, they’re basically sort of trolling for unicorn candidates. They want someone that has, you know, 10 years of experience and certification’s only five years old, they want people with a master’s degree when they’re only gonna be doing code analysis and things like that. And you’re breaking it down even further to say, not just we want the right skills for the right job, but we don’t even care if you necessarily have the technical skills as much as you have the soft skills and sort of the work ethic in the background. So, like walk me through what your sort of ideal job posting would be looking for this type of candidate? What would you put on there in terms of the skills, background? How do you sort of convey that, even if you don’t have all of the things in the list, we still want to hear from you?
Scott: It depends on the job that we’re posting for. Usually when we have, you know, really kind of entry-level jobs, we have a lot more of them because you work them kind of like apprentices. They spend a lot of hours, they do a lot of broad things to try to pick up on as many skills as they can. But we’re looking for someone who’s gonna be running and leading, basically those style of apprentices, then we obviously need little bit more experience for something like that. But we need less of them because we can kind of distribute a lot of the, you know, the basic work, like my printer’s down, or this or that, those are skills you can teach rather quickly. It’s when you get up into the heavy cybersecurity side that you really have to look for specifically skilled people. I think one of the big mistakes that we make as an industry, though, is we look for college graduates. I think that it’s something that’s nice to have, certainly nice to have, but again, I think that if you took a random sampling of all the best hackers in the world, I wonder if any of them are college graduates. You totally negate the latent ability and talent of somebody if you say, if you can sit in a classroom for four years versus you’ve been eat, breathing, and sleeping this since you were seven or eight. You know, some of our best employees have been younger guys that have been 18-25, and they just, they didn’t go to college, but they do this 24/7. They never stop doing it. A lot of the guys who actually pursue, and they will pursue like ethical hacking certificate, a lot of them are just people who have that natural latent ability to really just pound through code and to, you know, be able to forecast a lot of what’s happening with the market as far as cybersecurity goes. And to identify trends early. A lot of them are just the guys who, if you find a gamer, if you find somebody who loves something, they do it all day, every day. And those are the people that we really look for. And those are the people you know that you can advance really quickly. I think that if there are people who are just looking for a job, we need those too. We need those too. If you just do it because it’s a way to pay the bills, I get that, but there’s always that, that glass ceiling because you’re not excelling as much as you would if you felt passionate. Number one, people getting into tech in a robotic, kind of disjointed way where they’re not incredibly interested but it’s something that they can make a good living at, I would say don’t do it. I would rather not have you even enter the industry than to come in and cause more headache and more problems. Hiring someone who you believe is capable and competent, then watching them burn out quickly, and having to go through the process all over again. I don’t think they’ll be happy, and it certainly doesn’t make us happy.
Chris: Okay, so how do you square that with, you were saying on one hand, you want these people who’ve been eating and breathing and living this their entire life, but on the other hand you have these people who’ve transferred in from other industries who are a little older. So how do you, are you specifically looking for those or is that just a byproduct? How do you sort of let other types of candidates with other types of skills know that, even though they haven’t been eating, breathing, sleeping this since they were seven, that they might also have a position in your company?
Scott: Well, so we have one employee who came over, she was in banking, and just kind of was going with the flow, going through the motions of banking. She ended up coming over and getting into tech. And the fire that it lit in her was impressive. I mean, she’s done a lot of really good work for us and really rose through the ranks. Not because she figured that out at a young age, but because when she came over she realized that it’s a passion. And when you’re passionate about something, you develop as a person at a totally different rate than, say, the next person. And so, I think that it doesn’t really matter what your history is or where you come from. What matters is you’re teachable and you’re willing to actually do the groundwork. You’re not expecting to get rich right out of the gate. I think that it is an industry that is going to continue to grow. I don’t think, if there’s any sign of it slowing down, I think that the more regulation that comes in, the more companies actually need companies like Cingo or other companies to do cybersecurity. So, I think there’s plenty of growth for everybody and I think there’s plenty of money to be made, but I think everybody needs to just slow down. Get your ground game right. Make sure that you have the skills that you’re claiming to have when you go in for these interviews. Make sure that when you’re going into a company you are an asset to them instead of, you know, or you’ve been honest about, I need to learn these things. That’s really what helps us as employers know how to identify and how to help people where they are is if they come in saying, hey, I’ve been doing this for a long time, I’m really good at it, they’ve worked at 17 or 18 different companies that have given them great positions for six months each, you know, usually that’s a warning sign that people have been a little shallow, maybe, with their own self, the way that they’ve viewed their . But I think being straight up honest and saying, here’s where I’m at, here’s where I’d like to be in five years or three years, can you help me get there, and what are you willing to pay me while I’m getting there? And I think, at that point, that’s a very hire-able person if they come in and have that language because I already know what they’re gonna be expecting of me, they know what I’m expecting of them, and I can build a success path for that person to get them to where I need them to be in five years and where they want to be.
Chris: So one of the questions I had was talking about where you look for candidates. Now, I’m assuming you aren’t just, you know, throwing your listings on Indeed and waiting for them to come to you. Are you actually seeking out good candidates, and if so, what unconventional places might you be looking? Where are some places people should be looking apart from just saying, well, we only got one candidate, I don’t know what happened.
Scott: Yeah, well, we go to a lot of shows. We’re kinda lucky. We’re based in southern Utah outside Las Vegas. We have two really good hiring pools. Salt Lake has actually turned into a pretty large tech hub. There are a lot of people up there. Adobe moved there, you’ve got the Microsoft office there, you’ve got up there. You have a lot of really well-paying, well-established tech companies up there, and they’ve been working with a lot of our local colleges to get people into programs to help them identify, you know, what they want to do and to help them become, you know, skilled at that. And then also, just the people around the edges who just do a really great jo of . You know, we’re lucky because there’s a really broad base for hiring where we are. I think that, well, then we have the conventions. We go and try to be active in going to small meets or meet and greets, things that are from our local community. But also, you know, we used LinkedIn, we use referral basis. A lot of our good workers that come in, they’ve usually worked with other people. Even if the aren’t in tech, we try to kind of draw from that. But really, we just try to have a really solid ground game. We try to be really open at the very beginning about what expectations are and how you can grow here if you commit to the process. And then from there, luckily, we’ve not really run into too many issues where we’ve had a difficult time finding talent.
Chris: Okay, so, jumping to the sort of organizational side of things. And, you know. I don’t know necessarily if you hire everyone personally, but, like, what kind of questions should you be asking candidates or existing employees to prove their knowledge, you know, rather than just looking at their degrees or their certifications or whatever. Like, what kind of, what clues do you see in a candidate?
Scott: Well, so we have a multi, kind of a multi-varied approach. What we do is we try to have as many interviews in the process as possible. One will be a technical proficiency, one will be soft skills, one will be, if they make it through the technical proficiency then what we try to do it put together kind of a, we draw from different parts of the company, from problems that we’ve experienced and how we’ve had to solve them. There are usually some that are pretty difficult that have taken us a moment to really get on top of. Other ones are pretty common. And what we try to do is see how they adapt in the moment. It’s one thing to be able to be at home or be at your desk here and to run into something and try to figure out, you have time, you have people to help you figure out the best way to do it. But again, watching the way that they solve those problems, what their body language is when they’re under pressure, ’cause we work in an industry where sometimes there’s zero pressure and sometimes the whole place is burning down. We’ve got to get on top of a leak, we’ve got to get on top of something really quickly. So watching how they work in that environment has been really important to us. But we try to, we try to stage it out. I forget what the CEO of Yahoo!, a really bright woman that I’ve looked to quite a bit through my career, she said “Hire slowly, fire quickly.” And that’s a big goal for us is that we want to maintain a culture of curiosity. We want to make sure that we’re rewarding people who are constantly just driving their own knowledge base and their own interest in what they’re doing. We want to get rid of people or cycle through people who are not interested in having it as a long-term solution or a long-term investment for them. So for us, we try really hard to go through, you know, a multi-staged approach to make sure that we know what the general interest of this person is, where their proficiency is, where we can really fit them into the company and with what team they would gel the most as far as their soft skills, their interpersonal interests are. So we try to be really broad about that, getting to know the candidates before we bring them in. It’s obviously difficult because with growth you have to get them in as fast as you can, and so we just, we do the best we can, but, you know, every company has . We try to mitigate that as much we can with the hiring process, but it’s inevitable.
Chris: So, sort of tying off this section of the interview. If you have the proverbial magic wand to solve the skills gap tomorrow, what actions would you take? What is the combination of fast track measures and long-term solutions that you think would solve this?
Scott: Well, I think, you know, number one would just end end cyber crime, obviously. That would be a great thing.
Chris: Put us all out of business.
Scott: But I think that the biggest thing, again, is just becoming adaptable. One thing that I think people forget about. On the other side of this, there are individuals and individual interests. It’s not this, you know, large automaton that has, you know, miscellaneous interests. They want to make money, they want to do it by stealing your data, they want to do it by stealing your identity. And so sometimes we get to this point where we feel it’s so advanced and so beyond the realm of individual thought we forget that it’s individuals on the other side. Brilliant individuals, but still individuals nonetheless that are trying to figure out ways to get that data out. And so, I think that the way that we solve that is by, again, putting money as companies, investing in individuals who are so driven by this that it makes it worth their while to come work on the straight side, not on the, kind of, the dark side of this whole problem. And I think that, as we do that, it’s never gonna go away. Organized crime has been around as long as people have been around. But I think that understanding it and getting ahead of it the way that we are starting to, you look at the 1990s and early 2000s the way we dealt with cybersecurity, last year cybersecurity became a bigger moneymaker for organized crime than drug trafficking. Crazy. And I think understanding that and saying, okay, we as people need to be more prepared. And so, better training, better investment in internal practices to make sure that we’re developing new software, that we’re adapting as companies into the next model. You know, one of the questions that you’d written on the thing you sent me was “What’s the future for MDR?”
Scott: I’d say the future for managed detection response is obsolescence. It’s going away.
Chris: Yeah, okay.
Scott: For eight years, but we can’t be behind it anymore. We can’t be behind the curve. We have to be anticipating and trying, basing statistical models on what’s happening and trying to figure out how to forecast what’s coming. And, you know, for Cingo, we’ve been working for the last couple years to graduate to a managed SIM. And at the beginning of the year, we’ll be launching our SIM software for all our current clients and then going out and marketing it to additional clients. But really, we have to become more adaptive. We have to use, you know, AI. We have to try to get ahead of, if they’re using big data, then we need to use it, too. We need to be creating statistical models to get ahead of the threat. And we can start to see and forecast a little better about the way that they’re dealing with that.
Chris: How does that work? How would we, as you say, use big data to get ahead of the threat? What does that look like?
Scott: Well, when we’re looking at the way that people come in and try to infiltrate, there is a recorded method. And when we start to look at that, and if we can, the whole way we’ve discovered phishing and spear phishing and things like that. You have these different data sets that start to provide a commonality between them. And I think that as companies, especially cyber companies, start to look at this specifically, and we’ve done this internally, you start to look at the ways that your clients are attempted to be breached every day. And you start to create a statistical model based on the way that they’re trying to make that entry. And then you can start to see trends. You’re still gonna have the low-end guys that are constantly just pinging people’s IPs endlessly, and then you’re gonna have the higher-end guys that are not just using spear phishing, they’re getting into your social media, learning your habits, learning your secretary’s name or birthday or everything else that they’re starting to use instead of hacking. They’re social hacking instead of cyber hacking. They’re getting information that way. I think, again, if we can be smart about it, then we can end up basing a lot of the decisions we make off of statistical models instead of just our gut feeling or whatever, you know, is driving us. That I think we’re gonna be able to get ahead of it a lot faster. And I think we are getting smarter as an industry about how to do that, about how to read the data, about how to get ahead of it.
Chris: Okay, so as we wrap up today, what are some cybersecurity issues that you would like to see people more aware of and proactive about? And conversely, are there any sort of cybersecurity, you know, scares out there that people are spending entirely too much time worrying about?
Scott: Um, I think that, I mean, no, I don’t think that anybody’s spending too much time worrying about it. I think that there are things that are far less probable. But I would say that probably the greatest threat is the soft stuff, the small stuff. You know, are you getting public WiFi on your phone still at the coffee shop? Are you plugging your phone into your computer at work to recharge it? I mean, it’s these tiny things, that I would say probably 70-80% of all hacks happen from these like minor things that people just forget. It’s just housekeeping stuff, really. And so, I would say, if there was anything that I was gonna leave your listeners with, it’s just be smart about the small stuff. Have etiquette as far as how you handle your data. You know, don’t email things you know you shouldn’t email. Most people, and that’s the crazy thing, most people understand what’s wrong, it’s just they get a little lazy around the edges.
Scott: Moments that you get trapped. I mean, you could live an extraordinarily clean way as far as your interaction with the cyber world goes, but you make one small mistake one day, and that may be the day that gets you. So, I would say that, I mean, the big things are always gonna be there, but the small things are the things that they just, they’ll get in a lot faster, so be careful with them.
Chris: Sweat the small stuff. So, if people want to know more about you, Scott Madsen, or Cingo Solutions, where can they go online?
Scott: Our website is cingo.solutions. All of our products and our history are up on that site. Our Twitter is @cingosolutions. If you want to know more about me or any of the people that work here, just go ahead on LinkedIn. Most of our staff’s on that, so, good way to get a hold of us. Or you can just call in through the front line. It’s 1-888, or sorry, 1-833-CINGOIT.
Chris: Okay, Scott Madsen, thanks for your time and insights today.
Scott: Thanks a lot Chris, thanks.
Chris: And thank you all for listening and watching. If you enjoyed today’s video, you can find many more of them on our YouTube page. Just go to YouTube and type in Cyber Work with Infosec. Check out our collection of tutorials, interviews, and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice. And to see current promotional offers available to listeners of this podcast, go to infosecinstitute.com/podcast or click the link in the description. Thanks once again to Scott Madsen, and thank you all again for watching and listening. We’ll talk to you next week.