#56: Identifying issues in cybersecurity with David Malicoat

January 11, 2021 • 55:49


Aaron Spatz, Host, America’s Entrepreneur
David Malicoat, Founder, BAMCIS Cybersecurity

Aaron  00:10
Good morning, DFW. Welcome to The Dallas-Fort Worth Business Podcast. I’m Aaron Spatz. Thank you so much for joining this morning. I hope that all of you all are doing incredibly well. Excited to bring yet another show to you this week. And you know, as I’ve already said, you probably have already gotten tired of hearing me say this, but if you’re joining the show, again, I’m going to do the obligatory like, subscribe, comment, share, all that jazz. I’ll probably eventually quit saying it. But that would be a great way to kind of help get the show going, get more awareness for it across the metroplex.

And you know, if there’s anything that you love particularly about the show, if there’s people that you want me to talk to, if there’s anything else about it, shoot me some feedback. What do you like? What do you not like? What would you like to hear? What intrigues you? I love the word ‘intrigue’ but drop me a line. podcast@boldmedia.us is the fastest way to get ahold of me. And today we have on the show David Malicoat. He’s a cybersecurity technology extraordinaire for 20 plus years. Those are my words, not his. He would probably correct me, but he is a US Marine like myself. And David, I just want to welcome you to the show today.

David  01:22
Thanks, Aaron. Thanks for having me on, man. I appreciate it.

Aaron  01:25
For sure, for sure. So man, you’ve been in the tech space for quite some time. I mean, I’m going to try to not age you that much, man, but you’ve been in it for, we’ll say, about 20 years.

David  01:40

Aaron  01:40
So, I mean, what’s it been like to be in this industry for 20 years?

David  01:49
The rate of growth has been amazing. And I mean, growth as in – and maybe you could see these old gray beards that you have back from the 70s that would say the same thing as they progressed in the 80s and 90s. But from my perspective, the rate of change has only increased exponentially for that, particularly once we move into the cloud and all the things that go with that. It’s been an amazing journey so far. I still feel relatively young, so I think, you know, plenty of road ahead as far as that goes.

Aaron  02:25
Absolutely. For sure.

David  02:26
But sure, it’s been an interesting ride so far and only getting better. I can tell you that.

Aaron  02:32
Yeah. I mean, it’s changed so much. And without dating myself, I’m going to try to not do that too, but you know, you can call back to the 90s when we had, you know, there’s beepers, pagers, big old, clunky brick cell phones as big as some of these devices I have sitting on my desk. So it’s crazy to see where technology has gone. It’s crazy to see also the threat landscape and how that’s evolved and how that’s changed. And so, you know, share with us a little bit about journey. So share with us a little bit about your background. I mentioned US Marines. Jump into that real quick and then share with us a little bit about your progression post-military and what that’s been like for you.

David  03:11
One of the interesting part is they’re intricately related. So I started out as an infantry or in the Marine Corps, they call them grunts, right? So 0311 for those Marines out there that know what the MOS designator is. But quickly learned, and nothing against these professions, but I knew I didn’t want to be a cop or security guard. No offense to those guys, but I had a different path. So I moved into the intelligence field and I wanted to be an analyst and they were full, but they were like, “Hey, you can come and look at this imagery stuff.” It’s an 0241 as they call it.

And so right about that time, it was mid-90s, everything was moving from hard copy imagery where you’re looking at satellite photos or ones from aircraft, you’re looking at these hard copies and they’re moving into digital which is much similar to Google Maps now, I say Google Map or Google Earth and other platforms like that, which now you just click up on your desktop. Back then, you couldn’t do that.

And so they’re moving these over. And I was stationed in Okinawa, Japan, and they were looking for folks to help support the systems. And I had an old sergeant that told me, “If they ever offer you training, don’t ask what it is, just raise your hand and get it.” And so I did. I raised my hand and they actually sent me back to the states and I took – the systems that we were on were Unix systems, which they had to have kind of this heavy iron, so to speak, to be able to handle these large images. You don’t have to do that now, you have it on your phone, right? But back then, the old days, you had to.

And so I helped take care of those systems for a few years before I got out. And then the transition was virtually seamless. It was 1999. Dating myself, of course. And I pretty much had a job before I even came back from overseas and really just ramped into becoming a systems administrator, took all the training that I could. And I quickly found that leadership was something that was recognized coming out of the military. And within two weeks, I was a team leader of the organization I was at. It was pretty quick.

But kept that path and then quickly learned that I was not really going to be the technical nerd expert, so to speak. I knew about the technology. I knew how to do it, but I wasn’t great. I was good. I guess it’d be the best way to put it. But I also had this leadership potential and I found myself at Perot Systems around 2004, 2005-ish. And you know, Ross Perot owned it. It was a great place to be, a great place for foreign military. And after a few years, I got my opportunity to dig into their leadership program. And so I expanded from just doing the Unix work into more of leading multiple different disciplines – network, storage, security, all across these different customers. It’s like you have a question.

Aaron  06:21
Yeah, no. You mentioned their leadership programs. So what was their leadership program? I’m just generally curious.

David  06:28
So you kind of had to get identified, I guess, would be the way to put it, be recommended in. Funny enough, I’ve met Ross Perot. I mean, I don’t have that many fingers and toes. You’d see him in the hallway or at lunch. He’d talked to you all day long. Great, great man, great gentleman. Really neat place to be. But once you were identified then they would put you into a kind of a mentorship program and a lot of it was off the job. My first mentor for the job, the role that I was in, I believe he was employee number four named John Ferrari. Great, great guy. I learned so much from him about how to deal with customers, deal with difficult people, difficult situations. It was quite a learning experience. It was high ramp up. Don’t get me wrong. It was a pretty intense, but fun, nonetheless. So to be able to go in and be able to do those things live in front of the customer right out of the gate was impactful.

Aaron  07:34
I mean, we never deal with difficult customers, right?

David  07:39
No, no. The best part these days is to get it to where they don’t become a difficult customer. You manage them progressively to where that doesn’t become an issue mostly.

Aaron  07:50
It’s all about those relationships, man. It’s all about forming a great relationship built on trust and so you’ve got that relationship equity to fall back on. So if crap does hit the fan and things don’t work out for whatever reason in a situation or whatever, you’re able to come from a position of trust and a mutual respect knowing that I was going to get taken care of.

David  08:13
And I think one of the things, you know, a lot of people, you hear them talk about wanting to get into that trusted advisor space. And it’s interesting because if you’re not genuine, you wind up not finding yourself there. You talk about being in relationships, that having genuine relationships to where I’m here, I’m a professional and I provide you a level of expertise that you may not have yourself in your company or in your general vicinity. So to be able to come in and say I truly want to do the right thing for you and get in and move into that trusted advisor position, it provides you that mileage, I guess would be the way put it, or that thing to fall back on like you talked about. It’s the key, for sure.

Aaron  08:57
Right. That’s awesome. I mean, so picking back up into your career, so you’re at Perot Systems and then you moved on from there.

David  09:07
Yeah. And actually, they’ve got bought by Dell in 2008. So about halfway through my tenure, it flips over and you want to talk about culture shock. That was an interesting. You go from wearing a jacket and a tie to seeing people walking around in shorts in hallways. It was a major difference in culture. But again, still valuable, nonetheless, lots of learning. And looking at it for a different way for scaling perspective, Perot Systems was always a place that is very safe and they played it very safe because it was an investment for the family. Dell, not so much. They’re more aggressive and they go out there and they spend money to make money. Perot wasn’t necessarily that way. Not against them. It’s just two different business outlooks or approaches.

So moved on from there. Actually, I had a good friend of mine that I had worked with at Perot. He had convinced me to – after all this experience that I had in doing, basically, people for the bad word called outsourcing but sourcing or providing services to other business to business, whether it be IT or security. He said, “You should get into the consulting space” because he was in that same space and he said the demand was high and it would kind of develop right at that time.

Well, they had it before then but it was really hitting a stride then where companies were wanting to go and find these service providers to come in and run parts of their IT and things like that. But they were real shy about it because they didn’t have the expertise on how to do it correctly. So if I’m a company and I’m like, “Hey, I want to outsource my backend infrastructure.” You can go directly to a service provider, but ultimately, it’s like going and buying a car, right? You want to be pretty savvy on the car you’re buying, the deal that you’re getting, all that stuff. So there’s a middle consulting that you can come in and actually be the advocate of the company looking to get the services. And you can go in, use everything that you’ve ever learned and provide them good guidance on service levels. What exactly services do you need? How do you write your RFP? How do you go out there and negotiate with the service provider? Things like that.

So I got into that space for about five years with a company called WGroup, which is now called Wavestone. They got purchased last year – I’m sorry, two years ago now. We’re in 2021. They got purchased in ’19. And I’d given myself a five-year kind of a ramp with them. And I’m like, when I figure out where I want to be – and toward the middle, I was like, security’s where it’s at. There’s this convergence that’s happening. You can’t really go in and talk about either sourcing or doing any type of consulting in an organization unless you’re talking about security, and I mean, an organization, as far as IT side goes. Because WGroup was a more of an IT management consultancy.

And so I found myself in a space where I was like, I had a little bit of time, I was on the bench. Went and got my CISSP and really started focusing and concentrating on the security aspect of things. And next thing you know, all these different engagements can trickling in where there was always a need and it just ramped up from there. And so we kind of diverged a little bit. I wanted to kind of do my own thing and they actually got bought out and the company that bought them out had a pretty strong cybersecurity presence already. So I was like, I’m good. Let’s move on and see what the next chapter brings.

And so went independent, did a gig at the state of Texas, worked on the Next Generation 911. For those of you that don’t know, the vast majority of 911 is still at its core analog. Interesting tidbit there. And that’s not a secret. If you ever researched it, it’s public knowledge. But they are transitioning over to basically it’s voice over IP for 911. And they needed help kind of figuring out what they needed to do as far as cybersecurity and what kind of controls they need to put in place to be able to make sure that’s secure.

Interesting tidbit that I learned during that engagement was normally you have what they call the CIA triad, which is the confidentiality, integrity, and availability. And most of the time, it’s confidentiality that you’re talking about. You want to keep your secrets secret. Or integrity. You want your data to stay as it’s supposed to stay. Availability is good, but it’s usually almost like the third leg of the stool that everybody thinks about later. For the 911 aspect of things, availability is actually number one. And the reason is that call has to go through every time, every single time. And so that was a big learning curve and a difference because in corporate environment, it’s always about confidentiality. Just saying. Nice little tidbit there.

And something that I’d always kind of woven its way through all this and in the back of my head is I had found that even in large companies, but mostly at these midsize companies, these companies are growing and they have cybersecurity requirements, they have need. But ultimately, they struggle with being able to solve that problem. One, there’s a shortage in skills. I don’t know if you’ve ever picked up any type of trade magazine. You always see it. Everybody talks about it. Last I saw was a million, million and a half, you know, within the next couple of years of open security positions.

Aaron  14:54
Yep. It’s hiring.

David  14:55
So that’s one big thing. It’s to be able to track a talent as a midsize business. And of course, having my background in services, I go, wait a minute, that seems like a pretty decent business opportunity to be able to go and say, “What if I had an organization that could come in and provide those key services for that midsize business at a fractional basis, right?” So you don’t need to hire all the different positions as a midsize business. That’s a lot of money, a lot of investment. You may be only need somebody on a quarter time basis. I can provide those levels of expertise at that fractional basis as well.

So interestingly enough, got to the end of ‘19 and really started kind of putting that in motion and quickly found that there’s momentum. And so I signed on my backend because BAMCIS Cybersecurity provides a full stack. We go from leadership, governance, operations, even the technology and tools, to get it done. And again, targeting these midsize businesses. And so I got all my backend things signed and actually gained a couple of customers from a former colleague that decided to move on to something different. And then the pandemic hit. And so February came, I had two customers and everything stopped. And my consulting engagement ended as well.

Aaron  16:29
Oh, man.

David  16:29
It just went silent and it was nerve wracking. And actually, through some of the support things that we had, I think I got an idea to get a loan through the SBA, was managed to get me through the summer or get us through the summer – mainly me at that point. But as we’ve grown and picked up customers, I believe in the July, beginning of August, picked up another customer and things now are opening up and you’re finding – and then I don’t want to call it a pivot, what I would call it is, you know, as you’re going through and you find that emerging markets, you find that things change. And initially, what we were doing is we were offering just a set of what I call point services, right? Your SOC as a service, security operations center as a service or managed endpoint, where you’re helping manage the security of the endpoints, you know, people’s laptops, desktops, things like that, vulnerability management, stuff like that.

And what we found through learning with customers, current customers and potential customers, is they don’t want point solutions. Because especially at the midsize businesses, they just want their problem solved. And I’m actually going to going to provide a little bit of whatever – this will go on the 19th, we are relaunching into what we call the cybersecurity as a service. Again, targeting those midsize companies to where we just come in and solve the problem. We meet you where you’re at when it comes to cybersecurity and able to provide leadership, provide that overall governance that you need, risk management, all the way through to daily operations and the tools to be able to do it. So that’s one of the things we learned. We’re going to relaunch it on the 19th and respond to the market.

Aaron  18:16
Man, well, I mean, that’s fantastic. I mean, obviously, not fantastic that the pandemic had the effect that it had on you, and you actually took the question right on my mouth. Because I was going to ask you, man, with a lot of service industries and all these different companies that provide critical or sometimes other types of services to a variety of clients, how did the pandemic affect you? How did the pandemic affect your client base directly?

David  18:45
So client base directly, and I can say the two customers that we have during were amazingly faithful and we were obviously faithful to them and we’ll continue to be. We don’t forget the folks that got us through the rough times, right? You hear grandparents or great grandparents talking about the depression and always maybe owing somebody a debt of gratitude. Very similar to these two companies. One is a commercial real estate company that owns a construction company and they pay the bills on time every time. And that helped us leverage into becoming what we are today and growing as we are today. And the engagement was good. The dry time was around when you’re going and talking to potential customers or people that maybe you were already talking to in February, but then come March, it was, “Hey, there’s no budget right now. Everything dried up.”

Aaron  19:43
Yep. Exactly.

David  19:45
And those conversations did not resume, I would say, until July-August timeframe. And now even there’s still a fair degree of it. As we move forward, what we’re finding is the wait and see tends to be over and I think a lot of folks tended to be waiting – what it seemed like was the folks were waiting for that next budget cycle. So now that we’re in the beginning of the new year and they’re moving into that next phase of things, the conversation has picked up dramatically.

Aaron  20:17
Yeah. Well, I mean, because now they can actually take a look and see and plan for the entire year and they’re probably going to make some assumptions, right? Like, hey, we’re probably going to be under this remote-first model for quite some time. So I think everyone’s had a chance to kind of catch their breath, reevaluate what the situation is, and kind of put together – because I mean, I’m telling you, there’s been some companies that have been killing it in terms of reducing their operating costs because they don’t have anybody inside of a building anymore or it’s like a skeleton crew and so, I mean, your overhead goes down dramatically.

And then there’s even companies that are reporting increased productivity because people, they’re not commuting an hour or 30 minutes to work one way each day. And they’re more focused, they’re more on task in  their own homes, which is crazy because – this is my opinion. I would not think that would be the case. And I think I’ve been surprised to learn that that people have been actually more productive outside of their workplace. I mean, shoot, I’ve been incredibly productive just working out of an office. And so it’s been pretty wild, but it’s great to hear, though, that there’s companies that are now starting to take a look at their budget, look at their plans and then you’re able to now kind of continue some of those conversations, maybe have some new conversations with new folks.

David  21:46
And I think the key on that is – and you know, I will say, I think any business owner or somebody that’s in a decision-making capacity in a business, back to that idea of responding to the market, if we would have stayed on the path that we were on instead of becoming a problem solver, just saying we’re going to solve these specific problems, I think that would not do us justice or be able to provide that value that these folks are seeking. Because normally, let’s say our typical customer in the midrange or the midsize, they’re heavy tech for sure, right? And you have those requirements, example being like you just said, now everybody’s working remote. How do you deal with that?

Aaron  22:33
You have to secure your network and you got to keep people productive at the same time.

David  22:37
Correct. And they don’t want me to come in and start talking about, “Well, I can provide this service and that service.” They’re like, “I just want you to solve my problem. Give me a reasonable idea of what it’s going to cost me as well as what level of risk you’re going to reduce for me to be able to move this forward.” And so with that new approach, and I say new, I wouldn’t say it’s necessarily novel. I think it’s novel for more of a midsize company. Because what I feel is, and whatever the feedback that you’re getting, there’s a lot of folks that don’t know that that exists out there right now.

When they see what they have to do as far as cybersecurity, they think I have to hire this person. They think I have to go buy this expensive tool. They think that you can get these things on a fractional basis and the cost goes way down comparatively. And you have your hands-on available to you, you have your hands-on high-level experts in their specific field, whether it be risk management, cybersecurity leadership or daily operations or specific to the tools that are deployed.

Aaron  23:41
Yeah. Actually, I think it’s a great place. We’re to go to break real quick. But when we come back, what I would like to do is I would like to understand what are the newest, latest, and greatest challenges you’re working on. You’ve already alluded to it, I think, with a remote-first workforce, but I would love to get a little bit more depth into that and maybe put that aside and I’d love to understand a little bit more of some of the cyber threat landscape that you’re dealing with. So we’ll be right back.

All right. So this show is made and supported by our sponsors and we’re so incredibly grateful to our sponsorships. And so I just want to shout out and give credit to our sponsor, 1st Response AC & Heating. So they primarily service the Fort Worth side of the metroplex. Don’t tell them this. They may or may not make a run out to Dallas, but they do most of their work in inside of the Greater Fort Worth area. One of the biggest things I feel that people struggle with when it comes to home contractors and certain service type things such as air conditioning and heating and plumbing and electrical and whatever the case may be. It’s hard to understand what’s going on because there’s a knowledge monopoly, right? So they’re going to know more about situation than you will. And so you need someone that you can trust, that you know is going to level with you that is going to give it to you straight.

And so that’s been my experience with 1st Response. They have personally serviced all of my heating and AC needs and they’ve done a phenomenal job. There’s even a time where I thought that there was a problem and I thought I had it pinpointed because I like to think I’m pretty good at figuring problems out. It turns out I was wrong, right? So I actually misdiagnosed the problem and they’re like, “No, this isn’t going to cause what you thought it was. It was actually only this. So let’s just fix this one thing and you’re good to go.” I’m like, “What? You mean we don’t have to gut and take the entire system out and start over?” And that wasn’t the case. Now, that may not always be the case, right? There may be a time that comes when, “Hey, this thing is dead. It’s gone. You need to replace it completely.” At that point, though, I would know that I could trust what they’re saying. So anyway, if you’re looking for a solid company to help you with your AC and heating needs, I would encourage you to reach out to these guys. Phenomenal, phenomenal service. Loyal, hardworking folks. So incredibly grateful to their sponsorship of our show.

So getting right back into it, David. So yeah, I mean, the threat landscape, I think, is really fascinating. There’s unique problems, I think, to computer networks and to corporate networks now that it’s a remote-first. So we’re doing a lot of remote access into critical infrastructure. We’re accessing either stuff that’s on-premises or we’re accessing cloud services. And so there’s a threat landscape that is evolving and changing. We see it in the news all the time, right? You know, county X or company Y getting hit with some type of – the stuff that makes the news is always going to be the ransomware stuff because it’s like the most shock and awe, you know, your systems are down, everything’s encrypted, you either pay the Bitcoin or you hope you’ve got clean backups. But what’s been some of the things that you were seeing? What’s the latest and greatest stuff?

David  26:57
And I would say you’re dead on as far as the latest and greatest. With remote work, the challenge has been now you take – and I’ll take a step back. Well, there’s a little bit of education here. So cybersecurity has always depended so far on companies at least, you know, somebody, you or myself or anybody, coming in to the four walls of the organization. You get your security updates there, you get your patches there most of the time. Or at least if there’s new security policies that have to be rolled out to that piece of the organization, you come within the four walls within a reasonable amount of time, you get those. We’re not seeing that anymore. So now with the distributed nature of the workforce for any given company, we’ve had to solve that problem of how do you make sure these folks are protected? How do you make sure that their systems can get updated and that you make sure that they’re updated? And the reason why is that ransomware works because people don’t patch. I mean, that’s about the most simple way that I can put it.

Aaron  28:05
And patching for those of you that don’t know what patching is, that’s just simply getting the latest and greatest updates to whatever piece of software or operating system that’s out there. Just keeping your stuff current and up-to-date with the manufacturer.

David  28:16
Correct. A hundred percent. And so many times, when you do the root cause or you look at the root cause of any given ransomware or a malware type attack, it has to do with there is a well-known and longstanding vulnerability that these folks got in on. So if you’re talking remote workforce, make sure that your automatic updates are set for Microsoft as well as any other major applications that you use. For example, your web browsers. Web browsers are very important. Microsoft Edge, Chrome, Firefox, all of those have the capabilities of being automatically updated. And so that’s the big thing for the remote. And when it comes to generally speaking, let’s say from a server perspective or your web-facing or your internet-facing, as a company, making sure you have a robust vulnerability and patch management program. And it is about as not sexy as it gets when it comes to cybersecurity. I can say that.

Aaron  29:32

David  29:33
It is the most bland thing that you can come up with, but it is also the most important. So these folks coming in and talking about, “Oh, my gosh, you’ve got these great tools” blah, blah, blah. Guess what? If you are not checking to make sure what your patch levels are and whether you’re backlogged or you have ones that you need to do to your servers, to your network components, to your firewalls, to your VPNs things, like that, checking those, making sure you’re up-to-date. And if you’re not, then remediate it. Go through, do your patches, right?

It takes some planning. Again, back to the idea that it’s not sexy, but ultimately, the grunt work does pay off and that’s what’s good. I would say you can reduce your risk significantly just by going through and doing vulnerability and patch management, which is obviously why we put ourselves in that space as well. It’s one of the first things we recommend to folks when we walk in the door or one of the first things that we do for people as a service when we walk in the door. Because you can have all the awesome tools there that you have that are out there, but if the door is still wide open, people are just going to walk through it. They’re going to find it and they’re going to walk through it. So I would say education is another piece. I’m trying to be diplomatic about it, but you would be so surprised. 

Aaron  31:08
It matters.

David  31:10
I’m surprised.

Aaron  31:10
I can say it for you, right? Your workforce is your biggest vulnerability. Your people are going to be your biggest vulnerability.

David  31:16
Where the human meets the keyboard, it’s your biggest vulnerability, for sure. I’ve written about that in the past. And so having a general level or basic level of knowledge around security, understand what a phishing email looks like. I guess that would lead into another piece, which is what you’re talking about. What are some of the biggest things you see? Phishing is huge right now. Why is that? Because people were distributed. Again, a lot of times we rely on that the four walls to protect you. When they’re out there sitting at home on this relatively insecure home network, you get somebody to click on a phishing email and boom, you’ve got them, and then possibly even coming back to your central location for your business.

But what I recommend when it comes to education, because what I’ve seen quite a bit of, is you get it once a year. You get your refresher training once a year. That wears off, right? And you’re not really getting – and things change so often. Back to the idea of phishing or now we’re remote. What are the things I need to worry about if I’m sitting at the coffee shop? Now that things are opened up a little bit, people sort of shoulder surfing me, what’s going on there?

So what I’d like to do is I’d like to institute it quarterly at least to where you take that big chunk – because I think we’ve all seen it. You get this a hundred-page either PDF or PowerPoint that you got to go through or some sort of webinar and it’s just ad nauseum and people were just like, yeah, yeah, yeah, I got this. But to be able to roll it out over a full year on a quarterly basis, being able to dynamically update that education and it brings people – and actually, the way the education works today we’re a partner with KnowBe4. It’s well-known. They provide great training. It’s dynamic. So, you know, things that have been out there in the news, recent breaches, things that are being used more often like ransomware.

Aaron  33:25
Well, that’s the stuff that makes you like pay attention, right?

David  33:27

Aaron  33:27
It’s not some random news story pulled from 2014. Hey, this happened six weeks ago or three months ago. We’re not making this crap up. This is real.

David  33:41
Exactly. And so to be able to spread that out throughout the year and do it on a quarterly basis, it’s a little bit more of a minder. And I say quarterly, I mean, it can even be monthly. It could be one of those. And the cool part is if you’re doing it monthly, that’s that much shorter than it needs to be, right? I’m not doing that a hundred-page thing. I’m doing a five-page thing. I’m just giving you that minder, “Hey, by the way, it’s January, here’s what concentrating on, check this out” and you go through your five pages and you’re done. Do it again in February, March, that good stuff.

So that’s the approach that we take because we understand that the risk really sits at the person and it’s not an indictment. Look, if you’re a CFO or even just a person that does the job, you’re not even an executive, you’re an individual contributor, I don’t expect you to be a cybersecurity expert, but we do have to instill a minimum level of knowledge and an awareness. And so to expect that to last for an entire year, just because we’re doing the compliance stuff, it just seems ridiculous to me. So that’s why we went with this approach, and it’s so far been pretty successful to get people engaged.

Aaron  34:59
No. Well, I mean, and engagement is really important too. Because you don’t want people to give you shark eyes during your freaking presentation and it’s just in one ear and out the other, or it doesn’t go in the ear, it just goes right over their head and they’re just not even paying attention. But there’s something to be said, though, for the education piece. And I’ve really do feel like it’s just as important as understanding, I don’t know, basic finances, understanding how to lock the front door of your own car or of your own house rather. It just like all these basic things. I really do see cybersecurity knowledge as it’s just a basic working knowledge. We don’t have to be advanced. We don’t have to go get certifications. We just need a basic level understanding. Because raising that situational awareness, I really do believe, sincerely believe, that it is just as important as all these other things that we connect daily to our lives and it’s not going away.

That’s the thing. This isn’t something – it’s not a fad. It’s not something that’s just going to fizzle and go away. It’s just going to get more and more and more dominant. And you’re seeing it. Unfortunately, you’re seeing it more and more and more in the news and it doesn’t matter. This is the thing. It doesn’t matter how big your company may be or small, with enough resources, especially like nation state actors, if they have essentially an infinite amount of resources, it’s only a matter of when something’s going to happen. So this whole risk mitigation thing too is really important.

But anyway, you get me excited because I’ve worked in the space somewhat over the last several years on a couple of random things. And so the education side, man, I’m sitting here jumping up and down with you. People need to learn. They need to know. And it’s not this degrading thing. And I know I can speak for you when I say this. We’re not calling people stupid. That’s not it. We’re just trying to raise everybody’s situational awareness. And like you said earlier, David, the threats are changing daily and we just need to be prepared to deal with it. And if we can do a couple of just basic things consistently, we’re going to be in good shape. So anyway, I will stop my rant, because I mean, you got me a little wound up.

David  37:20
Excellent rant. I would like to own that myself. I am very similar in that. I’ll go into it maybe a little bit extension of that, which is not very long, but what I like to try to communicate to business leaders, right? Cybersecurity risk is business risk. And you even said it, even more so now with as pervasive as technology is, there is no company out there that does not use technology, right? So to be able to look at and talk to a business leader, first is I don’t want someone to be afraid to have a conversation, right? First thing, I think you’re going to sell me something but hang on a second. Let’s talk about how cybersecurity versus business risk. And if you’re using technology, do you have a decent understanding of what business risks you are experiencing based upon your use of technology. That’s one and just with a business leader.

And so I always tell folks, more than happy to talk to anybody at any time, right? I’ll give you an hour and let’s just have a conversation. And I’m going to tell you a darn thing. What I want is to understand where you’re at. I get something out of it because I get to understand where I can adjust my business model based on how these folks are providing me feedback. I’ll be perfectly transparent and selfish on that. But the other side of it is hopefully during that conversation, I can provide them some tips and tricks, things to think about. How should you maybe approach a cybersecurity risks when it comes to how you’re looking at business risks?

But ultimately, if I can be a good resource to folks to where they feel like they’re getting a straight scoop and just provide, you know, and I think that’s maybe from our Marine background, right? When were you just like, “Look, I’m just going to tell you honest and here’s where we’re at.” And so it’s just one of those pervasive things that I’ve always put out there. I’m more than happy to have a conversation because I want people to be smarter about these things. And it seems like where business leaders tend to be is they’re not realizing how pervasive their cybersecurity risks are compared to their business risks. They can talk about business risks all day long.

Aaron  39:42
But David, I haven’t been hacked yet. So obviously, I don’t need this.

David  39:46

Aaron  39:47
Nothing bad has happened yet. It’s this age-old song of, you know, I mean, but then there is the concept of we could theoretically overprotect. And what I mean by that is from the business side, you can never actually overprotect. If resources were infinite, that would be ideal, but businesses have very finite resources and so there is a measure of risk acceptance. We hate to say that. But there is a measure of risk acceptance into the business. And so it’s helping them mitigate as much risk as humanly possible the most effective and efficient way. And obviously, the most cost-effective way falls part of that.

And so, man, I couldn’t agree with you more. I definitely found my guy, man. So for those listening, watching, man, you need cyber-related services, because I’ve been in that business. I’ve run a boutique IT consulting firm. I’ve had to stop taking clients because I’m too busy doing podcasts. I’m too busy doing business consulting. I can’t do as much of that stuff anymore. And so, I mean, you’re clearly a great match for folks here inside the metroplex. And there’s a ton of companies here and it helps when you’ve got people that you can trust and want to really understand what’s going on.

And I’d love to understand a little bit further with you specifically, David. So we’ve talked about a lot of stuff and you get two geeks together – I know we don’t look like geeks, right? We probably looked like we were hanging out inside the gym or whatever. But what are some things that we haven’t already discussed that people don’t know about cybersecurity or cybersecurity risk that they should know? And if we’ve already covered it all, then feel free to move on. Or if you’d like to share with people – maybe this is a good time to share with people a little bit of insight into what the dark web is and what does that whole monster like?

David  41:54
Well, I want to start with if you’re not using a password manager, use a password manager. And we’re talking just these basic kind of tips and tricks. Password manager. You should have a different password for every website that you log into. So the day of having a really strong, good password that I use across multiple websites or multiple accounts, those days are over. I know, right? So the password manager provides you a) it generates it for you, which is a great function, and it provides a very complex password that allows you to – it just does it for you. All of these password managers now have plugins for your browser. So it’s set to where it’ll just come up and it’ll fill in your information for you. So you really don’t have to think about it.

So that’s a challenge these days. Because I mean, and I would say, I don’t know, maybe six, seven, eight years ago, I was strong password across multiple, you know, I was doing it all the same. But then I was like, okay, as I got more into it, I’m like, yeah, it makes more sense now. And they’re even moving to this idea of passphrases where you would have a common phrase. Like I was telling a colleague today, full metal jacket, right? Obviously, Marine Corps, you know that one. But you can use that as a phrase and then you can change some of the letters into symbols or put in between the full, the metal, and the jacket. You could put some sort of symbol in between there. And that way, it provides you something easy to remember, but you can also change it up just enough to where it won’t get caught up in these automatic guessers or dictionary attacks, things like that. So that’s the big one. It’s the using a password manager.

Aaron  43:44
So let me jump in on that real quick. So password managers, I’m going to go ahead and ask the question on behalf of the person listening to this right now, who wants to know how and why is a password manager more secure? Can’t a password manager get hacked?

David  44:01
It certainly can. Your strongest password should be your master password for your password manager. And that’s where, like for me, I use a passphrase and I’m certainly not going to tell you what my passphrase is, but it’s a long phrase. I don’t know, about ten 12 words. So it’s super long. And then I actually put symbols in between each of the words, that type of thing. I’ve had taken that approach. So that’s my strongest password. And then I let the password manager for bank or for log in to O365 for Microsoft, for email, I let it choose my passwords. I make them at six length of 16 with high complexity.

And I will say this, the days of changing your password on a regular basis are actually over. So the recommendations from the National Institute of Standards and Technology, NIST as they call it, which is what the US Department of Commerce and US government follow when it comes to cybersecurity. I think it was 2017. They came back and said changing on a regular basis actually leads people to either write them down, make them more simple and lower the complexity.

Aaron  45:15
One, two.

David  45:16
Exactly. One, two, three password or something like that.

Aaron  45:19
One, two, four password.

David  45:21
So having a password for a long time – again, as long as you have maybe that password manager where you have different passwords for each site, again, the idea that the days of me remembering a password, there’s only one that I need to remember, which is my master one for my password manager. All the other ones, I don’t know, because they’re all just random, generated by the password manager. And when I log in, the password manager, you also have on your phone so it will automatically fill them in that way as well. So all good then. So when you talk about that, just kind of the basics, I think that would go a long way to keep people from getting hacked because it keeps people from having to simplify their passwords and either be guessed or attacked in a certain way to where they can be violated. There’s a second part of your question and I forgot it.

Aaron  46:08
I’m actually going to go ahead and interrupt myself on the question.

David  46:13
No problem.

Aaron  46:13
And change direction here. So getting more contextual to the DFW metroplex, are there any common things that you’re seeing? Is there anything in the threat landscape that people need to be aware of that may or may not be specific to the DFW area?

David  46:32
Let me think. Specific to the DFW. Well, I mean, I can tell you, DFW being now the hive of activity that it is, right? So I would say one of the things I’ve been looking out for, and I don’t necessarily have this rooted in any type of research or anything like that, I haven’t seen it, but we have a lot of businesses and people moving from other states, particularly California, maybe New York, others. And so I think look out for potential scams for folks that have recently moved or things like that to where they’re trying to manipulate that. There’s a lot of types of things to see – I mean, I think I just saw it today. U-Haul gave their report on the top areas where people are renting or dropping off U-Hauls at their final destination and Texas was number two.

Aaron  47:27

David  47:27
I think Tennessee was number one.

Aaron  47:29
Oh, no way.

David  47:30
So keep in mind that the bad guys are sitting there, they see these same reports and they’re like, “Okay. How can I take advantage of this?” And so sending out emails saying, “Hey, are you a recent looking…?” And people that don’t know how Texas works, right? So they could spoof something maybe from the county government or the local government. So I would say folks be on the lookout for that. That would be a big one. I don’t know of anything particular to the DFW area where we’re under a certain threat just because we’re us. But I will say being tech heavy, I would say that you’re going to have more traffic as far as that goes. We are a higher threat area just because we have such, you know, we’ve been technology – I came here in ’99 out of the military and we are tech heavy then. And obviously, we’ve only grown since then, so huge there.

Aaron  48:20
Yeah, yeah. That’s crazy. That’s crazy. And I mean, you’ve been here for quite some time. I can’t imagine how much the metroplex has changed just in the time you’ve been here. And man, you know, it’s a fascinating study. You’re kind of making my wheels spin now in terms of just thinking about how threats are changing. There’s more companies showing up. There’s a lot more people working from home and the attacks and everything else are getting more complex. And so it’s gotten crazy, man. It’s gotten ridiculous to be completely honest. And to the point where you feel like you can’t trust anything or anywhere that you go.

And man, I struggle with the password stuff. I ended up having to click ‘forget your password’ on a whole bunch of stuff and have to reset my crap all the time. I’m just like, man, I had to increase complexity. And I think that’s where the password managers are really handy, because you go to one website and it needs a minimum of 12 or 16 characters, you’ve got another one, they only need eight. And other ones will allow the symbols, other ones won’t. You can never – I mean, it’s kind of nice because you can’t recycle your password, which is probably what most people do anyway. But yeah, no, password managers are huge.

As we start to kind of wind down, I was just going to ask you a couple more questions. And I have a suspicion of this. But what do you enjoy the most about doing what it is you do?

David  49:53
Ooh. I think it’s about the service. And one of the things, one of the founding principles of BAMCIS Cybersecurity and one of the reasons why I went in this direction is because I had seen – and this is not to be negative towards anybody, but as a whole, things were very transactional when it came to cybersecurity and cybersecurity services. And that kind of bothered me.

And I learned – well, I considered was from the best as far as particularly technology services – at Perot. And I wanted to take that and move it forward. So again, a local company that existed for a long time and was doing it right, well-respected. I want to take that and move it into my company and to be able to push that forward into an arena that is known for that. Most of the time, when you hear about cybersecurity services, yeah, we’re going to monitor your stuff and then we’re going to throw these tickets over the wall at you and basically cause more issues than you solve. And we really want to get away from that. What we want to do is come in and solve those problems for folks to where they don’t have to worry about it, help them sleep better at night to where, you know, am I hacked or we have an issue like that. But to have somebody kind of at the gate watching or at the door watching for you and also providing you that service where you can come in and have that interaction and it not feel contrived or manipulated or salesy.

Aaron  51:27
I hate that crap, man.

David  51:29

Aaron  51:29
Don’t hard sell me. Can’t we just build a relationship?

David  51:33

Aaron  51:33
And don’t do the whole fake build a relationship because I can smell that crap a mile away.

David  51:40

Aaron  51:41
Yeah. Well, no. And so, I mean, one, I’m happy that you’ve been able to float through the pandemic and things are starting to look a little bit more upward for you. So again, for my memory and for everybody else’s, on the 18th, you’re kind of relaunching it again. Recap that for me.

David  52:02
Yeah. So it’s the 19th,

Aaron  52:04
19th. Sorry.

David  52:05
It’s a Tuesday. Because obviously, everybody tells you don’t do it on Monday or Friday. So we’re doing a Tuesday. And it’s going from basically taking things from point solutions to cybersecurity as a service. We come in and talk to you. Where are you at? What are your needs? And we will provide a full suite of services to solve those problems.

Aaron  52:26

David  52:27
Yeah. Cut down on your confusion, cut down on kind of that anxiety that goes along with it. So that’s the point?

Aaron  52:35
Well, congrats to you, man. How can people get in touch with you?

David  52:40
So we’ve got a website, bamciscyber.com. It’ll look a lot different on the 19th, but as of today, as all of our contact information – and again, I tell folks, if you want to have a conversation, let’s just talk. Again, I am not a hard sell guy. Definitely relationship guy. Definitely want to make sure that people understand what they’re getting into, people understand the kind of the nature of what’s going on. So definitely give you an hour today to start a relationship and look at it long long-term with no expectations.

Aaron  53:13
Well, that’s fantastic. No, that’s awesome. And it’s definitely something worth taking a look at. Again, it’s a topic near and dear to my heart. Man, I’m grateful to you to spend some time with me on the show today. It’s been a blast. And again, best of luck next week on the 19th.

David  53:30
I appreciate that. I do want to put one thing out, which is we are a veteran-owned, obviously, from the conversation before, but we have veteran preference. So we actually have several veterans of our workforce right now. And actually, in this first quarter, we’re launching – we talked about the shortage of cybersecurity talent. We’re launching an apprenticeship program.

Aaron  53:56

David  53:56
And it does have a veteran’s preference. We do take all company, we’ll take all comers, but folks that are veterans and veterans spouses will have a preference in the rating system that we have. But ultimately, the idea is if somebody has a true passion and they want to get into cybersecurity and they see an opportunity there and they feel that that may be a fit for them, we would want to talk to them and look and see if they’re a good fit. And so it would be a six-to-nine-month, maybe a year, but the idea is get them a basic cybersecurity education with hands-on, with the tools, with the practices, the processes, and at the end, we have an option we could bring them on not as an apprentice, but as a full cybersecurity analyst. Or if they feel they’re not as matched for us, they would have the skills to go get an entry-level job or maybe even hire at another organization.

Aaron  54:47
Wow. Man, that’s terrific. Thanks for doing that.

David  54:52
Appreciate that. Because we believe in it. I think the skills match, right? So you know from your veteran experience, it’s to be able to have – it’s the planning that they teach us. It’s the sense of duty. I know when I got out, I was a little bit lost, because I felt I needed a mission. And I can tell you, service orientation and a mission orientation is big. And what I tell potential clients is, “Hey, let us be your next mission” or “we want you to be our next mission”, I guess that’s the right way to put it.

Aaron  55:32
Sure. No, that’s awesome. Well, man, thanks again. Appreciate it. It’s a lot of fun.

David  55:37
Yeah. Same here. Appreciate your time.

Aaron  55:39

AE Podcast

Never Miss an Episode!

Get episodes and other news delivered straight to your inbox!

You have Successfully Subscribed!