Learn more about Risk Crew at: www.riskcrew.com
Find Richard Hollis on LinkedIn here: https://www.linkedin.com/in/riskexpertrichardhollis/
JC: Welcome, everybody to another episode of the Future of Biz Tech. I’m your host, JC Granger, I have another fantastic guest with me on the show today. Listen, if you end up liking this episode, please show your love and appreciation by following this podcast, wherever you’re listening and you know, give it that five-star review, preferably with some nice comments in there, right? Because that is how techies like you and I find really cool podcasts like this. And today I had the absolute pleasure of interviewing Richard Hollis, who’s the founder and CEO of Risk Crew. Richard, thank you so much for being on the show. Tell the audience a little bit about yourself. And what does Risk Crew do?
Richard: Well, first of all, JC, thank you. Thank you for having me. Big fan of the podcast. Where do I start? So I’m a cybersecurity professional for over 25-30 years now, I’m a founder of a company called Risk Crew. We’re a sort of product-agnostic consultancy, located that has got a portfolio of cybersecurity risk management solutions. We were founded on the principle, JC, of the idea that cybersecurity is an oxymoron. There’s no such thing as a secure computer.
Richard: So what’s the game? The game is to identify, minimize and manage the threats to your risk appetite, the appetite that you have for doing business online. So we work with businesses to identify that risk appetite, how much could you lose in the event that you had a breach, define the strategy, and then work everything from their policies, their procedures, their strategies, and deliver things like code reviews of their critical applications, looking at the vendors, you know, the software, the hardware that they’re actually using for security vulnerabilities, duplicating how hackers would hack into their systems and giving them, you know, cost-effective ways to remediate those vulnerabilities. So it’s a process organization, we believe that cybersecurity is a process, in fact, not a product. And so we come to the angle that the cybersecurity industry is a little behind. Well, it’s always behind. But it’s probably just I love to talk about that. But that’s who I am. And that’s what we do. We’ve been in business for well over 10 years. And every year it gets bigger and bigger and bigger the cybersecurity threat landscape. So it’s a lot of fun, like an exciting time is a great time to be in my industry.
JC: Well, you know, the audience might understand this, too, based on what you said your company is. But we talked about before you’re kind of a unicorn for me right now. Because I typically interview C-level execs at like software companies, right like the product. And like you said your product is agnostic. Why I wanted to have you on specifically because, with the advent and not even having it, I would say just with the exponential increase of intelligence for AI, specifically. When I saw you come across my desk, so to speak, right, I thought I think we need to have a really big conversation about the thing that most people really aren’t thinking about. Right? And, you know, we talked about it, most people can’t wrap their heads around the concept of exponential, right? Because the brain really does have its limits, right when it starts imagining things. And so I want to hear your take on what kind of fears or hopes you have when it comes to how AI is going to affect cybersecurity. It’s a cat-and-mouse game, right? So you’re gonna have the bad actors using AI to try to, you know, fool a lot of systems on a very large scale. But we’ll also have the people using AI to try to catch them. So where do you see like, how do you see this playing out? And what are you seeing right now?
Richard: Okay, the best place to start there is to look at our past. Okay? New technology comes on the horizon. And the failure, our failure in cybersecurity has been to not understand the cybersecurity ramifications of new technology or new waves of technology as they come. So you know, the internet comes along, we forgot about security, security concepts, the idea of breaching systems, so suddenly Internet Security meant to the firewall and okay, then we go to WiFi, and then we go to the cloud. And then we go, you know, there’s always every three to five years, there’s a wave of technology comes. But here’s the problem. Cybersecurity is always a bolt-on to that technology. We do not build secure by design, nor do we consider it in any technology that comes on the horizon. So where I come from is a long history of “ah, we forgot security”. Technologies were cool with their increased productivity. It’s increased efficiency. But suddenly we forgot that that code, that code that that application runs on that software as a service runs, is insecure. And we lose data. And it’s so so we call it a bolt-on we have always been cybersecurity has always been a bolt-on to the technology industry. All right, so then, so this new, so suddenly AI, AI is probably a game changer. I felt that way in terms of the cybersecurity threat landscape when nation-states started to hack into our systems. There’s no way that small businesses or even large businesses could compete against a nation-state putting its resources into breaching your system. Alright, now suddenly, that kind of capability, you know, China, the NSA, in France, the UK of being able to look at a business and breach that system, that kind of and of power now is going to be available to any ying yang out there who can get his hands on a small AI. Alright, so AI comes along, and it changes the threat landscape considerably. It’ll be unrecognizable. It’s like, you know, you remember that?
What was it, Crocodile Dundee, where they’re walking across the park with his girlfriend and some guy comes out and pulls a knife and says, “Give me your wallet”. And he just smiles. And he said, and she says, what didn’t you? Well, if he’s got a knife, and he said, No, that’s not a knife. This is a knife and pulls out that here’s, yeah, that’s what AI is to the cybersecurity threat landscape, it dwarfs anything in terms of a threat. Now we are extremely vulnerable, JC, right now because we’re still playing catch up. We’re still playing catch up on you know, anti-malware that doesn’t work. Firewalls that let through traffic that they shouldn’t. So we have not, it’s not like we got a history of getting better. Cybersecurity to us has been a product. It’s been a product, we want to buy a product.
JC: We have a how-to then how do people, how do companies or nations protect themselves with a bolt-on because seeing a bolt-on might have been fine with the speed and the speed of which the bad actors could act, right? They could only come up with new code every so often to try to come up with something they can only implement to so many systems in one shot, it gives you time, you get hit once and you’re like, Ah, okay, that hurt. Let’s patch that right? And that speed would go back and forth. But with AI, it gives a bad actor the ability to hit you everywhere all the time without stopping while also changing the method in real-time. How on earth do we possibly work with that with a bolt-on strategy?
Richard: You’re right in, which is why I’m extremely visible about the future of cybersecurity when the present and the past have always been a step behind. So along comes something like you said that’s always on everywhere at all times. But in there is also the powerful and it’ll shrink the attack time because when a typical hacker was looking at a system to break in, there was a reconnaissance time, he had to understand what kind of firewall his business app, what kind of antivirus can I get this what and do some reconnaissance to understand the vulnerabilities and then exploit those vulnerabilities. An AI tool will just look at the products and come and automatically print out a list of the vulnerabilities known with that product and automatically apply a tool. So it’s like a hyper, it’s a leap into hyperspace, for the attack time itself. And here’s the thing, JC, this is not new, you and I are talking about it when real AI attacks were happening at least a year and a half two years ago. You know what we’re talking about now because of ChatGPT and Bard and these things that, you know, the consumers are talking about. Anybody working with AI and machine learning technology in us in cyberspace in a hacking space has had their tools set out and running for at least 18 months. So we’re a step behind yet again.
JC: Yeah, I think the scary thing that I was thinking about is, I kind of had this analogy in my head, I don’t know if you’ve watched a Game of Thrones, not sure if you’re Game of Thrones fan, but the dragon’s having the dragon egg was like this really prized thing because that dragon egg, although it’s small, and it can’t do anything right now. But if you keep that egg and it hatches, you have a dragon, it’s a baby one, but it’ll get bigger and bigger and bigger. And eventually, you have it. And what I see is that the problem with AI is that although the average person or even a hacker usually doesn’t have access to the most advanced hacking AI, they don’t need it, they just need the egg, right, they just need the base coding of a good AI system, because they will teach it and it will grow and will get better and smarter over time. And the problem is, eggs are really easy to come by now. And that’s the analogy that’s in my head. And that’s what kind of scares me is that even an average hacker doesn’t need to have the best system because there’s, there’s, it’s been hard for them to attain it right? Even in that world and that Blackhat world, you’re gonna have a lot of money, or you have to do the right people. And now you don’t need either one of those. Right? You’re gonna have a base foundation, a little bit of startup capital for your own server or cloud or whatnot. Right? And then just enough time to sit there and teach it things the way you mold it and then eventually within a few months you have a dragon like a big one. Right?
JC: And I think that is what kind of scares me about this because, you know, I think the only thing that might save us is if everyone can take everyone out right? It’s like a nuclear holocaust. Right? I think it becomes a what’s the term when no one fires nukes because everybody with.
Richard: Mutually Assured Destruction
JC: Yeah. Mutually Assured Destruction, right? Yeah. I think the only thing that might save us as a nation-state, for example, and companies is that if everyone had someone that could attack someone else and nobody does it because then everybody would do it and nobody wins, right? That’s the only thing that’s in my head. But that’s it’s very nihilistic. And I don’t like to be nihilistic. I want to be hopeful. So I guess my question to you is this, do you see the ability like, where do you see AI? As far as its ability to detect and defend against other AI? How are you guys at Risk Crew, or, or the industry in general, looking at AI had to harness it to be on your side?
Richard: We’re using it. Let’s go back to my analogy that we’re still behind. And we’re still behind in this AI. You’re right. There are dragon eggs out there. There are live dragons. And those dragons were programmed to, you know, not breathe fire, but you know, it’s, they’ll get worse with every generation. So you’re right. And remember, I said that we’re always a step behind, whether that’s technology or that the actors today. And we are programmed then to be reactive in our industry. All right. So it’s like they bring a knife, we bring up a gun, they bring a machine gun, we’ve got to bring a howitzer, uh, you know, we’ve got to it’s, it’s a natural escalation, you’re absolutely right to feel is a strategy of Mutually Assured Destruction, effective? And I tell you, it’s the only one that I know that works now. A, because one nation-states use it. You don’t attack a nation-state without getting and you know, what other industry uses it? You’ll be surprised to hear the online adult entertainment industry was, Oh, yes. Who has always embraced technology, and you want to, and there are a lot of people who don’t like what these people provide his content and for religious or moral purposes, and there are organized hacker groups that that take them out. But that’s a business that will turn around, identify where your attack is coming from, and take you off the face of the internet. All right, they get proactive, you know, US does that as a nation-state, Israel does that. You know, they are proactive, and they in fact, have a rep have a history of coming up with the best security products because they’re proactive in nature.
Richard: They gave us the, we used to talk about intrusion prevention, assorted intrusion detection, they came up with intrusion prevention, if somebody starts scanning your firewall, identify and shut that down. So we have to get proactive. You’re absolutely right. And the only history of success we’ve had is in those pockets that understand that the internet is a war zone, and you better come well armed or you’re going to be a casualty of war. And yes, nation-states get that. And on a nation-state level, nation, state, and nation-state, we will achieve mutually assured destruction, but not when it comes to cyber, cyber-criminal gangs against small to medium businesses and banks who are using AI as enrolling in the big guns. You’re absolutely right. Anybody can have a dragon. Now, in terms of the best defensive strategy that we recommend is proactive, let’s start making our own dragons here. And you know, at the end of the day, the internet is not governed. There’s no right, there’s no wrong, there are a couple of federal agencies that just chase pedophiles. But technically, you can launch a denial of service attack on an IP that’s doing reconnaissance of your business, and with no repercussions whatsoever. And all you know, there are no international treaties that allow us to extradite hackers or hacker groups, no, anything goes on the internet. So we are moving to if we’re not proactive, we will be a casualty. So that’s what I see as AI. I see that we need to start using it not just for defensive purposes, because we’ll always be a step ahead. But take the next step and be and be offensive in nature and start to kill these dragons in their eggs. Before they’re, you know, they’re hatched, and they wreak havoc on our businesses.
JC: That’s a good point. You know, given the exponential nature and where this is probably headed. Do you see what is still somewhat of a small cybersecurity industry? Do you see it exploding out of necessity? Do you see it staying small, and just consolidating with mergers? Where do you see cybersecurity as an industry going, knowing that this wave is coming?
Richard: Well, I don’t see the industry from the outside. I see it from the inside, I’m inside it and it seems pretty big here. And there are 20 leaders, there are 20 industry leaders out there with big names that own the predominantly the large part of the market. Okay. And you know, my concern is that the products these industry leaders put out are not fit for purpose. They’re not working and there’s they’re making a lot of money. So in terms of yes, there’s an explosion and but for me, I think there’s an explosion. I think the growth needs to be a nonproduct. A product vendor’s products right now are part of the problem. They’re not part of the solution. Products right now, cybersecurity products, are the most popular venue for hackers to come in because they’re trusted products that yeah, so and they’re not built any they’re not built securely, these big names, putting out firewalls and these things that we’re using in Sims, there, it’s not like they’ve been designed securely and have secure code, they have same vulnerabilities than any software as a service that GitHub or Salesforce or the anybody else is putting their information assets in. But they’re cybersecurity products, so they’re trusted, they’re trusted by name, which makes them even more overlooked. You know, we want to put in a firewall by so and so check a box and say, That’s it, we’re secure. And we overlook that anyway.
Richard: So my issue or where I see the most growth is needed, is in an AI strategy is in formulating a strategy to keep businesses inside the risk appetite, and keep them alive on the Warfield. And you know, but the products the things that we’re struggling with right now. Look at ransomware it’s the best idea. Ransomware is what it’s malware? Do you know anybody that doesn’t have anti-malware on their device? Do you know anybody and yet we don’t talk about it? Businesses are getting ransomware and they’re being put out of business? And nobody asks, Well, geez, you know, ransomware is malware, we got real running now where our malware is no good. That’s the problem.
Richard: People get ransomware because the malware is terrible. It malware is not it’s up, it’s running signatures that were designed 5, 10 years ago. So you know, seriously, it’s odd. That’s, that’s the greatest example, how we’re always late, you know, our hair’s on fire about ransomware. And we don’t even bring up the fact that hey, maybe we get maybe our malware is poor. And that’s why we’re getting this ransomware. Same idea, when I’m looking at is that we need to take it beyond product, we need to take it and AI is going to push us there because AI will make a product obsolete. As far as I’m concerned, there won’t be there won’t be a defendable network out there against an AI attack. So we got to start using gray matter. And we have to start using strategy. And I think the best thinkers out there in our industry are going to be an explosion in that. But until then, we’re going to see in the next six months, we’re going to see a wave of breaches. And you’re going to see product vendors shift and try to say, Okay, you just need our new AI-driven firewall and start to use AI in the title of their product, or AI, are our machine learning anti-malware solution. And they’re going to stretch and stretch and stretch that product is, you know, to point it toward the AI problem. But it will be as ineffective as it’s been against malware and denial of service attacks and all these other attacks that we’ve had over the last 20 years. So I’m not optimistic that our vendors are going to get smart because, JC, you know what they need, they need R&D time, you know, they come out with a new firewall, that’s because they did R&D for the last five years. And they’re going to make money on that firewall. So they’re going to keep it on the market for the next two years, even though it’s no longer fit for purpose of what but the attacks and the threats out there, you got to get a return on your investment.
So until there’s money to be made real money, ours, our vendors are going to take products and leave them on the market until they get a return on them.
JC: So with all that, then what is Risk Crew doing as a consultancy firm, to help your clients right? Like, you know, this is all doom and gloom, and it kind of should be a little bit but then the question is, you know, where’s the light at the end of that tunnel? You know, how is Risk Crew? What are you guys telling your clients? You know, like, well, how are you guys trying to help this massive problem?
Richard: Well, we’re trying to, you know, how, you know, if you’ve been in therapy, JC but you go to a therapist, and because you want to hear the truth, you want to lay out and say, Hey, I’m using this, I’m using that I’m still getting breached, alright, it’s more
JC: I’m more of a heavy bag with boxing, gloves, therapy, whatever, we’re, whatever you had very few problems I couldn’t solve in 15 minutes on a heavy bag. But I understand your analogy.
Richard: You gotta go to somebody to your priest, your therapist, your guru, your you know, your rabbi, you got to sit down. And you got to say, All right, you know, I can’t get my head around cybersecurity. So what Risk Crew does is start with the strategy. What are you trying to protect, while trying to protect what’s going to happen to you if you fail, and come up with a risk out, help you define your risk appetite for your business for us, that’s where one, how much it’s like going into Vegas, how much you’re going to put in your pocket before you walk out, you know, and you lose it and you realize I can’t lose any more than that. So we’ll help you define that risk appetite for your business. How much you could possibly and then we’re to you to identify all the threats that you’re looking at, in the way that you do business today that exceed that risk appetite, you know, a threat that would come in and put you out of business to give you that but that that risk appetite, you have to understand how much you can’t take to know how much you need to apply to that fight so and 99.9% of businesses don’t understand. It’s like that Clint Eastwood adage.
Richard: You know, a man’s got to know his limitations. Businesses don’t understand the limitations when it comes to cybersecurity. So I’d like to think that the first thing we do is give them strategy, give them, show them their limitations, this breach would put you out of business and say, that’s fine. If you want to accept that risk, then go on, and help them realize and stay within their risk appetite. By doing this, the basics, as I said, we preach the gospel of process over product, IT strategy, and every attack. Hackers have three attack vectors, people, processes, and technology. And but the whole industry is focused on technology buying that piece of technology that will secure your business and they neglect, and they neglect the other two proven attack vectors through people like social engineering, or process for interrupting business continuity and disaster recovery, things like this. So it’s, it’s just, that’s what we try to do is open up their vision and say, Listen, what about these other two attack vectors? What about your people? What about your processes, your business processes that are just as vulnerable to disruption or cybercrime? So that’s what we do. And we do them by knowledge transfer, we do them by, like I said, policy agnostic consulting, where we go in and do things like risk assessments and policies and, and education and awareness training, and then looking at products and doing security assessments of products to make sure they fit for purpose, and they work. And that there are no vulnerabilities in the code, doing code reviews and fixing that, and making sure that everything’s running as optimal. But the key thing I’d like to think is, is a strategy, showing a business, what they can’t take, and just saying, if that’s it, then fine. Welcome to welcome to the club. Welcome to Vegas, you know, but you know, it just takes one bad roll, and you could lose it all. And as long as you know that, then we feel our job is done.
But to go back to your first question, the future doesn’t look bright. There’s a big storm cloud on the horizon called AI. And I’m not particularly pantheist about the future because of the past and the present. So I’m, I am looking for a new voice. I’m looking for the next generation who’s going to come up and start to address and look at cybersecurity as a process, not a product I’m hoping that for us a company like Risk Crew is the answer or is the best foot forward toward AI-driven attack.
JC: You don’t do you see, you know, like how Apple with their iPhone, started taking some things more native built into the device? So for example, up to read a QR code in the past, you had to download an app that could read QR codes, and then that app, you would open it up, QR code will go to something which didn’t take very well, because most people don’t want to have an app on their phone just to do a thing. And they want to open an app. And I was thinking myself, I’m like, Why doesn’t Apple just make this native to the camera? And eventually, they did. And so what I’m curious is, you know, you talk about how the cybersecurity industry like the product part of the industry is, there are their steps behind and even, and they’re going to keep products on the industry to get their ROI. Do you see a possibility of a Blockbuster Entertainment moment? And by that what I mean is, Blockbuster should have been Netflix, right? They had all the material, all the rights, they saw that the cloud existed, if they could have been Netflix, and they didn’t they didn’t they weren’t and then they fought it and then they died. And I’m wondering, do you see a possibility of cybersecurity products being an industry that dies because the platform, not platforms but device manufacturers start integrating like what you said an AI, but that involves the entire everything in that device and all the files in it, right? So for example, what if Apple launched an AI that was native to the iPhone, anything within the boundaries of that phone? It covered all of it and in real-time, right as in, it was an egg. It was a dragon egg that sat there and got smarter and smarter. So this way in real-time, if it sees certain things coming through it not only knows how to defend it but learns from that one in case it doesn’t. 
And it gets to take the collective knowledge of all the phones and everything right like do you see I guess, manufacturers or product or device companies may be overtaking cybersecurity product companies the way that Netflix overtook Blockbuster?
Richard: That’s a great JC that’s a really good analogy and be a recommendation in terms of going forward. I love the way that you said I saw this barcode but then eventually they did. And when you said that I said yeah. Eventually, when they made their money off the first iPhone, you know the next incarnation and the next incarnation comes, you know what I’ve come to see my industry, you know the least say about the pharmaceutical industry. He, you know, makes a lot of money off of treating the symptoms
JC: There’s not a lot of money in the cure. There’s very little money in Cure.
Richard: Exactly! If there was, if you could take a pill and never take a common cut, you have a cold again. And so there is so much money on treating the symptoms of cybersecurity problems. All right, and this is where the only thing that’s going to get a vendor to change his way is that he’s going to make money on it. So you’re right. But you also mentioned a big player, if Apple moves in and suddenly gives us an AI smart, defensive machine that we’re using, first of all, that’s going to come way down the line after you and I and many, many businesses have, you know, if anybody’s still standing, great, we can have apples, but the problem there is, they’re all going to be proprietary. Because if you’re you know, then you’ve got Apple over here, you got Microsoft over here.
JC: Well, who’s gonna care? I mean, why? I mean, I guess my point is, if they listen, they’ve always been a black box, right? And that’s fine. If you’re the user, right? And that’s just phones. What about, what about laptops? Right? I guess my point is that if they were to start with phones, right, and then they say, and people say, Well, what’s proprietary, we can’t see it, okay? I don’t, I’m a consumer, I don’t need to see it, I just need to buy the product. So I know it’s safe. It’s providing that it is, know what I’m saying you’ve got a great yeah, and, and they don’t need to make the money like McAfee or Norton Antivirus has to because those are products, they only make the money on that. They don’t, they probably wouldn’t mind investing the money because then more people just buy their devices, they make the money on the devices on the cloud subscriptions, and things like that. Sometimes it takes an industry that actually doesn’t care, like doesn’t really, I should say, on the full profits, it can be a loss leader for them if they’re making up for people buying their devices, and subscribing to their cloud subscriptions, things like that. So that’s why when I say Apple, I mean, Google could be part of that as well, you know, or Samsung, for example, right? That’s why I think they’re most likely to come in because they don’t actually rely on the revenue from a standard subscription model, that the cybersecurity companies that are keeping products out there on purpose to make their money back because they’re not innovating as fast. Apple would have every reason to innovate every single day because more people will keep buying their devices and their cloud stuff.
Richard: You’re absolutely right, from an end-user perspective, you know, a B to C environment, that would be a huge leap forward. The problem in a business or b2b environment is not everybody has an Apple, you know, an iPhone, this or you know, shares the same technology. So businesses will invest in one technology. So the business would have to invest in Apple, and give them all to their users, which, okay, that.
JC: Well it would not take a long time. But that was IBM’s strategy. Remember, that’s how they got through on the enterprise level, b2b, and corporate side, convincing companies to completely transition over to their, to their systems. And I mean, Apple, although will take a while. I mean, their position very well to do the same thing. If they wanted to do that they could knock out IBM and Microsoft within five years, if they started today, in my opinion.
Richard: If they move it correctly. Also, it could be a BlackBerry in my industry, BlackBerry was a no, no. And I had a BlackBerry and I loved the BlackBerry and, you know, encrypted calls you did me why? Yeah. But but but there’s, so it’s got to be a smart move. It’s got to be by three or four major players. And that’s a move that would absolutely protect the end consumer users, you and I, my mother, and my father, my sister, my brother, that would make us in a safer place. Yes. But I go back to this, but first of all, remember, we talked about nation states? And if you think Apple is free from the nation-state, you know, intrusions. Yeah, so suddenly, then nation-states own the cybersecurity landscape, which is, I guess, you know, keeps out the riffraff and only keeps the professionals from getting into our devices. Okay, fine, it would, it would eliminate a big problem. But businesses are so much they have so much hybrid technology, you know, so many different types of hardware and software, and software as a service. And so many people from so many locations using different, you know, hard, we have moved technology has moved us, you know, from to such a hybrid use of technology that I don’t see a universal, you know, even if it was Apple, even if it was Microsoft, I don’t see a universal adaptation that would take us out of harm’s way.
JC: There shouldn’t be, you don’t want to have you can’t have our eggs in one basket either way, but I do see maybe two to three players tops reaching that point, you think Apple has a company worth that is higher than about 90% of most country’s GDP. So if any company didn’t have the resources on that level to combat nation-states, it’s Apple, right? And that’s why I just think, you know, I could see an IBM, Apple, Microsoft, you know, competing, maybe Google in their kind of thing, but I just, I’m just curious. I wonder if this becomes the Netflix blockbuster thing where like, yeah, Blockbuster should have been Netflix. And you know, Norton Antivirus should end up being the thing, but I don’t think they will. I think their business model the way you’re explaining is going to die and not a slow death. I think it’s going to die at a very exponential AI death, unfortunately.
Richard: I’m not wishing for that. Because I think here’s the problem. I think that the time it’ll take for the product cybersecurity industry to go down will be faster than it will take anyone else to pick up the slack, including Apple or anyone else there, even if they switch to this real-time device AI prevention model, which I think is a cool idea. Right? I’m biased because I just had the idea. But even if that were to happen, that would take longer to implement. We’d have a massive gap, I think in the middle. And I think that is very scary. From even just the consumer side, people think that you know, that nation-states are targeting the governments in the US and they used to, but now they’re realizing they can cause more havoc by going after 1000 private companies, you know, what happens if you take WordPress, for example, is the most attacked? system on the planet, right? Because it’s open source. So that which is good and bad, right? And now most companies have their website on WordPress. Also, usually, the bigger companies have things in there to help protect it, right? They’re not easy targets. I mean, if anyone really, really wants to get to you, if they target you specifically, they could probably get in at some point. But that’s not it’s kind of how muggers, work muggers don’t go attack a guy who looks like he plays or that fights for the UFC, they’re gonna attack someone who looks like they can’t really defend themselves, right? It’s an it’s a cognitive opportunity. And that is like 90% of most attacks. So when you start seeing a nation-state, a bad actor, a nation-state, they can go out to the government. But that’s not the easy target.
Richard: You know what is easy to target? The 10 million small businesses in America that are all working off of a WordPress site with the same login URL, the forward slash admin with the same username for admin, you know, whatever. And then all they got to do that’s three, that’s two out of three parts down right there, you put an AI in there just to run through standard passwords, you could hit fight with, you could hit 400,000 small businesses and take the websites down tomorrow. That is massive. And they’re all easy targets and AI makes it to where you don’t have to put in the labor for it, right? You don’t have to take time or labor, you just have your dragon egg that goes in there and starts wreaking havoc and blowing fire all over the landscape. And that’s just that’s the thing that keeps me up at night because I’m a tech nerd, right? Like, that’s the stuff I think about.
Richard: Watch it, that’s the hoo-ha behind Instagram in China. Did you know, Wired Magazine did a great piece about a year and a half ago that they noticed that China was quietly buying up? And within two years, they bought 37% of the encrypted VPN market. So almost 40% of the VPNs out there in use by companies are in fact, Chinese-owned, Chinese national-owned, that is.
JC: That’s diabolical. It is that like white furry cat genius, right? Dr. Evil style.
Richard: And these are big names. And the other thing I wanted to remind you as JC is, is our vendors, you know the names that you mentioned, the big guys, the leaders, the people we’re supposed to look up to, for in these dark times of AI clouds forming on the horizon. They don’t know what to do. Look at, take, you know, the top 20 cybersecurity vendors, all of them, all of them have been hacked in the last 12 months. So they don’t know any deep dark secrets. And I’m assuming they’re using their own product. But every single one of these big guys has been hacked. And they’re struggling with the same problems we are, you know, we and we get we follow them like they’re shepherds, but they’re just as lost as we are. They’re just sheep just like us. And we go to them for answers. And we buy stuff and they’re getting their systems are getting hacked, just like us. So I don’t look to them for sighted AI leadership? Well, of course, they are. But that’s what we tell our vendors who are our current customers, we’re about to make a big expenditure, we say stop, go to Google, type in that vendor and see if they’ve been hacked in the last 12 months, then pick up the phone call your sales rep and say excuse me, don’t you use your own product, the board I’m about to buy and make a huge six-figure investment and because either it doesn’t work, or is this something you’re not telling me. But this is absent this kind of accountability, this kind of connecting the dots in our industry. And anyway, my point is, I don’t expect I don’t expect any of the big cybersecurity names to be leaders in AI security, because they got two minutes and investment in the present and the past. But then like you said the most, the most optimistic view would be that the top five to 10 technology leaders like Apple and Google get in the game and proactively start protecting end consumers you know, which would be better than nothing but doesn’t leave us free of nation state.
And the Instagram thing still doesn’t sink in on us that we don’t understand what’s at stake, how valuable our data is. And you know, shame on us because at the end of the day, JC you know what the frustration you hear in my voice is that I’ve been doing this for my whole lifetime, my whole professional life. And I go to a business and they don’t. And they see it as protecting ones and zeros. You know, this cybersecurity is about protecting computer data. That’s ones and zeros. No, this is data about people’s lives. This is data about someone’s mother and father, your kids, your blood type, your, you know, your race, your religion, your it is very sensitive data to us. And yet we don’t give it two thoughts. It’s just ones and zeros when it’s online. And the sad fact is, in the last, I think, seven years, we have lost over 21 billion personnel records. That’s almost three times the number of people walking on the planet walking around on the face of this planet. It’s how can we lose more than that? And yet we do look at these breaches. Yahoo. 3 billion, Yahoo still got 3 billion users. Good. Good for them. Billion records? Not us. Yeah, three, good point. Good point. But these breaches are staggering. And it’s all it’s a poor reflection, that we’re not getting the job done. And, you know, the leaders that we look to to get the job done, are struggling with it ourselves. I’m, I’m not optimistic. And I don’t want to leave you on a pessimistic note. And I think you’re right to think this is going to take some leadership, somebody’s got to step up and point the way. But until then, we’re in for a rough ride.
JC: Yeah, you know, this is one of those topics I could talk for hours about we don’t have hours. So I’m gonna wrap it up here with us here. And you know, normally for the audience, I, I always ask that question, you know, for being The Future of Biz Tech, but this entire conversation was the future, right? Everything about what we talked about was looking at the future of this. Listen, I’m so glad you were able to come on. And for anyone else listening out there. Again, if you liked what you heard today, be sure to subscribe to this podcast, and give it a five-star rating, preferably with some of those cool comments behind it. So other techies like us can find it and enjoy learning about all the amazing and helpful b2b software and consultancies, like Richard’s out there. Richard, where can people find you specifically if they want to reach out? And then also, where can they find Risk Crew if they want to sit down and have a real sober conversation about ways that they can help themselves?
Richard: Well, I’m on LinkedIn, and you know, when I want to be found, that’s where they find me. Otherwise, take a look at Risk Crew, it’s just riskcrew.com, all one word. And you get an idea. Also, there’s a lot of what we’ve been talking about. We do a lot of, you know, white papers and things that positioning and strategy and things to think about when you’re putting together a security strategy for your business. So it’s all there. And it’s all along the lines of what we’ve been talking tonight. JC, thanks. I really enjoyed it. Thanks again for the opportunity. Love your podcast. Keep up the good work. Keep up the fight.