75. Governance, Frameworks & Compliance: Your Business Survival Guide
Justin Shelley (00:00)
to episode 75 of Unhacked. We are here to help business owners understand cybersecurity, know their risks and protect themselves against it because, Mario, have you ever heard of a company getting hit with a breach of some sort and then going out of business?
Mario Zaki (00:16)
A couple of times. Yeah, actually I have. If you.
Justin Shelley (00:19)
I've, ⁓ I've heard the stories I've seen like near misses people that get hit and barely barely get through it. ⁓ no matter what it's, it's a devastating near end. ⁓ and that's what we want to avoid. So
Justin Shelley (00:33)
that's why we do this, Mario. let's do some quick introductions. I'm Justin Shelley, CEO of Phoenix IT advisors. And you know, my passion is really helping people use technology to build their business and to make money. that said, once we have anything worth,
having somebody tries to take it away from us. So, ⁓ unfortunately, nicely tied to that is we have to help people protect their assets from, you know, the likes of the Russian hackers. you know, Uncle Sam, because he's going to come in and want a piece of it through government fines and penalties. And then the lawyers, can't leave them out because they want their two cents, ⁓ usually a little bit more than two cents, because they're going to come and sue you if you fuck it up. Pardon my French, but like guys, this is what we're dealing with. It's it's a version of a war and we're here to help you through it.
Justin Shelley (01:17)
And as always, I am here with my two loyal co-hosts. ⁓ well, one loyal co-host today, Mario, tell everybody who you are, what you do
and who you do it for.
Mario Zaki (01:28)
Yeah, Mario Zaki, CEO of Mastic IT located in New Jersey, right outside of Manhattan. We work with small to medium sized businesses to keep them secure and give the ability for the business owner to sleep better at night knowing that their company will be there the next morning.
Justin Shelley (01:49)
I love it. And it's not a given. Unfortunately, we've said it before. We'll say it again. You go to bed at night. You hope everything's in place when you wake up, but it may not be. All right. So with that, Mario, we're going to talk today and actually we're going to kind of introduce a mini series over the next 10, 12 plus episodes. ⁓ know, we used to talk about it more than we have recently been. I want to kind of get back to our roots. We talked a lot about a free assessment, right? Do you still offer a free assessment?
Mario Zaki (02:18)
Of course, yes.
Justin Shelley (02:19)
Okay.
So, I want to talk, you know, and it's on our website. You can Google it, you know, you can ChatGPT this stuff. But I really want to kind of deep dive and talk about what it is that we need to be looking for as business owners. We're going to try to keep this out of the weeds as far as not being too technical, but here's the truth. It is technical. So as a business owner, you need to know enough to keep your business safe and to know that if you're not doing this yourself and you shouldn't be because you got another.
Mario Zaki (02:26)
Okay.
Justin Shelley (02:48)
enough other things to do. But you have to know enough to know that the ones you're writing a check to are keeping you protected. So that's what we're going to dig into today. And we're going to start with ⁓ God, I hope that just reading this doesn't put people to sleep, but we're going to talk about governance, frameworks, and compliance. And I think we just lost most of the audience right there. So doing our best. I know me too. We're going to do our best to keep this ⁓
Mario Zaki (02:53)
You almost lost me.
Justin Shelley (03:18)
light, not too technical. I don't know, we're going to do our best, but guys, this is important. And, you know, spoiler alert, if you're a business owner listening to this, I'm going to tell you right now, what we're going to do today is put you in the hot seat because what will never get you out of trouble is saying, I didn't know that's not going to help you not get breached. It's not going to help you not get government fines and penalties. And it sure as hell isn't going to keep you from getting sued. So let's, let's kind of jump into this.
Take an example. This is hypothetical, but it is very realistic. This is something that absolutely could happen. We're going to take a fictitious, let's call it a manufacturing company, maybe 60 employees, and they get hit with ransomware. All right. ⁓
Justin Shelley (04:04)
Mario, do you, let's see, don't, I don't know that you, want to bring it back to something more real world. You don't have any, real dealings with ransomware recently. you
Mario Zaki (04:16)
No, not recently.
Justin Shelley (04:17)
Now,
okay.
Mario Zaki (04:19)
You know knock on wood nobody that we manage but Somebody that we are currently talking to That got recently hit ⁓ But it was and it seems like they're going to recover because you know luckily for them that a lot of the stuff that they had is you know was stored elsewhere with the
I almost want to say ignorance of somebody else, know, of like their previous IT person. That person, ⁓ you know, was working on migrating their server to another, from an old server to a new server. And in the process, he actually created a, like a batch file to copy over stuff to the old server while he does it.
And luckily, it was never discovered by their existing IT company. So they ended up recovering some of the stuff that they needed. ⁓ But they weren't completely in the clear. They got some, but not completely in the clear.
Justin Shelley (05:31)
Yeah.
Okay. Um, you know, I, I know of, I know of a couple that I've seen, or at least know the people who have dealt with it directly. And I'll tell you, it's, it's very common for recommendations to have been given previous to it that were ignored, you know, and if we go to this fictitious company, you know, they got a ransomware attack. Um, and you know, when, when you start backing up,
you look at the fact that IT had recommended MFA, multi-factor authentication, and
six months earlier, leadership said, ⁓ we'll do it next quarter. We're slammed productions. You know, we're, we're backed up on production. We can't do it right now. ⁓ well that was six months ago and they said next quarter, ⁓ you know, like it's just, if we don't address things when they're brought to our attention, there may not be a tomorrow to go ahead and put this into place either because it happens before we can act or because we simply forget or fail to take action. You know, so
Mario Zaki (06:26)
Okay.
Justin Shelley (06:43)
Let's, say this company gets shut down for four days. we can estimate $180,000 in lost revenue. we've, we've played this game before where we talked about the amount of loss. You've got revenue loss, direct costs, right? The direct impact financially, but then you have a lot of other indirect costs that, go into these. ⁓ so it, it,
Mario Zaki (07:04)
Now one thing
I want to interrupt you for a second because I know a lot of our listeners are going to hear what you just said and like, oh, okay, we're in the clear. We have 2FA enabled on our 365. Right? It doesn't stop there. That's the beginning layer because that's what's open to the public. But MFA, two factor authentication is done on multiple levels. You you can, you have to do it on certain websites.
Justin Shelley (07:08)
Yeah.
Mario Zaki (07:34)
Banking when you're when you have people working remotely You know to VPN into your network That has to have an MFA as well ⁓ Getting into your server. You should have MFA, you know, like it would be only given to IT and maybe owners However, but we go as far as even putting MFA on workstations themselves as well
It's not just 365. So don't think that, yeah, we enabled Microsoft 365 MFA. We're good. This does not apply to me. It still applies. It just one system has it. Okay, you don't stop there.
Justin Shelley (08:19)
And you just nailed it, Mario, because I'm a business owner. I'm sitting here listening to you and my eyes rolled to the back of my head. And I'm like, holy hell, that sounds, A, like a lot of work and inconvenience and, B, like money. Right. I don't want to deal with that right now. All right. We're going to do it later, but you're my IT guy and I still expect you to protect me and keep me safe. So when I get hit with ransomware, I'm coming to you, Mario. And I'm saying, Mario, you're my IT company. I'm paying you. Why didn't you stop this? Like that is what happens. And then.
Mario Zaki (08:35)
Yeah.
Justin Shelley (08:49)
Hopefully Mario, you can go back and say, well, let's look at this document that you signed where you said you did not want to take this recommendation. And unfortunately that is what it comes down to is right. We almost have to have in the medical world, they call it AMA, right? You have to sign an AMA
Mario Zaki (09:03)
Mm.
Justin Shelley (09:04)
form, against medical advice. I've had to do that before, by the way.
Mario Zaki (09:07)
Well,
I actually will tell you this and I actually so I don't know if you know I coach a couple, know smaller IT companies, you know, they're spread throughout the country and They asked me something about you know, the client of service letter to you know that they could send to some of their clients What the first thing I told them to do, you know after I provided them the information is
Justin Shelley (09:17)
Mm-hmm.
Mario Zaki (09:34)
Do not put the part on there for them to sign. They will never sign it because they feel like if they sign it they're acknowledging it. Okay, they will never sign it. They will read it and it's, I'm not signing this, you know, so they think that it didn't happen because they didn't sign it. So smart MSPs, and I'm not trying to be sneaky with this
Justin Shelley (09:40)
Good point.
Yeah.
Mario Zaki (09:59)
It's a notice, not necessarily something you're gonna acknowledge. So don't think, I would never sign something like that. We don't really have any customers that decline stuff like this because they do go by our recommendation, but it does happen. We don't have them sign anything because nobody has ever signed it.
Justin Shelley (10:03)
That's a good point.
And I'll, I'll, I'll give
you a, an additional, a different way to go about that, where you, if you want to get their attention for reals and don't need them to actually sign off on it, just send a hard copy certified mail. And you don't even have to do that. An email alone is enough. We learned that on an episode. I, we're coming up on two years ago. You know, if there is an email, if this goes to discovery in the legal system and there's an email where a recommendation was made.
Mario Zaki (10:27)
Mm. Okay.
Justin Shelley (10:48)
and no action was taken. That's bad. That's, that's enough to demonstrate, ⁓ negligence,
Mario Zaki (10:56)
Yeah. Okay.
Justin Shelley (10:56)
you know, and it gets ugly. So again, what we're talking about here is as a business owner, myself, Justin Shelley, and I'm talking about me, I run a business. I'm responsible for this stuff. I don't love it. I don't love it, Mario. don't, I didn't get into it because I love cybersecurity. didn't get here because I like fighting Russian hackers. I don't love that, but
here we are and it's my job. And now not only is it my job to protect my company, I find
myself in the position where I have to protect everybody else that does business with me. And by extension, their clients, I mean, this is a, it's a huge responsibility. So, ⁓ we just, you know, the point of today, if there's nothing else, I'm gonna, I'm gonna cut straight to lessons learned or key takeaways is like, just take ownership of this. You know, we have a lot to do as, business owners, as CEOs, but this is one.
It cannot be ignored. So now that we've established that whose fault it is when the proverbial shit hits the fan, let's talk about how we can gauge risk because that's what it comes down to. There's no perfect system. There's no guarantee. There's no absolute in this world. And even if there were, it changes on almost a daily basis. So, Mario, you've heard, cause we've talked about it on the show before, about frameworks.
Mario Zaki (11:49)
Yeah.
Justin Shelley (12:16)
But I want to back up because you've got the
legal frameworks that generally apply to a specific industry. Healthcare has HIPAA. Manufacturing, if you're working with the Department of Defense, has CMMC. You know, there's different frameworks that apply to different industries. But what if you find yourself in an industry that is not regulated? What then? What are your thoughts on that?
If you find something that, if you're in an industry that's not regulated, like for example construction,
construction unless you're working with a Department of Defense, you're not really regulated. So what you want to do is take one of the frameworks and we've discussed a couple on here before, CIS, what was the other one?
Justin Shelley (13:06)
⁓ I mean, this is kind of the baseline that everybody pulls from.
Mario Zaki (13:07)
I forgot the name. NIST, yeah, yeah. Yeah,
yeah. So what you do is you follow something that is kind of a, the pretty much the big things out of everybody, know, MFA, backup, know, stuff like that, encryptions on laptops and stuff like that. So you wanna kind of have a... ⁓
A little bit of everything. You want to still put yourself as the business owner in your company. You want to still put yourself under some sort of guidelines. You know, some best practices, you know, if you want to call it like that. Right. You don't have to say I follow something. You can just say I follow best practices. Yeah.
Justin Shelley (13:47)
Yeah.
As long as you can articulate them, you know, and,
that's, think is the key point. ⁓ almost all of these have a significant amount of overlap. There's, there's some nuances in the different industries, but security kind of is security, right? You've, you've got the baseline and that's what we're here talking about. before I really got involved in, in compliance and frameworks and stuff like that, ⁓ we just called it our own internal standard.
Justin Shelley (14:22)
And we standardized, you know, I went to flight school aviation school years and years ago. And over and over there, we just had these standardization classes. You had checklists, you had, know, everything was done the same way every time. And that's how they prevented accidents. It's still what they do in the aviation world where lives are on the line and the amount of risk that has been reduced, the amount of deaths that have been reduced because of that is phenomenal. And so, you know, this, there's a lesson to be learned there.
Justin Shelley (14:52)
Now the question is, what checklist are we following? What standard are we following? And, you know,
absent of any government mandated one, I mean, have your own if nothing else. And, you know, you can ChatGPT this stuff these days. And I think there's, you know, how we do it internally, absent of an industry specific framework that's required, we do have an internal baseline. And that's, you know,
Mario Zaki (14:58)
Yeah. you
Justin Shelley (15:21)
we're going to go through that over the next quarter. And, but it all could be mapped back to these other frameworks as well. I mean, it's all there. So yeah, you've mentioned CIS, NIST. ⁓ You've got, let's not do that because each and each of those has, you know, anywhere from dozens to hundreds of controls that need to be put into place. But here's what I want to say. These are decision frameworks.
Mario Zaki (15:36)
Okay. you
Justin Shelley (15:47)
What these what these give us is a way to measure risk and a way to make decisions. I will say that not all of them can be applied all at once. Absolutely not possible. ⁓ But what we can do is just do the general assessment and create kind of like a roadmap. ⁓
Mario Zaki (16:07)
And if I could add to the majority of these is there's no cost to it. know, you know, enabling MFA on Microsoft 365, it's built in. You just have to enable it. You have to install the app.
Justin Shelley (16:15)
Correct.
Mario Zaki (16:25)
on your phone, click the little screenshot or picture of a QR code, bada bing bada boom. know, a lot of it is not going to cost you much. Yes, some later on, certain backups, certain retentions and stuff like that will, but that's also, you know, something that it's also putting in place, not just from the bad guys, not preventing you from the bad guys. I mean, we spent ⁓
a couple days ago last week working with a company that the owner mistakenly moved one folder from like their SharePoint site from one folder he dragged it all the way to another folder and It was missing so we act and and they didn't even realize that for months So we were able to go back and see what happened to that folder and stuff like that through backups. So it was just for
I don't even want to say negligence, just human error. So having some things in place will not only protect you from the hackers, but it will also protect you from mistakes and stuff like that. Mm-hmm.
Justin Shelley (17:25)
Yeah.
Absolutely. ⁓ Yeah. There's a lot of different ways these things come about, you know, the, the problems come into being, but ⁓ what we want is that roadmap to know how to, how to protect against it. Right. And,
really to define. So, you know, in, truth, we all accept risk in life and in business. Every time I get in my car, I accept the fact that that's risky. You know, it isn't, ⁓ that is not a safe thing that we do.
Mario Zaki (17:57)
Yeah.
Justin Shelley (18:01)
every single day of our lives. In the world of business, we have a huge amount of risk that we're managing all the time from competitors from, you know, like vendors, everything we do employees. Yeah, there's there's all kinds of risk. ⁓
Mario Zaki (18:12)
Employees.
Justin Shelley (18:17)
And what we have to do most importantly is just to be aware of it. And, and then, you know, pick your framework, and I'm not going to get into which framework because we're going to kind of standardize that through this series.
but what you have is a roadmap of what ideal looks like compared with where you're at right now. And then you make decisions. And that's really what this is all about is giving the power for business owners to make the right decisions, to accept their level of risk. Because listen, some businesses, risk is not acceptable at all. They have to mitigate it as much as possible. ⁓ and some businesses just say, you know what? I don't care.
You've got a guy in his eighties, you know, he doesn't care. He's got his money put away somewhere. If his business goes to shit, whatever.
Mario Zaki (19:10)
I actually was servicing a client. This is a long time ago when I was like
just working out of the house, I was working with the doctor's office, not too big. You know, they were probably like seven users, know, seven computers altogether. And I told the office manager and I told the doctor, I'm like, you don't have, you know, the proper things in place. And it's not because I didn't do them is because we need to go to like a managed services approach.
You we have to have better backups. We need to do this. We need to do this. ⁓ You know, computers, you know, you have some computers here that are like 15 years old. We need to replace them. ⁓ Here is the, you know, what could happen. And you know what the doctor said? The doctor said, he's like, you know what, Mario? I am, I what he said. was like, I'm like 69 years old. He's like, I'm planning on probably working for another year or two.
If I sell, you know, and I don't think I'm going to sell the company, I'm just going to retire. Because for some reason, doctors don't sell the companies, they just retire. ⁓ He's like, if that day comes earlier than what I'm planning, okay. I don't care. I'm set. And the office manager just looked at him like, you know, she gave him this look like, well, what about us?
Justin Shelley (20:21)
Yeah.
Mario Zaki (20:42)
You know, like what's going to happen to your employees? And he didn't give a shit. You know, he said, I'm not spending an extra dollar because I don't have to. If I have to retire early, I'll retire early. And, you know, shortly after that, I said, I don't want the risk, you know, ⁓ here's a referral to an American guy that that's willing to do it.
Justin Shelley (21:05)
Right. Yeah. Give the, we'll pass that onto somebody else. But I mean, honestly,
Mario, it's a good point because everybody has a different tolerance to risk. And so I, I won't sit here and judge him. ⁓ I I'm not going to say I agree, but what I will say is if, if somebody knows what their situation is, knows what the risks are and makes a conscious decision to stay at a certain level, great. You know, at least it's a decision.
Justin Shelley (21:34)
The danger is when you don't know your risk, you think you're protected and then things go sideways. So that's what this assessment is all about is just knowing what your risks are and then making intelligent business decisions. That is the biggest benefit to a business owner from this assessment that we keep talking about. You can make intelligent decisions based on your risk tolerance. Fair? Does that sound right?
Mario Zaki (21:48)
Yeah. Yeah.
It's very right. you know, I know that this is story time either, but like last week, I sat with two different companies, know, separate companies. ⁓ one of them knew that they didn't have security in place because, and the reason they knew that is because they didn't, they don't pay anybody to do it. You know, they don't have an IT person, but they have been in business for a very long time and they've been kind of, they're one of those companies that feel like, okay, well,
I have, you know, my main stuff is on a website somewhere. and I don't care about anything else, but when you, you know, when you actually did, when I, did do this assessment, we told them like, it doesn't matter that your website or sorry, that your database or CRM or whatever you're logging into, ⁓ is on a different platform than in-house. You know, your computers don't have an antivirus. Your.
Some of your computers are outdated. You know, there's computers that have so much data sitting on, like financial data sitting right on the desktop. Like where's your backup? Where's your security? Where's your, you know, and I swear to you when I tell you every single computer had the password written on a sticky note and it was taped to the bottom of each monitor.
Justin Shelley (23:24)
Yeah.
Mario Zaki (23:24)
You
know, and the reason I know this is because we're running the assessment and I'm like, okay, can you log me in on this computer? He logged me in on to the first one, then I'm like, okay, can we do this one? He's like, you don't need me. He's like, all the passwords are written there. He knew what was happening and I'm like, well, that's not smart. He's like, I know, I know, you know, like they
Justin Shelley (23:43)
I'm going
to argue it is a level of security because at least it was on the bottom because I walked into a health clinic to be treated by the way this wasn't a prospect. The password was taped to the front of the monitor and it was left logged in with a different patient's records showing.
Mario Zaki (23:55)
Yeah. So.
Yeah. yeah, that I've seen all the time. I've been in there. I've been in there where they've left it open. And, you know, I didn't...
Justin Shelley (24:03)
Great. Great. Yeah.
But with the password taped to the front
of the monitor in the doctor's office, I guess it's already logged in. Fair enough. Fair enough. So, God, I mean, listen, I'm going to bring it back to, you know, when, when we talk about compliance, well, then we have to say complying with what usually it's a published framework. And if not, then it's a, an internal set of standards. All these things are okay. But the point of this is.
Mario Zaki (24:13)
Well it doesn't even matter what the password is if they're gonna leave the computer unlocked the whole time, you know?
and
Justin Shelley (24:39)
It's not just about the paperwork, which it is, it is paperwork, but the real benefit to doing this, to going through this exercise is risk management. mean, compliance, honestly, Mario is yesterday's breach lessons written down. Bad
Mario Zaki (24:55)
Mm-hmm.
Justin Shelley (24:56)
shit happened. Here's what we learned. Here's how to make it not happen again. That is compliance in a nutshell.
Mario Zaki (25:03)
Yeah, that's a very good way of putting it. Okay.
Justin Shelley (25:06)
So now we've got, you
know, we've got our, uh, our gap, we'll call it, right. The difference between where we are and where we want to be or where we've decided to be given the risk that we're going to accept. Next step. You know, we, I learned this again from, uh, our little episode with, I'm going to forget his name. The insurance guy, Joe Brunson. Yeah. Um, POA&Ms. I've fallen in love with this term since that.
Mario Zaki (25:28)
Joe Brunson. Okay.
Justin Shelley (25:35)
Because that was, you know, the attorney he talked to, that was the get out of jail free card plan of action with milestones. So you've got a risk, you know about it. You, you have a plan to address it. And then you have timestamps on it. Like it's going to ha this is going to happen by this day. This is going to happen. So go back to our fictitious company that we created the manufacturing firm of 60 employees who got ransomware six months ago. They, they put off MFA. Clearly they didn't have a written plan that they were following.
Mario Zaki (25:57)
you you
Justin Shelley (26:04)
milestones because if they had said we're going to do this next quarter, that's fine. Put on the calendar and do it, right? Don't just just punt it down the field and walk away. That was the problem that they made, you know, the mistake that they made. So ⁓ any thoughts on that
POA&Ms or roadmaps or whatever you want to call them.
Mario Zaki (26:23)
No, no, that's good. You pretty much are hitting it right on the nose. you
Justin Shelley (26:28)
Okay. ⁓ So, know, when it, you know, a little bit of information kind of behind the scenes when we're doing these risk assessments, not all of them. In fact, most of them are not just yes, no answers. And I don't know how you feel about this, but so let's just say that we're, scaling on a one, a zero to three scale, a zero is absent. Like it's
not being done. The, whatever we're talking about MFA is a favorite example. ⁓ One is informal or it's partial. You know, it's kind of there.
to it. Yeah, it's it's defined. We've documented it, we've enforced it. And then optimized would be we've reviewed, we review
Mario Zaki (26:59)
Optional .
Justin Shelley (27:05)
it and then prove it on a regular basis, right? zero through four, or zero through three. ⁓ One that's not talked about very much. And this is just my own brainchild. ⁓ Probably doesn't mean anything to very many people. But if it if the answer is unknown, I gave it a zero. Because unknown is worse to me than
known absence, because then you at least know you have a risk. And I would, I would even maybe put unknown as a negative one, like unknown is the worst place you can be with this.
Mario Zaki (27:35)
I agree, because it's human nature, when they see something that is unknown or N/A,
they just feel like it doesn't apply and they would skip over it. it's a zero, then it's kind of staring at you right in the face. a great example this is like my kids' report cards. So what their teachers do is when there is an assignment that's missing, they actually will give it like a 10.
like a very low grade so that it dramatically changes their GPA or their average ⁓ grade. If they put a zero there, for some reason their system recognized that it was never a part of their curriculum. So they give it like a 10 or a very low number that it is noticeable that something happened.
Justin Shelley (28:24)
No.
Mario Zaki (28:33)
So it's good not to just do N/A or unknown. Put it as a zero because then you'll see it. It's going to slap you right across the face every time you're looking at it.
Justin Shelley (28:33)
interesting.
Yeah. Yeah.
And I have, you know, on, on our, ⁓ online free assessment tool. Yeah. It has the option for, you know, yes, no partial or unknown. And, ⁓ I don't reveal that while they're taking the test, but behind the scenes and the, the, the code for this to score the test, the unknown is the worst answer. And I'll, I'll stick to that all day long. So
Mario Zaki (29:10)
Mm.
Justin Shelley (29:14)
Listen, I think we probably beat this dead horse. I'll give you some closing arguments if you have anything else you want to say. But again, what we're doing today is we are introducing the kind of another mini series that we, I feel like we made an attempt at it before, but I don't know that we did it justice. And so I want to go back through this and I want to do a better job of laying out what this baseline security model looks like. And, A, as a business owner, you know, understand this well enough that
Mario Zaki (29:24)
. you
Justin Shelley (29:44)
you can hold somebody accountable that you're writing the check to. And then, you know, B, if you're technical and you want to do some of
this stuff yourself and get your hands dirty, go ahead. I will always say, have somebody looking over your shoulders though. Go ahead and know it well enough that you can be involved, but never rely on just yourself. Mario, I don't know about you. I don't rely on this. I, well, hell, that's why I started the podcast because I wanted other people's opinions. I want to be talking about this all the time. I don't want to rely just on
the limited knowledge and experience of the great Justin Shelley. Cause hey, I've got blind spots. Anyways, so that's kind of the logic behind this, Mario. Do you have any closing arguments? Final thoughts or key takeaways for today?
Mario Zaki (30:31)
No, I mean, one thing I want to add is that this is exactly what you said a couple of minutes ago. You know, a security network assessment, let somebody else come in there and break it. You know, we, trust me, when I go into a prospect,
I'm not trying to go in there and rip up their network and say, well, you're doing this wrong. You're doing this wrong. Sign up here, sign here and we'll fix everything. We're not trying to do that. ⁓ What we want to do is kind of educate people. We want them to know if they're safe, if they're not safe, and if they're not safe, this is what we found. You have to, and even with us, we have companies that won't
Assess us, you know and We want to know is it being done, right? Can you break it and if you go if you break it? We need to learn what the you know how to fix it, you know, it's in a lot of industries, know like programming You know, said you love programming, you know, how many times will you pass your program along to somebody to beta test it? You know like test it. Let's see Break it. You know, if you break it then I need to go back in
tweak it or adjust or modify, know. IT is the same way. You know, if you can get somebody to break it, then it's, you know, you better believe hackers are going to break it. Or even an employee, you know, an employee is going to find that weird way of deleting all your data. And then he's going to raise their hands in the air and say, sorry, you know, I don't know what happened, you know. So.
Justin Shelley (32:01)
Yeah, right.
And then in turn, they're
going to point to their IT company and say, Hey, why didn't you prevent this? And that's where this comes down to, right? We, have to have, we have to all be on the same page. We have to know exactly what's happening, exactly what needs to happen and have the plan to get there. There has to be an understood and agreed upon level of risk.
Mario Zaki (32:17)
Exactly,
You know, as long as you can, if you can say you're getting 1 % better every day, then you're on the right track. ⁓
Justin Shelley (32:39)
That's right. And thank you. Thank you, Brian, for that sign off.
since Brian's not here, Mario steps up. I know. All right, man. Well, we're going to go ahead and wrap this up this week. And, know, like I said, this is the introduction we're going to start. So we'll have the next 11 or 12 episodes. think it is where we're going to dive into each of these controls at a somewhat non-technical, you know, high level, ⁓ standpoint.
Mario Zaki (32:45)
Freaking Brian. Yeah.
Justin Shelley (33:09)
But we will get into the weeds enough so that if you are technical in nature or if you have somebody employed that
is, you know, you can use this information to dig in and just find out where you're at. Always the offer stands to, know, like I said, we've got the online free assessment. We'll give you all the information you need to do it yourself. If you want to bring one of us in to do an in-person check, we can do that as well. But what you don't want to do is stand here, not knowing what your risks are and what your plan is to fix them.
mitigate them. that's what I've got. Mario, thank you for being here. Appreciate it as always. And ⁓ we're going to go ahead and wrap up for this week. So we'll, we'll see you next week. Take care guys.
Mario Zaki (33:45)
Thank you.
Bye guys.