Welcome everybody to What's the Problem, the show that explores problems that buyers, practitioners, business folks, sales and marketing people, and anybody in the realm of cybersecurity faces in today’s world.
Today, we are fortunate to have David Cornish joining us.
Mike Krass: David, wave hello virtually to the listeners.
David Cornish: How are you doing, everybody? Glad to be here, Mike. Thanks for having me.
Mike Krass: I could hear the wind whistling off your hand as you waved. I love it.
David Cornish: It was a struggle wave.
Mike Krass: Let's get into it. David, can you tell the listeners why you are qualified to discuss security?
David Cornish: My day-to-day life is that I am a security analyst. I work for an international third-party SAS security company with clients worldwide. I have a long history with tech startups but have always had an extreme interest in the security side of things. I was able to take those experiences. I was able to get certified and attended a boot camp at UPenn. I'm a full-time security analyst working directly with security teams worldwide to identify, analyze and remediate risks across their entire security posture.
Mike Krass: I love it. We've got the academic and the practical professional experience. David. I appreciate you bringing that to the show today. And as we talk about the show today, let's get to the second question, name a problem in the security world that you'd like to explore with our listeners.
David Cornish: As we all know, this is an ever-growing and ever-changing field. There are a lot of gaps to be filled. And one of the things that we do, and that I do daily, is trying to fill those gaps as a third-party software service company. The problem that I would discuss here is how we view it, monitor it, and ensure that we protect our internal data. What are companies doing to protect their security posture externally? If you are doing business with somebody, you are doing data with somebody. There's an exchange happening, and it will be in your best interest to be aware of the security of those you are exchanging that data with. Their risks can become your risks, and I often explain this to people as a credit score. Are you going to loan and share your data with somebody who has a bad record of identity breaches and a low score? Are you going to want to make sure that anybody you're exchanging data with is also taking care of their security posture so that you feel safe in that exchange of data?
Mike Krass: If I'm responsible, say I'm information security or a security analyst for a brand. I heard you say something earlier, David, where you're a SaaS business external to your customers. If I'm already a little bit nervous, and a little bit's probably an understatement if I'm nervous about sharing data with other businesses, why would I want external eyes allowed in to look at my data, whether it's on-prem or in the cloud, or a combination of the two? Is that something that comes up a lot with this problem?
David Cornish: The number one answer is that what we do and the way that we analyze your data is that we 100% don't do any pen-testing. We are not a pen penetration testing company. What we do is scan the Internet for anything open and publicly accessible. So this means anybody with the knowledge or skill of how to look for this information could find it. And so the goal here is to find those vulnerabilities, identify those risks and remediate them before something happens. In the security world, if you're going to somebody after a breach or an incident, that means you probably are going to them after you should have been going to them. We're going to identify and prevent these things, which is how you look at different organizations' risk and risk profile. So, that's a question that comes up.
Mike Krass: And if you say it, what's out in the open? Is that including the clear web and the dark web? Do you split the middle there?
David Cornish: I would say we split the middle in certain ways. We scan the dark web, a service that would be requested by a customer specifically. So that would be our data leaks and analytics. It’s something we're capable of and something we do. Our focus is on the general, publicly accessible internet that anybody can access, and the security needs of a company and organization obviously, differ. So there are different levels that we can dive into.
Mike Krass: I also heard you say you didn't say the words exactly. I just heard it as you were speaking, if I am looking at purchasing to keep us more secure. As I'm evaluating different security vendors and products and services, one of the big questions I should be thinking about is, will you be doing any penetration testing? Am I going to have to open up to you in any way? And what does that look like? I’m putting myself in the buyers' shoes, and that's a question that I think many buyers might know. Some buyers might not think to ask, what kind of access? What kind of penetration will you get into our systems?
David Cornish: Penetration testing is something that many organizations want to do on a quarterly, yearly or annual basis. Penetration testing is not our specialty, and it's not something that we're doing. We're not trying to break into your systems. To clarify that work with us, most people are typically more interested in us monitoring their third-party vendors and the people they're doing business with, and their open and identifiable vulnerabilities. Most security teams, especially with the larger companies we're working with, have their internal processes for running those types of pen-testing. They hire us not to alert things and not cause alarms within our system but to show what's there. That is accessible to anybody. Penetration testing would be a specific service you'd be looking for. And most teams choose how to do that and run that on their terms.
Mike Krass: You said something that stuck with me when you're doing business with someone and doing data with someone. The first examples of data with folks that come to mind are who your vendors are, who you pay to do services, perform services or deliver products to you, and who your clients are. Those are kind of easy vendors and clients. When you're talking about doing data with people, would you think as wide as your competitors or somebody else that I'm not even naming in this question?
David Cornish: One of the key components that we're able to provide because of the services that we do, and because we do scan the entire open web is you do want to know where your competitors are at, you do want to be able to see what their security rating and history is, and monitoring them and being able to compare yourselves to them is a huge, not only business necessity, but it's something that when others are choosing somebody and as people look more and realize and learn more about how important cybersecurity it is. People will look at those comparisons and go with what they feel is safest. A key piece of the future of doing business, as everything moves to the web and most of the cloud, is the ability to see and understand your options. And as a company, it's in your best interest to be monitoring that as well. And one of the things we do is competitor analysis which gives you the ability to directly line up where your company stands with your competitors and with the people you're doing business with, so we can cover both of those in our third-party monitoring.
Mike Krass: It's really interesting. As you went into more detail there, the phrase technical debt came to mind, and then I replaced the word technical. I was thinking; it's security debt. Whether it's a competitor, a client, a vendor, or anybody you're doing data with, if you're not paying attention, you can take on some of their security debt, either directly or indirectly.
David Cornish: 100% and you can vicariously be at risk, simply by putting your email address to log into a customers account, which is why another thing that people are so focused on is identity breaches, the ability to identify anybody with your email domain and within your organization whose information has been breached and to be able to identify those things, and this is something we do daily as well. And that helps people monitor the breaches that have been involved that they might not otherwise know about. Because a breach doesn't just happen to your company, your information is usually breached by somebody else. So that's another thing that we can analyze, monitor, and help our customers stick a header. So I think more and more companies understand how important and how often that information is breached. And add to the pile of data transactions that we're talking about as something that how does a single security team, whether it's for a huge company, or whether there's one person on the IT team, how do you monitor and track all that. And I think that's where third-party specialists come in and help alleviate the responsibility and constant change occurring. And to provide a holistic view of security, not just what we're secure, we were changing our passwords. We're doing all the right things to keep our people secure internally. But are you thinking about that externally as well?
Mike Krass: I have enjoyed this conversation. Let's take it, take it around third base and run towards home here. Tell us about a terrible haircut.
David Cornish: My worst haircut is called the Charlie Blackmon. Charlie Blackmon is a baseball player for the Colorado Rockies. At the beginning of the COVID times, there was a lot of uncertainty. Everything was shut down. Everything was a ghost town, and nobody knew what was happening. And I said, “What better time to get a haircut I otherwise would never get.” And so I got the Charlie Blackmon, Mohawk, and Mollica, which I would call it. And when I initially got the cut, it wasn't so bad, and I was like, “Oh, this is cool.”It took a long to recover. A girl back was a process, but fortunately, I am a collector of many snapback hats, which helped alleviate some of the recuperation time.
Mike Krass: It’s like a fine line. Your hair continued to get better and better as it recovered. David, thank you so much. We've enjoyed having you on the show. And to all the listeners, thank you for listening to What's the Problem, the show that explores problems that buyers, practitioners, and other folks in the cybersecurity industry are facing in today's world. David, wave and say goodbye to the listeners one last time for us.
David Cornish: Goodbye to everybody out there. Thanks a bunch for having me, and I enjoyed the conversation. Keep doing what you're doing. It's great information. Thanks a lot, Mike.
David Cornish is the Community Support Analyst at Upguard, a cybersecurity business that combines third-party security ratings, vendor questionnaires, and threat intelligence capabilities for a complete cyber risk solution.