Matthew DeChant Podcast Transcript


Matthew DeChant joins host Brian Thomas on The Digital Executive Podcast.

Welcome to Corzant Technologies, home of the Digital Executive Podcast.

Brian Thomas: Welcome to the Digital Executive. Today’s guest is Matthew DeChant. Matthew DeChant is the CEO of Security Counsel, an information security management consultancy. Matt has over 25 years of experience building information technology and security programs.

As an in-house CISO and through Security Counsel, Matt has managed the creation of cybersecurity programs for numerous clients and their executive teams, corporate boards, and high net worth individuals. He leads response events and conducts tabletop exercises with his clients to help them prepare for their potential worst-case cybersecurity scenarios. He is part of numerous cybersecurity best practice committees and boards and is passionate about supporting quality cybersecurity education.

Well, good afternoon, Matt. Welcome to the show!

Matthew DeChant: Thank you, Brian.

Brian Thomas: Appreciate you jumping on. I know it’s late in the evening. We’ve got some travel plans, obviously. It’s this time of the year, Thanksgiving, so Matt, I do appreciate you making the time hailing out of Chicago, but let’s just jump into your first question, if you don’t mind.

With the rise of AI and other technology-centric tools, how can cybersecurity protocols within organizations stay human-centered, focusing on user interaction and benefits, rather than just technical prowess?

Matthew DeChant: Yeah, I think, Brian, you sort of hit it on the head there with the human-centered comment.

We’ve got to take a people-centered approach here to using what is turning out to be some very, very powerful technology, and it’s sort of early days. So we expect that we’re going to see some major changes here in the coming years. One of the first things that organizations should do is just assume that it’s already widely in use.

It may not be on the company systems or whatnot. But the tools are powerful, people are very incentivized to use them. And there should just be a wide assumption that the best approach here is sort of a “yes, and” rather than a “no, but” approach: figure out what kind of guardrails can be put in place with good policy, good legal terms, good due diligence on these AI systems that people want to use, and assume that they’re going to be used in some way, and that you need to sort of meet people in the middle about that.

You know, we faced something like this around cloud computing almost a decade ago. In those days, it was almost unheard of that you were going to move your sensitive information to what was called the cloud. It was brand new for everybody. But eventually those offerings matured, the security around them was well demonstrated, and it became widely adopted; expect to see the same thing here.

Another thing to focus on, of course, is that these systems are largely recursive, right? Your question or query winds up potentially being part of somebody else’s answer. It’s all up to you.

And so, you know, we need folks at organizations to think a bit critically. You know, you certainly wouldn’t go to a bar or a restaurant and discuss your organization’s trade secrets, and that shouldn’t be the case here either, unless you truly understand that these systems are going to keep that information private.

Finally, I would say here, for all workforces, we really need to double down on training. We can certainly see, from the cybersecurity point of view, that compromises are very, very easy to achieve with the level of sophistication we have around audio spoofing and, soon, we can assume, very, very good video spoofing.

And so, you know, we need to revert back to some old methods here. Think about when you were a kid and a code word for being picked up from school. Ways in which we can circumvent the technology that’s trying to take advantage of us.

Brian Thomas: Thank you. And I appreciate you focusing on the human part of it. You know, in every podcast we talk about, at the core of everything, it’s people.

And this is no different. I think security awareness, the training, the communication goes hand in hand with all these new technologies that we’re deploying and leveraging these days. So I appreciate your insights. And Matt, many tech leaders prioritize new features and rapid launches over long-term security in apps and software.

How can companies integrate a secure-first approach into their development cycles while maintaining competitive innovation?

Matthew DeChant: Yeah, that’s a great question. We don’t want to get in the way of the speed of business in any way whatsoever. And so we’ve got to measure our on-ramp with where the business is going.

In a meaningful way, but we’ve also got to keep people out of orange jumpsuits and keep breaches from happening. And so I think this question really kind of focuses on the concept of technical debt versus, as you sort of phrased it here, innovations, feature improvements that may be customer-centric. You know, there’s a subset of technical debt, what we might call security debt here.

The end. We’ve got to really meet with those teams, those groups, and understand there’s probably also a customer need that is widely expected, which is the systems that they’re using are also going to be secure. And so when assumptions don’t match up to reality, that’s when you’re really looking back in the mirror as an organization, trying to decide here, look, if we’ve got a pie available of resources, some of them are dedicated to pure technical debt.

And some are dedicated to new features or new products or going after new customers. But there’s a general expectation that the ecosystem in which we’re operating is going to require that we showcase and actually execute on good security here. So organizations need to find room. I know it’s difficult and can be hard.

There’s a lot of pressure. And we see this all the way up to the board level here, where features and new customers are the easy prioritization. And it’s because we see, at all levels of organizations, a lack of true understanding of what it takes to run a professional information security program at a company.

And again, that comes back to education, teaching at all levels here, the importance of good security. You know, if we’re a company that’s designing software for a living, or it’s just part of our offering, maybe it’s the primary goal here, then, you know, we’d hope to have a fairly robust software development lifecycle document or policy.

That’s typically going to have seven or eight stages or phases of software development, from initial design to eventual sunset. We should have an expectation, or the executives of a company or the board should have an expectation, that security is getting done at every step. It’s not left to the end to figure out.

And usually the sale is pretty easy here because it’s just more expensive to do later. And so if we do it early and we get in at the early phases of development, sometime around the design phase, we’ll be in much better shape. Another trap that companies find themselves falling into here is if it’s really, truly part of their culture to build versus buy.

We haven’t seen a problem we can’t solve by coding our way out of it. It’s usually not a good idea to make up your own security bolt-ons to your products and services. There are thousands and thousands of vendors that are much better at this. It usually is a much better overall outcome to manage that through good vendor management, good supplier management, good partner management

than it is to try to build something and maintain it, for the very reason we’re talking about here, which is that over time there’s going to be a bit of a lull in interest in keeping that thing maintained.

Brian Thomas: Thank you, Matt. I appreciate that. Really do. And you highlighted a point that I like to, you know, focus in on, which is, basically, and I’m paraphrasing a little bit, pay now or pay later: you need to fold in that SOP in the beginning, through the whole process.

You know, we’ve had this for years, as you know, with people that are offboarding or leaving an organization. That gets forgotten about, and we’ve seen time and time again where people are left with full access to these systems and they may not have left on great terms with the company. I mean, that’s just one example that we can highlight here, but I do appreciate that.

Matt, with a critical shortage of skilled cybersecurity professionals, it seems like tech companies need to do more to attract, train, and retain talent. How can mentorship and better training tools be leveraged to mitigate vulnerabilities caused by this talent gap?

Matthew DeChant: Yeah, the talent gap is pretty severe, where we are short several million. You know, we have several million open roles here in the United States, at least, and many, many more globally.

Mentorship plays a big part there. You know, we need to have a robust farm league, as it were, work to get people interested in this profession and get them interested early. There are plenty of opportunities to upskill. A quick Google search will produce many of these. Obviously you can double down on a computer science degree at a four-year university.

You can do a master’s degree in cybersecurity. There are plenty of certifications that you can go after. There are universities that are more in line with sort of trade developments, DeVry University, I think. There are certainly meetups for specific parts of cybersecurity programs; if you’re doing identity and access management,

there is a meetup for you, and certainly there’s a lot to be learned from conferences. So plenty of opportunities exist for upskilling, and it’s really just kind of coming up with that secret sauce of both hard and soft skills that you want to develop. There are also a ton of ways in which folks can reskill.

The Department of Labor supports a number of great companies. One in particular is called Apprenti, where there are some folks that have maybe had a career, mostly blue collar. Maybe they’re an electrician, for example, and they want to get into cybersecurity. And there are companies that will fully support both their training and also real apprenticeships at real firms, where they can become cybersecurity professionals.

So there is governmental support in this way. Bigger companies understand that they need to train folks that are compatible with their company mission and culture as well. So at most of the big companies that I’m aware of with fairly large cybersecurity teams, it’s a given or expectation to bring in, you know, fresh analysts and train them internally.

A lot of it is on-the-job training. We have some perceptions maybe not meeting reality about what folks do in cybersecurity. Yeah. If you ask anybody that’s currently in college now, considering a job in this profession, what they want to do, inevitably they’re going to tell you something like they want to do pen testing, right?

This is what movies and TV have sort of glorified: folks fending off hackers with keystrokes, right? But there’s so much more to it. You know, we have to focus on security operations. It’s a big component of running any program. But there’s also governance, compliance, and risk that are hugely important.

And covered under there is the design of good security programs, the architecture of what good looks like. So there is plenty to do. I cannot think of a profession that stretches your brain in 12 different ways simultaneously like this one. And so if you have an open mind to learning all the various aspects of running a good program,

you will not be bored in any way. And then finally, you know, there are some organizations, like the military, that are very good at producing very well-qualified folks for cybersecurity. These folks are mission-oriented, know how to achieve a goal, know how to follow a process, and helping to place folks like that winds up being a very good outcome.

Brian Thomas: Thank you. You obviously listed quite a few areas where folks could jump into this industry, get some training, some mentorship. Obviously there’s a lot to do, and we’ve seen a lot of success stories of people. You’d mentioned blue collar. Absolutely. I think you and I both know probably several folks that have jumped into this profession, doing a total career 180.

So I appreciate you sharing a lot of that, Matt. For the last question here of the evening: for tech startups seeking funding or preparing for acquisition, having a robust cybersecurity program is a critical part of due diligence. How can startups and the VCs who support them integrate cybersecurity into their growth strategy to enhance both operational resilience and investor confidence?

Matthew DeChant: Yeah, it’s a great question. I think no matter what event this, let’s call it a scrappy startup or sort of the small guys, are thinking through here, every dollar counts, to make sure they’re spending their money wisely. But, you know, let’s say they’re trying to go after that first big client or clients, or they’re going to be part of a merger to form a larger company, or they’re looking to get acquired, looking to sell their company after they’ve matured their technology, or whatever they’re doing here, or maybe they’re going public, maybe it’s an IPO or it’s a SPAC or something like that, whatever it is.

We typically would recommend that the timeframe be at least six months, if not a year, out from that event. A lot of cybersecurity can be done very, very quickly with a startup that can move in an agile way and isn’t sort of bogged down by decades of “this is the way that we do it,” or where size prevents moving fast, in many cases.

With those types of companies, they’re slow to change because they change slowly; they just move at a certain speed. Startups tend to move faster here, but there are other parts of cybersecurity programs that you just cannot move any faster. You can’t acquire a product and service quickly. You can’t stand up,

I mean, security services, you know, in a day or two. It takes some time and some effort and relationship building and signing contracts and all that good stuff. And so if you try to start this in the 11th hour, you know, let’s call it 4 weeks before one of these events is happening, then you may endanger that event from happening.

And so there has to be some preparation, and you need to give yourself a better runway there. If we’re talking about sort of the other side of the equation, if we’re talking about VC firms or private equity firms, there’s lots of advantages there as well. You know, let’s say they’re on the other side of this acquisition or mojo or whatnot.

These firms are typically operating in one of three modes. They’re either doing their due diligence on companies that they want to interact with or acquire. Once they do acquire, they need to keep them operating, maintain the value of the company. There could not be a thing that could result in a clearer devaluation than a major incident or breach here.

The company will just be worthless. And third, they usually want to get out after a certain period of time. And so that’s back to that startup mentality, where they are: they need to be ready six months or a year from now, so the buyer is completely confident there are no issues around this company’s cybersecurity program.

So you’re going to give yourself some time and breathing room to get those things done and be ready.

Brian Thomas: Thank you. That’s really important, you know, and again, we talked about that in the first question I had, around your answer on folding it into kind of the standard operating procedure, a beginning-to-end sort of thing.

And I know startups are pretty nimble and they’ve got a lot of deadlines and they’re trying to make their move. But it’s the one thing nowadays you just cannot forgo: having a good cybersecurity program at all stages. So I appreciate that. And Matt, it was such a pleasure having you on this evening, and I look forward to speaking with you real soon.

Matthew DeChant: Sounds good. Thank you, Brian.

Have a good night.

Brian Thomas: Bye for now.
