Episode Transcript
[00:00:00] Guest: If instead you could have a checkup that's 95% the same as the doctor's, but it takes a lot less time and it can be done every single day, then it's going to catch nearly anything that the full physical would catch and it's going to catch it a lot sooner. And that's really the name of the game. A lot of bad guys will break into your systems and they don't just immediately go crazy. They look around, they spend some time figuring out what can I attack, you know, what's valuable out there.
[00:00:35] Host: Welcome to the EdTechConnect podcast, your source for exploring the cutting edge world of educational technology. I'm your host, Jeff Dillon, and I'm excited to bring you insights and inspiration from the brightest minds and innovators shaping the future of education. We'll dive into conversations with leading experts, educators and solution providers who are transforming the learning landscape. Be sure to subscribe and leave a review on your favorite podcast platform so you don't miss an episode. So sit back, relax, and let's dive in.
Welcome back to the show, everybody. Today I am thrilled to have Eric Smith join us. Eric is the Vice President of Technical Services Delivery at FortifyData, a leading provider of cybersecurity solutions. With over 20 years of experience across multiple industries, Eric is a seasoned technical and operational leader known for his strategic approach to technology and cybersecurity. His expertise lies in helping organizations, including higher education institutions, navigate complex challenges with innovative solutions. Eric is a Certified Information Systems Security Professional and a Microsoft Certified Systems Engineer, which everyone knows as the MCSE. He's passionate about leveraging technology to drive business objectives, mentoring teams and creating custom solutions that save costs and enhance performance. Welcome, Eric.
[00:02:04] Guest: Well, thank you. I appreciate being here. Kind of funny when you say it that way. It said over 20 years. I'm actually closing in closer to 30 than 20 these days.
[00:02:11] Host: Oh, wow, that's impressive.
[00:02:14] Guest: No, no, it's not. I got a birthday coming up soon.
[00:02:18] Host: To make security worthy of a podcast, sometimes I struggle to find the right guest. But I met Eric and we talked, and I'm like, oh man, we should have recorded this, because he kind of makes it consumable. And I'm really excited to have you on the show, Eric.
[00:02:33] Guest: Well, I'm glad to be here.
[00:02:34] Host: Can you start off and just... You have a pretty varied background. You've worked in many verticals. I even saw you were in the health and beauty sector at a company, and at IT service providers. But most of those solutions, they weren't higher ed focused. Now at FortifyData, that's one of your big verticals. Can you talk a little bit about your journey into where you're at now and what you've learned in the different spaces that you're maybe using now?
[00:03:00] Guest: Well, sure. Yeah, you're right when you say it's varied. There's a few certifications I've got that don't show up on that list and that kind of date me. Like, I was a Certified Novell Engineer, so that tells you just how far back it goes. But I'd struggle to find a vertical I haven't worked in. My first job was as a network assistant for Georgia Tech, which is where I was schooling at the time at the College of Architecture. And that's honestly where I got a real good peek at what goes on behind the scenes at higher ed. But from there I pivoted. I was in the Marine Corps, and then when I got back in the civilian workforce, I did network administration and systems administration. So I've been in IT most of my career. I was at a healthcare software provider. Then I did many, oh gosh, financial. Did consulting for a very long time for a lot of different organizations, data center design and so forth. And I've even, I like to say I've been in everything from, as you pointed out, IT director for a cosmetics conglomerate, all the way up to managing the technology refresh program for Tennessee Valley Authority and their nuclear reactors. So nukes and makeup, that really does span quite a bit. But your question was more along the lines of a higher ed perspective. And like I said, it's kind of fun because that's where I started out getting my first experience of what it's like to work in there. And then during consulting I did a lot of higher ed. And now that I'm working at FortifyData, we have made a sincere push in the direction of the higher ed market. It's kind of funny how much hasn't changed in the last 30 plus years in the higher ed market, as far as the challenges that are facing people doing IT and cybersecurity for higher ed.
[00:04:48] Host: My quick take on it is that, so I've been in higher ed not quite as long as you've been in security, but in higher ed technology for about 25 years, and in the last 10 it has taken a complete 180 in the way we would secure vendors. One of the checks against them was that if they required us to host in the cloud, which is like very new, it was like, no, we gotta host on prem to be safe. We gotta keep our security here. That is crazy, to give all our data up to where we don't even know where it's gonna live. And I think that's hilarious now that it's like, it's a race to the cloud to be secure, almost in a way that we never maybe would've seen even just a decade ago. But can you share a little bit about FortifyData's mission? And I've been really impressed with... I mean, I went to Educos and there were, I mean, hundreds of security companies. I mean, maybe high dozens, but it was at least a hundred. And how many there were, but not a lot of them, you know, know higher ed. How does FortifyData really uniquely support higher ed?
[00:05:52] Guest: Well, we started off when we designed the product to try to solve a very basic question that actually applies across many different verticals, but is particularly important in higher ed, and that is, what do you look like to a threat actor? And then based on that information, what are your biggest threats? Based on not just your exposure, not just what assets you're exposing, IPs and ports and services, but what vulnerabilities and misconfigurations might be present, but also taking into account what threat actors are currently doing right now, feeding that threat intelligence data back in. And it's the combination. I'm trying not to use jargon here, but the synergy, okay, of taking, okay, if I can do vulnerability management, okay, that's great, and if I can do inventory management, that's great, gotta do that too. And I gotta do threat intelligence, okay, great. But if you combine all of that data together in an analysis platform, you can start to derive things that you could never derive looking at those data sets in isolation. So that's really how I kind of describe the service to a lot of people, is don't look at it as a vulnerability management solution or compliance and risk or... Although it does all those things, think of it like this. It is a data aggregation and analysis platform that is geared towards cyber security. And we pull in all kinds of data, we feed it into the analysis engine, and then we do the hard work. That really is what everybody wants to do. They just want to know where are my risks and how big are they? Because then I need to prioritize them and figure out what can I fix? Because there are going to be some things that you can't fix, and then what am I going to do about it? What kind of mitigations can I put in place, what kind of controls can I put in there? And understanding where your risks are first and then tracking them over time, because your environment's going to change, the threat landscape is going to change.
You're going to do things differently now that you have this information. Being able to do all that continuously, because there are people who can and try, and some even succeed, to do this point in time. You know, you can do this once a quarter, but we do it continuously.
[00:08:02] Host: When I was at Sacramento State, ransomware and phishing attacks were the big ones. Phishing was like, we were all over trying to mitigate that. Can you talk a little bit? Are those still two of the big things in higher ed with threat assessment, and how you handle those situations?
[00:08:18] Guest: Well, we are looking at things like, for example, you know, we've got a dark web module, so we're keeping up with what's going on with credentials and so forth like that, which is a common vector of attack when it comes to things like phishing attacks. Okay, we do have kind of a philosophy, I guess is a way to put it here. We want to pick something that we want to do and we want to do it very well. We don't want to try to be everything to everybody, simply because you just dilute yourself at that point, you end up not really doing a good job anywhere. There are plenty of solutions out there that do really, really good phishing. KnowBe4 is one I'm very familiar with and a lot of people rely on. We integrate. So we use that as a data source, you see, so we can pull in, or like Proofpoint, you know, Proofpoint does spam and so they know what active campaigns are going on. We can integrate with that data, pull it in, apply it as a risk factor and then use that as a modifier for all of the other data that we pull in.
[00:09:09] Host: So your platform aggregates all your tools into one place.
[00:09:14] Guest: Tool consolidation is a common play. It's not the only play, but it is a common one.
[00:09:18] Host: Can you talk a little bit about why higher ed is such a target these days? I think healthcare is up there too. But why are these couple of verticals? Or am I wrong?
[00:09:28] Guest: No, no, no. Well, I would say this. You know, we have data on tens of thousands of companies, so we know what their security posture looks like. And to kind of sum up, imagine this, imagine if you could undergo a pen test continuously. Think about the data that you can get doing that. That's very close to what we're actually doing.
[00:09:49] Host: Can you talk about what a pen test is? I think some people might not, might not know.
[00:09:53] Guest: Okay. A traditional pen test is when you hire someone who is authorized to behave like a threat actor, more or less. Their job is to probe your security in any way they see fit. And if they find something that's exploitable, they actually will exploit it. And not to do damage or anything, but to be able to report back to you, hey, I was able to break in using these techniques on this asset because you have this configuration or this bug or whatever, and then you take that data and you use it to improve your security. A lot of people get pen tests done. Or I say pen tests, they're called penetration tests. Okay. But they tend to be disruptive for obvious reasons. You know, pen testers break things, and they tend to be expensive and they tend to take time, which means typically people usually get them done once a year. Some people are more aggressive. They might get them done twice a year or quarterly. I've never heard of anybody doing them any faster than quarterly. I'm sure someone does, but they're incredibly rare. But if instead you could get all that same data, or nearly the same data, without going all the way through and exploiting and breaking things, then that's pretty good. I kind of liken it to this. You know, you might go to a doctor to get a physical once a year, but what's keeping up with you the other 364 days of the year? If instead you could have a checkup that's 95% the same as the doctor's, but it takes a lot less time and it can be done every single day, then it's going to catch nearly anything that the full physical would catch, and it's going to catch it a lot sooner. And that's really the name of the game. A lot of bad guys will break into your systems and they don't just immediately go crazy. They look around, they spend some time figuring out what can I attack? You know, what's valuable out there? Because if they've broken in, they don't want to just waste it. Okay. Some do.
[00:11:48] Host: Is that part of the reason why higher ed is a target, that they have more valuable information? Or is it because it's easy to get into, because they don't spend enough time on their stuff?
[00:11:57] Guest: Well, my personal opinion on that is that I would say that healthcare probably has the more valuable information. Or if I had to pick anybody, I'd say financial has the most valuable information. But where higher ed comes into this mix is, higher ed is a uniquely difficult situation. One, you don't have the financial resources that, say, a fintech firm would have. They've got scads of money to spend on stuff and they take it very seriously. But you do have very valuable information. You've got student record data, financial information and things like that. So you're a valuable target. At the same time, higher ed is extremely unique in the, I'm going to just call it the wild west kind of environment you have to operate in. Most universities have a centralized IT department that is charged with keeping the whole university or college more or less safe. But then you have various departments or other schools within the university that have high degrees of autonomy. They can set up and run their own stuff in many ways. And they tend to not be overly communicative with the central IT department. So you may not know what they're doing. And even if you find out they're doing something you don't like, you may have limited authority to force them into compliance. And at the same time you have the whole mantra of what is the purpose of a university? The free exchange of ideas and information.
And that plays against having the iron fisted grip that corporate IT normally has.
[00:13:25] Host: The decentralized nature is again the problem, as it so often is, which makes higher ed what it is.
[00:13:32] Guest: Well, you see, and here's where FortifyData comes in to help that problem. Because the first problem everybody has is awareness.
What is my exposure? And yeah, there are any number of tools and services that can go out there and scan you and tell you what's going on. Most of them are point in time, not continuous. So that's one flaw. But then what do you have? Well, you end up with a 300 page report of vulnerabilities and things scattered all over the place. What are you going to do with that? Who's even going to read it? Nobody. Okay. It's too much, right? So what you need is not data, you need results.
And results is data that has been operated on by some kind of analysis. And that's where we come in and we say, okay, we're going to go and figure out what everything is. Then we're going to properly prioritize it based on the ground truth. How severe are the vulnerabilities? How important are the assets that are affected by these vulnerabilities? What are threat actors up to? What are contributory factors that could come into this? There's probably 20 or 30 different metrics that we use to modify risk in order to generate the prioritization, and you get to contribute to that. If you don't like how we decided something is, you can put in, well, I have a different control on this and so forth like that, and change effectiveness and so forth. So you have a lot of ability to tweak and tune it to make it fit your particular environment, so it's an accurate representation of risk for you. And at the end of the day, what have you got? Well, now you have a prioritized list of risks and then you can operate on that. We generate a score continuously, so as you improve your cybersecurity, your score will go up. Now you have a measurable metric to report back to the board of trustees or the chancellors or whoever they are and let them know that things are getting better. You can compare yourself to other universities. That's a thing that blew me away, that I didn't even know people did until we started going into higher ed. That a lot of universities, they want to know how they look compared to, what do they call it? Aspirational universities, I think it was.
But basically their competitors.
[00:15:42] Host: Yeah, that's what I'm kind of wondering is since this is such a behind the scenes service, like if you're out of the news, that's good news. Like the phone's not ringing. Security is such an undersung, you know, process in the background.
[00:15:55] Guest: Oh, it's horribly underappreciated. Everybody hates security because we're always telling you can't do that.
[00:16:00] Host: So marketers don't think about it and care about it until something's on fire, or they hear about a sister school and they're like, oh gosh, I better check, make sure that doesn't happen to me. So you talk about these benchmarks or these numbers that we can track our progress with. What types of metrics can we track to say, oh yeah, we're doing better, aside from we haven't got hacked or we haven't had a bad data breach?
[00:16:25] Guest: Well, we'll start at the most abstract, and I'm going to say it's the score. Okay, so what we do is we analyze all the vulnerabilities that you have and all the attack surface that you have, and then we, you know, pull in all those other data points I mentioned about threat actor activity and control effectiveness. And again, my brain's not working correctly here, so I can't remember all of them off the top of my head. But like I said, there's 20 to 30 different metrics. And we feed all that in and we calculate a score. And our score model runs from 300 to 900, with higher numbers being better. Think of it like a credit score, because that's what we model it after to make it easy for most people to understand.
Now, it's not the end all, be all. It's an abstraction. And just like all abstractions, they are, you know, incomplete, but it serves as a useful metric, a good starting point. And then the score is sorted into buckets. We have critical risk, high risk, moderate risk, low risk, and very low risk, which I think are the buckets based on what your score is. So that's an even further abstraction, I guess one level above even that. But when your score goes up or down, you can actually drill into the score and see what caused it to go up or down. So if it goes up, you go in there and you say, oh, well, the following vulnerabilities were addressed. Or maybe you didn't do anything and your score goes up. Why would that be? Well, maybe because threat actors were using a rootkit that you're vulnerable to, and it was on their list of things that they were fiddling with yesterday, because CISA reports this stuff and so do many other sources, but today they're not. It's not real time. I'm very careful about using that word, but it's as close to real time as you can reasonably get about what is the actual risk you're facing right now.
[00:18:00] Host: Can you share a success story of a higher ed client that saw measurable improvements, or even on the other side, a really bad situation that maybe didn't make the news?
[00:18:12] Guest: Well, I can't share the bad stuff about our clients, but I can actually share some. I mean, I could give you some, you know, the names have been changed to protect the guilty kind of thing.
[00:18:21] Host: But yeah, or something just out in the wilderness. Client, you know.
[00:18:24] Guest: Well, I would like to share one success story. And they actually did a testimonial for us, so I know they're okay with this, but we have a college called Pima Community College. It's run by a gentleman by the name of Isaac Abs. And he signed up with us, I don't know, about a year or two ago, something like that. And when we first evaluated them, their score was relatively poor. What was most interesting to Isaac, however, is that we discovered that he had a lot more exposure than he thought he had. He thought that he had a good inventory and knew what he was actually exposing, so that was not the case. And again, there's no shade against Isaac. Most people have that problem in higher ed. It's very difficult to keep up with this stuff. So, yeah, we identified that. And since he didn't even know it was there, nobody on his staff knew it was there, which means it hadn't been patched or addressed or factored into anything for God only knows how long. So it was in bad shape and it was dragging his score down.
So they took the data we provided, and it's like, oh, yeah, we need to do something about this. And they did. And over a period of about three months, from the time they signed up with us till that time period, their score went from somewhere in the mid-300s to somewhere in the mid-700s, and now it stays there. And again, like I said, the score is an abstraction. I hate people that only manage the score. You really do need to dig into the underlying data sometimes. But that being said, it's a good idea of just what your general cybersecurity hygiene looks like right now. And his is very good. Now, of course, if you want some horror stories, you know, I went to a conference in California last year where they had a panel of, I think about four to six colleges that had actually experienced ransomware events. And they talked about it with amazing transparency and candor, which you would never get on the corporate side of the house. So that's actually an advantage for higher ed.
[00:20:17] Host: Right, right. And I've heard that. I haven't heard one for a while now, one of these horror stories about ransomware. But I was hearing quite a lot a few years ago, when it seemed to be bigger. Maybe it's just not talked about. I mean, that's the thing. You don't want to give them publicity. Well, when you hear about these...
[00:20:31] Guest: Well, I actually learned some interesting stuff there about it, and it's really good nuggets of knowledge to pass along. Like bad guys, for higher ed, they tend to organize their activities to time it for, like, when you're starting your school year, basically because they know you're under stress and probably understaffed. They target holidays. They look at the news for your organization to see if you've recently been given large grants of money, because they know, oh, they got money now, I should hit them up with ransomware. I didn't think of that. That was one that was new to me. But the candor that these colleges went through about their experience, talking about everything from, yeah, we knew we were in really bad shape, but nobody would give us budget to fix things. And then strangely, right after the event, budget magically appeared and they solved a lot of problems with it.
[00:21:19] Host: Speaking of budget, do you have any insight, since you've been in the industry for a while, as to the direction of the percentages of IT budgets at universities? Which way is it going? Are schools spending more on security or less? Or is it kind of like you don't know? Do you have any grasp on that?
[00:21:36] Guest: I do, and it's not pretty. You know, obviously budgets are going to fluctuate with the economic conditions. So over the past few years, I've seen it either stay stagnant or go down a little bit in some cases. But what's really bothersome is this. It's very situational. If you've got an IT, an infosec staff that is, for lack of a better term, eloquent, they can actually make their case. Because you can't go to money people and talk engineering to them. You've got to make a business case. What you need is something that says we need to spend X because of this data here that says how much risk we're at. And oh, by the way, we look awful compared to our sister colleges. And if we don't do something about it, it's not an if, it's a when we're going to have an incident. But the other side of that is, if people don't have that data or they're not good at using that data to make their case, then the inevitable happens. You get a hack, and then what happens is, like I said, all of a sudden the funds flow freely. But I hate that. You've got a multimillion dollar hit of trying to clean up this mess, you've got reputational damage and God only knows what else, and you're still going to have to spend the money that you should have spent six months ago. I hate that.
[00:22:57] Host: So if you could offer one piece of advice to universities that may be lagging behind to improve their digital and cybersecurity strategies, what would that be?
[00:23:08] Guest: Well, you know, the obvious thing, buy FortifyData.
But, you know, in a more general sense, I know a lot of people in this industry and they are burned out. They're just like, you know, I'm just going to do what I can do. There's so much out of my control. I can't do this, I can't do that. And my response to that is, well, you know what? There usually is something you can do. You know, you're not going to do nothing. But the first thing you've got to do is you have to have awareness. You have to understand what your actual risk situation looks like. And by the way, I'm using the word risk very purposefully, because there's a difference between vulnerabilities and risk. A vulnerability management solution is going to tell you what your vulnerabilities are. A risk management solution is going to figure out the risk and prioritize them, which is what you actually need. Because again, if you've got, you know, 10,000 vulnerabilities and let's say you can only fix 500 of them a month. Okay, well, you fix 500 this month. If you go in front of the board and they say, well, why'd you fix this 500 but not that 500? You need data to back that up. You need to be able to say why you did what you did, and then point to a metric that said, because this had a measurable impact on our cybersecurity posture. A lot of people don't have that. Having that is great because it helps you make your case a lot better.
But awareness, you can't fix things. You can't even pitch to fix things if you're not aware that they're there. And people that say, well, you know, I do my own scans. I do them once a month. Once a month is not enough.
I mean, think about what a bad guy can do in 29 days. It's terrifying. So you need a continuous process. And let's not forget GLBA requires it. Okay? So this is not an optional thing. Those of you out there listening to this podcast, if you don't know what GLBA is, look it up. You would be amazed, because it's not really being pushed down from the top like it should be. But it's a very useful cudgel to have, to say, we're not in compliance with this because of XYZ. And this goes up to the feds and federal funding dollars for tuition. So it gives you a go ahead.
[00:25:21] Host: Does GLBA apply to higher ed, not just financial institutions?
[00:25:25] Guest: It does if you accept any kind of federal loans for tuition, you know, any of that stuff. The instant you accept one penny of that, you have to be GLBA compliant. And a lot of people don't know this.
[00:25:36] Host: This will be some homework for our listeners to go look it up. Yep, go look up the GLBA. Absolutely.
[00:25:43] Guest: It could be very helpful in getting appropriations that you know you need but can't convince them to loosen the purse strings for, because you can point to this and say, this is not optional, and if we get audited, it's going to be bad. We need to fix this.
[00:25:59] Host: Yeah.
[00:25:59] Guest: Yeah.
[00:26:00] Host: Well, that was a really great conversation, Eric. I want to tell our audience that there are so many security companies out there and I've been really impressed with what FortifyData has been doing for higher ed. We'll put some links in the show notes to get to Eric and FortifyData. So thanks for being on the show, Eric.
[00:26:17] Guest: Thank you. I appreciate it.
[00:26:18] Host: Bye bye.
[00:26:18] Guest: Bye bye.
[00:26:24] Host: As we wrap up this episode, remember EdTech Connect is your trusted companion on your journey to enhance education through technology. Whether you're looking to spark student engagement, refine edtech implementation strategies, or stay ahead of the curve in emerging technologies, EdTech Connect brings you the instant insights you need. Be sure to subscribe on your favorite podcast platform so you never miss an inspiring and informative episode. And while you're there, please leave us a review. Your feedback fuels us to keep bringing you valuable content. For even more resources and connections, head over to edtechconnect.com, your hub for edtech reviews, trends and solutions. Until next time, thanks for tuning in.