Episode 3 of Ackermann Marketing and PR's new "Sweet Tea and Strategy" podcast features Avertium CEO Jeff Schmidt discussing the state of cybersecurity, emerging trends, and the future. Listen to the episode or read the transcript below:
Tommy Smith: Welcome to Sweet Tea and Strategy podcast, produced by Ackermann Marketing and PR. We're speaking with business leaders about challenges in the industry and communication strategies to take on those challenges. And we're going to talk cold beverages as well. So my name is Tommy Smith, vice president at Ackermann. Today we'll be talking cybersecurity with the CEO of the industry's newest company, Avertium. Jeff Schmidt is the new CEO of Avertium. He's here today with us on the podcast. Jeff, welcome.
Jeff Schmidt: Thanks Tommy, good to be here.
Tommy Smith: So we're in the south and the name of the podcast is Sweet Tea and Strategy. So where do you stand on this classic southern drink? Do you have a favorite?
Jeff Schmidt: We're all in on sweet tea. So when we moved here, that became the favorite of the household.
Tommy Smith: Alright. And, who makes it in the house or you only buy it from where?
Jeff Schmidt: We're the Chick-fil-A family, so got the Chick-fil-A sweet tea and we're good to go.
Tommy Smith: Okay. All right. So Atlanta, that makes total sense. Avertium is a brand new company, but the businesses that join forces through the new company have a long history in cybersecurity. So tell our listeners about Avertium and maybe those who may be unfamiliar with some of the companies.
Jeff Schmidt: The name Avertium comes from "avert", and then a play on the periodic table. So, Avertium, think potassium, calcium, we're the new cyber element - people, process, policies. So if you really want to attack good security, you should be attacking it really from the fundamental of what the framework is before you start to apply tools and automation to it. So those are really the five elements that we deliver.
Avertium is made up of three companies to date. True Shield, out of Virginia, Sword and Shield here in Knoxville and Terra Verde in Phoenix, Arizona. Three very similar companies providing managed security services, SOC-as-a-Service as a lot of cyber people may know it. Delivering compliance, HIPAA, PCI, helping companies really build the framework for the next generation of what compliance is going to be as well as things that are there today. And then pen-testers that are out there - white hat hackers doing the same thing maybe the evil guys are doing but doing it for good. And then we've got virtual CISOs that are helping out as well.
So a lot of small businesses are struggling with things like staffing or maybe direction, [asking themselves], "Where do I go? How much money should I be putting into this?" So being able to provide those services as well. So we got the benefit of three companies. The oldest company, 22 years here in Knoxville, which was Sword and Shield and the other two with 10 plus, in the industry as well, so we can call ourselves a 42 year old company, 22 or 10 year old or we'rea six month old. So we can play on those as well.
Tommy Smith: So what industries are you all in? I know that you're in healthcare, government and probably a broad array. Talk about some of those industries.
Jeff Schmidt: Hospitality fairly large for us, retail. A big issue is with PCI, in the retail space and small businesses as well as the large businesses are all targets. Fintech, from a financial perspective, manufacturing, I mean, we're kind of agnostic to what we're doing because the problem when you talk cybersecurity typically is the same. There's compliance, somewhere there's the crown jewels of the organization that you don't want to get out or you've got customer information you don't want out. Hospitality tends to be one that's moving fairly quick for us, retail. And then the smaller financial industry - credit unions, community banks that are looking for help and assistance.
Tommy Smith: So there's a lot of regulation around moving of healthcare, government, banking, hospitality maybe a little less so? Talk about what themes are kind of bubbling up for hospitality.
Jeff Schmidt: If you think about, there's been a couple of major breaches in the hospitality industry. Hilton was one. So they exposed customer data. And so I think the numbers were, their fine with some around, I think was 700,000 records that were, that were taken. I may be off on that, that might be the fine, but if they were actually applied to GDPR, which is the privacy act for EU, that potentially would have taken out their profits for an entire year. You have a lot of core data that that's sitting in these environments, right. Hackers aren't just trying to steal dollars, they're trying to steal valuable assets; social security numbers, driver's license, credit, credit cards. You've seen the article, you know, the advertisements on TV right, is your data's everywhere, sometimes not where you want it to be. Helping companies really kind of understand what that is and being able to buy that defense.
Tommy Smith: You mentioned GDPR, explain for our listeners what that is and also kind of the challenges associated with operationalizing that in an institution.
Jeff Schmidt: It's how information is collected in Europe and in what you have to do to protect that information. So the compliance wrapped around it is protecting information, being able to opt out, so, if you think about companies that have your information today, you have the ability in Europe, if you're a part of that EU union, to be able to say, "I don't want you to collect my data anymore. I want you to erase it."
If you're in the US, you don't necessarily have that same right today. I was playing around on the Internet, I just wanted to see how many companies I could actually find out, like what their process was to erase me from their databases and the number of things that came back with like, "Do you live in Europe? Do you have a residency in Europe?". There's a lot of pieces that are wrapped around that, and the intention is that you can't just collect data on me unwillingly without me accepting what it is.
Many of us in the US now see it where you're going to a website and it says the website collects cookies and there isn't like, "Do you accept it?" or "Do you not accept that?". It's like there's an "x", confirm that you know it. But that's the result of GDPR.
And so that's now spilling over into the US which is, you know, California Privacy Act, Texas is moving in that direction. I think it's somewhere now around seven, eight states that are starting to move this direction. The scary part is if we end up with state-based privacy acts, how do you as a company, deal with 50 different acts that are out there? So we need to have in the US is a Federal based privacy act and what we're doing. Concerns over California, I think it was developed in two weeks. So you know, almost like building a company on a cocktail napkin. So it takes time to think through the impact and any company falls into this, they're all in the arena now. So much like Dodd-Frank to the smaller banks, larger banks can deal with it. I have massive amounts of people that can go figure out Dodd-Frank, figure out how to make it work right. But, the banks that suffered were the smaller community banks, credit unions that are trying to figure out how to go do it. So having that ability for fractional services makes a huge difference. Like I can bring in an expert at a fractional cost. I don't have to be BofA to go do this. So I can leverage Avertium that has knowledge and capabilities to go do that.
Tommy Smith: I think of GDPR having the effect right now on the US slowly over time, the same way Medicare kind of leads all healthcare - big changes. And so that's happening slowly. What is the status of federal regulation associated with privacy similar to GDPR in Europe?
Jeff Schmidt: The CCPA, which is the California Act around privacy rights, is still not federal at this point. I have some concerns that our leaders unfortunately in government for all intents and purposes, a lot of them lack the technical knowledge living into this technical age that we're in. So we need to think about separating out what's happening in government, political factor to the technology aspect and there are some people who do get that, but these are things that have to happen quickly in our environment. You've mentioned Medicare, you know, healthcare, the longer that the gap is and we as individuals are under fire every single day that people are holding our data. And that data that they hold is either done with or without our consent. We're in probably millions of databases at this point in time, depending on how much you're out on the Internet collecting your information and how it gets used and what it gets used for.
Tommy Smith: Are there certain industries where you see businesses changing the way they deliver service to customers based on what they've learned from cyber threats? So you mentioned some of the cookies and acceptance of terms or some of those are more obvious, you know, Facebook's always in the news in terms of what's your kind of, approving them to accept and what they're doing with that data. But are there other industries that maybe aren't so familiar to folks that businesses are having to tangibly change how they serve their customers as a result of cyber threats?
Jeff Schmidt: I think we made a mistake in security early on, which is it became this kind of smoke and mirrors, you know, covert operation that we're doing to protect companies. And, in fact, John Chambers of Cisco said, look, if the Internet of Things takes the same route as the Internet has around security, it'll die before it ever takes hold. And so you're talking trillions of devices that are out there today that don't have controls on them, that are being put in the hands of people who don't know about securing passwords and other things. So flip that back; what we need to be doing is to take a step back and really look at the problem. What we tend to be doing right now is applying to the symptoms of the problem. And so we're chasing.
Attend an RSA Conference in San Francisco and look at the massive amounts of security companies that are going to solve the problem that happened this year. Four years ago, data leakage protection. This year it's, you know, AI and machine learning are going to solve all of our problems. A pragmatic approach of really thinking about it is, "What is my business is at risk? If somebody had it, what's the value that I can assign to that? And what's the chance of somebody being able to get to it?". And if you start with those three questions, you can start to build a program around them.
While we're all focusing on security, we're not necessarily focusing on business continuity and disaster recovery. So it's great that we've been talking about people not breaking into our network, but now ransomware has picked up. That's business continuity, that's disaster recovery - backups and control, right? So that step back and where I look at chief security officers that are out there today, risk managers that are out there, the ones who can pull back and say, "Let's take a step back for a second and let's go look at what we have to defend today without deterring our customers and determine the growth of our business?".
Tommy Smith: Ackermann is part of a global network of PR firms that specialize in cybersecurity and so we talk with a lot of folks like you in this industry, and so one of the things I always hear is you can gauge the maturity of a business as it relates to their cybersecurity kind of IQ by how much security is thought of at the strategic planning level of whatever projects coming down the pipe. What does it look like when a company takes cybersecurity extremely seriously, embeds it in its culture at every level?
Jeff Schmidt: That's a great question. So my vision of that in the companies that are doing it today would typically start board level. It's a board-level discussion that then flows to the executive suite and the leadership teams in these organizations, and it becomes muscle memory, right? You're thinking about it, it's part of the daily efforts that we do. So similar to a conversation about how we operate in our daily lives is we do think about safety when we're driving, we think about safety when we cross the street, so starting to embed that in.
The piece that becomes important to you though is a culture of understanding that we're gonna mess up sometimes. I may click a link in an email and you want to create an environment that is, say something. Don't just bury it away, right? Because if you bury it away, then it's like, I don't want to be fearful that I might get fired because I accidentally clicked a link. We're helping people. When you see something and then all of a sudden the blood flows out of your head and goes down to your toes and you're like, "Ah, I shouldn't have done that." Say something. And the organization says, "You know what, we know this happens sometimes. You're not getting fired, but thank you for telling us. We'll go fix it and re-mediate it" versus "I didn't know".
Tommy Smith: So that looks like maybe quarterly or monthly tests within the organization and reports that show employee response to that test and making sure training's wrapped onto the end of that or followed onto that.
Jeff Schmidt: Yeah training, absolutely ongoing, all the time. So it's just again, it's just feeding it through. So, I was sitting in a healthcare facility, unfortunately, but I was looking across the room and I'm looking at a monitor and across the monitor that's sitting with a machine attached to it is this flowing screen about passwords and lock your computer and go do these things. So we have a lot of visual ways to kind of push that out. So test, train, but use it as education. Don't use it as a stick, use it as the carrot. Find people who have it, find sponsors in different areas that can kind of help with "Hey look and I have a question, what's going on?". Not Everybody is as proficient and some people are going to be like, "Oh my gosh, it's scary stuff, I don't get it." So, but yeah, I think the program to get it to muscle memory, to work out every single day, you have to have something motivating you and something challenging you. And so you want to build that into your culture of the health of your culture.
Tommy Smith: Let's talk about response. We're in the communications business and so where we get called in as probably a lot of times where you get called in is after something's happened and so where have you seen businesses respond poorly or really well from a communication standpoint? And how do you advise them after a breach has happened?
Jeff Schmidt: I don't think I can point out any company as like, hey, this is the this is the echelon of great communication and what's happening because there's such a quick response to wanting to tell people what the problem is, how big it is. The typical process is if you look at what happened in the credit bureau area, it's this many million records. So then three weeks later, so I know we're wrong, it's actually double that many records, and then pretty soon it's 300 million records. Yahoo went through the same thing.
Tommy Smith: And behind the scenes, what's going on from your standpoint?
Jeff Schmidt: People are digging through data and information and what happened, how many systems were exposed. So I mean, it's a maze, right? So, how do I put the puzzle pieces together?
There's certain compliance that says, by this time I have to get out reports and have to tell people what the exposure is. I keep peeling back the onion. It's like, oh, that's not the only server that had something on it, this other one had it over here, oh, there was outbound information going out. It's kind of Pandora's box. And so the expectation is you can give this information and respond, but how long have they been inside the network? How much information, where are the fingerprints, where is that? And that's this whole forensic process that you have to go through. It's important to respond. I'm not sure that the industry has it right, that you have to start giving numbers right away. Because in my opinion, if I'm giving a number and it's wrong, and my typical line is to give it another two weeks before they get closer to the right number. You know, Yahoo took, how long? Two years, before they got to even a close number.
Tommy Smith: You start to lose a little bit of credibility.
Jeff Schmidt: Unfortunately, think about the team that's on the inside and the pressure that's coming down. We have to look at what we're asking and where it comes from and how to get there. All these companies have smart, intelligent people. They're not stupid. They happen to be part of this breach that happened somewhere along the lines. And now they're trying to debug what that is, and it takes time. In the search for information, board meetings, quarterly reports, whatever it is, I'm pressuring people to give me information without getting all the facts. We wouldn't go to a doctor and say there's something wrong with you, I don't know, start with, let's just start dissecting me and figuring out what this is. You take time to research, to get information, come up with a prescriptive process, and what to do. So I think there's some opportunity to be better at it. So, the good or bad, the organizations that are responding I think are doing the best they can with the tools and the systems that they have.
Tommy Smith: So if you have one wish that you, that you wish the industry would kind of move towards, whether it be, regulations associated with the industry or technology that your firm's pursuing that you don't have now, where's the magic wand, you know, what would you kind of layover?
Jeff Schmidt: Shut off the Internet.
Tommy Smith: [laughing] Fair enough. Back to pen and paper.
Jeff Schmidt: There are two things. One is security isn't as spooky as everybody thinks it is. And I've been preaching this now for 20 years.
Whatever you do in your physical life to protect yourself, whether it be how you protect your valuables at home, your family, these things are really important. Do the same thing in business. What's most important? Break it down to just a very pragmatic approach. Start with that, and if somebody got this [breach], I wouldn't be happy about it, but it's not the end of the world. Right. So I think that's one.
I think it's just starting with that pragmatic approach of just getting a security policy. The number of companies I walk into pre-coming here and my past jobs and we're servicing, you know, fortune 500 companies [we'd ask] Do you have a security policy? No. Are you sharing passwords? Yes. What are you sharing? What are you sharing them in? We're saving them to a chrome browser. You're doing hundreds of millions of dollars in business, but you're still operating as a small business because, and well, we don't want to do security because it's gonna slow us down.
You have to stop. Nobody would drive a car without brakes. And so sometimes you have to go slower to go faster. And the problem is, as we've said, you have to have the Maserati of security. No, you just have to have a basic framework. My wish would be is that we are building security into the fabric and the framework that we're moving forward with and so, and we have to get ahead of the next generation. So part of fixing today is starting to look at what next is and thinking about how we protect next and actually building this into the fabric and the framework of what we're doing so that people don't think about it.
And I use this terminology, if I told you got to pay an extra $5,000 when you bought a car to put airbags in, you'd probably opt out, right? If I said seat belts were another $5,000 well I just need the driver's seat belt because nobody's in my car typically. Whatever it is. Right? But we make decisions based on costs. But if it's all built-in, we're not thinking about, hey, that airbag probably cost $5,000 to stick inside of the car. You know what the cost is when you have to replace it. But built-in takes the cost aspect out of it and says, look, it just has to be smart.
Somebody said Le Mans racing is probably one of the most unsafe sports you can do, but the security controls that they've built into the car to make it work the way that it's supposed to makes it also one of the safest sports today that exists. And they go through the statistics. That same thing that we're moving towards is just one of the three to five things you have to go do to be smart about it and make that fit into a budget that you can actually live with.
Tommy Smith: Thinking of things that are next, talking about the Internet of things, as we put AI and the power of the Internet in new places, where are you a little concerned that maybe innovation is moving a little faster than security? Or it's quite innovative as a security industry, we don't really have our head around how to control this yet.
Jeff Schmidt: So somebody said to me a while back that everything that can be used for good can be used for evil, right? So, best of intentions. The hard part is actually understanding it.
The other day somebody was showing me an AI hack that took a turtle and actually fed back in the system that the turtle was a machine gun. I'm like, "No, I'm looking at the turtle. Visually I can see a turtle here." But the AI system is saying, "No, it's a machine gun," because somebody hacked the system and figured out how to do that.
So if you take that a step further and you say, to your comment on driving autonomous vehicles, "What if I can actually change what actually is?" We're still talking ones and zeroes, right? So we always think in three-dimensions, at least in the world that we live in. Computers are ones and zeros. So, it's just rearranging the ones and zeroes to be something different.
I'm worried that we're moving so fast. IoT is one of those areas that I think is extremely dangerous because we're booting up computers that are pretty smart and pretty fast that can be used - we saw the Mirai virus, the malware that came out. Botnets have always been a big concern of security people so the ability to do command and control has transformed us to a certain extent. So, if you have all these computers that have horsepower all over the place and you can go drop stuff on it, they can't be detected because we as individuals, as consumers, aren't managing this. I don't know what my camera's doing when I'm offline. Watch your phone at night, look at how much activity on your phone is happening when you're not around it. We don't pay attention to it. From my standpoint, without being overly paranoid, we're deploying these assets all over the place, that while they're used for good, they have a high-value asset to somebody who wants to do something bad.
Tommy Smith: Thinking of communications as it relates to organizational strategy unification, you're leading this new organization that was formerly three, talk about how you think about communicating the vision of this new company to a larger employee base and everybody's new to one another.
Jeff Schmidt: We were at dinner last night having this conversation about, you know, as we're all kind of learning how to work with one another is to make our customer's worlds safer and that's our mission. And if you take the world that we're in, there's a passion with our team members. We want a team that's passionate about cybersecurity, and we live and breathe this. When we go home, we're thinking about it, you know, it's just kind of part of the DNA and it takes a special person.
We want a team that's not full of ego, but people are passionate about solving our customer's problems. We want to be the choice of our customers when they won't accept anything less. We want to be the de-facto standard. If I want the pragmatic approach to security without being scared to death - fear, uncertainty, and doubt - but I want to talk about pragmatically is how do I go do something that's right, come to us.
If you're in that mid-market space and you're trying to figure out, "How do I go create a security program?" or, "What should I be doing differently in my security program?" we apply a reasonable approach and we're looking to help you, not to just make money off of you. Our goal is to make that world safer and hopefully, we can influence the community.
We can influence what goes back in. We talk about government. I would love to see us at some point as an organization influencing the way that the US works, the way that we apply security policies. We're establishing market leaders in cybersecurity that can take this forward to the next level. That 10 years from now, we didn't see Avertium coming but look at the people that they have that are influencing the way that we work and live on a national level that they're influencing the way that senators, our representatives, our government, local, what we go do. We're influencing schools, communities, and how they think about cybersecurity. But without the glaze over on the eyes, like this is really scary stuff. It seems pretty simple, you know, look both ways.
Tommy Smith: This can be as helpful as it can be scary.
Jeff Schmidt: I haven't been in an organization in my past where you take three companies, throw them in a blender and just expect everything to be okay. But we have a phenomenal team all the way around. The question behind every question is how do we go make our company great? How do we go get this to the next level? How do we go do the next big thing, and how do we make sure we're helping our customers? We want to win, but we want to win for our customers. I don't have the egos of "My business did it this way," or "My customer wants it." It's very much about to let's go make the world better and let's go figure out how we apply ourselves to that. And let's get more people here that have the same passion.
Tommy Smith: That sounds like a great challenge to wake up and try to tackle every day.
Jeff Schmidt: I love it. I'm disappointed sometimes when Friday rolls around and I'm excited when Monday comes in, so sometimes that pushes me through Saturday and Sunday doing things.
Tommy Smith: Fair enough. When you care about something enough, that's what it does. Well, thanks for joining us today. We appreciate it. Good luck with that challenge, with Avertium and the vision you're trying to cast. Congrats.
Jeff Schmidt: We're excited. Thank you. Thanks for your time.
Tommy Smith: Well, that's the future of cybersecurity. Thanks for listening to the podcast. To listen to more Sweet Tea and Strategy about communications and business strategy, visit thinkackermann.com. Thank you.
Hear the podcast here.