Dominic Vogel, Chief Security Strategist at Cyber SC, joins Megan to discuss how small businesses can use basic security tools as a great entry point. Dominic emphasizes the need for firmly rooted foundational building blocks for businesses regardless of where you are in your process, and how he leverages comedy in the cybersecurity space.
Top 3 Quotes
- “I'm a firm believer that cyber security is very much a journey.”
- “Do the basics and do them well—that's a strong foundation.”
- “Doing security from a sustainable point of view is trying to develop the right people, the right processes and technologies, which would allow for cyber resilience against whatever the threat landscape might be.”
DOMINIC VOGEL: It's very interesting to see cybersecurity tied to a very clear business driver, which up until recently was just not the case and it's definitely seen as being a core need for why security is so important.
HOST MEGAN PHEE: Hi, I'm Megan Phee and this is GRC & Me, where we interview industry thought leaders in governance, risk and compliance on hot topics, industry-specific challenges, trends, and more to learn about your methods, solutions and outlook in this space. Today our guest is Dominic Vogel. Dominic is a chief security strategist at Cyber SC, and in today's episode, Dominic will share advice for small to mid-sized businesses on their journey to cybersecurity. We'll discuss global trends and security issues that you see in Canada, and lastly we'll talk about how he leverages his comedy to bring light to an often dry topic. All right, Dominic, thank you so much for joining us today on another episode of GRC & Me.
DV: Thank you for having me, Megan.
MP: Great. Well let's get started. We'd love to learn a little bit more about your background. How did you come to be in the position that you are today?
DV: Yeah, I always love sharing my career narrative. Uh, I'm definitely one for oversharing. All the [inaudible] I've always wanted to be in cybersecurity and I've been very fortunate. I've only done that my entire professional career. Uh, I remember entering first year of university, I knew I wanted to do cybersecurity, and I was very fortunate enough to get an entry-level job when I graduated, uh, with a liberal organization as a security admin, just running their McAfee endpoint suite. It was just a fantastic way to start my career. And I like to say that I served my corporate time. I served about 10 years in various corporate roles, mainly in the credit union system here in Canada. In my last corporate role, I was in charge of a cybersecurity team. And then one day I realized that I no longer enjoyed the corporate world. I believe it was about four years ago this past summer when I went out on my own and formed Cyber SC, which is my consulting company and something which I've just been, uh, lovingly growing over the past four years, serving small and midsize businesses.
MP: Oh, fantastic. That's a really interesting journey. You could take your experience from the corporate world and bring it now to the SMB market. So that's great. So since you help startups and SMBs with their cybersecurity, you probably see organizations wrestle with these challenges at every step of growth and maturity. So in your experience, what is the right time to incorporate cybersecurity into their strategic planning, and how can startups or smaller organizations lay the foundation?
DV: Yeah, that's the million-dollar question there, Megan. It's that point: when do you start? And we've worked with organizations of all stripes, as small as three people. I'm a firm believer that it's never too early to start doing cybersecurity, right? Even if it's just a matter of using multifactor authentication for whatever systems a three-person startup is leveraging, that to me is still being able to put out some foundational building blocks. So it's never too early. But when we're talking about that broader strategy in terms of what type of cybersecurity controls, governance or startup you're looking at, I truly believe that the sooner you do that and the earlier you do that, it'll save a ton of money and pain down the road. A favorite story of mine is actually one of my earliest clients. When I joined them, I believe they were a 20-person company.
Very early on they realized that they wanted to do security well, and they said, tell us what we're not doing and tell us what we need to do, and we're going to be aggressive with that because we know that down the road we want to make sure that we're in a good space when it comes to cybersecurity. So we went through the CIS top 20 security controls. At the time that was very malleable for a startup, and we went through the different security journey with them when they became a 50-person company, then a 75-person company. And then one day they were a 200-person company, and the security aspects they tackled were very different. That's why we always say security is a journey. It very much moves with the organization, and it was fulfilling at the end of my time with that organization because they got so large that I said, you need an in-house CISO, and they were shocked by that. They said, we've never had a consultant say you no longer need us. I'm a firm believer in understanding that cybersecurity is very much a journey and that regardless of where you are in that journey, you do need to plan for cybersecurity. It's just that what it looks like is very different depending on where you are.
MP: Yeah, and so for small businesses, when they're on that journey and they're just starting out, how can they remain mindful of budget concerns as they're starting to develop a cybersecurity program in your opinion?
DV: For sure. I'm a firm believer in being able to at least do the basics and do them well. And then even just choosing a framework: I'm a big fan of using the CIS top 20 critical controls, and when I start off with a lot of these startups or smaller organizations, rather than focusing on all 20, let's break that down into the most critical, the top six. That's covering items like asset management, vulnerability management, controlled administrative privileges, having sufficient logging and monitoring. Those are all foundational building blocks, and where a business or organization is able to do those basics and do them really, really well, that's that strong foundation. Without that, other security technologies like SIEM or next-generation firewall or what have you, all those tools and platforms, to be truly effective they need a very firmly rooted foundation. That's where being able to sort of break down those controls into the most critical ones tends to really resonate with small and midsize businesses.
MP: I'm glad you talked about the CIS controls. I actually just learned about this personally within the last week. I've been familiar with NIST and ISO, but I wasn't really familiar with the CIS controls set. And after I dug into these 20 core controls and learned, yeah, how it is a really great entry point to understanding, you know, where you need to address areas within your business, and then eventually you can map those to NIST or ISO or other requirements that you have. So I'm glad you mentioned that. Yeah, I think that's a great tactical and practical way for folks to begin their journey, um, into cybersecurity. So other than scale, how do you think small businesses, when it comes to cybersecurity, differ from the corporate or the enterprise needs?
DV: Yeah, yeah, it's definitely a different beast. I think it's both on the needs where it's different, but also the resource restraints, where it's very different as well. With a lot of these smaller midsize businesses, it varies so much in terms of what type of IT team they have. Some of them will have just one IT guy or girl who handles everything, or there may be two or three people; others there'll be no internal IT team whatsoever. They're fully outsourced, relying on an IT managed service provider. So there's a lot of difference there in terms of who's ultimately, at least on the IT side, going to be able to help from that implementation point of view for a lot of the security controls. When we're talking about the needs, I definitely see the needs, especially with the small midsize businesses, being acutely tied to the, uh, broader vendor risk management movement we're seeing with larger organizations and more in the enterprise realm. As we're seeing larger organizations and enterprises really clamp down on their supply chain, that's really affecting the small and midsize businesses.
I'm really seeing that as being one of the main motivators for doing cybersecurity well. We've had, I would say, more than 50% of our clients reach out to us based on the fact that they are struggling with a lot of these vendor questionnaires or vendor risk management. The companies that they're trying to supply their tools, platforms or services to are clamping down on them, and they're not sure how to answer those questions and they don't want to lose out on these contracts. So it's very interesting to see cybersecurity being tied to a very clear business driver, which up until recently was just not the case. And it's definitely seen as being a core need for why security is so important.
MP: Yeah, I think that's a really interesting point. You mentioned this trend here on the implications on vendors, and even folks having to think about the way that they manage vendor management internally, and there are a lot of trends in security and compliance that are global in nature simply because business as we know it has very few borders. But that being said, would you be able to share a little bit about security issues that you see in Canada and how they differ from anywhere else in the world?
DV: I would say a lot of the, uh, at least from the user perspective in terms of phishing, business email compromise, there's been a huge uptick in that type of activity in Canada. Canadian businesses definitely were not in the crosshairs in prior years, but I would say within the past couple of years, stuff like ransomware, business email compromise, and these are all things which were relatively low from the [inaudible] perspective, there's been a huge uptick. And I think one stat I read recently is that Canada is in the top three in terms of countries that get hit by those types of attacks. So it's interesting to see that threat profile change so quickly. I would say the other core difference in terms of the underlying cyber risk is that there's a different privacy landscape in Canada compared to the U.S. I'd say the Canadian privacy landscape is rapidly changing and it's certainly closer to the GDPR in the EU. And also we're seeing that in the States as well. With California, the privacy landscape has been rapidly changing, and that's very much affecting how cybersecurity is approached with Canadian businesses.
MP: Thank you for sharing that. And you know, you're kind of a self-appointed chief security strategist, which I love. So what would you say are things that are top of mind for you as a chief security strategist? What keeps you up at night?
DV: A lot of what keeps me up is worrying about my clients, and then our clients in terms of being able to really understand the fact that, more so than at any point in my career, the threat landscape is just changing so rapidly, and trying to keep up with the threats, with the risks, and what are the right technologies. Are we using the right tools or platforms? It's a very, very confusing time at this point in history, even for the most seasoned cybersecurity professional. It's very much that unknown piece that keeps me up, just trying to figure out, are we doing enough? It's a question which is becoming increasingly more difficult for me to answer. For me, one of the saving graces I truly believe is the advancement in a lot of these frameworks. Like I mentioned, CIS. Another big one which I'm very eager to learn more about is the FAIR framework, which really focuses on being able to quantify cybersecurity risk and really attach key business metrics to why cybersecurity investment is warranted. Being able to have those types of more business-level discussions rather than focusing around qualitative risks or qualitative metrics, that adds a lot of comfort to the levels of discussions that we're having with our clients. So that's part of what's helping me sleep a bit better at night as well.
MP: Good. That's good. Great. Well thanks for sharing that. And I know Dominic, in our conversations before, you've talked about this term sustainable security. So can you talk a little bit about what that means and how can companies attain that?
DV: That's the term, and I can't take full credit for it. I did see it somewhere about three years ago, but I don't remember where I saw it. So I'll take partial credit for it, I suppose. But we're very much at this point in history where the whole notion is that any endeavor needs to be sustainable. To me, doing security from a sustainable point of view is trying to develop the right people, the right processes and technologies, very much acting in a very strong symbiotic fashion, which would allow for greater cyber resilience against whatever the threat landscape might be. To me, unsustainable security is trying to solve the security problem, or paradox I suppose, by just trying to put in random technologies without any rhyme or reason and just trying to fight the problem with various technologies. That's not sustainable. That might help you in the long run, but without a very cohesive governance- and risk-based approach to how you tackle cybersecurity, and like I said, laying that out from a people, process and technologies point of view, that is the way to do things in a sustained fashion, not just choosing technologies haphazardly. And unfortunately we see a lot of security professionals who do that. So that to me is the difference between sustainable versus unsustainable security.
MP: All right, Dominic. Well, thank you for that guidance. And lastly, as you heard in my introduction of you today, we learned that you're also a comedian, so tell us more about that. How did you get into comedy and do you ever use your comedy in the business cybersecurity world?
DV: Yeah, comedy is something which is core to my personality, and ever since I was a little kid, that's all I ever wanted to be. Jay Leno, Dave Letterman, those were my heroes, and I like to brand myself as being a cyber comedian just because it helps from a dialogue perspective with non-technical people. Cybersecurity is a very dry subject, even on a good day. I'm someone who's been doing this my entire career and I still have a tough time reading my way through various white papers and listening to people giving the same old boring advice. I very much try to inject comedy and flair in my talks, when I do any presentations, when I'm meeting potential clients, when I'm dealing with my existing clients. That's how you end up with really engaging dialogue. I'm a firm believer in comedy and its power to lead to systemic change. And in a field like cybersecurity, where sometimes you need to make advances in leaps and bounds, you need a very core and important fuel to make that happen. And to me, comedy is that fuel to make incredible change happen.
MP: Awesome. I love that, Dominic. Well, thank you for sharing more about your advice, how you work with customers today, and then your personal experience of leveraging comedy in the cybersecurity space.
DV: Megan, thank you again so much. This was an absolute blast.
MP: Awesome. All right. Thank you, listeners, for joining us on another show. Until next time, this is Megan Phee with GRC & Me.