ITSPmagazine Podcast Network

Cybersecurity as a Profit Center: Transforming Risk into Opportunity | A Conversation with Robert Fernandes | Redefining CyberSecurity with Sean Martin

Episode Summary

In this episode of the Redefining CyberSecurity Podcast, Sean Martin and Robert Fernandes, CISO at the Investment Center, discuss innovative strategies for transforming cybersecurity from a cost center into a profit center, emphasizing trust, proactive measures, and interdepartmental collaboration. Tune in to discover how integrating cybersecurity into your organization's core business strategy can enhance value, attract clients, and secure long-term growth.

Episode Notes

Guest: Robert Fernandes, Chief Information Security Officer, The Investment Center, Inc.

On LinkedIn | https://www.linkedin.com/in/robert-fernandes-cybersecurity/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

___________________________

In the latest episode of the Redefining CyberSecurity Podcast, host Sean Martin engages in a compelling conversation with Robert Fernandes, CISO at the Investment Center, a financial service provider based in New Jersey. Together, they delve into the concept of viewing cybersecurity not merely as a cost center but as a profit center. This innovative perspective is fundamentally altering how businesses approach their cybersecurity investments.

Sean Martin opens the discussion by addressing the evolving landscape of cybersecurity. He highlights how traditional views of cybersecurity, such as treating it like an insurance policy, are outdated. Robert Fernandes agrees and emphasizes that times have changed; there's a growing need for businesses to leverage their cybersecurity posture as a competitive advantage. He advocates for the proactive use of a robust cybersecurity program to attract clients and secure trust, much like other marketing strategies.

Drawing parallels from various industries, Fernandes notes that grocery stores and restaurants don't just sell food; they sell safe and high-quality food experiences. Similarly, automobile manufacturers sell not just vehicles but also safety and comfort. In the same vein, cybersecurity should be seen as an integral part of the product, enhancing its value and appeal to customers. For Fernandes, this shift in thinking can transform a company's cybersecurity program from a necessary expense into a key marketing asset.

Fernandes also discusses the importance of breaking down silos within organizations. Effective communication between different departments, such as marketing, operations, and cybersecurity, can lead to a more cohesive strategy where cybersecurity is embedded in the company's culture and operations. This integration can significantly enhance the company's security posture, making it a selling point rather than an afterthought.

One particularly intriguing point Fernandes makes is the role of education in shifting perceptions about cybersecurity. He stresses the need to inform and educate stakeholders - from end-users to executives - about the importance of cybersecurity. By moving past buzzwords and misconceptions, businesses can better understand and articulate the value of their cybersecurity measures to clients and partners. Martin and Fernandes also touch on the role of cyber insurance in conveying trust. A robust cyber insurance policy can serve as a testament to the company's strong security posture, further building client confidence.

Ultimately, the conversation underscores that by rethinking cybersecurity - from product design to marketing and beyond - businesses can realize substantial benefits. This episode is a must-listen for business leaders looking to turn their cybersecurity efforts into a profitable and strategic advantage.

___________________________

Resources

Inspiring Post: https://www.linkedin.com/pulse/cybersecurity-profit-center-transforming-risk-robert-fernandes-uskwe

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody, you're very welcome to a new episode of Redefining Cybersecurity podcast. I am your host, Sean Martin, where I hope I help, uh, security leaders and business leaders get a different view for how we can redefine cybersecurity for the benefit of the business. And today's topic is no different.
 

Uh, what better than looking at cybersecurity program as a profit center, not as a cost center. Uh, not necessarily a new topic, but perhaps things have changed enough where this is something we can explore and, and achieve perhaps. So, uh, we're going to do that, uh, with Robert Fernandes. Robert, thanks for being on the show.
 

Robert Fernandes: Yeah. Thanks for having me, Sean.  
 

Sean Martin: Yep. Pleasure. Pleasure. And, uh, as with many of my conversations are usually triggered or inspired or, yeah, usually drawn from, from a post that I've seen. And, uh, today's session is no different. Uh, you, you did a cybersecurity as [00:01:00] a profit center, transforming risk and opportunity post on LinkedIn. 
 

Robert, and, uh, we're going to, we're going to dig into that with the end and go beyond that, uh, wherever we're seeing what the conversation goes. But before we get into the topic, a few words about who Robert is, uh, I like to say where I was hatched, but, uh, kind of look back in time. What have you been up to and what are you working on now? 
 

Robert Fernandes: Yes, I'm CISO at the Investment Center, uh, financial service provider out of New Jersey. Um, so I deal a lot with, um, obviously risk and, um, you know, executive buy in and things like that, which is where this sort of topic kind of arises from. Um, I also run a nonprofit. I do free cybersecurity training for at risk and underprivileged individuals, uh, partnered with Google for that.
 

Uh, I've been working on that for, for a while now. Um, and I'm just kind of, uh, you know, do it, do a lot of public speaking, um, keynoting and things like that.  
 

Sean Martin: Fantastic. I don't know. Maybe there's another conversation in the [00:02:00] nonprofit. I'm, I'm always interested in that stuff too. So, uh, perhaps we can line something up there. 
 

So what was the, what was the catalyst behind putting this post together on LinkedIn?  
 

Robert Fernandes: Yeah, I mean, kind of like, like anything in the industry, you know, when you, um, deal with a lot of different, uh, situations on a daily basis, there's certain things that just kind of pop into your mind. Well, that's that's really what happened here.
 

Um, you know, I do see a lot of misconceptions today about cyber. Um, and I think kind of to your point, things have sort of changed over the years, um, which which sort of draws a completely different picture around cyber today. But I don't think a lot of people who are outside of the cybersecurity, um, uh, practice or are the cybersecurity realm really understand what these differences are.
 

And a lot of them still have old misconceptions that are driving their thoughts and driving the way they're doing business around cyber.  
 

Sean Martin: And, [00:03:00] uh, So for what it's worth, a lot of my background is in bringing security products to market, uh, many years at Symantec doing that. And we often looked at the cost of buying and using technology as a way to reduce cost and expense, and obviously risk for a cybersecurity program, ultimately for a business. 
 

But this is beyond that, what you're talking about, right? This is not just the tech stack we're using, but how do we actually take a cybersecurity program and drive value and not be a cost center. I mean, maybe explain a little bit more about what your, the scope of what you're talking about here.
 

Robert Fernandes: Yeah, absolutely. 
 

And I think, you know, as you and I both mentioned now, um, the times have changed. Um, you know, you're starting to see more things such as, um, you know, third parties that are sending out security questionnaires, um, you know, potential clients that are sending out security [00:04:00] questionnaires, insurance companies that are sending out security questionnaires, um, there's so many things that are driving it. 
 

Now there's more regulations than ever. And I think there's just going to be more coming. And really, you know, you can't even be in business anymore in a lot of areas without, you know, concentrating on cybersecurity. And I just think that there's ways that, you know, we look at cybersecurity historically as that it's only been a cost.
 

It's only been an insurance policy and nothing more. And now with, you know, now if you utilize your security posture and promote that and market that in a way that this will attract clients, I think it can be as good of sometimes even maybe better, um, a marketing campaign than, you know, your typical, um, marketing campaigns that are, that are pushed out there. 
 

Um, I mean, you know, for, for [00:05:00] example, right. So, um, you know, everybody knows about the damages and the costs of a data breach. Uh, they know that it could, it could potentially harm your reputation. Um, and I just think that if we get our ducks in a row with the way that we approach security and we can understand and how it could make us, um, you know, a market leader in our in our own industries.
 

If we're doing cybersecurity right, and use that as a selling point as opposed to just kind of this insurance insurance policy that's trying to protect us sort of just in case.
 

Sean Martin: And do we, there's a few things rattling around in my brain. But do you have any, yeah, parallels from other industries we can draw upon some thinking of, you mentioned, we know the cost of a breach and if I look at like something in the manufacturing, there's always the cost of somebody getting hurt and there's a big board on the wall that says so many days of, of no acts or being accident free, right?
 

Sure. Um, which then [00:06:00] presumably paints a better picture and then a better business, right? So the shop's not shut down. You can actually produce more and you can get better coverage from an insurance perspective. Partners probably want to deal with you more if they know you're not harming your employees.
 

So are there, there, That might be a parallel, but there are others like that you can think of that. Yeah,  
 

Robert Fernandes: I, I, I could actually think of, um, numerous parallels. Um, for example, I mean, you know, grocery stores aren't just selling food, right? They're, they're selling safe food. Uh, restaurants aren't just selling safe food. 
 

They're selling safe food and services and, you know, an experience and, you know, making sure that they have a good experience, right? So there's a lot of. safety and things included in that. And to your point about, you know, automobile manufacturers, you know, they're not just, you know, providing vehicles of transportation, right? 
 

Some of them are providing comfort, luxury and, of course, [00:07:00] safety. Um, so, you know, there's a lot of parallels there where, uh, it, it, you know, and I, and I think it even goes a little bit deeper than to just using cybersecurity, um, uh, your cybersecurity posture as a marketing campaign, but I think it's also important to rethink the way we look at security altogether and understand that it is part of our product as a whole.
 

It's not just something that's keeping our product safe. It's something that is part of our product. It's built into our product. Um, whatever that product might be. And if we look at it that way, you know, the same way, like I mentioned, the grocery stores and the restaurants and the car manufacturers, hospitals, so on and so forth, um, I just really believe that, uh, cybersecurity should be, um, a selling point that's incorporated as a core component of the, of the product. 
 

And not only the product of the company as a whole, especially, you know, when you start to get into more areas where you are talking [00:08:00] about things that are highly sensitive, such as data, um, you know, hospital, you have PHI, PII, um, things like that. And, you know, it's, it's, you know, the fact that organizations still look at security as this sort of added on thing.
 

That's like after the fact of their, you know, their product design and their product builds and all of this implementation they're putting in place. And then, okay, maybe we'll throw some security in around these other things. Networks and our servers and our firewalls and so on and so forth. Um, I, I really think that, you know, the security is part of the product itself, the core part of the product. 
 

And if you're selling that as part of it, I think it's definitely, um, it will transform things from that, you know, cost center to a profit center. Um, and I think it's, it's just a way of thinking that historically we have, you know, thought of it as an insurance policy. And nowadays people are seeing more data breaches, um, seeing more security [00:09:00] incidents and they're starting to demand it more.
 

So it, it, it is in, in essence, a selling point.  
 

Sean Martin: Yeah. And I was going to ask so many questions in my head, but I was going to ask, is the market ready? Is the customer ready for that marketing pitch? Um, and will they recognize the value or will they be misguided if everybody just says we're secure, how, how do they know, right?
 

How, what, to what level is security built into the product or service?  
 

Robert Fernandes: Yeah. I mean, that's a, that's a great point, right? Because, you know, I find that one of the biggest challenges that I have in my position is, you know, educating those around me, whether it be an end user or whether it be an employee or whether it be a board member or an executive, um, education is really key to making sure that everybody understands these things.
 

So I do think that, you know, as we move forward with this, I do think you're going to start seeing [00:10:00] more, you know, educational campaigns that will help the, um, you know, the, the, the end user or the potential customer to understand the differences between, you know, the fluff and the, the shiny things and the, the, the, the buzzwords and, you know, I mean, I feel like a lot of us security practitioners are still trying to weed through all of the buzzwords and, and things like that.
 

Uh, and you know, we, we get, we, every time we get a new RSA or a new Black Hat conference, we get new buzzwords and it's, it's kind of weeding through a lot of that noise. Um, but I think, you know, as security practitioners or practitioners are concerned, we're used to it. Um, the, you know, customers, clients, not so much, same things with dealing with like cyber insurance, things like that, understanding what's in your policy, you know, a lot of these things are very, um, education based.
 

And I, yes, um, you know, I think that actions always speak louder than words in our industry. Um, I always, you know, I always like to tell [00:11:00] people, you know, everybody is susceptible to a breach or an incident. It's a matter of how you react and how you learn from those incidents and what you do moving forward and looking at a track record of an organization and not just their words that they're throwing around in their marketing campaigns.
 

Sean Martin: Yeah. So what, um, I'm just thinking here, the, built into, well, I guess if you think about like service level agreements, right? So if you're going to commit to, I mean, I think it's easy to look at B2B, right? We're, we're gonna, we're gonna have a relationship. There's a trust there. It's a very, very finite number of customers or partners we're working with.
 

We can have those conversations and, and kind of work through the language and what we're offering and, and why we're able to meet a certain service level because of the investments we're making in our security programs. When you get to the consumer end user, it becomes a little more difficult. Um, [00:12:00] so I don't know any, any thoughts on that too, how to translate what we offer and bake in the, the security into that. 
 

Robert Fernandes: Well, I mean, just sort of taking a, taking a, um, a step from the, the business to business, like what we're seeing a lot now. Um, I don't know if this will translate to, um, customer facing, but in regards to, you know, a lot of business to business now, what we're starting to see more from a lot of these cyber security, um, you know, product solution providers, things like that is we're starting to see more warranties on their, on their products. 
 

Their offerings. Um, maybe we'll start seeing that on more client facing things as well, where there are warranties built in that if there is a breach as a result of, um, of our product, then we will we will provide you with a warranty. Um, you know, some sort of a guarantee, you know, this sort of thing won't happen, [00:13:00] um, as a result of our product.
 

Um, maybe consumers will start demanding that more because we, you know, we're getting more and more breaches. I know a lot of things have to change and I mean, we could probably have whole conversations around, you know, the fact that we're still using social security numbers to identify ourselves and, and a few other things that are kind of, you know, really, really piqued my curiosity as to why we're not even having the conversations of, you know, using nine numbers to identify ourselves for some of the most critical things in our lives.

Um, you know, but but I think a lot of a lot of this conversation needs to be moved forward to how do we protect the consumer better? How do we educate the consumer better? Um, you know, because a lot of it is, you know, unfortunately, you know, education only goes so far. I mean, we have to, we have to do a lot more as far as security controls in place and things like that.
 

Um, so I mean, reaching out to the consumers is you're, you're right. I think it's a hard sell, but I think a lot of it needs to be more the way that us, we, the [00:14:00] security practitioners are designing and, uh, um, putting out and releasing these products. You know, I think even a lot of the security practitioners, we still have an older mindset from that whole fortress, and it's become so embedded into our thinking that we think that just this defense in depth and, you know, stacking one control on top of another on top of another and then another vulnerability comes out and another exploit comes out and then we stack another control on top of all the other controls that we have in place, you know, and, and, you know, I do, I am a real big fan of, you know, zero trust and going that sort of model.
 

Um, not zero trust the buzzword, but zero trust the actual implementation. Um, you know, but, but, but these sorts of things I think are, are, are just ways that we need to approach things a lot better and we need to make products more secure by design, um, you know, and, and I think that that's, that's part of our problem as a security, as security practitioners is [00:15:00] that we're dealing with a lot of, you know, um, legacy thinking of around security that, you know, we always had that fortress in mind and that fortress no longer exists.
 

So it's, it's, it's really a whole new way of thinking that we need to sort of evolve and get away from, um, you know, it's always been sort of reactionary. We're playing cat and mouse with the, with the threat actors. Um, you know, we think we're doing a great job until we're not, right? And then there's something else we have to figure out, you know, but it's, it's, I think it's educating our, our IT practitioners, it's educating end users.
 

It's ed, you know, um, you know, I shouldn't even need to say this. Every, every listener of yours probably knows this already, but it's obviously getting the buy in from, you know, the board and the leadership to make sure that it's baked into every aspect of it. And it's thought through from, you know, the original concept all the way to implementation and, and, you know, development and, and release. [00:16:00]
 

Sean Martin: Yeah. Well, let's, and I'm glad you went there. Cause that's, that's where I wanted to go is getting the buy in because looking, bringing it back specifically to a profit center. There's no question that some deals are often tied to one security posture, right? So there's probably some third party questionnaire to evaluate, or do you have this, uh, do you meet this ISO?
 

Do you meet this NIST? Do you follow this NIST? Do you have this SOC 2? Whatever it might be, right? Are you HIPAA compliant?
 

That unlocks revenue, right? So that I think that's an easy one to say you can only get this profit if you unlock this opportunity by being secure. Um, so that's an easy one to follow. I'm just wondering, is there something in your experience where we can kind of dial that up a notch to say, don't just answer the questionnaire [00:17:00] so we can unlock that deal?
 

Let's evaluate what the questioner is really trying to get at and then ensure that we're doing this right. So that we can repeat that process. I know a lot of CISOs now go on to sales calls and BD calls, biz dev calls to, to put a face to the questionnaire as well, to help sell some of the stuff. So I'm just wondering, are there things companies can do to move that needle just a little bit further beyond unlocking a deal through a questionnaire?
 

Robert Fernandes: Yeah, well, I mean, obviously, you know, like you said, getting involved in the sales calls and everything like that is important, but it's doing the work before the calls, right? That's even more important. Um, but, but I would say that one of the biggest, um, things that I think every organization can do if they're not already doing it is to, um, start breaking down those silos that are within all [00:18:00] the companies that we that we that we deal with.
 

Um, it's it's way too often that, you know, security is in its own silo as marketing is in its own silo as operations is in its own silo and understanding that, you know, this, the world we live in is very dynamic and things are changing so quickly and rapidly and we need to be all on the same page. Um, you know, we need to be very agile, so to speak.
 

And I think in order to do that, we need to have direct lines of communication with everybody. Everybody needs to be involved in the process when, especially when it comes to security, because we already know about all the different, um, um, uh, ways that attackers can get in from, you know, from, from the receptionist to, you know, the source code to, you know, developing to the website to you name it.
 

Right. Um, you know, so when we're, when we're working through a lot of these process, I think that one of the biggest things is [00:19:00] communication and making sure that everybody's on the same page. Um, you know, I do, I do believe in bringing marketing in a lot because A, they're great at communications. That's what they do. 
 

Um, so if you can work on educating them about the importance of security and why you do what you do, A, you get buy in from other departments to help you with your security efforts. And if you can get that from the marketing department, I mean, that's a, that's a great department to get, to get in, um, to get in with, I mean, you know, explaining to them that, hey, you know, if you spend, you know, hundreds of thousands of dollars on this marketing campaign, or this recruiting campaign, or this cold calling campaign, or whatever it is that you're doing, and you know, you, you, you, you get that one big potential, you know, quote unquote, well, that's, you know, you're, this is going to change everything for the, for the organization.
 

And if you're not already doing [00:20:00] the security things, like we said, the work put in making sure you have the controls in place. So when those security questionnaires come around, you know, maybe to your question, maybe instead of just answering it, say, you know what, maybe we'll one up you and we'll, we'll, we'll give you a little bit of a tour of how we're doing these things, show them some, some dashboards and show them some things that we can show them, um, to show them our posture and show them what we're, what we actually have in place and how long we've had it in place. And, you know, if, if, you know, you've gone through audits, obviously that's a great thing, but a lot of time that ends up being another check box.
 

Um, but I, I think showing, showing organizations that security is part of your culture to me is, is one of the bigger selling points than just answering the questionnaires and showing that you have somebody that's thinking about security for your organization, showing that, that that person is embedded into all of the leadership conversations and decisions within the organization, um, and things like that.
 

So I, I think that, you [00:21:00] know, breaking down the silos, working with those teams, um, educating, um, working with, um, you know, marketing showing that, you know, here, here's the ramifications of, you know, you putting all the effort and money into making that one big sale, and then now you can't make it because we're not doing the right.
 

Sean Martin: Ah, so much there. And, um, um, I'm glad you brought up marketing because another thing in my mind, what is marketing? It's bringing in leads and prospects so that sales can close a deal. What's R&D? Building something that sales can sell. What's security? Can it not, can it not be both? I guess you, you make investments in marketing, you make investments in R&D.
 

Those are cost centers designed to enable something to be sold and, and to enable sales to, to, uh, connect and reach, reach and connect with the, uh, the [00:22:00] prospects. I'm a firm believer in many of the episodes recently. I've kind of looked at this where I believe security has information, data, knowledge about how things work.
 

So in, in partnership with the CIO, for example, we might, you might be able to say we can gain efficiencies by tweaking this tech stack, modifying our controls around it because we've modified the tech stack to be less exposed or whatever. And that's going to unlock the opportunity to close 10 times more deals or to offer a new service in the product that we weren't able to before because of the way we're developing the stack and, and control, putting controls on top of it.

Do you have any experience or first thoughts on that? Or maybe any stories that might shed some light on that's an opportunity where security is part of the R&D process to [00:23:00] enable more, to be enabled, a better product to be sold and the marketing, which we kind of talked about, to help communicate.
 

We have a better product, not just because it's more secure, but because it's also faster and more nimble and scalable or whatever else that matters.  
 

Robert Fernandes: Yeah. I mean, it's, it's so, again, I work in financial sector, so, um, you know, we don't create a product so to speak, but our products would be sort of investment products and things like that. 
 

And, um, I mean, when, when the way that I look at it, a lot of it in the, um, in the financial world really comes down to a lot of trust, right? So to me, trust is the product. And, you know, if, if you're, if you're working with a financial advisor, it's because you trust that financial advisor, because you're, you're trusting them with your, with your life savings. 
 

Um, you know, you're trusting them with your retirement. You're trusting them with so many different things [00:24:00] with your, you know, the potential for your child to go to, you know, the university. So there's so many things that you're thinking about here with, with trust. Um, and if we are as CISOs for financial service providers responsible for, you know, everything that goes around that, then we are ultimately responsible for that trust as well.
 

And, um, you know, it really is a selling point. Um, I, I like to make sure that security is a conversation in all of the conferences that we have, all of the events that we have. Um, you know, I, I put myself sometimes in front of, um, clients, if, you know, financial advisors have questions, um, or, or I'm sorry, if their clients have questions about the security, um, I say, you know, anytime reach out to me, I'm more than happy to have that discussion with your clients.
 

We could talk about security. That's, you know, around your, where, where your funds are stored, how we handle things, um, how we secure your, um, [00:25:00] your assets and so on and so forth. Um, you know, so, so, so that is always a selling point. I haven't seen any good sort of metrics, um, on how we can, you know, sort of, uh, or, or maybe I just haven't taken the time to put it together. 
 

Um, as far as how, you know, securing X, Y, and Z can generate more leads and more, you know, um, potential clients and things like that. Um, but that, that would be a good number to take a look at. Um, I always find that for, for like the, the, the good numbers for me, always looking at the insurance companies are one of the best areas to look for those sorts of things.
 

Um, you know, because I feel like as security protect practitioners, we always have a hard time sort of, um, quantifying like the, the, the efficiency and the value of certain controls that we implement and things like that, you know, but, you know, insurance, insurance, uh, providers who are paying out cyber policies and things like that, they tend to do it really good because they're, you know, their, [00:26:00] their money is on the line for that.
 

So, uh, they end up having a lot of really good data. So, I mean, but, but, but in regards to, you know, implementing this control in order to, um, you know, say that we're going to bring on this much more revenue, um, I haven't actually seen that or done that yet, but that is a good, that is a good, uh, idea. That's something to think about  
 

Sean Martin: Because I, I can't tell you how many times, well, companies spend a lot tuning the marketing dial, right? You can find that best. And I'm just like, can we not do the same for security and have it do, have it do that same type of thing for the business. And I'm glad we have run the same wavelength here in terms of what we think about.
 

'Cause you mentioned cyber insurance. And I want to tie that back to your point on trust. Trust is your product. And how do you communicate trust to your clients? Um, then they don't care about what controls necessarily, but if you, if you have a great policy [00:27:00] from a cyber insurance company or broker or whatever, that increases your level and you're able to also save a lot of money on your policy costs, right?
 

That the premium, uh, to me, that says trust because to your point, they, they're the ones with the money on the line, right? So they've evaluated, they trust you're doing the right thing, which to me translates, or at least relays to, to the customer that, uh, they should also trust you. So I don't know how we leverage the cyber insurance message as a part of communicating trust, but I think there's something there as well.
 

Robert Fernandes: Yeah. I think there's definitely something there as well. Um, but, but, but I do, I do, um, I do like the, the idea a lot of just getting out in front of people, um, getting out in front of your employees, getting out in front of, like, in my case, financial advisors, getting out in front of the clients, showing them that you're proactive about things, explain to them your thought process. [00:28:00]
 

Um, again, you know, going back to the silo, um, uh, reference earlier, I think that not only are we a lot of times within the organization, very siloed, but I also think that oftentimes the way we speak to people can appear to be siloed. Um, because a lot of times we speak in our acronyms and you know, we, we, we use terms that people don't understand.
 

And I think explaining to them like the method behind our madness of why we do things is really shows them that we're, you know, forward thinking. And we're not just being reactionary because I do think a lot of people believe that, you know, it's, it's that security is always reactionary, and I don't think that a lot of people understand how much work goes in for before the fact, um, to try to prevent and mitigate a lot of these risks that are out there.
 

You know, but having those conversations with people, I think, is a very important, um, issue, and, and, and going [00:29:00] back to what I said a lot earlier was, you know, I think there's still a lot of misconceptions. I, I know that, you know, I, I see business owners, um, more, more small, medium sized business owners that, you know, I have conversations with sometimes, and they talk to me about cybersecurity, things like that.
 

And, you know, it's like, oh, I'm going to go ask my, my MSP, or I'm going to go ask my tech person. And I'm like, okay, you know, but just understand that, you know, they're not really, you know, experts in cyber security. They might understand the cyber security controls and the cyber security tooling that they're putting in place. 
 

They might really understand the, the firewall that they put in and their configs that they have on the firewall, and they might really understand those things really well. But you have to understand as a business owner that cyber security is way more than IT. IT is just a small component of cyber security.
 

And you know, the bigger picture is that, you know, as cyber security practitioners, it's our jobs to help to manage business risk as a whole, and the IT [00:30:00] risk is just a small portion of that. So I think that, you know, educating business owners to understand where, you know, a lot of times you get, like they, it's like when, when the, when the person comes to you with their problem and they tell you their problem and you're listening and you're like, Oh, wait a second.
 

That's not actually your problem. I will tell you what your problem is. Um, you know, they think they know the problem, but they don't because of misconceptions they have around cyber and, and, um, things like that. And I think that, um, educating the, the end users and especially the business, um, business leadership, as far as what cybersecurity really is and where it needs to sit, um, within the organization and things like that are also important. 
 

Sean Martin: Can agree more, can agree more. And I think you make a point at the end of your, your post about, uh, sustainability. And I think the ultimate goal is to grow and sustain that growth, right? And to build upon it. And if the weakest chain in the link or link in the chain or [00:31:00] whatever, uh, is cybersecurity, that's going to ultimately prevent you from achieving your desired outcomes there. 
 

You might want to think about your investment and how you, how you communicate and invest. I encourage everybody to read, um, read this article. Uh, there's a lot of cool stuff in there we didn't get to touch on today, but it's transforming risk into opportunity. And, uh, Robert, it's been great chatting with you and, uh, hopefully this gets people thinking, certainly got me thinking a little bit more.
 

Robert Fernandes: Yeah. I appreciate you having me on. It was, it was a good conversation.  
 

Sean Martin: Appreciate it. Thanks for everybody for listening and, uh, and watching. If you happen to catch the video and please do subscribe, stay tuned, uh, many more chats here on Redefining CyberSecurity. Thanks again, Robert. Keep well, everybody.
 

Robert Fernandes: Thank you.