Get IT Started Podcast

EP 13 – Den Jones Talks with Craft Ventures’s Bil Harmer

Hello and welcome to Get It Started Get It Done, the Banyan Security Podcast covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer Den Jones speaks with Bil Harmer. Bil is Operating Partner—Security at Craft Ventures, and describes himself as a “virtual CISO to 185 companies.” We hope you enjoy Den’s discussion with Bil Harmer.

View Transcript

Speaker 1:
Hello and welcome to Get IT Started. Get IT Done, the Banyan Security Podcast, covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer, Den Jones, speaks with Bil Harmer. Bil is operating partner security at Craft Ventures and describes himself as a virtual CISO to 185 companies. We hope you enjoy Dan’s discussion with Bil Harmer.

Den Jones:
Okay, everybody. Hey, welcome to episode 13 of Get IT Started. Get IT Done. I’m your host, Den Jones, Banyan’s attempt of podcasting. If the software game doesn’t work, then maybe we’ll fall back to this, but I trust our software is good enough and we don’t have to rely on my nonsense and crap shit talks. Anyway, let’s get moving on. First of all, happy New Year everybody. All the best for 2023. I am blessed to have Bil Harmer from Craft Ventures on our podcast this week. Hey Bil, welcome to the show. I’d love you to explain to everybody who you are and what you do.

Bil Harmer:
Sure. Well, thanks for having me and happy New Year to you as well. I’m glad that I’m on the lucky 13 episode. I’m an operating partner with Craft Ventures, which effectively allows me to be a virtual CISO for 180 portfolio companies. Part of what we do is provide services to effectively protect our investments with the companies that we invest in. It allows me to get into all sorts of different tech, all sorts of different areas that I never thought I would get near, but I still do what I’ve been doing for the last 20 years and that’s providing guidance and security advice and education to all of our different portfolios.

Den Jones:
Awesome, awesome. How could people understand what’s the main difference between the regular CISO job and the CISO job you’re doing? Is it that you’ve got just way more spread out responsibilities with different businesses and you’ve got to try and learn them all?

Bil Harmer:
I think it’s more think instead of mile deep and an inch wide, I’m a mile wide and inch deep with them. It can go as much as they want or as little. This is mostly voluntary stuff, but we can have… Some companies will say, “Look, I got a head of security. He’s solid, she’s solid, no issues.” I send them updates and things that I may hear because I have connections with the FBI, I have connections with industry. If I find out there’s an attack or if there’s a vulnerability or something, I can send them out guidance and help on that just via Bil Harmer’s update. On the flip side, I can be there for them when maybe they’ve had an incident and they’re unsure of how to deal with it because they’re an eight-month-old company, engineering-led, they can build really good software, but they’re not really sure what their legal or data privacy responsibilities are when it comes to notifications or how to handle it or dealing with a customer.

Den Jones:
Yeah, no. That’s awesome. Awesome. Yeah, it’s funny. It’s an interesting angle for any career path. What made you go down this career path? Or how did you get into being the virtual CISO?

Bil Harmer:
Yeah, I would never have even thought that this was a role. I worked with a woman named Hillary Smith, who’s an amazing GC. She and I were together at SuccessFactors dealing with a lot of German data privacy back then. I was talking to her about solar power. It was just one of those… I had installed solar at my house and she was installing it at hers and she had some questions. Craft came up with an opening for a security person on their operating team and she said, “Hey, would you be interested?” She said, It’s not full-time or anything, it’s just a consulting role to be there if needed.” I said, “Yeah, let’s give that a try.” Within a week of joining as a contractor providing, I don’t know what it was, 15, 20 hours a month or something like that, I was finding myself just working, doing a lot of work. I wasn’t building them for it, which tells you something. I was just really enjoying what I was doing.

Den Jones:
You were doing.

Bil Harmer:
I was back to it. If anybody knows me, you’ll know that I build stuff, I fix things. That’s what I do. I don’t do corporate really well. I don’t like it. I find it just not my gig, not my shtick. I love to find startups and be there at early and help them solve problems. That’s what this is. This is just literally doing that day after day in different industries so nothing’s repetitive. It just worked out. They asked me to become full-time last July and now it’s just continuing that same thing.

Den Jones:
Awesome. Awesome. One of the things that I noticed, so you’re doing a lot of speaking engagements, you’re involved in the community and stuff. What’s new on that path? Because on LinkedIn, if anybody follows you on LinkedIn, they’ll notice that you’ve been pretty active in January. The year’s just kicked off and already you’ve got speaking engagements and you’ve got different communities. Do you want to share a little bit there?

Bil Harmer:
Sure. Yeah. I guess I’m following somewhat in the footsteps of my father. He was a professional speaker for 15, 16 years. Coming up in July, I’m on the board at the CISO Forum of Canada for siberX and we’re putting on a two-day event in January in Toronto. It’s promising to be just fantastic. We have some really hardcore guys. Chris Roberts is coming, he’s one of our keynote speakers. I love listening to that guy speak. We have Wendel Clark coming, I’m a Leafs fan. You’ve just hit the double header right there with an all-star in security and an all-star in hockey. I’ll actually be master of ceremonies for day two of that. Yeah.

For me, public speaking presentation, I spent a lot of years when I was at Zscaler trying to educate the world on what the concept of zero trust was, of digital transformation, of no longer working from home. I had no idea the pandemic was actually going to prove everything that we were building was absolutely valid, but here we are. We’re all sitting at home doing our thing, and if you’re doing it correctly, you’re doing it in a reasonably secure way. I won’t say totally secure.

Den Jones:
Yeah, yeah. I was just going to say that it says a couple of things there. Already in the buzzword bingo. We’ve got digital transformation, and zero trust, and Zscaler.

Bil Harmer:
Don’t make me say SaaSy.

Den Jones:
I know, right? Well, it’s funny because it’s like SaaSy and then SSE, all the buzzwords are coming out. Both of us, if we’re on the confidence trail and I’m like you, I’ve done quite a few events, and I don’t think I can get through one presentation, either mine or somebody else’s. Now mine, obviously, I work for a company that treats themself as a zero trust remote access and you can’t go through one presentation without the term zero trust. For me, like yourself as a practitioner, what I’m trying not to do, I’m trying not to sell Kool-Aid and shit like that. I’m trying to tell people, “Hey, this how you can get started. This how you can get it done.”

Again, the theme of the podcast really is getting shit done. I don’t want to be in a position where you’re just mind numbingly, buzzword bingo-ing the crap out of people. It’s been really interesting because… In your mind, the shift over the pandemic and stuff and everybody working from home, what do you think? Maybe this is a good one into the trends of what did you see as a trends of last year, 2022, and then what do you see in the trends of this year? What are the themes and how do you think they’re going to change?

Bil Harmer:
Honestly, the theme’s cleanup. If a company or a person isn’t thinking cleanup, reset your priorities and cleanup. So many, far too many companies ran into the pandemic, as you would expect them to, which is, “We can’t shut down, we can’t stop doing business, make it work.” None of them were prepared. Very few were prepared for a full work from home. Look at Cisco. Cisco builds remote access and their concentrators crashed because they simply didn’t provision 100% remote access, because nobody in DR or BCP provisions 100 remote. Well, when I was doing pandemic planning back at Manulife in Toronto, our concept of a pandemic was 40% dead. It’s the way you build it. Your 40%’s dead, another 40% doesn’t care, or they’re dealing with something else, or they’re locked in their house with boards across the front door because we’re doing the zombie apocalypse kind of stuff. Nobody provisioned that kind of thing. A lot of changes that happened at corporate were, “Get them working immediately.”

Holes were punched, compromises were made, and more to the point, on-prem policy was used to dictate remote access and far too many companies did that. They’re now sitting with either that still in place, which is a nightmare, or as you know, the best time to attack a company is during moments of chaos. When you’ve just taken 20,000 employees and said, “You all work from home,” and those phone calls are coming in to help desk going, “I can’t get in. I can’t get in,” I guarantee you somebody out there has had a new account created in their name. It’s Bil Harmer Two or Bil Harmer whatever, and they’ve created that one to get somebody working who wasn’t an employee.

I think right now there wasn’t enough… I don’t think there was enough cleanup being done last year, because as the pandemic was winding down because we’re kind of not in it anymore and the market turned sideways so quickly that the layoffs started happening, so now you’ve had two years of non-standard changes for a non-standard work environment that became standard, and then you laid off a whack of people, and you know that there are roles in there that were cut that were the only people that knew how to do something and the only people that knew what was done because nothing was documented, I think you should be looking at cleanup. Go back and audit the crap out of everything to ensure, especially around identity and access. Those two things, if you can at least nail those down, you can [inaudible 00:11:48].

Den Jones:
Yeah. It’s funny because I joined Cisco actually in 2020 just as the pandemic was starting. Cisco’s sales obviously were going great because people who had deployed old clunky VPN, any connect, they had no choice but to double down. They’re like, “We need to get more. We need to get more because we need to scale up.” They had no choice. When you’re going into that pandemic emergency, that’s not the time to suddenly deploy a new technology. It’s really funny because at Banyan, we’re like, “Holy shit. This will be brilliant for us because we do this forward thinking, new zero trust, remote access. We’re going to be the shits. Everyone’s going to want us.” What we realized was, well, people don’t have the ability or time to think about shifting from an old legacy VPN solution to something that’s forward thinking. I totally agree.

One thing I would say is I was really fortunate. At Adobe, we deployed our zero trust implementation in late 2017, early 2018. By the time the pandemic hit, we already had 40,000 people using our ZEN platform. For the audience, our definition of zero trust, and the one that I go to first, is usually employees accessing apps and services from anywhere in a more secure way and assume you don’t trust the network. That network could be the network in the Starbucks and it could be the network in your company’s corporate environment. In both cases, but mainly in the Adobe case, we were responding with proactive strategies on how we saw attacks coming in over the course of many years, including nation states and other ones. For us, that was a strategy that we adopted long before the thought of COVID.

COVID arrived after we had even done our shit. We were like, “We’re done.” Now we’re improving on what we’ve done but we never went into that because of any pandemic. We were just really fortunate. Adobe didn’t have to invest in more Cisco VPN routers and concentrators because we had already deployed our ZEN platform, which was kind of cool. By the time I got to Cisco, they were obviously able to scale their VPN access, but we weren’t in there with the technologies they had on how to do a zero trust implementation, so they weren’t going to be a VPN. It’s kind of cool when you can see it. Like you say, I think companies need to double down on now looking at what they’ve done in haste, and start to clean that up, and think of strategies to… And limited budgets, especially this year. We’re going to have to see how that plays out.

Bil Harmer:
For sure, for sure.

Den Jones:
Ideally, they’re now looking at a strategic investment to clean up what they’ve done and then move forward. Now, talking about moving forward, so 2023, well, 2022, there were a lot of high profile security incidents around identity management or identity-based attacks. Not talking about other vendors, but they’re talking about the themes of the attacks, a lot of identity. A lot of people who had access, but their account were compromised so they used the access they had, so least privilege. Well, we’re still doing these privilege, but the attackers still used that privilege. What do you think, from an attack perspective, what guidance do you give people, as you think of 2023 when you think of the attacks that happened? How should they think about protecting themselves?

Bil Harmer:
You’re touching on identity and the whole reason I left Zscaler was to go to an identity company. Because to me, identity is the key to unlocking all of this. For a lot of years, people were going through and building their zero trust infrastructures where they were providing Palo, Cisco, Zscaler, you name it, they build good software. All of them build good software, it all works. They all have their challenges, but they all work. But every single one of them is predicated on [inaudible 00:16:30] sample token and. After that all happens, the DLP, the inspection, the behavioral analysis based on the sample token that is based on the password. It’s based on the identity. I think hitting it, seeing what was happening with the identity-based attacks, that’s all we’re going to see from now on it.

Take, let’s say, 90% in there. That is going to be the majority of everything that you see. They’re going to use those identity because we do have access. We have that privilege, we have the access, we have the different pieces that are required to start or finish an attack. I think it’s going to have to go to constant inspection. What the true meaning of zero trust is, it’s not that I don’t trust the person, it’s I don’t trust the digital entity, the device, the account that is being utilized at that point because I have to understand what’s happening. We’re going to see more SSL decryption. If companies are not decrypting SSL, they’re blind to 90% of the traffic coming in and out of their environment. It’s going to go down to AI, I think, will be utilized to understand behaviors and watch deviations in… I mean, minor deviations because slow-footed attacks are simpler. They’re more expensive, they take longer, but that’s what nation state does. They have no financial interest in what’s happening. They are going for a different objective, so investing money in these attacks makes total sense.

I think you’re going to start to see a heavier, or should see a heavier, amount of work put into marrying digital and carbon identities. Me, what is my digital identity? Because we all have more than one. How do you understand them, protect them, and make sure that it’s self-sovereign identity? How do I own it? Not a company or a government, or maybe the government has part into it and a company has part into it, but how do we start to see the building of these digital identities that will be the future of how we represent ourselves if meta is even remotely correct? I kind of think they are. I the way they’re going about, it’s kind of goofy, but the concept of doing more digitally is absolutely coming. Because if you start looking at the generations that are behind us, I got a 21-year-old son who lives online. His friends are online, their relationships are online. Those things will continue to manifest and grow and become more.

You absolutely have to find this way to create non-repudiation between the actions, and the digital identity, and the physical person as well. I think we’re going to start seeing that tied into biometrics. We’re going to see that tied into almost background checks for digital identities. You were hearing about it on Twitter. Twitter’s going to have validated accounts, they’re actually going to check who’s setting up the account. It’s going to lead to a whole bunch of issues around anonymity and some of the places where you don’t want that human piece attached to it because there’s repercussions of other countries. But I think that’s where we’re going to start seeing a lot of work being done or at least I hope we do.

Den Jones:
Yeah. I mean, it’s funny because I look at it like tying the digital identity to the machine identity, both of those, for me, are really important. This is one belief system I had in Adobe, as we were going through our project, was I’m going to be logging in as Den but I’ve got many devices and I want to make sure that Den can’t log in from an unknown device. I want to make sure that the device is known entity and that device meets a minimum bar. Because what we recognize was we were just blindly allowing people to log in regardless of the state of the device. EDR tools are brilliant though, but they’re not always catching all the malware and all the bad stuff. You’ve got to say, “Well, look is this device patching?” We were looking at device security posture and device identity as part of the human identity.

As you say, identity proofing as an industry, I think it still got a long way to go to get what it needs to be, but we’re going in a better direction than we were when we weren’t trying to do it. It’s funny. Twitter-verified accounts and stuff, I’m excited to see some progress with some of the social platforms getting towards a world where in order to have that online presence, especially when it comes to abuse, there’s a lot of abuse online because of the anonymity, and I’d like to see that cleaned up. But I think we’re quite a ways away and I think there’s a lot of bad actors and social engineers out there that they’re going to be able to take advantage of this for quite a number of years.

Bil Harmer:
It’s why they pop accounts now. They pop real accounts so that way they can create what appear to be real accounts. There’s entire industries of people who are setting up accounts and creating behavior to make them look real. I mean, you see them pop up in things like LinkedIn where you’re looking at it going, “It has a history.” You get a LinkedIn request and you look at it and the things three days old, decline. But you see these ones that are a year, year and a half old, and they seem to have a history and they have postings and they have likes, they have behaviors. That’s what the long-term attacks are doing. They’re creating these accounts to do that. When you look at social, social media, their whole thing is eyeballs on for advertising. Facebook has very little incentive to remove fake accounts. You see some of these ads where they say Facebook spent 16 billion over the last couple of years removing accounts. They wouldn’t have had to spend 16 billion if they had simply verified an identity before it was created.

Den Jones:
Yeah, exactly. Exactly. Now, okay, so shifting away, we’re 20 minutes in already. Time is flying by. Believe it or not, I got my sparkly bag questions and I’ve not even hit on any of these yet, I don’t think so. Researching Bil, I discovered that you’re a huge fan of writing mechanics, all these kind of things. Why don’t you share with everybody, what’s the passion there?

Bil Harmer:
Riding became a thing, it’s how I met my wife. We both ride motorcycles, we’ve ridden for 25 plus years. It sort of became out of a necessity of zero trust, if you think about it, because I didn’t trust mechanics at shops because they didn’t seem to have a vested interest in the safety of the bike afterwards, just based on experience that I had. I started fixing my own bikes and then I started building them. Last year, I had my first bike in a show, which was the Austin Handbuilt Show put on by Revival Cycles. I rebuilt a 30-year-old bike. To me, it’s cathartic. It’s a lot of problem-solving, because when you take a 30-year-old bike and put modern day Bluetooth electronics in it, there’s some things that you got to figure out.

I can slap on a set of headphones, put some music on, go out to my garage, and my wife will come out nine hours later and go, “Are you going to eat?” Because I just get lost in it and I can let the world slip away. Everybody has to find something like that. To me, that’s how I get through the day. That’s how I get through the challenges because there’s stress, and anybody who knows me really well will tell you I don’t do stress. There’s just no point. I don’t find it helps. I think it causes you to make bad decisions so I don’t do it. It may come off as cavalier at times, or disinterested, or borderline psychotic because bad things will be happening all around and I don’t do stress. I continue to focus on the task at hand and move forward. It just became a thing. Building trucks, building cars, building bikes, work with your hands and balance out this whole digital world that we’re still in.

Den Jones:
Yeah. I’d say are there any lessons learned from that activity that you’ve translated into your professional life?

Bil Harmer:
Yeah, details matter.

Den Jones:
[Inaudible 00:25:37].

Bil Harmer:
People have asked, do you need all the nuts to go back on? The truth is no, you don’t. But that’s a risk-based decision. How much risk are you willing to accept will determine how many bolts you have left over. Yeah. I mean, it is absolutely detail-oriented where it’s understanding torque values and you get these guys, they’ll go out there and say, “Ah, I can torque it by hand. Yeah. Going to go with no.” There’s very few people on the planet that can do that. There’s probably a couple, most can’t. Go buy yourself a good tool, follow the instructions on it, and repeat. Consistency over how you build a bike or how you build a car will determine whether you get that car home alive.

Den Jones:
Yeah. No, yeah. I think when it comes to bikes, because I’m a new rider, I’ve been riding pretty much just during the pandemic. For me, the safety of that bike and how well that bike’s put together matters way more than the car. I mean, a car, provided those four wheels stay on, and even if they come off, provided you’re not doing 110 on the freeway, you’re probably still going to be not too bad.

Bil Harmer:
Put a seatbelt on, right?

Den Jones:
Yeah. Yeah. You get a seatbelt, you get airbags. But on a bike, you don’t have a seatbelt, you don’t have airbags, and hopefully, you’re wearing the right gear.

Bil Harmer:
Yeah. It’s awareness. You look at your outs, you’re always looking… Always, when I ride, I always know where I can go if somebody tries to kill me and I assume everybody out there is a bad actor, either malevolently or just out of ignorance. I don’t care what their rationale is as to why they ran a car into me. I need to know that they will and where am I going to go. What is my plan B, and what is my plan C? Always have two outs because that out could close up real quick and you need to be always aware. Again, riding keeps you focused on what you’re doing. As long as you’re focused on what you’re doing, you’re not thinking about other things.

Den Jones:
Yeah. It’s funny, because for a minute then, I forgot you were talking about riding and thought you were talking about our CISO gig, right?

Bil Harmer:
Yeah. Same approach.

Den Jones:
That is very bloody similar. Now you said you don’t do stress, so what do you mean by that? And then what strategies do you use when you’re in stressful situations?

Bil Harmer:
Yeah, it’s a really easy one. My father taught it to me years and years ago. There’s two big things in life that you have to deal with. One, you’re born, two, you die. Everything else, you just deal with it. You can look at each situation and say, “Can I affect change on it?” I cannot, move on and find something that you can affect change on. If you can affect change on it and somebody else can, can you influence that? Meaning, yes, you can affect change, but there’s a different rationale to how you get it. You start to realize that there’s no point in worrying about something that hasn’t happened yet because it hasn’t happened yet. You get a lot of people go, “What if, what if, what if?” Yeah. What if cars ran on pee? I mean, there’s all sorts of different what ifs you can… What if yourself into the ground.

You just take a look at what you can handle, what you can accept, what you can function on, whatever it is, whatever role you’re in, whatever job you’re doing, whatever’s happening. How do you get past it? I think having a kid was probably one of the biggest lessons learned because we operated on the, “This too shall pass.” That can be good or bad. The kid can be screaming all night, this too shall pass. They’ll get through it. It can also be the good stuff. You might find yourself in a place where everything’s going perfectly for you. Remember, this too will pass. You have to be thinking about what happens and what can you affect change on.

Den Jones:
Yeah, no. That’s awesome. It is funny because I don’t know when I learned this, but years ago, and I lived my life like this, which is I learned years ago, I don’t… Or my friend says to me, Den doesn’t get stressed. He just gets busy. Because when you’re in the situation, you’re in the situation. Going back to years ago in Adobe, we’d be in situations where the shit has already hit the fan. How you respond to it is actually your opportunity to shine. Your response can be one or two things. You can either just jump in, roll your sleeves up, and try and figure it out, which for a problem solver, actually I love it. I tell my team this, it’s like, “Hey, okay. Shit’s hit the fan.” Now whether we are running services and you’ve got a service outage or not or you’re under attack. For me, the under attack is always an adrenaline rush anyway because you’re watching a bad actor actively try and go after something in your company. [inaudible 00:30:18]

Bil Harmer:
They do some really cool stuff too. It’s kind of cool to watch some of the things happen.

Den Jones:
Yeah. You sit there, and in the security game, ideally, this is what we’ve prepared for. The reality is no attack, especially as incident responders… Now I was never an instant responder, but when we were under attack because my team delivered a lot of the identity services and endpoint security and stuff like that, or network security, we’d always be part of the incidents. You just love that challenge and that problem that’s underway. I wouldn’t stress over the fact that the bad thing has occurred. Going back to what you said, is if you can influence it and we can influence the fact that bad things already happened, so you can’t stress about that. You just got to jump in. The other thing is, I learned years ago, and we’ve got a terrible goose Scottish guy, so we’re always full of shit about these old terms that we use.

What will Bil be or what’s for you won’t goodbye you. Ultimately, if it’s going to happen, it’s going to happen. Don’t stress over it. Look at the risks in front and just try and prepare for them. At the end of the day, I really try not to stress over things I have no influence or control over. I also don’t stress over decisions I’ve already made. That was another one for me. Or the fact of if you’re going to make a decision and it’s a decision that can easily be changed, I don’t procrastinate over those decisions that can never be changed. I procrastinate over those a little bit more.

Bil Harmer:
Give it a little bit more thought.

Den Jones:
Yeah, more thought and see guidance of other people in the team or other people in my life around me because sometimes it’s your personal life. Now, let me go a couple of things. How do you explain your job to parties or to people who are not in our world?

Bil Harmer:
Normally, I stop bad people from doing bad things to good people. That helps people understand. For those that are a little bit closer to what I do when I’m… Now, because I’m at Craft, I’m able to say I’m a virtual CISO to 185 companies. For other CISOs, they understand that. But when I’m talking to my mom or my mom’s friends, stop bad people from doing bad things to good people.

Den Jones:
Awesome, awesome. Yeah. I used to say I was an igloo repair man, because when I moved to California back in the early two thousands, I’d already been sick and tired of people asking me to help them with their computer. I decided I’d say I’m an igloo repair man, because in California, there’s not many igloos and certainly none that need repaired. I was always [inaudible 00:33:19].

Bil Harmer:
I still have remote desktop to my mother and my mother-in-law’s computers and I still get those calls. When you’re in the computer industry, it’s going to happen. I’m sure you’ve had that invite to dinner, had the lovely dinner, and then got, “By the way, my computer’s acting funny.” It’s like, “Oh, really? Just next time, ask me. Let do it before dinner.”

Den Jones:
Yeah, yeah. Let me do it before I’ve drunk all the wine I’ve been drinking. Yeah. As we wrap up, Bil, I’d love one piece of advice from you that you can share with the audience that you think is going to help them in their career as they’re navigating going through this, the security EMAT career path we’re on.

Bil Harmer:
Know your business. The struggle I find with a lot of security folks is they focus on security. How do I protect something? How do I write good security code? How do I analyze? How do I do a good incident response? How do I write a policy? What they don’t often do is understand how their company truly makes money, or whatever the objective for the company is, nonprofit, et cetera. Because unless you understand how it happens, you won’t understand what risk can be accepted by the company and you’ll try to protect everything. Protecting everything, you protect nothing. This is an industry or a world where things break, stuff go shit, go sideways on you.

You have to know what your company can survive and what they can’t survive. Target lost 80 million credit cards. I think their sales dipped for two weeks before it went right back because they could accept that they could handle it. It was a horrific, egregious mistake they made. But they could get through that. God, look at Uber, Uber’s been popped, what, three, four times? People still use Uber. Why? Because it’s an ingrained service. Now they might flip to Lyft, they might flip back, but you have to know what your company can survive, right? FTX sure as hell isn’t surviving what they went through. Understanding where you make money, how you make money, why you are in business will help you approach your security role better for your company and you will do better work for that company.

Den Jones:
Yeah, no. That’s awesome. That is great advice. Yeah. Excuse me. Going back to my Adobe days in 2013, the very public reach there, if you look at the Adobe stock price then and the Adobe stock price now, or before 2022, when everything all went downhill a little bit, you could see that rise. I don’t know if it’s like 250% increase in stock value. But these breaches, I think the thing is now is everybody’s immune, I think, to the news of another company got breached, and your information is out there. I think that’s old news now. What’s really exciting or what people watch for more I think is how transparent and honest a company is when the shit hits the fan.

It’s not that they got breached, it’s how did they respond? Going back to our, “Let’s not stress. Let’s respond in the right way,” I think it even happens when a breach. Bil, hey, thank you very much. I really appreciate you taking the time to catch up today. Love having you on the show. Would love to stay in touch, and ideally, at conference, we’ll catch up and grab drinks at some dodgy conference somewhere soon where we’re trying to make sure that our information from that conference provider is not getting… Oh, no. Wait. We want them to tell and advertise who we are.

Bil Harmer:
Yeah, absolutely.

Den Jones:
That’s old Bil.

Bil Harmer:
If not, we’ll grab some time on the bikes and go for a ride.

Den Jones:
Oh, that would be awesome. I’ll be about five miles behind you because I’m the slowest rider on the planet.

Bil Harmer:
No worries.

Den Jones:
Thanks, Bil. Great having you on. Cheers.

Bil Harmer:
Thanks for having me.

Speaker 1:
Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit us at banyansecurity.io. Special thanks to Urban Punks for providing the music for this episode. You can find their track, Summer Silk, and all their music at urbanpunks.com.

Close Transcript

< Back to Resources

Free for 30 Days
Simple, secure, & free!

Quickly provide your workforce secure access to corporate resources and infrastructure.

Get Started Now