Decoding Cybersecurity: The Nuances of Securing Tech
No one has security “figured out”, and that’s OK. Matt Lee from Pax8 dives into nuances of cybersecurity from impacts on businesses to customers, and what we really mean when talking about securing technology. In this special event edition of Logically Speaking, Tatianna and Matt review the history of technology and how its advancement requires a new lens to understand and adapt to today’s expectations and standards. Learn as Matt shares his experiences in IT and Cybersecurity and the major challenges he sees businesses facing in the wake of artificial intelligence.
Listen wherever you podcast and share with your networks.
Tatianna Harris, Content Marketing Manager @ Logically
Matt Lee, Senior Director of Security and Compliance @ pax8
October 18, 2023 | 28 mins
Key Takeaways from the Episode
- Learn who is actually responsible for securing the technology and systems we use
- Understand the history of technology
- Discover the cascading importance of cybersecurity from businesses to people
- The best piece of advice for businesses trying to “tackle” security
Decoding Cybersecurity: The Nuances of Securing Technology with Matt Lee at Pax8 – Episode Transcript
Welcome to Logically Speaking, where we discuss the latest trends and challenges in cybersecurity with top experts in the field. Today, you’re going to learn how to protect your data safe, how to keep your operations sound, and your business ready for whatever comes next.
TATIANNA HARRIS
Hello and welcome to another episode of Logically Speaking. This is our events edition. I’m Tatianna Harris with Logically. In this episode, I talk with Matt Lee from PAX 8.
You are the Senior Director of Security and Compliance at PAX 8. Yes, that’s correct. Could you tell me a little bit more about yourself and how you got into security and IT in general?
MATT LEE
Yeah, sure. So I actually started as a younger person doing… I was a banker. I had been a stockbroker when I was 19. I moved in and every three or four years I would change entire careers. I either get offended by something or bored by something or felt like I maybe mastered something where it wasn’t like a fun thing to play with in my head anymore. And so I went from investments to banking and banking to mortgages, mortgages to non-numerous and numismatic gold brokerage. So I started trading in collectible and non-collectible gold and bullion. And then I traveled around and was a diamond buyer for a few years, buying and selling milli or small diamonds, 0.1 carat or less diamonds, with a couple of Armenian guys. And so I just have generally been always curious and always stepping into different jobs. The challenge is when I moved to Wichita, Kansas and started as a break-fix technician at a small MSP, I was hooked.
Because I could never get broad enough to understand all the technology. I could never get deep enough to understand anything to a point where I was at an exhaustion level or couldn’t learn more. And so it just kind of kept me into a constant sense of curiosity. But it also led me, just like you guys get to experience at Logically, it led me to be able to go and ask questions of hundreds of different businesses, different business types. How do you make money? What makes you happy? What drives your world? And be curious there too and never run out of that. It always kept allowing me to keep broadening my understanding of the world and then use that to help them be more successful with technology, with security. It’s always the same. How did I get into security, however, was as we became a very large MSP, we got punched really hard in the face.
And we lost a bunch of money to Soda No Kibi Ransomware Gang through an acquisition where we lost an entire million dollar acquisition from a revenue perspective. We lost the insurance claim from a cost perspective and we missed the opportunity. We could have bought another MSP that would have been better for us, that wasn’t screwed like that. And so when that played out, the next 18 months of my life were in lawsuits or threatened lawsuits, conversations with attorneys and forensics responders and federal authorities and all of that for the next year and a half. Which allowed me to then focus so very heavily on security in general and driving that for that MSP for the next few years before we sold successfully and I got my first exit. But that’s how I kind of came into cybersecurity as a practitioner. Now I find myself as an educator and as a subject matter – I won’t ever say expert because you can’t ever be an expert – but I would say a subject matter student perpetually and trying to drive and change subject matter where possible throughout our industry.
So I’m lucky enough and blessed enough that Pax8 sponsors that. I like to say they sponsor my breakfast, lunches and dinners and help my mission to drive us all to have a better life through technology and security. That’s kind of the background.
TATIANNA HARRIS
I love that you don’t refer to yourself as a subject matter expert. No. Like in a constantly evolving field, you can never be an expert.
MATT LEE
That’s exactly it. It’s too fast moving for you to be an expert. Now you can be very experienced in it. You can have a lot of losses and failures and successes that build up our life and understanding of things. But I just don’t think experts a fair term in a non-static body of knowledge is my point.
TATIANNA HARRIS
Yes, that definitely makes sense. So as someone in like a security and compliance role, what do you see on a day to day basis that maybe the average person wouldn’t think about or they might consider it, but not really to the extent that you see it every day?
MATT LEE
Great question. I don’t think people realize how bad it really is. And I don’t mean that to paint this fear and situation. I mean, nobody’s got it figured out. Right. When it comes down to the vendors that write your software, that prepare your stuff that you consume all the way down to what you do as a service, all the way down to what your customers and consumers are doing to scare themselves. We’re all at the state where we’ve defined security as tools, we’ve defined certain things, but we aren’t really prepared for security being the very fabric of how we make decisions and what we do around around our technology.
It’s not built in. Like in a car, I have an airbag and it’s already there and I don’t have to turn it on when I get it. My seatbelt dings at me relentlessly if I don’t buckle up and I didn’t have to do anything to make that happen. Yet in security in our world today with technology, you’re going to buy something that will be the least secure you’ll ever see it and you must then improve it. And so it’s not built in and even at the manufacturers that create this software. Right. There’s a call to action from CISA right now that says secure by design, secure by default.
Basically saying you need to make it where the airbags are turned on. But additionally, you need to make sure there’s airbags. It kind of comes into that conversation. So we’re in that stage of cybersecurity today. Yeah, that’s a huge topic around the event today, too, like not just a I but just security by design. Yeah. Like having having everything and having that mindset set in security. And the only reason you can have that as a just exposition is you’re from the other side of that just exposition. Right. And you’re not secure by design. You slapped it together and said it’ll be fine. It needs to work. And I’ve had executives say to me, Matt, a lot of money is made on shitty software. Right. And I genuinely believe that. And they’re right. There’s been no repercussions. Right. If you look at CISA, they released with the president the national cybersecurity strategy back in March. And in that, they said markets often impose upon the weakest essentially, I’m summarizing, upon the weakest of those consumers, the risk while the profit rides on the ones creating that risk. And it’s this very interesting point where that’s the case. Right. They’ve made software they know they’re not investing in to make better. They’re not going to do the things to make it cursorily more secure. And yet they still make the same profit.
In fact, they’re rewarded for not making it more secure. Right. Right. And so you’re in this weird world where now the call to action is be secure by design, be secure by default, because it wasn’t before. And so I think that’s a great call to action right now and change in our world that matters a lot.
TATIANNA HARRIS
So how do you feel? I’ve heard someone mention, I think it might have been at ChannelCon last week, about switching the onus of security to the end user. And not that it has changed to the end user, but that’s how it is. Like the security by design mindset that people are wanting to implement now, it’s shifting from putting the responsibility for the end user to buy its driver software or do all the things that are trying to make insecure technology and systems secure like as an add-on.
MATT LEE
And you’re saying it needs to move up the chain and move up. Yeah. Right.
I think that’s a part of just a byproduct of how this has worked. I mean, think about even as an MSP, five years ago serving the SMB or small mid-sized business, nobody cared about a lot of the things that are offered today. Right. They didn’t want a SOC as a service. They didn’t want EDR. They didn’t want to do MFA. They didn’t want to do all these things. And yet we then had to add costs to sell that as an a la carte thing instead of making it part of our world. Yet today, more and more it’s becoming part of our world and you can’t choose not to have it. And so you have this drift of it moving.
I think the challenge with asking the consumers to make a decision on what they want to do or not is phallic in the sense that they don’t understand enough to even make that decision. And oftentimes you’re having to do stuff like this to try to teach them so they can then make a decision. But my attorney, my CPA, my doctor, they don’t do any of that. They don’t go, man, I really need Matt to understand methyl acillin resistant staphylococcus aurora. Because if you don’t understand MERSA and its resistance to common antibiotics, then no, they go, you need to take this pill or you’re going to die. It’s kind of that way, right? But yet in our world, we have to educate and they want to understand and they want.
So I say all this to say I actually think the burden needs to shift uphill. And at some point, Logically, is going to say I’m not taking you as a client because if you’re not doing these base things, I’m not it’s not worth it to me for you. And you’ve probably even seen that in your organization just from the caliber of the humans I know that work with you. I know that’s probably part of their world. So I think you’re seeing it go to, yes, the identity and the human matter at the end of that chain. But the the onus to your point is going to shift up and shift up to the service providers like Logically. And it’s going to shift up to the software manufacturers to say, why do I buy Microsoft tenants at their most insecure state? Why do I get my Google tenant with nothing turned on from a security perspective? Like at what point should that be your responsibility and it also at what point should that be part of my stack and my skew, which follows those same patterns logically at some point sold? I’m sure security tools separate more and more. Those things become part of the skew. And that’s what we’re selling. And there is no there’s no dilemma. And I think that’s a very important aspect there. Right. It’s it’s the whole package. And to your point, there are always going to be those people that you tell them and you educate them time and time again. Like, hey, enable multi factor authentication. And they’re like, no, it’s too much. It’s inconvenient. Yeah. Yeah. Yeah. 100 percent. We’ve all heard it. And those same people, there’s an interesting aspect of this, though, too. That may follow their own Darwinism in that regard. And I think you’re seeing that more and more where there’s such a separation. The people that don’t do it. The cost is there. They do go out of business. They do get punched in the face. They do lose. And at some point, the market rewards the ones that don’t and destroys the ones that do make that action.
And I think that’s what we as an industry have to be better about being OK with and saying if you don’t choose to move forward at some point, somebody decided, no, that internal combustion engine is a bad egg. Let’s stick with steam. And then they went out of business. Right. There’s you look at, you know, blockbuster versus Netflix, even to bring it more proximal. They said, hey, maybe we’ll stick in this normal distribution while somebody else was changing to a modern method of distribution and change the world. And so I think that we’re in that space where those people at some point will be destroyed enough that there will be an acceptance of that standard more and more or they just won’t be in business. The best piece and and consumers, it’s an adapt or die type of situation. Yep. And it always kind of has been right. This is just a different front for us to focus on than before.
TATIANNA HARRIS
I think that kind of falls in line with one of my other questions, which was AI – it’s a huge topic. It has been practically all year. What do you see as some of the biggest benefits, but also maybe some of the toughest challenges that companies are going to face over the next few years with regard to AI, like in technology and security, like across the board?
MATT LEE
I think yes is a good answer. Yes. Just all of the things. No, genuinely, I think if you look back over history, there have always been fundamental technology shifts that that now everything changes as a result. Great example, cars invented in the late eighteen hundreds changed the entire landscape of the world from a city versus suburb perspective, especially in the United States overnight, right? Long before we ever had airbags, long before we had seat belts.
And I say that to say we build technologies that move and change our world fundamentally first and then sort out the negative bits. Right. We didn’t go maybe it’s bad to have a shovel roll or a pinto get hit in the back end and blow up. Maybe it’s and so then you start adding in the National Motor Vehicle Safety Act in like 1965, 1966. We’re talking almost a decade after the invention of that technology. So when you think about the fundamental nature of that, it changes more than just one thing. It’s a multifactor change. And if you look at tractors, tractors made cities. The mechanization of farm equipment made cities possible because I didn’t have to have 17 kids to put enough taters in the ground and tend them all year so we can eat. Right. I could buy that in bulk and I could move to the city and create all these industries and all these things that are magical. And we live with every minute today fundamentally changed from some piece of technology. I think A.I. or machine learning or LLMs or whatever flavor you’re calling it today, but really this understanding of more and more technical improvement of capabilities and in some ways removing human jobs, changing human jobs. So that’s my first point. I think technologies like A.I. and machine learning LLM, which I know I’m on a stupid bandwagon saying the same stuff, but they will fundamentally make it where I can use better robotic process automation, better ways to automate away a role or a job.
And so I think the advice is companies need to lean into the understanding of what this can bring and what it can do to free you up and can make it where you can dedicate that human to doing something way better. Look at what we talked about earlier about the background audio you’re going to have to edit out, which if you’re listening this now won’t have it anymore.
[as you’ve heard in this episode, the background noise was not edited out to give you the experience of the event atmosphere…]
But there’s more work to be done. And yet at the same time, Adobe has released a pretty awesome machine learning method that will remove the background noise. What if you had to do that for five hours instead of now 10 minutes? Can you focus on doing more interviews or better or putting out better quality product with your time? Yeah. And I think that’s what businesses need to understand with these technologies is that they will be used first to make a better product and better profit for your customers. Now the flip side of this coin, what will it do to introduce new risks and new vulnerabilities that come into play or new vulnerabilities that can create risks? Just because I’m now honoring my buddy that I had a call with earlier, Norman Clatchley.
But you’re going to see this increase. People are stupid. By nature, we always take advantage of what’s going to benefit us before thinking of the repercussions. Soon as OpenAI came out with their now easily accessible chat GBT, which isn’t the first one, it’s just the first one that’s been made massively accessible to people in a meaningful way that was more than just novelty and had huge adoption. I mean, like that growth curve was like this. But those same people in that, I guess they can’t see my hand motions and non-video things.
TATIANNA HARRIS
So I’m doing a hockey stick curve.
MATT LEE
Yeah. But or asymptotes, if you will. But the point is, is that when that growth goes up, how many of those humans put in sensitive information that then became a leak? Like we’ve already seen class action lawsuits about that very thing of people putting in sensitive data in a shared learning environment that then can be regurgitated to another human. We don’t think about the security first. So we will create more challenges from the vulnerabilities that we introduce that allow more threats to impact us, which means that our risk has gone up. But you have to imagine people are not in business to avoid risk. That’s a broken thought process. I mean, there’s still Alyssa Miller, famous CISO, she’s probably here, but she spoke last year and said, we’re told as InfoSec professionals that the language of business is risk, horse crap. The language of business is profit, raw, unadulterated profit. We take a risk. And by the time we started business, we have accepted all of those risks.
We’ve done nothing to mitigate them. We took those risks to make a profit. Do we deal with those risks and say that one’s too much and it will exceed my profit and I need to deal with that’s where the risk equation gets interesting around AI is that we will often receive a better profit, a better FTE or full time employee usage. All of those things far before we actually understand the risk profile we’ve created by doing so and how we chose to do so. So I think we will see a John maddening it here a little bit. We’re going to see fundamental shifts in what businesses do and how they employ humans as a result of more and more of these type of machine learning and AI type algorithms that they’re out there. But we’re also going to see at least initially a clamoring to create what what’s secure enough.
- What are the baseline standards?
- What should we actually do to secure this?
Most of that language hasn’t even begun to exist yet. Yet here we find it where people are actually having it right stuff for them every day. Right. And so I think it’s a little buzzword today. And even really the capabilities are somewhat that of a pretty angry teenager that might lie to you. Right. At the end of the day, it will continue to grow and you will continue to see more and more verticalized value out of these businesses that are just like that city being born where now there’s trash people and now there’s there’s movies and now there’s things we can go to because of that city density in the amount of delivery and demand from free time. We’re going to see those same things play out and it will be lovely. I mean, it will be amazing. It’s just going to come with a lot of challenges and loss probably as well.
TATIANNA HARRIS
Yeah. And there was one talk earlier on, I guess, AI and risk management and policy and setting in certifications and new ways of holding AI and machine learning to certain standards across the board. And one of the important points was getting technical people, people that understand those areas and having them having them and their voice heard and understood so that they can actually make standards that are applicable and that can grow into what they’re predicting.
MATT LEE
This is how the cybersecurity industry has always worked right RFCs request for comments. Yeah, somebody with a terrible idea puts it out there and ask others to say terrible things or good things about it until it becomes an actually accepted principle like TCP IP came from an RFC. We’ve seen these things play out forever and it’s always been a practitioners consensus model. Right. If you will. But I think we’ve gone a long way away from that. I think you’ve let marketing teams – Nothing personal – But I think we’ve let marketing teams define terms and muddy the language that we’ve actually all gotten a little dumber in cases. So, yeah, yeah, I completely 100% agree. Marketing will make things sound snazzy, but they don’t have. It’s not a lot of benefit or value behind those words all the time. Sometimes. Yeah, it makes a little bit more confusing.
TATIANNA HARRIS
I’d like to know since you’ve been working in in technology and security for what over a decade.
MATT LEE
It’s been a long time. Yeah. My hair didn’t come for free.
TATIANNA HARRIS
And yes, since you can’t see he’s got a nice long beard.
MATT LEE
I was finding the gray ones in there. Each one’s an incident.
TATIANNA HARRIS
Yes. I’d love your perspective on how you’ve seen technology change and how the imperative for security has grown and changed like over the last decade. And I know you’ve kind of alluded to some of these things in some of your response earlier.
MATT LEE
I just wrote as well. Yes, exactly. You know, what’s interesting about our world today is we are all starting to get it right. And I mean by that is the SAS providers or software service providers, the software manufacturers, the tools, the security, the practitioners, all of us are starting to wake up and get it. And at a time where we’re also shifting from a very infrastructural view of the world, what I mean by that is if I start a company tomorrow, there’s almost zero chance I buy a server, almost zero.
Right. There’s almost zero chance I can put a server in the cloud that I’m doing in a traditional server model, almost zero. I’m probably going to have an identity. I’m going to sign in with that identity in the cloud applications and SAS applications. And that’s my world. What’s interesting about that is there’s such an interesting difference in what we can actually script and automate in those two. If I think about having that server and infrastructure world and then just the variables that have to account for to do some type of update or protect it in a certain way, I’d have to have the network type and structure delineation. I’d have to have the server type and what server version it is. It is server 08, 8R2, 12R2, 16, 19, 20, 22. Is it those?
Is it 4th function 2003, 3R2, 8, 8R2, 16? Where are we? All these variables that make it where you just have a very hard time normalizing and coming up with an automation that works universally. But let’s look at that picture I just described of an identity provider and a SAS provider. Like to make it easy for anybody in your audience that isn’t as technical, think about signing in with Facebook for the first time into some other application. You wanted to play that bird game or something and you signed in with either a password or your Facebook. You just click Facebook. That’s the concept of an identity provider being Facebook and a consuming entity being Angry Birds.
Well, in our world, that becomes Microsoft as the identity provider or Okta, but probably Microsoft for most of your clients. And then when they consume their Salesforce, they just sign in with Microsoft. That type of model means that for every Salesforce and every Microsoft, I have all the variables, I have all the commands I need from an API or application programming interface perspective. And it’s very known as it changes, it’s changed known, which means I can script an experience. I can script security the same way for a hundred customers exactly the same way. And if it fails, it fails systemically and if it works, it works systemically. That’s very different than, oh, which time did you last update your server? We need to buy a new OS. I can’t do that in eight. I can only do it in twelve. Whereas in Microsoft, it just grows as it grows and everybody has the same benefit from it, the same API calls, the same everything. Which means back to your real core question of what’s changed in security, what’s changed in our world. I can actually now do the nerdy bits in a script. I don’t have to have a nerd to do them. I can have one nerd that does it for all of them. And now I can focus on your business.
Now I can say, how do I make your decisions better, make you better for your end customers? And for a logically doing this with customers, it means that a lot of that commoditization of the tech goes away and you have to find new ways to add value. And that’s through coaching them to be better than their competitor. That’s through making their employees experience better than anybody else’s. Think about when you started Logically.
How cool is it if you get that laptop and your swag bag and your new t-shirt and that new sticker that’s so dope. And it all comes to you and you just open it up and it works and it’s intuitive and you don’t have to think about it. Compared to, we’re going to take you through tech onboarding. We’re going to have about the next two days of training. It’s just you are younger than me and you grew up in an Angry Birds experience where when you fired that up on your phone, you had zero expectation of it not firing up. Right. Every time. No matter what. It’s predictable. Yes. And that’s where we’re heading with technology that we weren’t 10 years ago.
We used to claim that our value statement as MSPs was, we’ll give you the best white glove experience and keep your pooter working better than anybody else. Like that’s now table stakes. How do we add value as a whole different proposition in today’s world? Right. And it’s much more around, I like the buzzword of security since we’re here at Black Hat, but really how do I make your technology system just work under a certain level of acceptable risk load, right? And have escalatory capabilities to protect data that matters more. Like it’s very, very scalable today, in my opinion.
TATIANNA HARRIS
Definitely. What are some of the key areas that you focus on for your clients when it comes to technology? And not just technology, but also security.
MATT LEE
So my clients are you. So at the end of the day, at Black Hat, I’m an external resource. I spend most of my time educating and driving success of MSP, MSSPs, and small business in our world. And so I think what do I see as the biggest challenge for me and my clients? What do I see as that technology conversation? It’s education.
You know, it really is that you in the same way, the more you can educate your clients and get them to a position of trust and get them to a position where they’re starting to win as a result of knowing you, that’s where we’re at, right? It packs a specifically knows that if I help you be better and be better at selling and be better at using and be better at protecting and be more profitable, be able to grow. Guess what? We grow by proxy. So win, win. So I do think that we are all in a state where we’re shifting from this marketing hyperbolas crap to you better provide value. You better teach me. And if you do, I will know you’re my partner and I’ll buy from you. That’s such a fundamental difference where you can’t just do some snazzy webinar to showcase what you’re selling. You must actually demonstrate an increase of what you’re teaching them around that thought leadership is driving their world. Show them that you’ve got this. Show them that you understand it well enough to actually help them understand it. And that’s just a big difference. Maybe a little self aggrandizing because that’s what I do for a living. But I do think that’s such a shift in our world that it’s not just marketing hype. It’s education now. It’s actually presenting the benefits, the value that people get. Yeah, 100 percent. Right? Because it’s not features, it’s benefits. We don’t care about features. I don’t care that car can go this fast. I don’t care about how well it turns. I care about how it makes me feel and how I get somewhere. Right? And so there’s a very difference in features versus these benefits that I actually care about.
TATIANNA HARRIS
Yeah. I like the one of the famous analogies for Apple. It’s like, oh, like five gigs of space or memory on your iPad. Or it’s like five thousand songs in your pocket.
MATT LEE
Yeah. Right. Way different. Right. Speeds and feeds versus, dude, I could listen to five thousand songs. That’s a long road trip. Yeah, exactly. Like you see it in your mind. All the value. Way different. That’s a great point.
TATIANNA HARRIS
Awesome. Well, OK, my last question, and this is however you see fit to answer… What is some advice that you could give to our audience, whether that’s to other MSSPs or MSPs? Or to individuals looking for solutions like Logically?
MATT LEE
I think one of the things that I would say as a statement is that we can’t focus on protection. We can’t focus on this understanding that I’m going to stop all threats or that I can solve this problem. I think we need to focus on whether it be technology, whether it be change in general or whether it be security in this definition, that we always have to continue to change. There is no static point you get to. Even in your own business, if you’re not in security or if you’re not in technology and you’re just making widgets, at some point you must keep up with market demands and changes and you have to continue to grow and change.
So my advice is don’t ever feel like you’ve solved security. Don’t ever feel like you’ve solved technology. Always be malleable and be willing to change. One of the best compliments I got, and it wasn’t given as a compliment, came from this Belgian engineer who’s brilliant. And he often let perfect be the enemy of good, which is I know what the final right answer must be and until I get to that I’m not going to do anything. I’m going to go do this. No, start where you are and iterate.
And what he said to me one day is, Matt, you hold extremely loosely to passionate beliefs. And he’s right. While I believe something, I’m going to go scream it and drive it and do it wholeheartedly. But I’m always looking for data that says I’m wrong. I’m always looking for data that says I need to change what I’m saying.
And for anybody out there thinking about where they are in security, if you put those two concepts together of, don’t let perfect be the enemy of good and start where you are, right? I right now can only do this. But then also understand I need to grow and change, then you’ll iterate to where you need to be from a security perspective, from a technology perspective, from any perspective. I gave this as a talk at ChannelCon and I started with a two-minute rocket video. And this was just a video of SpaceX every time they blew up a rocket trying to land it and failed, right? And they showed it over and over again, all the failures they made. And at the end of it, they finally succeeded. Did they win because of the success or did they win because of the failures? And the argument is they won because of the failures. The company that can fail the fastest for the cheapest amount of money and with the highest ability of tenacity and persistence to continue doing it, wins at the end of the day. And so it’s really about leaning into those failures, leaning into those gaps. And for anybody trying to choose a service with somebody like Logically, can they give me an assessment of where I am and where I really want to be, at least on today’s standards? And do I have confidence that they’ll take me to where tomorrow’s standards go? That’s what I would be looking for if I was trying to hire a company in that way.
TATIANNA HARRIS
Well said, very well said. Thank you.
MATT LEE
I get one a day, you know?
TATIANNA HARRIS
Well, thank you so much for your time, Matt.
MATT LEE
Absolutely. Thanks for having me.
——-
That is all for this episode make sure you tune in next time to Logically Speaking and stay cyber first and future ready.