Zero Trust and Governance Are Key to Regulatory Compliance
Zero trust with comprehensive governance is critical for any cybersecurity program and must be extended to the content layer to facilitate regulatory compliance.
Over 20 years ago, Evgeniy Kharam launched his career on the “high seas” as a cybersecurity engineer for the Israeli Navy and in his subsequent professional career spent over 40,000 hours in pre- and post-sales support as a cybersecurity architect and consultant working with private and public sector organizations across the spectrum—from those with 500 employees to those with more than 100,000 employees. He sees zero trust as a critical ingredient for any cybersecurity approach and argues in this podcast interview that protecting sensitive content requires appropriate governance tracking and controls. As part of this process, least-privilege access and employing zero trust when it comes to governance policies are crucial in managing security and compliance risks.
Check out Evgeniy’s podcasts at https://linktr.ee/ekcyber.
Patrick Spencer 0:00
Hey everybody, welcome back to another Kitecast episode. I’m here with my partner in crime, Tim Freestone. Tim, how are you doing today?
Tim Freestone 0:31
Hey, good, Patrick, how are you?
Patrick Spencer 0:33
I am doing well, ready for the holidays. We have a treat today. Maybe it’s our early holiday gift. Evgeniy Kharam, who has 20-plus years of experience in cybersecurity, is joining us today. It’s going to be a really interesting conversation. He promised me ahead of time, anyway, that he wouldn’t go into too much technical detail, because you’ll probably lose me.
Evgeniy Kharam 1:01
I’ll do my best. Thank you for having me here.
Patrick Spencer 1:04
Well, it’s always a treat. So, let’s talk a little bit about your background. You know, you’ve spent a lot of years in network security, you’ve launched two podcasts recently that are both related to cybersecurity, and you’re doing consulting on the side. To start off, tell us about yourself.
Evgeniy Kharam 1:22
So, I think I’m doing podcasting on the side, and consulting is the main business. I spent 16 years working for one of the biggest VARs and MSPs in North America, a private one, Herjavec Group. And I left earlier this year, last year, not this year, in July, and decided that it was time. You know, it was a very good time, a lot of interesting things. I learned a lot from Robert and the company. And I was thinking about what I want to do. And after realizing that I basically spent so much time working with these vendors and MSSPs, why would I not go and consult to vendors and MSSPs? So instead of going and consulting to end users, I decided I will just basically consult to MSSPs, helping them to create a better program, help them align with better vendors, and in some cases touch base, definitely, with the end user to guide them there. But it’s right down my alley. This is what I did, this is what I like to do, and I enjoy vendors. So, I started the second podcast (let’s talk about the first podcast before this) to talk to vendors and understand more about their inspiration to start their own companies. And for me, it’s basically a way to have networking with new vendors, understand who’s coming, and also create a better relationship with existing vendors as well. Cyber Inspiration has 25 episodes out, at least right now, with many small companies and big companies as well. And I had the opportunity to understand how they work and also potentially to consult them as well. I also consult to one of the vendors here in Canada, to help them better with their product, and also act as a virtual CISO, in a way, to help with their internal cybersecurity. So, this is my consulting business. Right now, my consulting business is kind of merging slowly with my media business. And three years ago, I had no idea about podcasting, I had no idea how to start a podcast; I had this idea that it sounds like something I wanted to do.
And a friend, Dmitry Raidman, said, “Would you like to join me in doing this?” And we started the Security Architecture Podcast with the idea of preventing people from having shelfware, from buying products and not deploying them, to have better integration, to have better design, and basically, in a way, to look at what is not in the marketing material. So, we wanted to connect the dots between how it’s working and what people should ask the vendors as well. So, it came with the idea of seasons: basically you take a space, let’s call it browser isolation, or networking, and we create 10 questions, invite candidates and vendors, and each of them will answer the same questions. So, it becomes like a mini RFI, request for information. And apparently people liked it. It was very technical and is still very technical, but people liked the idea because people doing research in a space found it very, very useful. We probably have the majority of links and videos covering the SASE, SSE, browser isolation, and remote access space right now. The last season we’re doing right now, finishing, is about a brand-new category related to browser security and some browser isolation as well. People started companies that didn’t even exist a year ago, and they were on the show talking about this. And as you mentioned, I did spend a lot of time networking. I worked at Check Point back in Israel before I joined Herjavec Group in Canada. And this is where I learned more about how the network is working, TCP/IP, all the major protocols, and basically spent two years debugging firewalls and going to a very, very deep level to understand how it all works. Then when I came here, I went kind of higher, higher and higher and higher, until I moved away from working with my hands. And now it’s mainly speaking.
Patrick Spencer 5:12
Now, all of us have experience in network security. You know, we hear a lot about zero trust. It was all about the network initially. And then we started talking about infrastructure, started talking about applications. When did you see that shift happen? And then Tim’s going to have a question, I guarantee it, in regards to content after you answer that question.
Evgeniy Kharam 5:33
So, me personally, and we had a panel with the Cloud Security Alliance around two months ago, and there were three people on the panel, all with a networking background. And all of us in one way or another started to explore the idea of zero trust without knowing it was called zero trust. So, I was working during this time and deploying next-generation firewalls. And there was the idea that I know who you are, I know who the user is, I know the application, so I can be much more granular in what I can do: not just give you a subnet or IP, I can actually create policy by who you are. This is amazing. Let’s transform our customers. But then they noticed that, okay, I do this towards outbound, but what’s inside the company? We have all these routers and switches, and people can go anywhere they want, pretty much. Why can’t we use the same methodology internally? So, we started to do network segmentation, and started with the idea of not zero trust, but more network segmentation. And then came the idea of micro-segmentation inside a data center. And then of course the zero-trust model became much more popular. John is a friend as well, an amazing human being; Chase Cunningham has moved it and pushed it to a different level. And right now, of course, we’re talking about zero trust inside the network, zero trust from outside to inside the network. And what about the identity space? There are multiple things happening there. One, what’s happening with the data: do we trust users, or don’t we trust users? If I hired you, I don’t trust you? And all these ideas.
Tim Freestone 7:09
Yeah. So, Patrick teed me up well there for the question. So, we talked a lot about that evolution of zero trust in that, you know, as you were saying, you’ve got the network and users with, you know, what’s the least-privilege access for users in the network? What granular controls can you have on users in the network, external or internal, right? And then there are the web applications, right? So, network agnostic, what applications are in the web, and you’ve got, you know, in-band and out-of-band application controls that you’re, you know, plenty of tools like CASBs and things like that. But they always tend to be controls at the technology and the user. Like, what’s the control we’re putting on the user and the particular piece of technology? And our perspective is, that’s all great to do. But what’s next, and the next is putting those granular controls on the assets in the technology themselves, the content, the data, so that it’s irrespective of the network. You could have, you know, I’m being a bit grand here, but you could have no network controls and no web application controls, but if the data that’s being accessed has controls on it, then you can sort of have the ultimate layer of protection, because ultimately, network and applications are there for data anyway. So, if you bring the zero trust down to the data and say, this person has least control over this individual piece of data, whether it’s in a web application, whether it’s behind a firewall in a local server, you know what I’m saying? Like, just bringing it
Evgeniy Kharam 8:53
Yeah, I think, in a way, if we can refer to this as document security, for example, not always a good example for web. But if I created a document, and let’s simplify it, I have a Google document, I can share this document with everyone because I’m lazy. And I want Patrick and Tim to edit the document with me; then it’s not a good control, and you say, oh, but do I need to have access to this document, and what is in this document? Maybe just our menu for the evening? Okay, fine. But in theory, or not in theory, in practicality, I will share this document only with Patrick and Tim. Great. So now we’re moving a level down, to the document, but can I control what Tim or Patrick can do with this document? Then I can download the document and share it with everyone else. So, I created one level of controls, but then I don’t have any control over what you do with the data. Or if I send you this document, then you cannot do anything. But today we’re talking about document security where you can actually create granular control, not just over who can access the document, but over what you can do with the document, and that may be time-sensitive. I think it’s actually important and it is part of zero trust; I think it’s going to be under the data domain. There are a number of players. And I think Microsoft is one of them pushing this envelope as well, when they acquired Secure Islands around five, six years ago and created their own AIP, Azure Information Protection. And there are other companies in this space as well. Me personally, actually, I can share a link to what I was writing about document security around probably 18 months ago, that I think this will be coming in five years. The problem right now, in my mind, as with any other technology, is the ease of use, because if Tim needs to say it is him, does Tim want to spend seven minutes installing an agent, doing a retina scan, and putting his palm to actually show that this is him?
Tim Freestone 10:53
Yeah, yeah, I think there, you’re right, that user experience, if it’s impeded too much, often creates shadow IT; they’ll just not use it. Right. And so sometimes security teams will put policies in that are too granular. And yeah, Microsoft AIP, and then MIP as well, and they got a lot of IPs. That was, to your point, you know, four or five years ago. And now, I think a lot of companies, ours being one of them, have advanced this sort of, let’s call it enterprise digital rights management, for lack of a better word, at the asset level, to where, you know, you can obfuscate the user experience. There’s technology now where you can make it so that the user experience is seamless, relatively enough, so you can create those controls. And is it perfect? No, but the same imperfection exists with the fact that security is across network and applications as well as content. The idea is, how close to that data asset itself can you put zero trust without impeding productivity? And then what you’ve done is you’ve lowered risk as far as it can go, you know what I’m
Evgeniy Kharam 12:04
just productivity. I can tell you personally, when I was working with Herjavec Group, it was driving me nuts. After every meeting with the customer, the salesperson would say, do you want me to share the PDF of the presentation with you? Yeah, share. And then somehow, six months after, we’d come and present. Like, oh, yeah, the other guy came yesterday and presented the same idea. It’s like, how? So ideally, we understood that the presentation we were sharing with people somehow ended up on a competitor’s desk. Okay, I can understand in the logical space, but can I easily prevent this? Can I share, here’s the PDF of the presentation, thank you very much, but they’re actually not allowed to send it outside your company: watch it, look at this, send it to your friends in the company, but don’t send it out. And guess what, in 30 days, I can say bye-bye, it’s gone. You know?
Tim Freestone 12:55
Yeah, yeah. Now, because this is a podcast, I won’t get into the pitch of it too much. But the whole idea is exactly what you said: put granular controls that are bound by domains, bound by geolocations. So, if I send something to you, Evgeniy, and I say this has to stay within the domain of whatever you are, then that person can’t forward it. Because you’re leaking IP in that scenario you just gave me; they are leaking IP. And if you put the domain around it that says Evgeniy cannot send out of his whatever.com domain, at least then you’ve got that control, right? And can’t download, can only view, because if it is really highly sensitive, you’ve got to be able to put those guardrails around that document; otherwise, you’re never going to reduce your risk of exposure. Right.
Evgeniy Kharam 13:50
So, you should do a different show when you pitch your grades. How good or is it the patient? You’re saying?
Tim Freestone 13:55
Yeah, good, good. Good. All right. So, your turn, Patrick?
Well, I think this is an interesting concept. In terms of, we’ll stay on this and we’ll talk about some of the cool things that he’s been doing, like this ski conference for cybersecurity. I want to hear more about that. I need to, I want to, when can we go? The concept of controlling at the policy level: users can control it, right? Tim can decide when he shares a document who can view it, who can edit it, who can share it, where it can be sent, but there’s also an über level, right, where the compliance or risk management team needs to be able to control that across the organization. Can you speak to that dynamic? We’re probably farther ahead in regards to individual users, but we’re lagging at that über level where we control how everything is set across the organization.
Evgeniy Kharam 14:42
I think it’s very similar to the food in the fridge: the kids can decide what they want to eat, but they’re kind of bound by what’s in the fridge, you know, because apparently you can only get the foods that are in there and not anything else. But joking aside, it’s pretty much that hierarchy idea. You have levels of role-based access control, some other controls, root or admin access. When you create a kind of matrix, you can do the same with documents. In this way, you create a policy that describes precisely what can and cannot be done as part of this policy; you create a categorization of internal, secret, whatever you want to do. There are usually three or four, not much more than this. And then you have a template of a document and you can organize the documents, and you provide people access on what they can do. But then you have security controls that potentially may disagree with your kind of idea, and say, no, this is not a public document, because it contains internal information XYZ, and we’re going to set this document to this level. And then when you send this document, you have the lovely DLP security controls that say, ooh, what are you doing? No, no, no, this stays inside the company. Right, in theory.
Tim Freestone 16:02
When that would be? Yeah, when it’s working, a hierarchy of controls, right? The DLP trumps the individual user’s perspective, sort of a deal, right? Yeah.
Yeah. Now you referenced that when you decided to start your consulting business you looked at possibly working with end users actually using the technology, and you looked at MSPs. How did you decide, gee, MSPs need... there’s a great opportunity, there’s a lot of gaps in this market? How did you make that decision? You know, what was the rationale behind you deciding to focus on MSPs?
Evgeniy Kharam 16:39
I’ll give you an interesting analogy; let’s see if it works or not. I like whitewater. So, I do canoe and kayak, whitewater, recently stand-up paddling and a bit of rafting as well. And when I was learning whitewater, you basically learn that the water is much smarter than you. You want to watch how water flows in the rocks, and it will always take the easiest path forward. So don’t try to outsmart the water, because it has tons of years of experience and you don’t. And you don’t always need to fight; you choose the right way, or the easiest way forward. And me working with customers as part of an MSSP, I always heard about, oh, we don’t have a budget, we have a budget constraint, we don’t know what we want to buy. Okay, why do I need to go and fight this part? And also, there are a lot of other smart people that are basically competing on the same level. Why don’t I go to MSSPs and vendors that already have users, but they need to grow? Because we all agree that you cannot stay kind of still in the same moment; you need to grow your business, you need to grow your opportunities, and I can provide them an opportunity to grow and increase their business, to provide a better offering and a better experience for their customers. And if my offering is correct, then why would you not use it? Same as the vendors: if a vendor raised $20 million yesterday, you can’t tell me, Evgeniy, I don’t have a budget for you tomorrow. It means I need to give them something they need, and they will use me. So, their problems become my problem: to suggest what they want to do. So, this was the logic. And I like to create, I like the research part. And I know the vendors pay very well. And I kind of stay in the vendor space and have a podcast there as well. So, it was kind of all connected in the same moment. And this is what I like to do as well. Yeah.
Patrick Spencer 18:38
So, the MSSPs, are they lacking your level of expertise? Do they understand what’s happening from a business requirements standpoint with their end customers, or are they looking for you to actually come in and help them make that definition?
Evgeniy Kharam 18:51
It really depends on the size and level of the MSSPs. Some of them definitely understand. But some of them, most of them, just don’t have time to do research and create new offerings for the customers, or they need the guidance. For the second type of knowledge, I kind of created it for myself and have the experience of talking with the end user, or of potentially navigating with the customers, or in some cases there’s competitive information, the competitive landscape. How do we navigate this part? Which product will we go with? I am an architect by training. I like the idea of a complete picture, not just choosing a product that will be nice and shiny. I want this product to integrate with the rest of your environment. I actually don’t like the name best of breed, if I’m honest with you. I don’t think we should use it, because it refers to the days when we didn’t know which hardware we were buying. And right now, everything’s in the cloud, so it’s all the same hardware. So, it’s everything in the software right now versus hardware components, and all in the brains of people. So maybe best of breed of hardware made sense, but in my mind it’s more about the integration and the components of the software that this particular vendor has, how to connect to the rest of my environment. For one customer, it could be vendor A; for another customer, it could be vendor B.
Tim Freestone 20:17
Now, you mentioned the cloud. The cloud presents new challenges, obviously, when it comes to how data is exchanged, you know, to whom it’s sent, how it’s stored, and so forth. Do you see, as we look, say, into 2023, 2024, that this is going to be a bigger and bigger challenge for organizations as they move more and more in the direction of the cloud?
Evgeniy Kharam 20:38
Definitely. And there’s a couple of reasons. But just to take a step back, when email was invented, or DNS was invented, it was invented to solve a problem. Nobody was actually thinking about the security, and how it could be used later on for that. So, DNS poisoning came later on, and we tried to move to DNSSEC and other protocols; tons of email security problems that we know, all the spam, all the malware, everything going over email. So, we created a lot of products to secure email. Same as the cloud: we found a lot of ways that cloud can innovate, how cloud can be better, Kubernetes, serverless are making our lives better, and then figure out, okay, now are we protected right now? Right? And if we add the COVID part and the digital transformation, okay, everybody goes to the moon, everybody’s going to the cloud, let’s go to the cloud as well. Doesn’t matter how we have to go there, because somebody told us to go. Then we’re moving all these components to a cloud, many times without understanding: are they designed to work in the cloud? Do we need to actually rewrite from scratch, or lift and shift? And once they’re there, how do we control the identities, the access and the other problems we have there? That’s why we have all these CSPM products and many other products in the cloud; it helps to protect us. And it’s also a dialogue with them. And there’s a problem: I used to have everything on prem, so let’s say documents, okay, for example, we were talking about documents before. If I have a share with all my documents on prem, great, it’s on prem; nobody can physically go and take it, only physically. Now if I have all my documents in Dropbox, and I have nothing against Dropbox, I think it’s an amazing company, guess what? I don’t have them anymore. Now I need to trust Dropbox that they will guard them really well. Not just Dropbox; maybe it’s some kind of small company that created their own product.
What about other SaaS companies that I now give my data to, and I’m now bound to their SLAs and to their security? So, we also created another problem right now that in many cases, it’s like, I think it’s easier because we took something that we’re not doing very well and gave it to somebody else. But we need to trust them. So, we need to do vendor management and vendor assessment, to assess that this particular vendor will actually guard us and tell us that everything is okay, and it will secure stuff and nobody will have access to our data, unintentionally or intentionally. And all this is becoming more and more of a problem we need to solve next year as well.
Tim Freestone 23:20
Yeah, there’s a lot to unpack there. I’m going to start with one and probably move through it. It’s more of a philosophical question. All of this technology we’ve gone through in the last 15 years, maybe 20, now has, agree or disagree with this, is designed to enable business. Like, that’s the point; the point of technology is to help business do business better, more revenue, bottom line, that’s the whole point, like, without... Okay, so with that agreement, at the same time, everything you just said, all of this new technology is creating complexity. And when you have complexity, it slows business. And so, it’s almost like, to some degree, there’s this cycle of business and technology life, that you get one step ahead, the complexity that’s created puts you two steps back, and then you try to solve all the complexity to get one step ahead of where you were before, and then there’s, you see what I’m saying. And then you add the security components to it, which are always in tow. It’s always in tow. It’s never security driven. Right? So, then you get complexity from just the security. And so, it’s sort of like, how do you balance? How do companies balance the need to use technology to drive business while maintaining that it’s not too complex?
Evgeniy Kharam 24:41
Sure, I think you bring a very valid and important point. And we always talk right now, for the last several years, about security by design. So don’t dictate the security later on; try to come up with security by design when you create the product. It’s not always happening, but we see more and more of this. And in some cases, we say, okay, we’re going to actually outsource the security component to somebody else. So, let’s take the example of identity. You create a product that will sell, I don’t know, kites, okay? Online. Do you need to have Evgeniy’s, Patrick’s and Tim’s identity in the kite website? Or you may potentially do an SSO with Google, Facebook or the bank. So right now, you basically say, I’m not going to take this risk on me, I want to outsource this to somebody else; it’s going to be easier for you to create an account if you trust Google or Facebook, but I don’t have that anymore. And that can be okay. I need to have a database and save this information, because besides the username and password, I need to know what is your size, how big you are, how tall you are, how much you weigh, to make sure the kite is working for you. What are your strengths? And what kind of flying do you like to do? I need to save it somewhere; I can create my own database. Oh, now we speak a lot about basically no-code, you know, low-code products. Yeah, well, I can outsource it to AWS DynamoDB, for example, or have something else like Airtable. And we have many more options right now to actually outsource some component, to do it differently. Of course, we need to trust these components if we want to use them, but then we’re not putting all the eggs in one basket. I’m not saying we shouldn’t trust; we need to somehow understand who we trust that data with, and we will aim to have better security for us and for the end user as well.
And of course, when we’re building new applications and new programs, we have this idea: fantastic, we want to pen test this. Now take it back: pen testing used to be done once a quarter, once a year, quite expensive, so basically a one-time event. For the last several years, we already have bounty hunting. So, I can put some money up, and people will constantly try to attack and understand what’s wrong with my environment. So, there are a lot of things happening to improve the security of the component as well. And there are other ways to do it as well.
Tim Freestone 27:11
Yeah. And you bring up another good point there, which is trust, and it’s like this whole cycle of zero trust, third parties. You know, if you were to apply concepts of zero trust to third parties, well, right now, most... correct me if I’m wrong, but my understanding is most of the vendors in the third-party risk management space are surveys: they survey the vendor that they’re going to do business with and get a score, with maybe some technology that can do some automated assessments themselves. So, it’s survey and assessments, get a score, good enough to work with, go. And that just seems like 20% of the way to protecting your data from, you know, from a third party. Because you lose the always-on monitoring, you know, again, back to zero trust, right?
Evgeniy Kharam 28:00
I think you’re going to have a concept of what we call zero vendor trust. Yeah, you know, basically, not just this part. But I may have passed over your question here, and I’ll repeat the question in a second. But then, let’s say Patrick has a company, and Tim is the support person. Do I know if Tim has access to my data, as a support person, or does Tim need to ask me to actually have access to the data? Because back in the on-prem days, if I have an email gateway, for example, or an antivirus, Tim doesn’t have access, because he just physically doesn’t have access; he needs to ask you, can we do a screen share, and we look at the information, collect the support files, and in the meantime, only in very rare companies did they actually tell you, by the way, our support has an option to connect to your clients for blah, blah, blah. And you can’t just say this in a SaaS; by definition, they probably have access to my back end and are doing stuff. And I think this will change dramatically in the next few years, when more companies will have the segregation, when they’re not going to allow the support people, the R&D people, to have access to your data. You will need to create some kind of control, some kind of questionnaire, because why would you? Why? What is the reason?
Tim Freestone 29:21
We have a concept where we’re not a SaaS by design, for that very reason, which is, as a company, Kiteworks, we cannot access our customers’ data because they own the keys. Even if someone asked us to, like the federal government under the CLOUD Act, we couldn’t access it, for that very reason. That’s like the zero trust principle: not trusting yourself and no one else when it comes to your data. Right. Yeah. And I think that will become the rule rather than the exception in the next five years as well, like you said.
Evgeniy Kharam 29:56
And taking it to the next level, the question is about the third-party vendor. It’s not there yet, but I think the insurance companies will help with it as well. The same idea as the insurance companies for driving ask us to put, like, a device in our car to see how well we drive, and then decrease our rates. We’ll have similar devices, as a vendor or the third party in the companies, to basically show that you are complying with what you claim you’re doing. So, you claim you have a firewall, you claim you have an antivirus, you claim you have a backup; can you actually prove it? Right? We’re not there yet, because people don’t want it. But we have small kind of steps forward. For example, some companies create a shareable questionnaire, you know, you upload it once to a vendor, and then whenever a vendor wants it, they’re going to share it with them. And of course, we have companies doing TPRM that check your posture from outside and always check it, but it’s towards the outside. Inside, we don’t really know. If the company had two data centers and now has one, they immediately understand by external IPs, but it’s very hard: if you do not do backups, and then the light moves from green to red, it’s really hard to know; the company doesn’t have a way to collect it and kind of push it up the chain.
Patrick Spencer 31:21
So self-attestation is almost the equivalent of the fox guarding the henhouse in many ways. So, your point about some type of SaaS vendor that you can overlay to verify that the self-attestation is actually true, I could see the validity behind that. That’s quite pertinent.
Evgeniy Kharam 31:39
The entire SOC 2 compliance is focusing on this part, not perfectly, but it is doing a relatively good job. A lot of the SOC 2 companies are helping you to get compliant. They have automations that connect to certain parts of the environment to actually say that you have the right controls and the right evidence. So maybe this part, eventually, by agreement of course, people will push it up and say, yes, I’m doing this.
Patrick Spencer 32:04
Is there a role for the MSPs to come in and help certify or validate that these controls are in place? And moreover, I assume you’re seeing in the companies you’re consulting with, or the MSPs you’re consulting with, that they have a lot more end users that are finding that they do business with certain entities that have compliance controls in place, like the DoD, and suddenly they need to vet their entire supply chain, because their ability to comply with that regulation is contingent on their supply chain actually being compliant. Is that going to be a greater and greater pressing concern as we move forward to 2023 and beyond?
Evgeniy Kharam 32:46
So many companies are doing gap assessments, and MSPs as well. There’s also a relatively new domain of product that is called breach and attack simulation. They do assess some of the controls. So not getting scores, but the tool says, hey, can I actually take this file and email it to someone? Is your office actually working? So, the monitoring of the controls, but the gap analysis is kind of testing out where you are right now versus where you’re supposed to be, the readiness assessment that people do towards SOC 2, ISO and anything else as well. And it seems, on par, to become a better company, you have better metrics to see that you are moving up and not moving down in your cybersecurity program.
Patrick Spencer 33:29
Makes a lot of sense. All right, let’s talk about this Ski Cyber conference that you’re leading right now. Let’s do origin, number one. Number two, what is it? And number three, how do Tim and I get invited to attend?
Evgeniy Kharam 33:43
Sounds good. Okay. So last year, I was doing a snowboard training level one because I want to teach my son, and I realized I suck at teaching. So, I said, okay, I’m going to go learn and figure out how to do it correctly. And it was amazing training. I learned a lot about how the entire deal of building blocks, which I like a lot in our industry as well. And when it downloads it comes with a training. Like, why don’t we do fun events? And at a ski hill, why do we do golf tournaments, but equally, like skiing and snowboarding, why not? So, I kind of went on LinkedIn and asked the question, and I got a lot of responses. Like, yeah, it’s a great idea. And, oh yes, one company did it at one point. Okay. But it was the end of the winter. And the idea stayed in my head. And in the beginning of the winter, we’re talking about probably October, I was talking to people, started my consulting business, and my friend Tony, Tony of Guinea, he’s actually part of a private club near Barrie, it’s a city near Toronto, an hour’s drive. And I think we can do it. Like, no way. He’s like, yes, because in my mind I had no idea how to actually go to a ski hill and say we’re going to want a hill. So, he went and spoke with them and we realized we can actually do it. We realized, because it’s a private club, and it’s open on the weekend, if it goes Thursday, we were able to have the entire hill to ourselves. Now don’t get me wrong, it’s not a rocket, there’s not vast. It’s not a very big hill, but it’s still a hill, there’s different kinds of runs, green, black and blue. And we also can do it. Now the assumption was, okay, people want to go ski and network. People right now, always going to a conference, they say the best part of the conference was the talking in the hall with other people. So, wouldn’t it be smart to go to a conference and pack the entire day with speaking engagements? Probably not. But we don’t want people to mingle and talk to each other. And lodges are better.
So, the idea will be, okay, we will give people food in the morning, we will do some presentations during the lunch when they eat. We’ll let them ski and snowboard more, we have some games. And then we’re going to have a pop dinner and food and drinks. And we’re going to have some kind of panel discussion focusing on customer experience. And kind of let people enjoy everything. So, we’re right now looking for sponsors, for vendors, to do it as well. It’s quite hard to build ourselves. We started registration, we have around 15 to 20 people by now, probably by the time it’s airing it’s going to be much more. The venue can have 200 easily; I think 150 will be a very good number to have there. From kind of logic understanding, it’s March 2. So, we want to kind of handle the winter, but still not at the full end. It’s Thursday, and it’s quite easy to get there. We can put a link, we can talk to spartan team how you guys get in as well. We are right now working towards accommodation across the street from the hill to stay there as well. There’s a hotel, like literally 200 meters away from this hill, to have a better rate. I hope I answered all the questions.
Patrick Spencer 37:02
Someone listening to this podcast, how do they find out more information? And where do they sign up?
Evgeniy Kharam 37:07
So, if you guys can put the event in the show notes, or you can just go to my page, and my page is probably bombarded by the promotion of this information. But there is a LinkedIn page to sign up and there’s an Eventbrite link to kind of get the tickets as well. We’re not asking for a lot of money, but you want people committed to come, because it’s quite a lot of things to make happen. And we cannot have 500 people saying they’re coming and only one hundred people show up. Yeah.
Tim Freestone 37:35
I’m sorry, I might have missed it. But was this the first one you’re doing? Or have you done this a little bit before?
Evgeniy Kharam 37:40
It’s the first event I’m doing myself on this level. And I’m pretty sure it’s the first skiing and snowboarding event in the Toronto area. I know for a fact there were events in Colorado in the past, but in Ontario, Toronto, in Canada, I think it was the first one. Good.
Patrick Spencer 37:58
That makes sense. So, your two podcast shows are on different subjects. So, they’re covering different materials, so they’re both worth watching. We’ll obviously put this in the show notes as well, but where can our audience find out more information or subscribe to those two shows?
Evgeniy Kharam 38:13
So, Security Architecture is quite easy to find: security architecture.org. This is a very technical one. We are finishing season four right now, about browser isolation. This is one. Cyber Inspiration is a very special podcast, you’re able to find it as well; on my LinkedIn profile, there are links to both of them. And Cyber Inspiration is, again, focusing on the people, ideas, and why, what was the motivation to start the company. Had some very interesting interviews with the meeting amazing tips from the founders.
Patrick Spencer 38:48
What’s the most interesting founder interview conducted so far? Any big surprises there?
Evgeniy Kharam 38:55
Oh, this is going to be unfair to some people. But I can tell you one of the biggest things that I liked from the recommendation perspective; there are going to be two. One was from Dean from Axonius. I was asking him, what can you recommend? Or what will be your advice to starting entrepreneurs? Oh, sorry, I was asking him, when you have like a dark moment, how do you kind of go back to yourself as a founder? And he told me, again, I was doing one of the interviews, with Elon Musk. And he was asked, what do you recommend to entrepreneurs during this dark time? And Elon says, accordingly, that if you’re an entrepreneur and you need encouragement, you are in the wrong business. Yeah. And I think it’s very, very, very, very deep. And the other one, it was the VP of Skyhigh. We were talking about sales. And he told me about an idea that somebody else was teaching him: you are finishing a sales call and the customer tells me, oh my god, oh my God, I want this product, I want this product. And you want to validate if it’s actually true, or it’s full of it. Tell them, we’re going to be so busy, we’d love to meet you in two weeks, but we can meet you in six months. And if the customer tells you, yes, yes, then they actually don’t want the product, they’re just basically busting your balls. And if they say, no, no, no, no, we need it earlier than that, you know, actually, truly, we have a real deal here.
Tim Freestone 40:27
Yeah, yeah, absolutely. Um, I also have, along those lines, you know, just from a sales standpoint, if the customer says they’re always interested in what the innovations in the industry are, take it as a red flag, because it means they don’t have any sort of project. They’re just going to sit there and learn from you. And one year later, right, kicking tires.
Evgeniy Kharam 40:49
So, when I was at Herjavec Group, one of the questions I’ve asked all the customers was, Mr. Customer, just to understand from a deployment perspective, I want to make sure my team is aligned, when do we want to deploy this, this quarter or next quarter or Q4? And if they tell me, oh, yeah, we need it right now, oh, why don’t we just check in right now, or in Q4, and I think it’s a totally valid and good answer, but at least it gives an understanding. How urgent is this project? Sure.
Patrick Spencer 41:19
Yeah, very true. Well, we are unfortunately out of time. We really appreciate your time today. This has been a fascinating conversation. It’s always fun to talk to others who have podcast programs on similar topics as ours, and you have two plus decades of experience in cybersecurity. So, thanks for your time today.
Evgeniy Kharam 41:40
Thank you. I really enjoyed the conversation. Thanks.
Patrick Spencer 41:43
For anyone who is listening to today’s podcast, if you want more information on Kitecast, check us out at kiteworks.com/kitecast. Thanks for joining us today.