INCH360: Nick Mirizzi

Welcome to this, uh, live special
edition of the Cybertraps podcast.

Uh, excited to have Nick Mirizzi here.

We are here live at the Inch360 event
at beautiful Gonzaga University.

Nick, thanks for being here.

Tell us a little bit about who you are and

what you do.

Yeah, thanks Jethro.

Thanks for having me and it's
great to be back in Spokane.

Nothing like, uh, the Bulldog
on the yard right outside.

Wished I could have gone to
the basketball game last night.

Oh, no kidding.

Couldn't make time for it.

Great team.

Yeah.

And it's a lot of fun.

And everybody around here gets excited
when they're, when they're doing well.

I bet.

Yeah.

Yeah.

A little background on myself.

I'm about 30 years in high tech,
building businesses, many startups,

some large companies for the
last 10 years in cybersecurity.

Um, Cloud Cyber Security
specifically, so I actually

didn't do much network security.

I went straight into the cloud
world when cloud actually hit.

Like right around 2012 when AWS started
to become really popular and AWS

and Azure and Google were launching.

That's when I landed in
the cloud security space.

So, been an interesting eight years.

That's for sure.

Very bloody, very bumpy, very bruised.

Not a lot of knowledge on how
to secure the, the new world.

Yeah.

You know, we all, we knew
how to do network controls.

Yeah.

We knew how to do internet security.

A bit.

But we didn't know how to
really secure the cloud.

Definitely things have changed.

Yeah,

and, and would you say that
the cloud is secure now?

I would say the, the folks who do
it well definitely secure it, right?

And you have to own that.

It's, you know, it's a
shared responsibility, right?

The cloud is, it's, they own the
infrastructure, but we own the results

and the outcomes of that, of that cloud.

And, um, so I would say for sure,
you know, over the last, call it

five years, I'd say the tools have
become very purpose built because

we know what the problems are.

Where ten years ago we were
guessing what the problems were.

So we were building solutions
that were more guesstimates

than they were right on point.

Yeah.

And so over time you, you, you hit,
you get, you guess some right and

other times you guess some wrong.

Things wrong.

Mm-hmm.

And so now I'd say that the purp, the
pro, the solutions that you can deliver,

that, you know, after you've architected,
after you've done the work to figure

out what you want to do, that the tools
that are there are very purpose built

so you can actually really succeed.

Yeah.

And it's easier to succeed.

It's not a, a big lift and shift motion
that we've gone through the last decade.

Mm-hmm.

It's definitely very purpose built.

Yeah.

So there are normal everyday folks
running businesses, leading organizations

who rely on cloud services and don't
understand how, how they work, how

they're secured, uh, any of those things.

How do you help people like that
stay aware enough that they, that
they do what they need to do?

Yeah.

But not go over their head or above their
level as you're trying to help them.

Yeah, sure.

Good, good, good question.

Um, so I work for a
company called HP Aruba.

Um, we have a very solid cyber
security enablement program, so

we can, we help companies do that.

Now, really it boils down to
what type of company you are.

If you're, typically if you're
an SMB type of a client.

You, you want to outsource that work.

You don't, you want to focus on your
core business, like you Jethro, right?

You're, you're, you run a podcast company.

Right, yep.

You don't want to manage
your own cyber security.

No.

You, you need that outsourced.

Yep.

You need to just be secure.

Yep.

So you, I would advise you to go find a
strong managed, managed service provider,

managed security provider, managed
IT provider, somebody that you trust.

There's lots of them now.

That's the difference.

Ten years ago there wasn't that many.

Now there's lots of them.

So you can compare and
contrast very easily.

But obviously as you move up that chain
from SMB to more like mid market, large

enterprise, multinational corporations
where we're hiring large staff, we're

managing lots of products that in
that situation what I would do is,

you know, I would want to engage them.

Go through some enablement,
go through some architecture.

Um, understand what they're
trying to accomplish.

What's the business value
for doing what they're doing?

Because at the end of the day, if
we're just trying to secure stuff and

we don't know why, what's the point?

Yeah, exactly.

So, you know, I'm always
trying to understand the pain.

Right?

The metrics of the change.

Like, if you're going to do that,
what's the value to the business?

Um, are you going to save some money?

Are you going to generate
a bunch more revenue?

Are you going to protect your IP better,
mitigate risk, what are you trying

to accomplish, what's the outcome?

This is interesting because, uh, one
of the school districts that I was a

principal for, uh, we outsourced all of
that security to, uh, GCI up in Alaska.

Sure.

And they took care of all of that for us
because, we were on a small remote island.

It was really difficult to get IT
professionals to come there because
they would only be coming for the job,

and, uh, and it was just, it was just
tough to find qualified people to do

that, and so, rather than, you know,
paying a six figure salary for someone

to come and be that, we were able to pay
that or about less to, to have all of

that managed, but then over time, uh,
as expertise grew within the community,

then it made more sense to move, uh, in
house rather than have it be outsourced.

And it's just, it's interesting how
those growing pains, like, the school

district size didn't change, but the
proficiency within the organization did

change.

Yeah, I agree.

Actually, you see that just in general.

That it's good you have very explicit,
you know, school analogy, but reality

is that the biggest challenge is lack
of talent in the world right now.

Cyber security talent.

There's um, I read just a month
back, there's 700,000 unfilled

cyber security positions in the U.S. alone.

Really?

That means globally, there's
probably close to 2 million.

Wow.

700 here, 700 in Europe, Middle
East and Africa, and probably

another 600 in Asia Pacific.

That are unfilled.

Yeah.

So we're talking about probably a 2
billion dollar lack of talent problem

that's growing at close to 25%.

Yeah.

Wow.

So there's no end in sight
to solve that problem.

So I would say most organizations,
it doesn't matter how big you

are, you're trying to find ways
to manage that problem, either

becoming more operationally
efficient by managing less tools.

Like, I've got my staff, I've got
20 people, I can't find any more.

I've got 10 unfilled jobs, but I've
still got a hundred cybersecurity

tools I've got to manage to, you
know, secure my, secure my company.

How do I do that?

And the only way you can do that is to
become more operationally efficient.

So reduce the amount of
tools that they're buying.

Consolidate, so that you can
do more with less, essentially.

Or, outsource.

Yeah.

And it's definitely a big problem
and it's only getting worse.

My son.

My son's, uh, just finished his fifth
year out of, uh, college working.

So he, right out of college
he went into cyber security.

Um, I won't share, um, his income
figures, but his first job was a

computer science in cyber security.

Uh huh.

And, um, he made a good pay, pay.

Yeah.

But he was an entry level guy, right?

So he made good pay.

But then five years later, he 5X'd.

Wow.

Wow.

If you're a student, if you're a stay
at home mom who wants to go back to

work, um, you know, go start looking
into cybersecurity types of roles,

because they're in high demand and
they're paying a lot for these people.

Yeah,

I don't know the right way to
say this, but do you need to

be a nerd to get these jobs?

I literally, I had a coaching call
yesterday with a friend's friend.

So one of my lady friends has a friend
who's been trying to get into cyber

security and so I did a little networking
call with her and my answer to her was,

you really actually, the technology is,
this is a really simple problem, right?

We're trying to stop the,
the hacker, the threat.

And the threat comes in a couple
different varieties but, but the easiest

one that we can think of is the threat.

I always use myself as an example, you
know, my whole life for many, many years

until I got into cloud security, I always
stole data whenever I left the company,

I would always, you know, and so I was
the biggest DLP data loss problem, right?

It was just my nature and I was not alone.

I think this was the way
people did it back then.

It wasn't because I wanted
the data for myself.

It was because I wanted to make sure
I was prepared for my next thing, you

know, it wasn't to try to hurt anybody.

And, and so what you'll find in that
problem is that you have to stop Nick,

right, because Nick still exists, right?

And so that's the, that's the internal
employee who's, who's doing that

which is the hardest one to stop.

Yeah, interesting.

And then you've got to solve for the
external ones, which are easier to stop

because they're easier to control access.

Um, and then you've got the social,
which is an external hack attacking

Nick internally, but he's unaware.

So he plays along and he ends up
getting hacked because he gets

socially hacked, but I look like
an internal threat at that point.

Yeah.

And, and so it's tricky for sure.

Yeah.

So tell me a little bit about you,
stealing data as you leave a company,

because it doesn't sound like you were.

Uh, maliciously doing that.

It was just part of your workflow.

Tell me about that.

Well, I mean, that's just, you know,
like you think about the old days, right?

You were, your, you did some work
and it was saved on your computer

and you put the, pop it on a USB
port and you walk out, right?

That's, that's the concept, right?

So that's the simple concept. Now today,

that person is not
putting it on a USB port.

They're putting it in their
personal Dropbox account.

Right?

Right.

So that's a CASB use case technically.

Right.

So that's why we invented CASB.

CASB.

What is that?

Cloud access security broker.

Okay.

That's the, the, the acronym.

Mm-hmm.

But the real purpose of that is
to crop, to stop data loss to the

personal Dropbox or the personal box
account, or my personal Google Drive.

Right.

So I'm on a managed device.

I'm on my work device.

I'm getting ready to steal that data.

In the old days, I'd pop a USB port in.

In the new days, I upload that
stuff to my personal drive.

It's the same workflow, essentially.

So that's CASB use case.

These are technologies that we
built over the last decade to

solve for that data loss issue.

And so now, like, you
can't do that anymore.

Right.

Like, even if I want to, I can't.

I get stopped.

I think Brant said it in there.

We have to stop people

from doing, right? 'Cause there
was no maliciousness in me. It

just was part of my workflow.

That opens up a whole line of questions.

We're going to have you back on the,
on the show again in the future.

So, uh, so we'll get into that more later.

Cause I think that's a really
interesting use case, especially

for schools specifically where
there's, there's so much there

that can be done, uh, with that.

And teachers are notorious
for, for that kind of thing.

And some districts have policies
specifically to prevent teachers from

doing that and others don't care at all.

And some things that you create
while in the employ of the

district are the district property.

And other districts are like, you create
it, it's yours, we have no claim to it.

And, there's some blurry lines there.

That would be a great,
uh, philosophical talk.

The policy.

Yeah, no kidding.

So what's your big takeaway
from Inch360 so far, Nick?

What I would say is it's great
to see the local cyber security

people come out in droves, right?

That's a pretty darn full
room of cyber security people.

Yeah, it's pretty awesome.

Um, and, uh, and then also it
was wonderful to see students.

So it's like, it's definitely,
not just a problem of the people

today in the workforce, but it's
a problem that the students are

recognizing and they're looking to.

You know, they want to help, right?

You see that the youth is so much
more interested in, you know,

solving the climate problems.

Solving the security problems.

They really want to do this,
you know, they really want to.

And so they're here and I like to see

that.

Yeah, very cool.

Uh, Nick, any, uh, parting words?

You want people to

reach out to you?

No, thanks, thanks for having me on.

And, uh, definitely appreciate
the H360 for the, for the time.

Yeah.

Thank you.

Appreciate

you being here.

Creators and Guests

INCH360 (Guest)
A regional industry group focused on connecting cybersecurity and compliance professionals of all levels. The group will promote education, collaboration, and communication about resources, regional companies, and jobs.