Published: Feb 19, 2024
Duration: 00:31:28
Category: Entertainment
Greg: Hi, I'm Greg Schaffer, and welcome to the Virtual CISO Moment. Chris Foulon joins us today; he is at CPF Consulting LLC. Chris, thank you so much for joining us today.

Chris: Thank you, thank you for having me on, and a quick correction: CPF Coaching. Actually, I'll give you a little bit of background on why I went with that. While I've been a consultant, a technician, a security person for so many years, I love helping to educate people. So while I'm providing my services, I find myself more with the education, to justify why they should be going with security, rather than "hey, this is the right way to do it" or "this is the best way to do it." No, this is the best way to do it for your organization. Just like coaching an individual, coaching a company: everyone's different, every company's different, they all have their unique circumstances. But that's where I'm at now. Let's jump back to the beginning.

Greg: Well, I appreciate that, and actually that's what I had written down; I just couldn't read my own writing. I think I was more focused on making sure to get your name correct. But thank you for the correction, and yes, I'd like to hear about your journey: how you got started and how you got to where you're at with CPF Coaching today.

Chris: Perfect. So I grew up in the Caribbean. People that have followed my podcast, which I still do, Breaking into Cybersecurity, kind of know that journey. I came from being an island boy living in an internet cafe at 10 or 11, upgrading computers from Windows 95 to XP and removing viruses for fun. Those were the days of LimeWire and Napster, and everyone that wanted music ended up with viruses, so I ended up being the island kid that helped get rid of that. That fueled my passion for cybersecurity. But when I came to the States as a teenager and I was looking for college degrees, everything was focused on the science: computer science this, computer science that, and I'm not much for the physics or the algorithms behind all this. I like to connect the people with the technology and help them use it the best way. So I said I'm going to go for a business degree, and I did that with an emphasis on information systems: how can I help businesses use information systems better? That went on for a while. Then the economy crashed in 2008, and at that point I was in more of a sales-type role, and I'm like, if I'm going to do this, I might as well do this for something I love. So I quit my job. At the time you needed certifications to get in, still like today, unfortunately. I had the experience, so passing the certifications for me was easy, but when I saw all the folks going through the boot camps at the time as well, it made me realize how not good of a model the boot camp model is. While it helps people pass the exam, if you're in it for the wrong reasons, they just get a piece of paper and they don't really help themselves.

Greg: So a lot of book knowledge, but not practical application skill sets.

Chris: Yeah, or even they passed the test and they don't know why they passed the test; they knew the right answers, but that was it. I had construction people, I had math majors, and quite a collective group of folks in my boot camp class, and the ones that were the most successful typically were the ones that wanted to do that for fun, and not the ones being paid by government grants to do these boot camps. I took out loans, I did it the hard way, I paid them off, but I loved it along the way. And then I got my first help desk job, and lo and behold, what do I find on their keyboard on day one? Their password, on their keyboard. I'm like, ah, there's got to be an easier way. So that started my way down: okay, let's help you create better passwords, let's help you manage it better. Back then there weren't really good password managers; there were a couple that lived on your iPhone, and that was the only existence of all your passwords, so if your phone died, all your passwords went too. For most people that was too big of a bet to take, so they would rather save it somewhere local. So I ended up helping them create password-protected files, where at least it was encrypted, at least there was a password on it, so that if a threat actor did get the file they didn't get all the passwords; they got an encrypted file. But along the way I wanted to do more and more in security, but I was seen as a help desk person, I was seen as an infrastructure person, and I didn't have that security title.

Greg: I'm hearing some background noise.

Chris: It could be outside, where there's somebody with a leaf blower.

Greg: Okay, we'll just continue on.

Chris: So as I wanted to transition into more of a security-focused role, I found myself hitting up against that stigma, that people saw that I came from the help desk, that I came from IT. But there weren't many security titles back then; there wasn't even a CISO title, except for maybe some of the huge Fortune banks, but smaller companies maybe had a manager and that was it. So I started a podcast once I got my first consulting role in cybersecurity, and I called it Breaking into Cybersecurity, to share my knowledge but also to share the journey of other people that are doing just what I did and transitioned from another field, could be IT, could be not, into cybersecurity, and their path along the way. It's been five years, 500-plus episodes between myself and my co-host, so we've been going for a long time. I even started a new version of it, Breaking into Cybersecurity Leadership, but rather than folks that have broken into leadership, I'm trying to pull back from vCISOs like yourself or other CISOs to share their journey, so that folks that are looking to get into those roles know that you don't have to be just a technical person; you need to know the business, you need to know the soft skills, the people skills.

Greg: Absolutely, and understanding the business is just as important as understanding the security aspect of it.

Chris: So I've been doing that as well. The economy hit me; I was part of a bank, I got laid off, and I'm like, why not try doing some consulting on my own? So I started CPF Coaching with that background, because I've been doing it in the past, usually for other people; this is the first time for myself. And being an entrepreneur is a tough job, as you might know. It's not just delivering on the role; you have to find the work, you have to sell the work, and then you have marketing, which is a four-letter word, and then sales is even worse.

Greg: Yes.

Chris: So, no, I hear you. That's one of the things that people ask me a lot, just as a side note: "well, how would I start off doing this on my own?" And it's like, 80% of this has nothing to do with the technical stuff or whatever it is you're delivering. The hardest part is literally getting the business out there, because there's a lot of people out there that are doing the same thing, and especially with the vCISO title. I've found, prolifically within the past two to three years, you have these large consulting companies that are selling consultants as virtual CISOs, but they're just the ones delivering the mid-tier work. They're not the ones guiding the strategy, they're not the ones helping the business come up with how to implement a security program or a framework to use; they're usually the ones helping them implement something more on the engineering side, but selling them as vCISO services. So that's another reason that, while I have a little bit of disdain for the vCISO, when I got my role as a vCISO I went with one of the acronyms that someone else went with, fractional, and I like the reasoning that they use behind that. It's because they're still one person; they can't clone themselves, they can't virtualize themselves, they can't containerize themselves. They now have to split themselves up amongst however many businesses you're supporting. So that's really what it is: you're fractionalizing yourself to help small or medium-sized businesses deliver on the security program, because they don't need one of you all the time. They maybe need a couple of hours of you to help with their risk assessment, or to help with a security questionnaire, or to help with a modernization effort, but they don't need you all the time. They might need engineers most of the time, they need analysts most of the time, but they're not at the stage where they need full leadership all the time. And that's a big difference for many small and medium-sized companies: it's okay that you don't need a full-fledged leader just yet, but you need someone that understands the need for that strategic guidance, and then someone that can guide the engineers, that understands what needs to be done. This could be someone in IT, this could be someone in risk, different aspects of the business, but that understands the need for security within your organization, and not just thinking, "well, who's going to pick on me, I'm a tiny SMB?" Yes, but you're in the supply chain. Yes, but you support DoD contractors, or you support the healthcare system, or you support the financial system. You're just that little fish that they want, so that they could get to the next big fish. So that's the importance of why small and medium-sized companies really do need to think of security as part of their survival: because they're part of the ecosystem and the supply chain, and their bigger partners are starting to see that and are starting to require some level of maturity, even for their scale, for them to be able to be part of their vendor ecosystem.

Greg: Well, I think you brought up several excellent points during that one, in particular the vCISO, fractional CISO, vISO, whatever. I think you're right on the two-to-three-year time frame; that's when you've really seen this sort of morph, whereas prior to that the virtual CxO was pretty much understood. I think the most common was the virtual CFO; that's the one that really started that whole virtual craze. But really, I think for small and mid-size businesses, at the end of the day it doesn't really matter what you call yourself, but you have to show that you have that risk management experience, if that's what it is that they're looking for. They have to understand what it is that they're looking for, and you have to be able to deliver it. So if you have an SMB that's going to get a virtual CISO, or a fractional CISO even, thinking that they're getting risk management experience but they're really getting more tactical stuff, that all needs to be worked out prior to the engagement, wouldn't you say?

Chris: Absolutely, and I think that's part of the marketing or sales that we need to do: we really do need to qualify the need for the engagement. Sometimes they need our services, and sometimes they need more technical services, and we're happy to connect them with our security partners or our colleagues that provide those services. Whereas I myself, I like the coaching aspect. I like coaching the business leaders and the security leaders, or even the compliance leaders, as to why they might need that maturation strategy, why they might need that modernization strategy, to help their organization grow. Usually it's to help them make more money, and that's what they want to do in the end.

Greg: Yeah, exactly. So the risk management portion, the SMBs understanding that they need that, is certainly, I would say, a risk to them at this point in time if they don't understand it. But outside of that, outside of not having the proper experience, or the coaching if you will, which is a huge thing that they need, what are some of the other threats, currently from your perspective, from the cyber side that SMBs face today?

Chris: Well, I think the whole evolution of cloud: not understanding the shared responsibility model that's used within cloud services or software as a service. While you do inherit some security controls, some level of expertise that you would not otherwise have if you built all the services yourself, there are still things that you need to control within a SaaS environment. There are still things that your SaaS provider will not do for you. They will not help end to end with identity and access management. You still need to vet your people, you still need to vet your business processes, you still need to vet your process flow and how you share your information, and where your information ends up, and what type of information you have and how you want to protect it. These are all things that the businesses still need to do, no matter how small or big they are. And I think for a lot of the smaller and medium-sized companies, this is where they are finding some of their challenges. They might say, "okay, well, we're all SaaS." Okay, well, do you understand how you're controlling your identity, or how you're controlling the data that you put within those SaaS environments, and where you have stricter controls versus looser controls? That's still something that they need a lot of coaching on, they need a lot of guidance on, to help them as to where they could strengthen their controls without inhibiting their business, so that they can seem more on top of their game when they go out to their vendors, when they fill out the security risk questionnaires that their vendors are asking them to fill out, things like that. Because they're going to lose sales if they can't show that maturity, if they can't show that understanding. I think that's the evolution that they're needing to go through, and that's the journey that I like helping them on.

Greg: Well, on the SMB side, sometimes they'll come back, in the beginning of a due diligence process, and you touched on it, and they'll say, "well, we're all SaaS, and here, we have these SOC 2 reports from all of our SaaS vendors." Okay, you looked at them? "Yeah, they're fine, there are no exceptions." Like, okay, that's fine. All right, well, how do you actually meet the complementary user entity controls? And then they go, "what?" And it gets to your point about control, because they don't realize that even within their vendors, those reports have the little nuggets of clues about what they should be doing. And yet, and correct me if I'm wrong from your perspective, but from my perspective, for the most part, first starting to work with SMBs, they really don't understand, first of all, what a SOC 2 report is and is not, nor do they know how to use it.

Chris: They don't. They really use it as a sticker to put on their website to make them seem more marketable, and they think that once they have that there, they can wipe their hands clean of it. But as I remind many people, first of all, it's a point in time, and second of all, as soon as that auditor is gone, you don't know what happens in the background. So it's your business, it's your reputation, and while you might stake it on their SOC 2 report, it's still your reputation if they get breached and you're the one that loses your business. They might survive, but you lost your business, because you relied on them and you didn't even double-check, put any due diligence back into understanding that SOC 2 report, reading that SOC 2 report, and not just taking it and going, "oh yeah, here," and passing it on to someone else. There's a lot of risk acceptance that happens like that, that people need to understand: you're accepting almost an unknown.

Greg: And the misconception in that, that the SOC 2 is not a certification; it's just an attestation of, like you said, a point in time.

Chris: And for most of the time it's a self-attestation, because their auditors will, depending on how much they want to spend, take the SMB at their word. They might verify a couple of the more salient points, but you're not going to go through with a fine-tooth comb, or the small or medium-sized business can't afford for them to go through with a fine-tooth comb to make sure that everything that you're attesting to is really true. So that's another challenge that I find small and medium-sized companies have: some of them are willing to say, "oh yes, we do that," and then when you drill down, "well, we don't really do that, we have a policy." Okay, well, how do you implement your policy? How do you validate your policy? How do you test your policies? You get to the test and validate part, and that becomes a harder nugget to crack, and that's where the coaching and the guidance comes in. Because sure, you have a disaster recovery plan, or you have backups, but have you ever tested them? Have you ever restored them? Do things still work after that? Most of the time it's an unknown for them too.

Greg: That seems to make sense. Again, sometimes SMBs are triggered to help build their security programs because one or more of their prospects or clients are asking for a SOC 2, and it's almost like a backward way, because it would seem to me that it would make more sense for someone to build the security program first, by choosing a framework and then building that framework, and then when an audit comes, whatever requirement comes, you should be able to map and meet whatever that requirement is. Is that an adequate way for SMBs to start, in your opinion?

Chris: I think it's a practical way for them to start, because when you're a small one- or two-person company, it's easier to control your data, it's easier to control who has access to the environments, and things like that. But as you grow to 40, 50 people, you put trust in those new hires; you expect them to put in the same level of due diligence and care that you did growing your baby to this size. But some of them are there just for a paycheck, some of them are there just to sell your services; they don't have that same love and affection for your small or medium-sized company like you did when you were growing it. So if that's not inherited when they come on, and if that's not practiced and preached when they come on, they look up to you, and if you're flying by the seat of your pants, they're going to fly by the seat of their pants. So I think at a certain stage you have to go, okay, we're going to implement a framework; even if we can't develop it fully, we're going to do as much security as we can at each stage of the business. One of my colleagues wrote a great book; actually, there's two books I want to recommend. One's called Understand and Measure Cyber Risk, and the other one is called Startup Secure, and between both of those, they start with the inherent framework that you need to understand: we're all humans and we all make mistakes, and just by that fact we need to implement security at all stages of the business. It's not always going to look the same. In the beginning it might be MFA, that extra layer of protection over your identity. As you grow, it might be extra protection around your data and how you share data. And then as you grow, you might need more control over the things you develop, how you bring things into your environment, how you inherit controls from other vendors, and whether they really meet your requirements. It kind of lets you grow and evolve your security and compliance program, because there will come compliance; the bigger you get, the regulatory bodies will look at you, whether you're in finance, healthcare, government, someone will look at you, and then your vendors will look at you, right, the people that you're selling to, your customers. So there will be compliance at some point in time. I don't say compliance as a four-letter word, but sometimes you need to comply with a framework to help you improve your security program, because if you take and choose controls from many random frameworks, you end up with an incoherent security program when you get to the end. Now, if you take something that has a Rosetta Stone, like NSF, and you want to show how you're matching those controls and how it creates a great framework for you, yes, that's a different story. But you can't start with "oh, CIS here, NIST here, ISO here" and just choose all the random controls because they're convenient for you. You want to go into that with a sound methodology as you create this framework within your organization.

Greg: Well, even working with small and mid-size businesses that have a lot of the same needs that larger ones do but don't have the knowledge and the experience, and sometimes even just getting in a framework, even working there in smaller organizations, everything in information security and cybersecurity can be quite stressful, and we have a little bit of a problem, or more than a little bit of a problem, in our industry with burnout, and in some cases it affects mental health if we're too ingrained into what we're trying to do. We put too much stress on ourselves, and there's a need to want to decompress. What's one of the things you do to get away from the stress, not only of cyber but also, as you mentioned at the beginning of the podcast, the stress of being an entrepreneur?

Chris: I would say for me it's continuous education. I came into cyber and tech because I love learning about what's coming around the corner. Right now I'm learning a lot about AI and large language models and how companies can use them to enable their staff, but also how we can help them use it in a way that understands the risks that come with using it. Just like any technology, these advancements in technology come with hallucinations, they come with caveats that you need to understand when you're implementing them within your organization. So I'm looking at what is the next thing that's coming down the pike that I'm interested in and that I can help companies with. Because really, if you're not doing it for fun at the end of the day and you're not having fun, you're going to burn yourself out. It's like someone saying, "I want to get into cyber, and the first job I'm going to take is to be a SOC analyst," and they have no clue what being a SOC analyst is, and then they get their first SOC analyst job and you're like, "I hate it." So it's really about enjoying what you do, and for me that's how I try to minimize my burnout. I try to find stuff that I do, so that's authoring books like Hack the Cybersecurity Interview, like Breaking into Cybersecurity, co-authoring with other people, doing podcasts, getting to know people. I'm in so many different Slack groups with so many smart people; just having those conversations and being able to step out of the one company that I'm in at any given time and go, "huh, this is how this other tech company in San Francisco or in Canada or in South America is approaching these challenges, how can we use the knowledge that they gained to take a step ahead?" and share our knowledge between us. Because threat actors are doing it, and if we're not doing it, they're going to keep advancing at a faster pace than we do. So we need to be on the information sharing as well.

Greg: So, future plans?

Chris: Future plans: as much as I love being an entrepreneur, I think I'd rather work full-time for a company, so I continue my journey to look for that full-time role. I don't think I have to jump straight to being a CISO; I could be a deputy at a larger company. I think there's enough challenges in small enterprises that I could be happy with, and continue podcasting and authoring and giving back to the community. That's where I want to focus. I love giving back, I love helping the next generation, so continue having great conversations with folks across the industry.

Greg: So if folks want to get a hold of you, what's the best way to get a hold of you?

Chris: Well, they could find me at cpfcoaching.com; they can find me on LinkedIn, they can find me on YouTube, all the major podcast platforms. They're just sharing information.

Greg: Awesome. Chris, thank you so much for taking the time to chat. This has been a great chat; I've learned a lot, and I appreciate you sharing your wisdom with us this morning.

Chris: Thank you for having me on, and everybody, stay secure.