A special episode of Dark Rhino's Security Confidential featured Dave Sobel, a well-known figure in the virtualization world and host of the Business of Tech podcast. In the freewheeling conversation, Dave shared insights on the status of security, the balance between interesting and boring aspects of the industry, and his thoughts on the willingness to pay for security. His daily podcast focuses on providing IT services companies with insights and analysis to help them navigate the ever-changing technology landscape.
Dave's background in computer science and entrepreneurship provided a unique perspective on the importance of understanding the "why" behind considering a shift to entrepreneurship. He emphasized the need to assess risk tolerance, family dependencies, and the value proposition before making the leap. By delving into the complexities of entrepreneurship, Dave highlighted the significance of finding a niche, delivering high value, and understanding the market dynamics to succeed in the business world.
The conversation also touched on the evolving trends in the tech industry, particularly the rise of AI and the ethical considerations surrounding its implementation. Dave emphasized the need for service providers to guide customers on the ethical use of AI and navigate issues like data privacy, bias, and copyright management. Additionally, the discussion explored the intersection of cybersecurity, user behavior, and the need for regulatory frameworks to address the challenges faced by businesses and individuals in the digital landscape.
As the conversation delved into the realm of offensive cybersecurity and the potential implications of hackback strategies, Dave underscored the importance of a feedback loop between private businesses and government entities to define rules of engagement. Dave highlighted the need for continuous adaptation and innovation in the ever-evolving tech landscape by advocating for open conversations and a collaborative approach to cybersecurity challenges. Overall, the episode provided valuable insights into the intersection of technology, business, and security, offering a thought-provoking perspective on navigating the complexities of the digital world.
[00:00:02] A special episode today, I wanted to share my appearance on Dark Rhino's Security Confidential. It's a freewheeling conversation about the status of security, how I find it interesting and boring, and my thoughts on whether I'd pay for security. I really enjoyed this conversation.
[00:00:21] Enjoy this feed drop of Dark Rhino's Security Confidential. Hello everyone. This is your host, Minoch Tandon. Welcome to another episode of Dark Rhino Security, Security Confidential. Today we have another really awesome guest for you. He is a podcaster himself. That'll save my voice a little bit here.
[00:00:49] Dave Sobel is a great guy. He's extremely well known in the industry. If any of you are into virtualization, he has a long illustrious history in the virtualization world. But on the business tech side, he's the host of the Business of Tech podcast, which is a
[00:01:06] leading IT services focused news and analysis podcast. He does it six days a week. I don't know how he does it. We're going to ask him that here in a second. He also co-hosts the podcast Killing It or Killing IT, depending on which way you want
[00:01:22] to say it. And he's the author of the book Virtualization. So Dave, thank you so much for taking time out of your busy schedule and joining us today. Appreciate you having us on the show. Oh, well, thanks for having me. I think it's gonna be great fun.
[00:01:36] Oh, absolutely. So I got to start with Business of Tech. You're doing this six days a week. How do you... You must have an army of people that do a lot of research. How does this work, man? I mean, what do they do? I don't.
[00:01:55] In fact, you're talking to the whole company. So I always say like, well, this is the only thing I do. This is my full-time job, is producing content focused on managed services providers, IT services companies. Like that's what I spend my time thinking about. And the basic...
[00:02:12] What's the problem you're trying to solve? Most of these business owners do not have the time to keep up with the various trends and technology news. And they want somebody who's done what they've done.
[00:02:23] I was a managed services provider for a decade to come in with some insights and analysis to say, okay, here are every day two to four stories that I think are important that you need to think about and be aware of in your business.
[00:02:35] And that's the basic premise of the show. So it comes out every single day. It's a new show, roughly two to four stories, try and keep it about eight minutes long. So just enough that you can get the insights and analysis you need every single day.
[00:02:48] And on the weekends, I explore longer episodes with some interviews and editorials to kind of explore those topics a little bit more in depth. That's still a heck of a lot of work.
[00:03:01] As someone that does this and has the benefit of great talent like Emily, my hat's off to you. That's fantastic and that's a great mission to be on. And I think those kinds of shows and topics are very near and dear to people.
[00:03:20] And if they listen closely, there's a lot of great information that you're putting out there. That's what I'm trying to do. So you're trying to leverage my experience both on the IT, you know, I've been an MSP, but I've also been a software vendor.
[00:03:31] I was a lead software vendors for eight years as well. So I can kind of combine the two levels of insight and it's all about like, how can we help end customers? What's important in customers?
[00:03:41] What do they think about what are their needs and how can we deliver it for them? All right. You know, having been a software vendor, having been an MSP before that, how did you get into tech?
[00:03:56] Were you always a computer scientist or a technical person or what is your origin story? Oh, I had a computer when I was five. So my first computer was a Commodore 64. I remember that. Video watchers. That's the original childhood monitor that I grew up with.
[00:04:13] I learned to program on that thing. I then, you know, in high school was the computer geek. I took computer science in college. I have a degree in computer science. My first jobs were product development and consulting.
[00:04:26] And if you'd asked college Dave, I would have thought I'd still be building products all the time through. But after some fun rides in the startup space in the late 90s, when they laid off the whole development team and kept the sales and management team, my
[00:04:41] lesson was, huh, the leaders are the ones that get to keep their jobs. Well, I'm as smart as those idiots. I can run a company into the wall just as easily as they can. And that's when I launched my first MSP. That was my first entrepreneurial endeavor.
[00:04:56] And I ran that business for a decade. That's fantastic. So you went right from a job to entrepreneurship that where did you have family at the time or significant others that you had to take care of? I got engaged on the day I got laid off.
[00:05:15] So I know she loves me because I had nothing that day. But she always said, she goes, you work hard and always had a plan. And she said, I knew you'd figure something out.
[00:05:28] So I had faith. But yeah, no, it was my then fiancée and I, and I launched the first business and, you know, hard work and gumption get you a long way. Plus the benefits of good connections and some winds at my back.
[00:05:44] Well, you know, hard work and gumption, but just listening to your voice and looking at you on the screen here, you come across as someone with a very positive outlook. Was that always the case? And has that been a major driver in your success?
[00:05:58] You know, I'm naturally an optimistic kind of person. And my the life lesson is to be a little cheesy on this is the only thing I get to ultimately control is me. I don't I don't control anything else.
[00:06:10] I control me, how I feel, how I engage and how I choose to process information. And I always sort of smile and go, you get up every single morning and you can choose how
[00:06:19] your day is going to go. I generally try and choose that my day is going to be awesome because the other option is kind of a bummer. But and and I can control that.
[00:06:31] That's a choice. And by the way, like, you know, that is, you know, there are exceptions to that and everyone has bad days and there are there everyone has their own challenges. But it's how you deal with that, that really matters.
[00:06:45] And you can cultivate good relationships that support you during the rougher times. So, Dave, that leads to a question here on if you had if you had a top 10 list for any of our listeners who are who've
[00:07:01] contemplated, I've been stuck in this job and I want to do my own thing. What would be your checklist of? Am I ready to make the jump or should I make the jump? What what would you guide them through? What would be your advice having done it?
[00:07:19] It would be a lot of why we always and I almost start every single examination with why. So the first thing I would ask is, well, why are you thinking about this? Let's talk about what are the things that are bothering you?
[00:07:30] Because let's be honest, entrepreneurship is glorified, but it's really hard. And a lot of it doesn't work. There's a lot more failures than there are successes in entrepreneurship. I like to celebrate modest successes in entrepreneurship, too.
[00:07:45] Like not everyone has to have a billion dollar company to be a successful entrepreneur. But but I really want to ask the why, because navigating corporate America and being and being really good at large companies is a skill.
[00:07:59] And I admire the people that have it because I don't have it. And it's one of the best ways to build economic security for your family, right? Is to be really successful in a big company.
[00:08:09] So that's why I would start with why, because I'd like to understand, is it just a mismatching job like they're good at navigating bigger companies, but just that isn't the right one for them? Or is there some bad boss situation, which is 80 percent of the time
[00:08:23] or is it, you know, sort of structural? And I'll use myself as the example. I'm kind of structurally not fit to be in big organizations. I don't do really well with the structure in the environments and such. And as you get into that, then it's understanding my next.
[00:08:40] You know, I'm not sure I have ten full questions, but my next question beyond why is talking about risk tolerance, because, for me, entrepreneurs who are really successful have a really high risk tolerance and are willing to accept that.
[00:08:55] And they are able to navigate that. And understanding the risk tolerance would be the next bit. And then the third is the obvious is, oh, you know, let's talk about your family. Let's talk about the people that are reliant on you.
[00:09:06] It's very easy to take bigger risks when you're younger and earlier in your career. When you don't have a partner, kids, pets, a house like like your risk tolerance changes over time. So I want to understand who's depending on you
[00:09:24] and what do you need to do to be successful? And once I've asked those first three questions, we can then start guiding into the specific match about whether or not entrepreneurship makes sense, because then it's about like, well, what are you going to do?
[00:09:36] What's the value that you think you can deliver to the market that people are going to pay you for? It's not as much about having a great idea. It's also the like, and will people give you money for that idea? Yeah. Then we work into the idea.
[00:09:53] And, you know. Well, there's a lot to unpack in what you said, but in that last one about the market, that that one is brutal for a lot of people, right? It because in their mind, they have a great idea or they have a great product.
[00:10:15] But the market is telling them we don't care. Yep. Yeah. Right. And the market is just brutal. The market is brutal. And by the way, incredibly fair. It will tell you, will judge you quickly and brutally, but incredibly fairly. Although, you know, again, caveats.
[00:10:34] But but but really your idea is great to you. What you have to do is you have to figure out is are there people willing to give you money for that? May not be money, maybe time, might be attention, might be resources.
[00:10:47] But whatever the value is, you know, they have to perceive that what you're delivering is of higher value than what you're asking for in return. That's really the key metric and the thing that we've got to focus on.
[00:10:58] And I push on entrepreneurs all the time when they ask me about something. It's like, well, who's the people that need money? Tell me what they look like. And in fact, oftentimes, the more they tell me everybody,
[00:11:09] the more skeptical I am, because, you know, you actually want to be really specific. I'll use myself as an example. Right. I focus on. Owners, managers of businesses and the IT delivery space, generally in North America, generally who are running businesses
[00:11:28] between half a million dollars and 10 million dollars, like the more specific I get, the more I can be tangible about the value I deliver to those people. If you've got some great idea and you're like, everybody will want this thing. Yeah, I'm not convinced that's actually a thing.
[00:11:46] The more specific you can get. No, if it's everybody wants it, it's a commodity at that point. So, yes. Yeah. Or or not specific enough. Right. And they're not specific enough. Yeah. Right. And back to the value.
[00:12:00] Are you delivering more in value than you're asking for in return? And that's the balance, the trick. You can be super valuable and that's how you command high prices, which, by the way, we like everybody. It's OK to be super specific
[00:12:16] and go really deep in a very small group of people because that specialization means it's rare. It's a high value. And you can deliver strategically. You know that ninja who dives in there and gets it right. You know, that's super valuable. I love stories that sound like that.
[00:12:34] And those are rare. I mean, a lot of the firms that we've seen and we'll get into this here in a second, but are mostly fast followers or it's a me-too play in the industry. The genuine innovator. That's a you see those, but they're rare birds.
[00:12:52] They're not. And particularly for dividing between product and services. Right. Because the two are the two are different. And I'll freely admit I am much more focused on service. Which are it's it's almost easy. It's easier to start up. It's easier to deliver high value.
[00:13:09] It is much harder to scale. And they have limitations on that. And it's and it's a choice. Right. So like product, easier to scale, easier to grow up, much harder to get started. They are different approaches. They have different skill sets.
[00:13:23] But it's important to think through that kind of stuff. I love services because I can go super niche really fast. And I always joke and tease people is the more boring it sounds, the probably the more profitable it is. Anybody know anything about medical transcription in highly regulated
[00:13:41] industries deal? I mean, like, you know, I guess I could throw a couple of buzzwords together. And the more boring it sounds, the more I can tell you, like, yeah, that there are a bunch of people that do that well.
[00:13:50] And you can really excel in the value as boring as it might sound. That's a very interesting take. I have not actually heard anybody articulate that. But because usually you think of the polar opposite mentally, that you want excitement, you want, you know, the great offering,
[00:14:10] the one that generates a lot of buzz. I've never seen anybody say, well, that's kind of boring, but I can make a lot of money. I really don't.
[00:14:25] I well, because the other thing about it is, is remember, boring is all perception. Right? Yeah. It's the anybody that understands complexity knows that you can find really interesting things really fast in interesting, complex problems. And interesting is simply defined by the person working on.
[00:14:44] And I again, my almost fantasy ideas, medical transcription in highly regulated industries. Well, that means you got to know a bunch of stuff. You've got to know medical information. You've got to understand patient privacy. You've got to know data management. You've probably got to know finance management.
[00:15:03] It's like, and there are all kinds of subtleties to all of those little, those disciplines and anybody who becomes an expert in something actually ultimately does become really passionate about it because the subtlety, the complexity, it's really interesting.
[00:15:20] And that's where the interest stuff lies is like, oh, well, how do you make the determination between A and B when the criteria are super close and we get into these arguments and philosophical debates? Right. They all that kind of stuff.
[00:15:33] And well, that complexity can be really fascinating. Most people that are really deeply knowledgeable about something also know they don't know a lot and keep loving learning. That's. Well, that was worth the price of admission to this. I mean, I love writing this cool stuff like ever.
[00:15:52] And by the way, like everything that is glitzy and glamour, tons of people are chasing, you know, why do you think everyone wants to be an actor? Right. Because it seems really exciting. And you know what? There are too many actors.
[00:16:06] They're not they don't get paid very well. Most of them don't get paid very well because there's too many of them. And so you kind of have to know that sometimes glamorous, exciting, that should be a consideration of a warning signal.
[00:16:21] There's probably too many people trying to do that. And if I'm in the business of finding value and finding ways to build businesses and create ideas, I like areas that aren't well explored. And you know, that that's actually a foundational tenet of our entrepreneurship
[00:16:39] is that you have to be willing to do what others are not willing to do. So that means you're going to go into unexplored regions or do something differently that someone else isn't willing to do or hasn't figured out on you yet. Right.
[00:16:56] And by the way, oftentimes they call it boring. It's those people who go, oh, that sounds boring. That doesn't sound very interesting. That's why they didn't go there. But you know what? Maybe it's the exploration and the learning. That's that's a good portion of the fun.
[00:17:12] So then you're familiar with a bunch of the news and the trends out there. Give us some trends that you're seeing in the business from the business of tech. What are some big idea things that you've seen come across your desk in the last year?
[00:17:27] Well, I mean, I would be remiss if I didn't lead off with AI. Like that's just the absolutely. I mean, I have a lot of experience with AI. The absolutely. I mean, I mean, come on. That's the whole bit.
[00:17:39] Now, I will tell you my my approach on it is the I think there's a fascinating space for service providers around helping with frameworks and ethical considerations of implementation for customers. This is a fascinating technology. The reason it's interesting was the adoption was so fast in the integration
[00:18:01] into product lines, so obvious in many places. And, you know, a solid C-level writer for every single deployment that we're seeing can actually be very useful. But there's a lot of open questions around what's appropriate use? What are the right ways to do it?
[00:18:20] How do we handle issues of copyright management, data privacy management, bias? You know, all of those kinds of issues. And every organization is going to need to take on those questions themselves. And I love spaces like that, because that is exactly the kind of consulting and guidance
[00:18:42] that IT services companies, managed services providers should be delivering to their customers, because it's not just what technology to use, but why and how. And the why and how is the interesting bit. So here's the thing with this, and I'd love to get your take on this.
[00:18:58] I'm going to ask it. All right. Why does common sense not prevail? Now, let me also give some color to that question. So when you look at AI, it is, you know, as someone in the engineering field, to me,
[00:19:16] it's very fancy matrix multiplication, linear algebra, it's pattern recognition. You're finding things that already existed and were hiding in plain sight or were always available. It's not like these things were discovered. These patterns have always been there.
[00:19:33] Also, the data that enables those patterns to come to life was freely given by us or by whatever sources that they were gathered. But it was not like someone put a gun to someone's head to get that. It was given to them.
[00:19:53] So why is there such an ethical issue or guidance needed where simple common sense, why doesn't that just prevail in driving the adoption and deployment of the technology? Oh, well, because why doesn't why does that apply in almost every area?
[00:20:12] Why doesn't common sense apply in legal jeopardy, for example? Because that's I mean, like literally our system of laws is not just, hey, judge, have an idea of common sense. It's the it's the subtlety around it. That's the interesting bit.
[00:20:29] So let's give sort of a practical example, which I will say I am not a lawyer and, you know, I'm not such a deep scholar on this, but I can at least outline some of the basic problems.
[00:20:41] Is the ingestion of all of the information that large language models done, is that fair use under copyright and creating derivative works when used in a way to say, I'd like to just say my writing and a user then comes back and says, which, by the way,
[00:21:04] is copyrighted, I own the copyright to my own material. But if a large language model ingests it and then someone else comes back and says, write blog posts in the style of Dave Sobel. Is that a derivative work? Does it fit under fair use?
[00:21:21] It's generated by a machine versus a person, so it loses some of the obvious protections. It's not necessarily clear that it's exactly the same thing. And yes, you know, so you might say, well, let's apply some common sense. Yes.
[00:21:44] And I would say what's the difference if I copy your work? If I did what you're just saying and I wrote a blog post in the style of you. I think that would be considered plagiarism to some degree.
[00:21:58] Right. But it's also hard to do because it's just you. But throwing the A.I. at means that we have infinite capacity. So it's probably not worth your time to plagiarize me directly because it's a little hard to do and it takes time for you to do it.
[00:22:16] And by the way, me worrying about it is not as high because of the scale. But if there's especially with regards to me, you don't have to worry at all. But if there's an infinite capacity to do that by every person, every potential content
[00:22:32] writer with a click of the button, you know, by the way, I don't have such a big ego to think anyone's going to actually use me. But I can talk about myself in the example. Then the scales differ.
[00:22:43] Right now, we've got an army of content generators out there for every business out there that says, you know, I'm just going to steal Dave's stuff. And I'm just me and I can't fight back against an infinite army of bots necessarily. So it's so you ask what's different.
[00:23:01] It's like, well, the scale of this and the computer, because the compute is now cheap enough and robust enough that anybody can do it at any scale, at any level. That's some of the that's the area where I say, like, well, that now the dynamics of
[00:23:17] the market have changed in terms of the value of that stuff. My unique voice does actually have some value. Yeah, if we're talking about a security thing, there's no actual law right now that says I own my voice.
[00:23:35] So if it gets cloned, right, and reused in a deepfake scenario, well, there's no law about using my voice. Common sense says it's Dave's. It's unique. The sound and timbre and the way that I speak, common sense says that's mine.
[00:23:56] But the legal protections aren't there for it. Do I own my digital twin? What happens when someone else creates one uses it? If they break the law, that's one thing. But if they just start generating content in my voice. What's that?
[00:24:16] But comedians do it all the time, right? Look at the impersonators out there. There's people who've built fantastic careers impersonating celebrity personalities and they aren't passing themselves as me. They don't I'm passing them.
[00:24:28] So they are not they are not that they are not saying they are that person. Right. And parody is allowed and satire is allowed. And I'm not talking necessarily about that scenario. I'm saying about what if somebody starts doing a podcast? Do you know? Right.
[00:24:43] I would say that's just like that to me is just theft then at that point. But I'm not protected. But but you say it's theft. I'm not actually protected under any actual law. But again, common sense. It's like.
[00:24:55] But but we have but but the moment you say common sense, we have to write it down in order to make it something that we can manage. Right. Because we're going to have every derivation of this.
[00:25:06] And if we leave it to common sense every single time, then people are going to interpret it wrong. And when I like to tie this back to implement it in a company, if you let common sense drive the decision of a 500 person organization, you don't give everyone
[00:25:21] guidance. Their own common sense may be slightly different. Sure. Because. Right. And so you're going to end up with 5000 different outcomes when the business is trying to get to a consistent set of outcomes in order to have predictable behavior. And I don't know, make some money.
[00:25:37] Right. And we all like predictable behavior. And in order to get to that, we have to define some of this stuff and we have to define the outcomes. And that's where and that's why any of us that are into people process
[00:25:51] and management, which is, I know, a big thing in security, right, is we've got to make sure that we're doing things in a process perspective. We can't simply leave it to common sense. And by the way, let's smile all those people where I'm on a security podcast.
[00:26:06] How's that common sense working on password management, everybody? We're going to leave it to users to pick that. How's that going? You know, you look at I mean, this is you. You're talking about user behavior.
[00:26:22] It's to me, that's the big one of the biggest, if not the biggest problem in cybersecurity. Right. And and you've and you have now made my point of why we don't necessarily leave that to common sense, because user behavior is not always predictable and reliable in a way
[00:26:39] that necessarily makes sense to the outcomes that you're looking for. Right. But you know what it is, because at least I'll just speak for cybersecurity. I think. In our field, inside in the cybertech field, InfoSec, I should say.
[00:26:55] Users, the average user, there's one a perception issue and perception is reality that cybersecurity belongs to a group of people that hide in a back room somewhere and do whatever it is that they do to the average person doesn't believe that they
[00:27:13] can actually impact their own security profile. And I think. Both of those stem from the fact that they don't understand. The whys of behavior, why certain behavior can become a problem, it hasn't become tangible to them like it is tangible, don't touch an electrical wire.
[00:27:42] Period, you know, don't play with fire. You know, those are tangible things where people everybody understands what the outcomes of those things can be. But when you look at cybersecurity, which is a behavioral problem, primarily, we haven't
[00:27:58] been able to make it tangible for the average person for common sense to actually prevail because they just it's not something that they are intimate with. So we've wandered into you asked what my top topics were that we've wandered into one of
[00:28:13] the second areas, which is all this stuff. So this is where I like poking at this. So I never positioned myself as a cybersecurity person. I'm a generalist IT person and I'm much more a business person than I am. Frankly, I don't like spending money on security.
[00:28:30] It doesn't make me profit. It doesn't make me more revenue generally. Like as a general rule, when I spend money on cybersecurity, it is a cost center, not a revenue generating center.
[00:28:40] So as a business person, I'll go, I only have a dollar to spend. Cybersecurity gets, I don't know what, 10 cents of that. And yeah, maybe a quarter and a really bad. Right. So, you know, and by the way, I don't like spending it.
[00:28:59] The other 75 cents, I'm trying to get another buck back. The 25 cents I lose on security. Right. I like poking a little bit at the consequences. So what are the consequences we're looking at for a user? How many people lose their jobs over being the breach vector?
[00:29:20] I know not that many, really not that many, not that many. How many there's what the CISO does, depending on the size of the breach, they usually that's the fall guy. Maybe I mean, maybe, you know, like I'm going to poke at you.
[00:29:35] I got a lot of going. So disclosure, I work there. But before the breach, SolarWinds. Right. Well, the biggest hacks we all have talked about. Nobody actually like went to jail or got like over any of that stuff.
[00:29:52] Tim Brown's now under scrutiny from the SEC. Yeah. But but by the way, the company itself deflected lawsuit after lawsuit. Nothing happened over that. The U.S. government paid the bill. And so I look and I go like, I get it.
[00:30:04] But at the same time, what's the actual consequences of like really doing that stuff? It's financial for the business. But. Beyond that. Yeah, there there isn't much. And I guess I would poke at that the other way and say, should there really be a way?
[00:30:25] And by the way, I'm on board with you. Uh, but what's the realm of what's the realm where we actually want to have some, you know, like some some accountability? Research firms went out on the street and interviewed Americans and asked them if they
[00:30:41] thought their data was protected under regulation, under federal like federal law. And the majority of Americans believe that. And they're wrong. We know that you're wrong. You're totally wrong. But they believe it because, by the way, common sense, common sense, that is reality.
[00:31:00] Common sense says that there should be laws to protect that your data should be yours. Common sense says it should be protected. But it actually isn't. It's a fascinating. But you know, the flip side of that, Dave, is how are you getting these services for
[00:31:16] free? So there is nothing that is free. So when you sign up for Facebook or you sign up for Gmail or whatever. And it pops up that do you read the end user license agreement and what they can do with
[00:31:31] the data? It's not like these companies are hiding what's happening with it. If you read the agreements, a lot of most of it is all in there. Just read it. Sure. By the way, I'm on board.
[00:31:43] But but again, this is also like this is the fun of regulation, right? Is is that if I ran a chemical plant, the cheapest way to get rid of my waste is dumping into the river. So I'll put my plant next to the river.
[00:31:55] Right. But society has decided that it doesn't want three-headed fish like on The Simpsons. And so we we have regulations to say you're not allowed to just throw your waste into the river.
[00:32:05] And politics is the debate over what clean is defined as and all of that kind of stuff. But as common sense says, we don't actually allow what we want to have clean water. We don't want the chemical plant to put glowing green waste into the river.
[00:32:23] And so so that's the fun of the of the discussion here is is that we actually do need to get to a realm and I cover a ton of regulation and the discussion around it on the show
[00:32:32] because I think our communities, both of generalist IT and of security professionals, need to be involved in these conversations in order to get us to something that documents what we think makes sense and puts in place some framework to make this real and
[00:32:50] make this a thing that actually happens. I'll give you another one that I think about all the time when I think about a cybersecurity thing. We talk about phishing and spam phishing and spam all the time, right? Why are we running on SMTP?
[00:33:05] It's a 40 plus year old technology that has no authentication running in it. Yet the backbone of communication still is an unauthenticated protocol that none of us have gotten rid of. And we keep bolting stuff onto the side of it.
[00:33:19] But at its core, it is not designed to do that. And you know what I would if Google and Microsoft decided to get rid of it and went from SD television to HD television, because by the way, we did that move and we all decided it
[00:33:34] was a good thing. You know what I do? I would give them money for secure email. I would give them money to actually know that the person I'm getting the email from is who they said they are. I would pay for that service.
[00:33:48] And I know most businesses would because by the way, they pay for email now. They pay for email now. They just want it. Wouldn't it be great if we could wipe out a good portion of phishing and which works. By the way, we know it works.
[00:34:03] If I actually knew I could validate who that user was on the other side. Well, you would also wipe out a whole bunch of industries that thrive on providing bolt on products.
[00:34:16] And what I say to that those portion is tough ass like, like, like, well, seriously, what what do we want? Do we want to have a world where we can actually build some level of trust?
[00:34:26] And do we want to build security into this where business owners can operate their business and know it's who they said who they got back? We have other systems for validating. We know we have to do that in analog. I'm not in the business of protecting bad ideas.
[00:34:42] That's those older industries. I mean, the end of creating value for business owners and you know how we can do that? Wipe out a whole bunch of those other industries. That is actually the way to get into that. I'm not in the business of protecting email protection software.
[00:34:58] I'm in the business of delivering value in IT to business owners. And see, you know, the other side, I love this conversation, you know, playing the devil's advocate here, I'd say most people, most companies give cybersecurity lip service at best, it's a rightless sign up. Right.
[00:35:20] But they're really not interested in solving the problem per se. But they want to say, look, I met my compliance standard. Check, check, check. I, I have implemented ABC and D and that's per our industry norms. Check, check, check. Yep.
[00:35:37] That none of that good compliance doesn't mean good cybersecurity. That's a totally different ballgame. Right. But the first, the first time, the first time a CISO takes a perp walk, this industry changes.
[00:35:57] I'm just and just saying, because I and I in a way I'm advocating as as larger society outside the security industry, I'm advocating for business owners. And you know, the quickest way for me to I mean, if I was getting into politics, the way
[00:36:13] I would do it is I would say, I'm going to be run for Secretary of State in states and I'm going to protect small businesses. And the way I'm going to do that is I'm going to put actual consequences around breaches and violations.
[00:36:27] And I'm going to hold accountable. I'm going to start fining in serious ways the implementers of this if you are not doing those those protections. And you know what? It'll end up with somebody in jail. And, you know, who'll vote for me?
[00:36:41] The business community on both sides will happily do that. It rather because then they have accountability against losses on phishing attacks and breaches. And because we know it costs everybody money. And if I could pin responsibility on it, they would absolutely vote for me.
[00:37:00] Now, by the way, I'm not for all you security people that are cringing right now. I know what I'm doing is pandering to people that don't necessarily understand the role. But you can completely see how I get people to vote for me on that, wouldn't you?
[00:37:13] Oh, yeah. It's a great platform. You probably would get elected to office. Right. And then if I start doing it like that. So I just want you to have nobody being in the cybersecurity business. It'd be like, you know what?
[00:37:28] Forget it. But but actually think about that for a quick moment. No one would be in it. But then there'd be a void and new solutions would flow in. And it would become really interesting for us to reexamine the space, not wanting to
[00:37:44] do it the way we're doing it now under a different landscape. Entrepreneurs always figure out ways to deliver value in spaces like that. And I would change the dynamics of the game. So, you know, so here's the thing, you know.
[00:38:01] I love it because it's I, you know, if you don't like the way the chessboard is arranged, rearrange the chessboard, rearrange chessboard, which is essentially what you're what you're advocating for here. And, you know, one area, one example, like the Biden administration wants to hold software
[00:38:18] developers accountable for security flaws or that I'm oversimplifying. But yeah, but we get the idea and I'm right on board with you. Right. What about the concept of why is it? And I saw the secretary of state, ironically, for the state of Ohio, I believe is the one
[00:38:37] that's implemented this. They welcome hackers. They're like, look, if you can hack into our systems or hack into our website, if you tell us about it, there is no consequence to this. And you tell us what you found is the flaw so that we can go fix it.
[00:38:55] Right. If you why don't other companies or agencies take that approach where it's like, look. We are not going to catch everything system design is going to be flawed always. But right now, the laws are structured in a way for you and the good guys, you can't
[00:39:17] really go in and point out obvious gaps because technically it's illegal. By the way, 100 percent on board with you. We should change the rules of the game here. This is this is where I think and but I will also say, like, we do have rules that do
[00:39:34] allow this kind of stuff in other industries, by the way, particularly if we look at whistleblower style laws to reveal. We have structures that work. We have simply not necessarily applied them in software. But the way you can do what you wear protections for whistleblowers, we have processes
[00:39:52] that are managed for product recalls, for notifications, for the liability, for the differences in liability, in children's toys or in car manufacturing. Like we have structures that allow us. We're just not applying those same rules in software.
[00:40:09] And in fact, we sort of let software do whatever the hell it wants. Right. Because the EULA like if you put all the this is all in the license agreement and you can do whatever you want, you're completely at risk and all of those things.
[00:40:21] We kind of let software companies get away with whatever they want. So, you know, I think that the it's a matter of changing the rules of the game to apply them. And by the way, this is never perfect.
[00:40:34] And anybody who always says, oh, we need to get a perfect regulation. Well, that's not how regulation works, everybody. It actually they pass the regulation and then it gets tested and vetted through case law and precedent and actual implementations. Like it's an ever evolving field.
[00:40:52] Anybody in compliance, that's by the way how you all make money because you're tracking all of the various ways that this works. So in a way, we're creating a different version of the industry to apply these new rules and the way the new structures would work in software.
[00:41:08] We just create a new set of industries and compliance rules and value consulting and to change, change, change. Like I like all of this kind of discussion, but we're changing the rules of the game. Yeah. Which is at the heart of this, right?
[00:41:24] And that's a heart of a lot of things that you've said here is that change the way you look at things and change the rules of it. And that is because the existing, you know, at some point you reach a point of diminishing returns with incremental changes.
[00:41:42] You can only incrementally change so much before, you know, it's you never get to your final destination because you're incrementally just getting closer and closer and closer. But you never really get there. And it's the sunk cost fallacy, right?
[00:41:56] Everyone always talks about the sunk cost, the investments, the investments. Those are all in the past. Those have all been spent. You got your money back on all that. That is a fallacy to reexamine the previous investment.
[00:42:08] You simply have to look at the investments of the future and what the returns on those are. And that is the game. That is the way that you look at it. And you've got to look. Yes, you have assets and stuff you've done.
[00:42:20] But at the same time, the world changes and you need to invest in the new in order to create new opportunities. And that disruption is generally very good for most businesses to find new, interesting
[00:42:34] ways. And anybody that's holding on to the old ways, well, they're just protecting a previous, you know, a previous position in the market. I don't know. I'm in the small, disruptive business. So that's not my job to protect those people.
[00:42:48] My job is to look out again for those small to midsize entrepreneurs and smaller and midsize businesses that have the ability to be flexible and find new ways. Absolutely. But and as you've seen in the real world, there's so many examples of heavy resistance to that.
[00:43:07] But in the end, it's really impossible to stop change. I mean, if you look at it in the end, it's just a tide. And so you can slow it down, but you're really not going to stop it.
[00:43:16] Right. And by the way, you know, I look at this and say I don't necessarily have to change everything in order to find a cool opportunity. The opportunity actually can be in a much smaller scale with a much smaller group to make it make a difference.
[00:43:31] And I can build great businesses in those spaces that are that are doing great work for customers. I don't have to change the whole system. I just have to think differently for enough of them that I build out a build out a business and do something really interesting.
[00:43:46] And that's the key thing for me is, is that we think in the big terms and then find small ways to make changes in the way we do things that create a competitive advantage.
[00:43:58] So there was one item that I wanted to get your opinion on since you hear so much because I'm very opinionated. I love it. You're fantastic. You're fantastic. You know, again, getting back to our friends in the Biden administration talking about hackback offensive cybersecurity.
[00:44:20] What are your thoughts on that? Absolutely. We're already doing it. Why don't we just talk about it? Like, does anybody actually believe that the US government does not have an offensive cyber capability? Oh, of course the government does. So now he's talking about private businesses.
[00:44:37] So as a private business. I, I see challenges with that. So I think it's an interesting intellectual exercise. By the way, we do have physical competition and offensive capabilities within business. Right? There are tactics and implementations that could be called, you know, that are
[00:45:05] offensive, not in the kind of way, but in the I am going out and being proactive about it, being proactive aggression against competitors is a thing. Anybody actually want to dispute that corporate spying doesn't happen? Because by the way, I've had a corporate spy on my show.
[00:45:24] Like he's talking about that. Right. So this is a version of that. Right. The the offense, private offensive version of that is allowed is a thing. Probably, you know, and so so I I'm not necessarily interested in that space as much.
[00:45:43] I tend to skew a little bit more toward the like, this is a reason why I don't like private militaries, because that's what the that's a service that the government delivers for us. So I'm inclined to believe that the right place for that offensive
[00:45:57] capability is with the government because it fits the same parallel. But at the same time, I'm going to acknowledge that I live in the real world and I know that there are offensive capabilities within large organizations. I would not be surprised if cyber is one of those.
[00:46:17] And so I'll look at it and sort of say, like, I think it's worth experimenting and understanding that and then having a good feedback loop with government to make sure that we define the rules of the road.
[00:46:31] I like you know, I always look and say, like, the government defines the rules of the game and let's have a good feedback loop there to make sure that we're not getting into bad areas. We've decided as society to not use certain kinds of weapons.
[00:46:45] The classic example is both chemical weapons, but also there's offensive laser weapons that can blind all attackers on a battlefield. You can shoot a laser out and blind everyone. And governments have come together and decided that that's not a technology we want
[00:47:02] to deploy in warfare because that we've decided that that's not something we're comfortable with. That's a feedback loop that creates those kinds of good decisions and decides what the rules of the road are. I'm looking for that feedback loop.
[00:47:17] So in a way, I'll sort of circle back around and say the fact that the Biden administration is talking about it means that they're injecting themselves into the feedback loop, which allows us to have open conversations about what that means. And that's fantastic.
[00:47:34] And with that, we're already at the hour here, Dave. So I wanted to give you a minute if there's anything you would like to advise our listeners of. You can plug anything you'd like.
[00:47:46] I appreciate that. I hope everyone takes a chance to listen to my show, The Business of Tech. It's on all your favorite podcast platforms. You can find all the links at businessof.tech. You get the sense of the way that I think about the world.
[00:47:59] I'm looking for ways that we can find interesting opportunities out of the things that are happening around us. And what are the challenges that we can help business owners with and build good businesses around doing that? So I'd love to have you reach out.
[00:48:15] I'm easy to find. I'm on LinkedIn all the time. That's the easiest platform to find me on. And all the links, again, at businessof.tech. Dave, you've been fantastic. And don't be a stranger around here. Drop in every once in a while.
[00:48:30] Say hello. I'll come out and be disruptive any time you need me to be. I'm always happy to show up. This was fantastic, and we really appreciate your time. And we'll put links to your show in our show notes. Awesome. Well, thanks for having me.
[00:48:44] This is great fun.