Brian Haugli, CEO of SideChannel, discusses the critical distinction between security debt and technical debt, emphasizing that while technical debt is a common challenge for CIOs, security debt is a more specific issue that often arises in startups. He explains that startups frequently prioritize speed to market over security, leading to vulnerabilities that accumulate as they defer compliance and security measures. This accumulation of security debt can hinder their growth and create significant risks, as they may lack the necessary security practices and awareness when they eventually need to address these issues.
Haugli highlights the role of managed service providers (MSPs) in helping their clients navigate these challenges. He argues that MSPs should not only provide technical support but also act as trusted advisors, guiding clients to understand the business implications of cybersecurity. By framing security as a means to unlock revenue and reduce friction in sales cycles, MSPs can help clients see the value in investing in cybersecurity measures. This approach positions MSPs as heroes in the eyes of their clients, as they provide essential business advice that can lead to increased revenue.
The conversation also touches on the evolving role of virtual Chief Information Security Officers (vCISOs) in the cybersecurity landscape. Haugli asserts that the demand for vCISOs is growing, particularly as regulations increasingly require organizations to have dedicated cybersecurity leadership. He emphasizes that vCISOs offer a cost-effective solution for smaller businesses that cannot afford a full-time CISO, providing them with strategic guidance and expertise to build robust security programs.
Finally, Haugli discusses the need for a national cybersecurity standard in the U.S. to address the patchwork of existing regulations. He argues that without enforceable standards, organizations will continue to struggle with compliance and security, leading to increased costs and confusion. By drawing parallels to other regulated industries, he advocates for greater accountability among software vendors and emphasizes the importance of compartmentalization in cybersecurity practices, which can help organizations mitigate risks and protect sensitive information.
[00:00:02] Security Debt vs. Technical Debt. What's the difference? Is the VCIO model taking off? What should we think about what's happening in the Pentagon? And more, as Brian Haugli joins me, he's the CEO of SideChannel on this bonus episode of The Business of Tech. This episode is supported by Comet Backup. Not all heroes wear capes. Some live among us, quietly saving businesses one help desk ticket at a time.
[00:00:29] Whether you're battling ransomware, hardware failure, or human error, Comet's powerful backup and recovery solutions put you in control. Manage all your backups in Comet's simple, centralized platform. Protect computers, servers, virtual environments, emails, and databases. When disaster strikes, be the hero your business needs. With Comet Backup, you're not just saving the data, you're saving the day. Comet Backup, for the everyday IT heroes. Visit cometbackup.com to start your free 30-day trial today.
[00:00:58] Get $100 free credit when you sign up with the promo code MSPRADIO. Comet Backup, be the hero, save the day. Well, Brian, welcome to the show. Thanks for having me, dude. So you made a couple of statements that were the reason I really wanted to talk to you. And you were talking about the idea of security debt versus technical debt. First off, you differentiate that there's a difference between the two, which I thought was interesting. And I'd like you to tell me a little bit more.
[00:01:25] And then leading into, you've said that startups are drowning in security debt. So talk to me a little bit about the concept, unpack it, and talk to me about what that problem is. Sure. Well, I mean, those two things are as different as a CIO is from the CISO, right? Technical debt, I believe, is what every CIO is straddled with, whether you're an enterprise or you're CTO slash CIO at a startup and getting things going.
[00:01:54] Security debt is a subset of that technical debt. Although there are aspects of security debt that happen well outside the CIO's realm, right? Business decisions inform security decisions or indecision, which creates a vulnerability. So, you know, especially in the startup space, you're trying to move fast. You're trying to move to market. You're trying to sell. You're trying to get, you know, the first logos.
[00:02:17] You might not be building in security or actually looking at all the things that a regulation might need to be in compliance. So you can put those off to, well, you know what, we're going to tackle that when we go for Series A or maybe Series B. I've seen startups do that. And you start building debt, right? You start building that security debt, which is bad because you're kind of mortgaging the future.
[00:02:40] But you're also not actually building that muscle memory to start addressing those types of vulnerabilities and that cybersecurity, you know, concept from day one. And then you have to adopt it later after you've adopted all these other things. And then you get to the point where you're like, well, we've always done it this way or now we've always done it. We can't do it securely now because we've never done it before. And then you find yourself in a pretty bad spot. So, yeah, there's a difference. And it's a very real thing. So let's make this concrete for one step down the chain, right?
[00:03:10] So because you've implied in there in startups and that definitely implies the people that are building tools and building software. But we're talking to managed services providers and we're thinking about their clients, which are either the implementers or the users of these. I mean, I can oversimplify this and sort of warn of like, well, you should just stay away from anybody in their Series A or Series B, right? Because they're too early. Like that's kind of an oversimplification.
[00:03:31] But how do we make that perspective real for those that are trying to make decisions about tool sets and those SMBs that are implementing technology? Right. Well, so Series A and B is never too early. We've helped a lot. I've also worked with Series A's that have raised 40 million and their Series B is 100 million. So some of them are smaller, some of them are bigger. The way that I always kind of couch how an MSP or any service provider that we're working with can help their clients.
[00:04:01] And our position is how can I help you help your clients, right? Is think about how you can help that client unlock revenue, right? If I'm a solid MSP, I'm not just sitting there providing the technical capabilities. I'm trying to actually provide aligned business capabilities and concepts. And one of those in the security space is if you don't address cybersecurity, it's going to create friction in your sales cycle.
[00:04:29] You're inevitably going to have a customer or customers that are going to hit you with a slew of questions about your security posture. And if you're that end client going, well, I don't think my MSP does that, that customer is going to pause. They're going to step back. And it's going to keep them from spending money with that client. It's not going to – that revenue is going to be locked up until that security concern by that customer is addressed.
[00:04:55] So we're always working with MSPs and they're white labeling us or they're referring us into their clients to help those clients unlock it. And what's great for those MSPs is now in the eyes of that client, of their client, they are this hero, right? They weren't just providing eyes on glass. They weren't just providing 24 by 7 NOC or SOC or whatever.
[00:05:17] They were providing business advice to address a very real problem to help that client at the end unlock a revenue stream in some way. That's – I mean, that's huge. And that's where I see MSPs really playing. And they're that amazing position where they are a trusted advisor. And they can kind of play more to that by seeing that – and kind of changing the conversation.
[00:05:43] Don't do this – address this security concern because it's security and hackers. Somebody – there's a regulation out there. There's a customer. There's a possible investor that is holding money back from spending with you. Help them see that that's the business reason that they need to address cybersecurity. If you can couple – it's an obvious push. The most like – I don't know.
[00:06:11] Altruistic way to look at it is it's the right thing to do, right? Like you should be secure. You should build secure. But security costs money, right? So that end client has to make a decision. Do I spend more on another sales guy to drive revenue or do I address this security concern and just address it as an expense? But if you can shape that narrative where you're combining those two – hey, we're going to unlock revenue and address a security concern.
[00:06:36] You're going to see a lot more people raising their hand in your client base willing to hear you out and see what other services you can do to help them and potentially other clients. All right. So I agree 100% on the premise of linking to top-line revenue. That's the obvious bit. And I want technology to be an enabler of that. Where I'm going to ask for a little bit – I'm going to push back and say I want a little bit more is, yeah, security isn't that. Like in most cases.
[00:07:05] You can definitely make a case for, hey, I must comply with the law. Like that I will do. But generally beyond that, it's been my experience that customers are much more happy to buy things that grow the business through more selling, more growth than they are to spend money, which often falls into an administrative expense. Like you're right. I mean security just costs money, right? And it doesn't necessarily tie back.
[00:07:34] So I'm going to kind of ask you, like talk to me a little bit about how you're tying security spend to revenue. Sure. I mean on the regulation side, that one's easy. I mean we work with a lot of health tech startups, right? You don't follow HIPAA. You're not selling into healthcare. Like forget about regulatory like fines and figuring out if you look good in orange. Like really just, you know, hone in on can you sell to the sector based on the regulations that they're held to?
[00:08:02] Finance has their regulations. OT has safety regulations. You know, there's, you know, education has theirs. There's a plenty of sectors that we now exist in and it's going to just continue to grow where it's not just the core business that that larger entity that is in that sector needs to comply. Their vendor supply chain now needs to comply as well.
[00:08:26] So that drives a conversation from those larger entities, those clients of those MSPs that want to sell into those larger entities. They have to now show that they can comply living inside that vendor ecosystem and that supply chain. And if they can't, that larger company is going to find a different vendor.
[00:08:46] So right there for us, like that whole conversation usually is like light bulbs for folks on, okay, I need to have security as part of my operations. I have to bake it into my costs. I can't just be like, ah, I'd rather spend over here and not do this. It's become table stakes.
[00:09:06] On the flip side, you know, if you're taking regulation just away, you are getting more and more organizations that are building their own third party vendor risk management programs where they are just playing out just assessing their vendor supply chains. Whether it's hardware or software or whatever it is you're buying, even digging into things like combating business email compromise, right?
[00:09:33] Where it's a simple thing, but it's costing billions of dollars across the way, right? Bad guys get into a CFO's email or get into the email chain in between procurement groups. And now suddenly the money that's owed somewhere is now wired to, you know, some bank in China.
[00:09:51] And so you've got these larger customers that are in their due diligence of their vendors are, hey, do we want to make sure we have the right processes in place so that we can't just haphazardly change a bank account routing number via an email, right? I mean, those are, that's a security concern that's coming into play.
[00:10:10] And then obviously just the data connection, larger company wants smaller company because they have a niche capability to provide either access into their infrastructure to support them somehow or do something with their data. That requires a level of security that now these larger entities are really honing in on because they're like, whoa, I don't want to just let anybody in here.
[00:10:30] Like, I love what you guys are doing company X, but I need to know that you're going to securely be able to access my infrastructure or manage the data that I'm giving you securely so it doesn't get out of hand. Because if it does, now I've got a cost on my standpoint. So these TPRMs, these third-party risk management programs are becoming more and more, and that's driving the need for security by the smaller businesses. And those smaller businesses are predominantly looking at MSPs and MSSPs for their support because they can't do IT in-house.
[00:11:00] Now, there sounds like, it seems to me like there's still a disconnect here because what you're talking about is a lot of process management, right? Like being good at process management. Yet oftentimes when we have the cybersecurity conversation, it's about tools, right? So talk to me a little bit about the disconnect here and why, you know, I would sort of argue that the industry is a little bit out of alignment. You know, what say you? Like what's going on here in terms of that this is a process problem that everybody, every cybersecurity vendor wants to talk about selling tools?
[00:11:30] Well, it's because, you know, the tool vendors want to sell tools because that's what they sell. But the reality is cybersecurity is not an IT risk. It's a business risk, plain and simple. It needs to be at larger enterprises have started adopting that concept. And that's we're seeing it now move down market. One of our hallmark sayings with SideChannel, you know, with clients is because we've, you know, we've just turned clients away or we've, you know, you just never make that connection. Sometimes it's like, listen.
[00:12:00] Listen, we don't actually sell cybersecurity. You either believe it's a risk or you don't. That statement has nothing to do with technology. Absolutely nothing to do with technology. You can't hone in on just, is it just people? Is it process? Is it tech? It's all of these things. But really, at the end of the day is it is a risk decision that the business has to make. If the business owner and the CEO says in their health tech company that they want to roll the dice and not follow HIPAA for a little while, that's on them.
[00:12:30] Good luck. You know, they can make that risk versus reward decision. Would I do that? No. Have I seen others do it? Yep, sure have. And I've kind of laughed at some CEOs when they've like, oh, I'm a startup and we're building this app that's going to help, you know, college students with mental health problems. Like, oh, so how are we protecting and following HIPAA? Well, we're not really ready to follow that yet. What are you talking about? Like, how? You can't think that way. But some people do. They want to roll the dice. It's a business decision.
[00:12:59] It's not just tech. I think tech's the easy thing to point to because it's kind of obvious and cyber grew out of IT, just like IT grew out of telecom. But it's now matured where it's got a seat at the table or it's starting to get more of a seat at the table. Boards are talking about it, right? And boards aren't asking for technical details. They're not looking at the CIO to tell them about this. They're looking at risk managers to discuss, you know, cyber as a risk to the business.
[00:13:29] We'll be right back after this message. With every new breach and threat that I cover, it's clear that cybersecurity isn't a luxury anymore. It's a necessity. That's where Huntress comes in. Their fully managed cybersecurity platform is built for every kind of business, not just the 1%. Huntress seamlessly integrates their products and threat hunting team.
[00:13:53] Their EDR, ITDR, SIEM, and security awareness training solutions are purposely built for their elite 24x7 security operations center to stop threats before anyone else even spots them. This potent combination of purpose-built cybersecurity and threat hunting expertise is one of the many reasons why G2 users have voted Huntress the number one rated EDR for growing businesses.
[00:14:19] To see what people-powered cybersecurity looks like, visit Huntress.com slash MSP Radio. And we're back. Well, I think that leads us then to the virtual CISO model, right? Where the idea of this at a fractional level. Like, talk to me a little bit about where you think this trend is, how it's evolving, and how valuable or relevant a virtual CISO is. Yeah, so, I mean, I might be a little biased, but I believe it's very valid.
[00:14:48] So, SideChannel right now is the largest vCISO provider in North America. I started the concept of the company and our approach, and we weren't the first ones to do it by any means. But I think our approach is very unique and very different with subscription services and kind of former CISOs as our vCISOs. And that's where that comes down. The vCISO role for it to be impactful and properly done, experience matters, right?
[00:15:17] When you look at the Fortune 50, the Fortune 100, Fortune 500, they're hiring people who generally aren't a CISO for the first time. They've kind of already proven themselves. You want that experience. You want somebody who has an executive presence. It's not just a technical person, somebody who can have a business conversation. And what's interesting is the risks and the threats that exist in the Fortune 500 are actually pretty much the same as you go downstream, okay?
[00:15:45] You look in the U.S., there's, you know, yeah, there's 500 companies in the Fortune 500, but there's 9 million companies in the U.S. period. So, who's helping the 9 million? So, there's a need for cost-effective, strategic cybersecurity leadership. And I just don't see it going away. You see this backed up not just by market demand.
[00:16:06] I mean, we've got a slew of competitors, but we've also built a platform that we sell to MSPs, MSSPs, other vCISOs that use it to do client management assessments and all that. And we just see this gigantic kind of surge in that need because it's being asked for. But I think the real telltale is the regulations and the laws that are coming out are actually allowing for the vCISO to exist. They're not just saying, oh, you need a CISO, right?
[00:16:32] Or you need, quote, used to it, you just, quote, unquote, need somebody to be responsible for cybersecurity. New York State DFS Part 500, any financial institution in the United States that's operating generally has to follow NYS 500. It states right in there, you need somebody at the helm that needs to be a CISO or can be a third-party virtual CISO. SEC calls out the need for a named individual and allows for that fractional.
[00:17:01] And the reality is, look, starting salary for somebody like me as a full-time CISO is $500,000, $600,000 a year. That's not financially feasible for just about everybody outside the Fortune 500. And even if it was, is that what you want to spend your budget on? It doesn't make sense.
[00:17:19] So the vCISO role, the fractional CISO role, when done right, becomes a very, very cost-effective means to get access to that strategic leadership, build and manage that program, run everything you get out of somebody who, if they were your full-time CISO, they're going to execute on that same job, but at a fraction of the price. So doesn't this hinge on government regulators making sure that the laws they put in place are enforced and have teeth?
[00:17:47] Like, doesn't this all require that level of investment from the regulators for this to really matter? I mean, that would be for any law, right? I mean, look at, you know, I always use the example for speeding on a street, right? If it says, if it's posted 25 miles an hour and the cops aren't pulling anybody over for, you know, anything over or under, you know, 35, the speed limit on that street is 35 miles an hour now.
[00:18:16] Now, you've got to create laws that do have teeth, that do have an impact, are enforceable, but also fair, right? And generally, they're set to kind of make an example of the first few. And then everyone says, okay, cool, we're going to follow that now. The U.S. still doesn't have a national standard on cybersecurity. You know, we have privacy standards now in what, 30 something of the 50 states, and that's showing to be a nightmare. We have some cybersecurity standards at state levels.
[00:18:45] We have a few that are sector-based. But the U.S. lacks a national standard. And I've been advocating for some level of national standard for a very, very long time. Look, in 2014, Obama signed an EO, I forget the name of it, that created the NIST cybersecurity framework, which was supposed to be the standard that was adopted by, you know, folks.
[00:19:08] Now, SEC's adopted it, NYDFS adopted it, others have adopted it, but we still don't have an enforceable standard at a national level. And that's something I think we need to address. You know, we have seatbelt regulations in cars, right? We have, you know, green initiatives and all this other stuff for just about everything else around us.
[00:19:28] But for the technology that we all depend on, I mean, even this podcast, the laptops that I'm using, everything, we don't have a security standard for that. So, you know, who it falls to? I don't know. CISA, you know, adopt something like the FDA did. DHS, you know, I don't know. But I think until we solve for that, we're going to continually keep playing this kind of patchwork.
[00:19:57] Well, I have to follow this one, but not that. So, or, oh my God, I have to follow these three different things. Which ones do I do? What's the overlap? It causes confusion in the marketplace. And that event, that confusion causes the costs to go up. It's like, great, I got to follow three different regulations. Oh my God. Like most people have already enough time following one. So, yeah, I would love to see the U.S. adopt and kind of move towards a standard.
[00:20:21] I think it would be incredibly impactful and a huge benefit to really just kind of all civil society that we have in the U.S. today. So you and I are simpatico on this one. So it has two obvious follow-up questions. The first is, like, what do you think about software development companies having to have some manufacturer requirements around it? It feels like, you know, if you mentioned seatbelts, right? If a seatbelt fail or safety device isn't installed in a car, the manufacturer is liable.
[00:20:49] But software vendors can kind of throw out defective software all they want and not really have any liability. Like, what's your take on their role in the liability chain? Yeah. I mean, until a product is regulated, you know, to a safety standard, how can there be any acceptance by the populace that it's safe? I mean, we do it with food. We do it with cars. We do it with everything else. I think that's what they were trying to do with the SBOM, right? The whole software bill of materials.
[00:21:18] Tell me what's in this thing, right? We have ingredients. I don't have any food with me right here. But, like, we have an ingredients list on the back of, you know, everything that we eat. So you know, okay, this is what's in it. Oh, I'm allergic to that. Can't eat this. Good to know. Same thing with software. Produce the list of what it is. Let and make sure that the buyers are fully aware. Be very transparent. What version of that software do you have in there that you're using? Because software today is built on other software.
[00:21:46] Are you using a vulnerable version? Are you using, you know, an unsupported version? Are you sure you're actually using the right version of the thing that you think you got? Or is it a, you know, a knockoff? So something like that, you know, and you're not going to see it get adopted until I think a regulation actually stipulates that it has to be produced. Because, you know, until, you know, while it's voluntary, it's just not going to be followed. Kudos to the companies out there that push that, right?
[00:22:15] I think that kind of forward thinking is good. That type of transparency is great. Those are companies we should be applauding and giving our business to first and foremost. But, you know, not everybody's there. So the second follow-up question that I think is kind of the obvious one is I've been covering some of the information disclosures going on coming out of the Pentagon, right? And if we look at what Secretary Hegseth has done with information security, that feels like that would be the ultimate extreme of cybersecurity and information management.
[00:22:43] How would you think about the enforcement of those kinds of rules? Like how seriously should cybersecurity people take that case ongoing? And does it have implications ongoing with the way that we deliver cyber to customers? DoD is like a whole other beast. You know, I worked in Pentagon for years to the end of Obama's administration. DoD has its own standards.
[00:23:13] The intelligence community has its own standards. Obviously, those need to be followed. I'll also, you know, understand that mistakes are made. Nobody's perfect. Willful, you know, misconduct. That's a whole other ball of wax. But, you know, when you've got leadership in these organizations making decisions, they're setting the tone for how they want their organization to run. Maybe that's how they want their organization to run. I don't know.
[00:23:42] I'm not in Pete's inner circle, right? I can't say that. But when leaders make those decisions, they're setting their standard and they're saying, this is what I'm comfortable with from a risk decision. This is how I'm going to operate because I need to move fast or I need to do whatever. Now, if it's breaking the law to move fast, you've got to take that up with the lawyers and you've got to take that up with the judge when you get in front of them. But if it's not illegal, right? You're dancing that well. Is it unethical and immoral?
[00:24:11] Was it just wrong business practice? That's for the business leaders to decide. So when I look at, you know, the folks, you know, in that group and, you know, hey, you inadvertently added a journalist or maybe you purposely, you know, did it or what's coming out is, you know, did somebody in his inner staff purposely do this and, you know, create some kind of chaos that, you know, was who knows? We'll see how it comes out. But you also have to look at the timing, right?
[00:24:41] Like, I mean, I look at that example exactly. It's like, okay, so bad practice. If there's any other information, could it be construed as bad? But realistically, what's the damage done? You know, like it was happening, right? Those whole conversations were happening and a journalist got a hold of them and reports on all this stuff after the fact. Okay. Like we already went to Yemen. We did the thing. We came back. It's over. You know, we're talking about something in the past.
[00:25:10] If you continue to do something like that, that's probably something that's got to be taken up and that's bad. But, you know, like I said, I don't, not my bag anymore. I knew you had experience there, so I wanted to get your take on that. As we sort of wrap up our time here, I want to make it a little, you know, you've worked in some of these most secure environments on earth. Like what are the elements of that world that you think people, the MSPs in particular should be applying to their private sector work? Compartmentalization.
[00:25:41] I struggle in conversations with clients when they just, a lot of people believe that everybody's good. And I applaud that type of thinking. I want to believe that people are inherently good. But you will have good people that do stupid things. You will have good people that, for whatever reason, will turn and do evil things. And you will have bad people do bad things.
[00:26:08] You have to realize that those three other personas exist in an organization. And a lot of leaders believe that what they are themselves as an employee of their company is being represented by all other employees. And then they will not, they will just allow unfettered access to data, infrastructure, information, content, discussions.
[00:26:32] And the thing that I loved about, you know, working in the DOD was the ability and the need to compartmentalize conversations and programs and systems and groups from each other so that if something went wrong, inadvertently or purposely, in one area, it did not take out everything else. And that is just not something that we see a lot of in most organizations.
[00:26:58] I'll say probably the only place I've ever really seen it is like clinical trial R&D types of, you know, research in healthcare. Outside of that, not a lot. And when I kind of pulled the string back on, you know, why did that breach happen? Why did that incident happen? Why are we having a discussion at 2 o'clock in the morning with the board of directors?
[00:27:20] It inevitably comes back to some level of lack of compartmentalization, whether it's within the systems or the people or the communications themselves. Well, that gives us something to work on directly. Well, Brian Haugli is the CEO of SideChannel, a cybersecurity firm helping SMBs and mid-market companies build pragmatic security programs. With over 20 years of experience spanning the Department of Defense, Fortune 1000s, and now the startup space, he's a leading advocate for lean, effective cybersecurity without the enterprise bloat.
[00:27:49] Brian, if people are interested in getting in touch, what's the best way to do that? Yeah, you can find us on sidechannel.com. That's our main website. Or you can follow me on LinkedIn. I love putting content out and would love any kind of comments or feedback. Well, thank you so much for joining me today. Thank you, Dave. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech.
[00:28:14] If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too. If you want to support the show, visit patreon.com slash MSP Radio and you'll get access to content early. Or buy our Why Do We Care merch at businessof.tech. Have a question you want answered?
[00:28:37] We take listener questions, send them in, ideally as a voice memo or video to question at MSP Radio.com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn. If you've got a comment or a thought on a story, put it in the comments if you're on YouTube or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit MSP Radio.com slash engage. Once again, thanks for listening and I will talk to you again on our next episode.