About the Episode
Meet Cyber Security expert, Eric Cole. Eric joins us today to share his experience in the Cyber field and how he has conquered it. Learn how his work with the CIA, Fortune 500 companies, and top international banks have contributed to his expertise and passion.
About the Guest
With more than 30 years of network security experience, Dr. Eric Cole is a distinguished cybersecurity expert and keynote speaker who helps organizations curtail the risk of cyber-threats. Dr. Cole has worked with a variety of clients ranging from Fortune 500 companies, to top international banks to the CIA. He has been the featured speaker at many security events and also has been interviewed by several chief media outlets such as CNN, CBS News, FOX News, and 60 Minutes.
Listen to the podcast here
Watch the episode here
Before we even start, I’m going to tell you and I tell you all the time. I need your help and I’m asking for your help to join me in impacting more people. We don’t promote the show, we don’t take on sponsors, the only way we grow, the only way we keep helping more people is if you share this out and today you’re especially going to want to because my guest is in my field of cybersecurity and what’s even better is this dude has more than 30 years of experience. He’s got like a decade longer experience than me. I’m really excited to talk to him and pick his brain. He’s an expert cybersecurity guy keynote speaker, he’s featured on CNN, CBS, Fox News and one I haven’t done which is 60 minutes, his clients range from Fortune 500 companies to international banks to the CIA and I think the guy was even part of it. At one point, whereas I was just trained by them as a civilian I say that all the time and elicitation and surveillance, just some little tradecraft is where I was trading to as a contractor, you know, because I had a private security company, but this dude was in the agency, it’s awesome Dr Eric Cole, welcome to the show.
Thank you for having me. It’s a pleasure to be here.
Did I do you justice with your intro, my man.
I think you did but to me, I’m like a bio as a bio. Yeah, you’ll get to judge over the next 55 minutes whether I really live up to it or not, right, to me it’s about knowledge and experience and lessons learned that the bio doesn’t mean a whole lot if you can’t back it up.
That’s a good point before we dive in, that’s actually a really good tangent to go on because you know I have a branding company that I work with I have in the past and even some coaches and they always say hey you have to have this stuff in your bio because these are I was talking about this with my team too, these are authority statements, right because of things that you’ve done to, but really it’s to capture people’s attention right to say “Hey, I do have something to say that you will want to hear,” Then like you said you can be the judge after the head if that works, but we still got to capture their attention upfront, that’s the same in business too, right, when you talk to a prospect?
Yeah, I haven’t actually learned this from briefing some presidents, I call it my 90 second rule and my 90 second rule is when you first meet somebody, if you can’t address their question impress them. Give them solution and show them that you’re right person in 90 seconds, you’re not going to get the gig, you’re not going to get the job because when you’re talking about executives and people today there’s so much noise and cyber, they don’t have a big attention span so to me if you don’t have your 90 second pitch down. That’s what you have to work on because if you ramble on for three or four minutes, they always say it’s all about the first impression, and that is so true.
Boom. Man, I wish I had like a button or something like that because here we are like one minute into the show and you’re all already just bringing value that’s amazing. Let’s buckle up everybody with Dr. Eric Cole, right, my man. That’s incredible. I love how you’re, you have that perspective that I’ve never heard before. I’m assuming that’s your thing that you created the 90 second rule that’s awesome man.
Yeah, when you talk about very very busy people whether it’s executive CEOs presidents and people like that, they have very specific questions. They have very specific responses they want and they have a very short attention span so yeah I’ve learned you have to be able to impress, get the message and provide value very quickly and to me, one of the phrases that I think is so dangerous that we all grew up with is the phrase treat people the way you want to be treated, that’s garbage because guess what, we’re different. So if I go in and I treat you the way I want to be treated. That’s not going to meet your needs so my phrase that I always tell everyone is treat people the way they want to be treated. Find out who you’re talking to, find out what’s important to them, find out what resonates with them, and then you adapt how you speak to their language, so they can get value out of the conversation.
That’s amazing man and I’m going to call something out about our conversation right now, too, and about you and compliment you on this, is I get the same compliment a lot because I’ll start talking the same way you do and I do I’m super impressed because you’re extremely well spoken, and I look at you and it’s like wow, a cybersecurity expert and now I’m on the other side because I get the same things, saying that but it’s more of it’s like, “Wait, you’re you’re in cyber? You know tech stuff but you don’t speak like that’s what you do.” is like “You talk like a human, like a real human being?” You’re the same way man and I think this is something that people in our field need to understand and pick up on too. Are these real types of conversations, you know, you’ve reached a couple of presidents That’s awesome man I’m actually, I’m very much looking up to you right now, as a sort of a mentored, like position in my life to because I haven’t briefed the President, I’ve briefed the Secretary of Defense, the Deputy Secretary of Defense and the Secretary of War Room, you know, at the White House that was an amazing experience for me on AI and border security from a cyber perspective, specifically around human trafficking, but those conversations cannot be techie, because in that room that I was in man, I had CSOs from the CIA, the NSA DHS all lining up the walls of this room that I was in here I was at the foot of the table with the deputy, Deputy Secretary defensive, the head of the table, and the two owners of the AI company to my left and two special forces guys to my right awhen I was hearing the CSOs talk, they were going into all this technical stuff. Right and I’m sitting there and I’m hearing them. I’m like you know I raised my hand right and the deputy secretary is laughing he’s like “Rick, what would you like to say?” I’m just a guy. I’m just a guy that goes on ABC, NBC, CBS, FOX global media, I talk about cybersecurity, like Harvard NASDAQ you know all these places and here’s what I see and I went into a very human explanation of what was going on with the situation about these cargo crates these shipping containers of kids coming in across our borders, and half of them being dead when they get here because they’re going to be trafficked, and that that’s the stuff we were trying to put AI in place with drones and everything else to try to solve one of these problems, you know in in game this contract and it was just incredible the conversation that we had because it shut up the technical guys in the room, and instead of focusing on the technology we focused on human beings, and that’s why I commend you for having that perspective to man.
You’re spot on yeah you got to relate as a human, before you bring in the tacky and I just tying off what you said to me most technology and cybersecurity startups and companies fail, not because of the technology, not because of funding, but because nobody in the company can communicate in English to people that are gonna fund them, or sell their products so if there’s anyone that’s starting companies, you got to be able to communicate and relate to other people, because they don’t care about how smart you are and how much technical mumbo jumbo you can spew out within a short period of time.
No doubt my man, when I was on Bloomberg two months ago for the big Kasaya breach I was on twice in one day on Bloomberg Radio Bloomberg Business Radio, and back to my publicist, that he came back and said by far best tech guy I’ve ever talked to, and they let a three minute segment go nine minutes that’s a long time for any site, you know. Yeah, exactly. You know how long typical radio and TV segments are right there three to four minutes on average, you know, so for one to let it go nine minutes because of the engaging conversation that we’re having is just almost unheard of, especially on something like Bloomberg.
That’s what we’re talking about because you and I are trying to bring, and this isn’t for everyone listening to man, this isn’t us like touting what we can do this is a teaching moment, I feel for everybody that’s listening and if you can listen to Eric and I, right now, Especially if you’re in this field or any field, understand that you have to have the real human conversation because people don’t care about features so much, they don’t care about checking off little boxes on things they care about, what, what it’s going to do for them the outcome that it’s going to bring, and that you’re an actual human being and according to Eric, you have to establish that in the first 90 seconds
Yeah, and building on that is, to me, if you’re going to go in and either get funding for your company or sell your product or solution. People spend money if you go fundamental on two things, pain and pleasure. Unless you’re opening up something in Vegas, we’re probably going to go the pleasure route of cybersecurity more on the pain route. So as you said you need to be able to say, what is their pain. And why can you solve it better than anyone else and if you can go in and we go up against I mean the really big consulting firms, and we’re fairly small and we beat about all the time and the reason I’ll let you in on the secret is because we go in and research what our customers pain points are, we know what our competitors offer, and then we know how to alleviate that pain better, cheaper and faster than any of our competitors, and that’s how we win most of our gigs,
That’s amazing man. I want to hear more about you dude because obviously you know I know where I was 20 years ago and I couldn’t speak this well. I couldn’t do what I’m doing today right. It’s been a journey. Where were you, what were you like 30 years ago, do you have 30 years of experience in this, what were you like then man? You’re bringing the fire today, dude.
I always, always sort of had a high level of energy on it and I didn’t know about it 30 years ago, but it was only probably in the last seven or eight years that I finally really tapped into my purpose, and I know it sounds a little audacious but to me I believe I’m on this planet, to secure cyberspace, it base like you to end suffering in cyberspace cyber is the new method of communication is where we live and spend our lives, and there’s so many people that are getting broken into kids family money, other things and there’s so much pain out there that it doesn’t have to be that way so I’ve sort of always been trying to make cyberspace safe but yeah 30 years ago, as you mentioned, I was an employee at the CIA and a professional hacker, for many many years basically breaking into anything with a computer and a few things that didn’t have computers, but it was all about understanding and identifying the vulnerabilities and after working at the CIA I sort of learned two things: one, offense is boring, you can always break in and that’s when I said US defense, defense doesn’t have to be as hard as we make it out to be, it is, we tend to make it a lot more complicated than it needs to and then the second thing I learned is I don’t work well with others. I don’t like having a boss, so I went and started my own company but I knew when I left the CIA that I didn’t have the business accolades.
So, my first company I was 27 years old, and my three other partners were 53, 62 and 68, because they bought so many businesses, I didn’t. I had the technical ideas, but I needed their business experience so you always want to go in and find people that have what you don’t know and that are smarter than you and your weakest areas, and then team up with them. So that’s to me the key to success and then from there I bought and sold multiple companies over the years but it’s always, what is my weakness. What am I not strong at and who is better at that or the expert and then team up with other people to get to where you want to go quicker and faster.
Man, I love that that’s your you’re lifting me up today dude and I say that a lot with a lot of things but this is incredible. Yeah, well, maybe we’ll go two hours. We’ll make this Rogan style today right. I wish we could do that but, I mean we’re what, 10 minutes in something like that I’m already thinking we might have to have an episode to have this to do when you were at the CIA what area of the CIA were you in with the agency because there’s well you know there’s so many different areas, myself, I was only trained in elicitation and surveillance and I say only because I’ve also had a private security agency to I’m talking guns and guards high value asset protection. So when it comes to cyber I love blending those two together, and a focus in almost like a natural affinity of mine now is even insider threats from a threat actor profile, because everything begins and ends with humans. That’s one thing that I teach all the time, and what areas of the agency were you working in besides the hacking because I see the year what internet program team right what is, what does that mean?
Yes, so I was in the technical services sort of where the geeks are and to me, it was one of those things that I still remember it, it was a life changing moment, if you’ve ever seen any Tom Clancy movies where they go over the CIA, there’s something called the bubble where it looks like a bubble, and it’s an auditorium that I think houses around three to 4000 people.
You’re talking at the farm, right?
Exactly. Yeah, so, so they, they go to the torium there so where we had an all hands meeting of our Directorate there. This is the early 90s, and they’re talking about this new thing called the internet and how they’re going to roll it out and how they’re going to put it in place and I remember sitting there, and I had a question so I raised my hand and my boss, who’s in the front row happens to look back, she starts going like this. Now I thought she was waving to me, but she was like you do not ask questions at these events I was young, a little naive you could maybe argue a little stupid now and I’m like, neither question I’m gonna ask it.
That’s like me in the White house.
Exactly. But but but it changed everything and I always encourage people, one of my favorite, favorite phrases is smart people know the right answer, brilliant people ask the right questions right so many techies, they want to be the smartest person in the room by answering everything, but to me the smartest person in the room asked the questions, so I asked a simple question, that changed my life and that was this. How do we know these systems are secure? We’re putting all these things out on this internet which is new, we don’t really know what it is. It was right before the World Wide Web was invented and how do we know it’s secure enough?
Well, what I didn’t realize was that the government. If you ask a question that nobody knows the answer to, you are voluntary to solve it. So they were like “Ok, Eric, game on!” To figure it out, I figured they had some mathematical formulas. So I went and talked to scientists that NIST and NSA and DOJ and all those and what I realized is, there’s no way to prove a system is secure. The only thing you can do is test, verify and try to break in, which is whether Ethical Hacking pentesting whatever term you want to use. So that really brought me on the journey of okay, how do we break into systems, how do we find vulnerabilities and build out a methodology where you basically systematically can go in and identify any vulnerability in any system, and then use that to prioritize and ultimately fix it.
That’s incredible, and I like how you explain this too because I’ll say it is that there is no such thing as a completely secure system, you know, it’s almost like you have a relative comfortability with the amount of defense and offensive procedures and tools that you have in place to make you breathe a little easier, but there’s nothing that, that says okay you’re impenetrable at this point unless you literally pull the plug from the wall that’s the only way that you’re actually impenetrable at that point, with the exception of course of even insider threats. So there’s that part two. Yes, but I appreciate your perspective on that man but that you were saying, you know, there’s all these ways that you can do this to test the hardness of a system, how much it’s been hardened, but there’s still holes, you’re always gonna find holes.
That’s a big thing because there’s still executives out there that believe if they spend enough money that they can be a 100% secure executive a couple months ago “He’s like Eric. I’ll give you all this money, but you have to guarantee that will be 100% secure,” I said, “Absolutely, piece of cake,” “We’re relocating you to Pennsylvania, and you’re going to hire Amish people, because the last time I checked, you can’t hack a horse and buggy and a candle, right. So, if you want to be 100% secure from computer attacks, give up your cell phone, give up your computers, give up your tack.”
As you said I have a chart, and it’s a simple chart 100% Security equals zero functionality, and that’s where I’ve come up with what I call the law cybersecurity, just like the law of gravity, it’s always at play, and the law of cybersecurity is this: Whenever you add functionality you decrease security. So what you need to do is make sure that when you’re adding functionality you say what is the risk and exposure, and make sure the functionality justifies the risk, but as you said, if there’s functionality, you’re not 100% secure and we need to balance, mitigate and manage the risk, because you’ll never ever be able to completely eliminate it.
For sure and when you reduce functionality. This is also where the human element comes into cybersecurity too because if you, if you have that out of balance like you’re talking the amount of security surpasses the functionality. Now you have pissed off people because they can’t, they can’t do their job. Right, that’s such a it’s interesting because it’s very it’s a cycle of the people that play this game, Right, which you’re one of them. It’s a psychological game really more than anything else, you know because understanding that you’re trying to allow people to do their jobs and to accomplish even a mission, you know, even if it’s a nonprofit trying to save lives with whatever they’re doing, but at the same time trying to make sure that they’re secure, you know, because think about a power grid or some kind of critical infrastructure, right? There has to be people that are able to function in the systems that have to operate a certain way to provide power, or like the Colonial Pipeline or something like that, right, and everyone’s freaking out when this stuff happens, it’s like, I don’t know if it’s you, man.
But when this stuff happens like, “Okay, I knew that.” Like the T-Mobile breach I did a story on my Instagram, when that happened just a few months ago, and I was saying, you know, this is great. “Here’s what I’m going to tell you, T Mobile got hacked. There was a breach, right?”Then I go, “So what? In your youth if you think that your stuff wasn’t on the dark web to begin with, you have a wake up call, but here’s what you need to do. I always say that you know this is to consumers as an audience right, freeze your credit reports that way nobody can open an account in your name or at least it makes it extremely difficult to and the second just change your frickin passwords. I mean that that’s it, that’s the first two steps and then if you want to go deeper we can have a conversation but hey guess what, wake up call another company was breached Whoopty doo because your stuff is out there already.
Yeah, you’re spot on, and I have some these world class security engineers experts that have been doing it for like eight or 10 years they get mad at me because I go and I go listen. The golden rule of cybersecurity is if cybersecurity negatively impacts the business cybersecurity is wrong. You are wrong, you cannot negatively impact the business and to me, world class security people figure out how to put solutions in place that enable the business to be successful, like, well one of the things that drives me crazy. To me it’s just small minded people where they’ll go, “Okay, you can have functionality. You can have security, or you can have performance pick one,” and I’m like, “No! I want all three!”
Raising it just drives me crazy. You can have your cake, or you can eat it too. I’m like, why would you buy a cake if you can’t eat it, I mean that’s a stupid, so I mean I if I’m going to buy a cheesecake, that’s my favorite, I’m eating the cake right so we come up with these crazy phrases and I’m like, “Why can’t you do all three?” We spend all the time with our clients delivering functionality, performance and security. So, we sometimes get these phrases that people just sort of made up, and then we think they’re cool when we say them, but they’re actually limiting your career, limiting your potential and limiting your ability to solve your customers’ problems.
Hey man, I’m with you man on that man I love it, you’re still bringing the fire we’re 20 minutes in this is awesome. I’m going to tell you a story here and I want your take on this too right so I picked up my phone here, and I love that small paper of my youngest son and I when we were at Disney World, a few years ago the first trip he came with me alone and flew by himself on an airplane, it was awesome, you know, all my kids started flying by themselves when they were really young when I was when I was filming that there’s a documentary that’s going to be released, it’s a sequel I was in a cybercrime documentary a few years ago, and we started filming the sequel, right before the pandemic hit. So it was like January to the new people like I was one of the ones that was brought back for this, and it turned out pretty well. It’s something over like 15 million minutes streamed on Amazon now at this point which is a lot of watches you know.
Yeah, it was awesome, it was good basic information right it was cool, you know, there was some other MSPs that were in there and they still took it, You know from the typical like MSP techie perspective, but when I was around this roundtable where they started filming us like just talking about things, and I was a break and I’m looking at my phone and the guy next to me who is and he’s like, “I can’t believe you have Facebook on your phone.” I was like, “Dude, why not I’m a human,” you know I’m. He’s like, “You call yourself a cybersecurity expert,” I’m like, “Yeah I do. I also call myself a human being and I live in function. I’m also a public figure, by the way, do you see all this stuff that I do on global media?” This is how I’m able to interact with the world and get the message out there because that’s part of what my purpose is is bringing truth into the world.
The best way that I can do that is to be active on social media, that’s one of the outlets to be able to do that, but then that’s that functionality and the security that’s in place because you better believe I got a frickin VPN that’s on this phone, right, in order to do this and you better believe that I have certain tracking things turned off but it was an interesting perspective I’m wondering what’s your take on that do you get that too, if somebody looks at you like you’re an expert, why do you do this.
Yeah, my response is similar to yours but what I do is because I get that all the time with, like, really you have Facebook and you’re a security expert and I’ll go. “Okay, so you don’t use Facebook,” and they’re like, “No,” and I’m like, “You don’t have an account on Facebook,” and they say no I’m like awesome. Tomorrow I’m going to set up an account under your name and I’m going to scam all your family members, and they and they look at me to like think about it, if I’m on Facebook, and I have an active account, and I connect with all my friends, if somebody tries to set up a scam, I’m going to catch it, I’m going to be visible and they’re going to know it wasn’t me.
If you’re not present at all on Facebook, you’re leaving the door wide open for other people to be able to go in and set up again, and when I said that to them like, “Wow, I never thought about it that way.” I’m like, “Yeah, you can’t run away and hide, you need to embrace and own it.” I’m similar to you from a human. I know if I go in to executives, or even like when you briefed the Secretary of Defense and all those if you sit there and tell them okay the only way you’re going to be secure is if you delete Facebook you delete this you delete that they’re just not going to listen to you because it’s not practical. If you go to people, “Hey I use Facebook, and here’s what I do to protect and secure my Facebook,” so you can do it correctly, they’ll listen to you so I’m with you. To me, world class security professionals, you don’t say no. You say yes but here’s how to do it, you enable people to use technology in a secure manner, as opposed to saying don’t do it and then people won’t listen to you and turn their back.
I love that man I’ve got a canvas it’s in the office here with it that’s similar with the way word can’t on it and a big no sign through it or like some X’s on it, because when it comes to the technical side, it’s like people want to come to you and say “Hey I have this problem and I need to I need to get to this destination,” I hear that the people in our industry allowed say we can’t do that, you can’t do that, like that that’s, that’s gonna cause division and they’re never going to trust you. We never say canned what we will say is, we don’t do this because, however, what we do is, x y and z and this will get you there. How does that sound? So it’s always presenting the solution, but then explaining that, again, it’s a balance of functionality and security and performance that you’ve been talking about so much man.
Yeah, and the way I break it down is, I don’t believe security people should take aside in the fight, like, like most security people when they go to their customers, or they go to somebody that they’re very passionate and they like, “You must spend $100,000 on this so the world’s gonna end there, it’s over,” and they get very emotional and very one sided, and they’re like, “Well if I don’t pay 100 then everything’s fine.” So what I do is for simple things. Here’s what could happen. Here’s the likelihood of it happening. Here’s the cost of it happening and here’s the cost to fix it. What would you like to do? So, like one of our clients. Okay, you have a 90% chance of getting hit with ransomware, if you get hit with ransomware, you’re going to have to spend about $3 million and I want to spend 400k to fix it. What would you like to do? Those are really your options, you can run it, run the roulette table at Vegas, take your 90% chance to pay 3 million, or you can give us 400k and we can fix it. Which option would you like? Yeah, right, but now I’m giving you both sides of the equation and I’m giving you dollar figures and others to be able to justify it so now you can make an informed business decision.
That’s an interesting thought process, too, because it’s the same approach to what I have as well. And in our industry too, you know, because there’s not a lot of sales acumen and that’s another thing that I love teaching people in our industry as well as how to have these real human conversations. That way you can connect with them with somebody and actually do what you’re supposed to do because I feel a lot of people in our industry are very well intentioned man, extremely well intentioned and that they want to be able to bring in that it actually gives them value in fulfillments, to be able to protect people, you know, to be able to do something good for humanity and this is what they have to offer the world is their their talents and abilities, their technical skill set that’s amazing.
You come to the financial conversation, the money conversation, and it’s, “Hey, what do we need to do here with this balance?” Because a lot of prospects still will say well I just think that’s too much, I don’t have 400k Right now I understand the risk and everything and then our industry I see people get flustered, you know, it’s like, I try to be like “Hey, it’s okay,” Because you have to understand too that you’re still running a business, and it’s still a sales engagement, it’s still numbers, if you were selling widgets, you know walking in the door, there’s still a certain percentage of people that will say no for whatever reason. right and the sooner you can get to that know the sooner that you can move them into some other kinds of engagement and start to win them over, you know, from a sales perspective, if they say no right then, even to that 400k Like you’re talking about right now and that’s the thing is, it is okay.
I hope that people in our industry can respect that it is their right to tell us no, and that that is their choice and that is perfectly fine. Don’t let it get under your skin, because I know right we have such good intentions man in our industry we because we have something that can really help people and this is any industry if you have something that can really help people that you want to be able to close that deal not just for the money because you want to save that person and and be able to provide your services and do good for them and it fulfills you that way, but it is also still their right to say no and that is okay.
Exactly and and my thing is to go back to why they are saying no, because to me, if somebody says no, it’s really one or two things. Either you have the wrong customer, you’re trying to sell to them and you know something like that sometimes happens, or the way you presented your solution to them. They believe that you’re in a commoditized area because if you’re in a commoditized service you compete on price, but if you’re, and I’m a big fan of the books but the two things I always focus on with all my businesses, how do I find a blue ocean to become a category king of that blue ocean because if you own a space that unique and different. Money is not an issue. Nobody cares about money, and I always use the examples, McDonalds, that’s commoditized, right? You’re competing on price to get a crappy burger, and I got to be careful. I said that once and somebody got mad at me. Like, it’s a crappy burger! It is not a good burger!
I mean seriously, I know I’ve had the same argument and it’s like “It’s a good backup.” like “Are you kidding me?” I’m like, “Have you been to Five Guys?” That’s like the bottom of the barrel for me.
No, I always joke I’m like, when they started the company, it used to be called Seven guys, but two of them died of a heart attack for eating their own food so commoditize but Morton’s, you’re not going to go in, if you go to Morton’s and say how much is the steak because if you go into Morton’s, that’s more of a blue ocean and they’re a category king there so, to me, if people are going in and heckling or giving you a hard time on price, you need to steer that boat into a blue ocean because you’re way too commoditized, but in our area because we have such a unique offering and we own the space. We have people signing contracts, where they don’t even know how much it is and my sales teams like “Eric, they don’t know how much it is.” I’m like “They don’t care.” Yeah we’re solving such a unique pain point for them. They know about what it is, and price is not the decision point and that’s where you need to get to
That’s beautiful. That’s like a whole podcast in and of itself is finding that niche to no joke because it’s I mean it’s a blue ocean mentality I’m tracking with you and in our industry. It’s a little difficult because you think of cybersecurity we’re protecting but you can still find those blue oceans because there’s something that everyone is good at and nobody else really is, or even in the way that you presented the way that you put it together you know because even serving small and medium businesses that I do, it’s typically like 100 million a year in the Fortune 500 companies, I’m trying to go for like the masses here right and unify this industry small business, which is what the majority of Americans work for to begin with.
So that’s where I’m looking at those sub $100 million companies so that might be, you know, like a mid cap company to a small company there are SMEs, that’s what they are but when you, when you target them, there’s not a lot that have specific things that are for those industries, especially in our industry in cybersecurity, because that I look at other managed security service providers, and they’ll have you know, one, two or three things and that a keynote I’m presenting at Kaseya keynotes, on either scale or sell here in just a couple weeks and then there’s another conference I’m doing actionable security, and I have a picture of our board from three years ago with all the layers, you know, from, from tools from technical tools to human processes, and I see people like you know what’s your stack that’s a term in our industry is you know what, what did your stack look like, and I see things that are maybe you know they got eight items in them they got four items and then they got 12 I’m like, I don’t know what’s got I’m like guys I got like 27.
Then I look at the, you know I’m showing this board now I’m like I don’t care if you copy it down. Please go for it because this is my niche, and this is a very unique way because of what I bring to the table because I’ve had a private security agency with high value asset protection. I’ve been trained, you know, in certain types of trade craft, this is a blending of all of those. What have you done that’s unique that you can bring a little piece of you into this and make this a niche that you can carve out?
Spot on and the other thing I love that I’m also a big believer in is sharing your knowledge with the world, and your business will grow, because most people like, “Oh I if I tell anybody what we’re doing and how we’re doing it, then they’re gonna steal it. My business is gonna go under,” Once again, that’s a very limited mindset of how you’re approaching it. I view that even if I give my stuff out there and somebody steals it, I’m still going to be able to do it better and I’m going to have more passion than them because I created it, so I’ll still be able to compete with them, but it’s sort of like what you look at Elon Musk did with electric cars. I’m sure you know this but I don’t know if the listeners do, he has basically all the patents for the charging stations and everything for electric cars. He gave out to all his competitors.
He voluntarily gave them license free and the reason was simple, his industry was not going to grow if they were not charging stations on every corner, and he knew that so he gave away the intellectual property, knowing that his cars and name brands are better than anyone else. And sure enough, it’s no longer a blue ocean, but he’s the category king, but I sort of look at the same way as give your stuff away, so it gets traction and companies will still come back to you as the category King because you do it better and unique or better than anyone else out there so don’t be afraid to share your music with the world.
I love that man, I think he was one of the first ones to pick that up too, aren’t they, and start it. Yeah, I mean I’ve always loved outings to begin with, you know, I haven’t seen. I haven’t seen much Mercedes, come out with this stuff, they seem to lag behind a little bit. I had a Mercedes S 550 A few years ago, and you know, a beautiful car. I ended up getting rid of it only after two years because it felt like I was driving a sofa or really like riding a sofa down the road, you know, it was, and I came from an Audi S seven so I bet it was most definitely like a different, a different feel for me I was like this doesn’t work, you know, it’s like, I was trying to fit everything in a one card it just didn’t work.
Now I have an Aston and a BMW, you know, and that’s I got the best of both worlds, but I love it yeah yeah dude the Mercedes but that’s it you know they, they’re lagging behind, I feel, you know and you start to see more BMWs that are on the road right now and it’s because of the slow adopters of this stuff so I hope people listen to your advice today by saying look at what other brilliant people have shared, you know take even the show today look at what we’re sharing right now and take some nuggets out of this and adopted immediately, because it’s going to lift you up. Who cares if you’re like, “Yeah, I had to get this from somebody else.” Who cares if the idea wasn’t your own original one, if it’s going to help you serve more people and grow what you’re doing, sweet.
Yeah, you and I always tell everyone else playing I say, don’t be Pete. And what I mean by that is I have a friend of mine named Pete and he loves to come up with ideas and then, Pete Is that guy, whenever you meet with him he’s like, “Eric, that company stole my idea. I had that idea three years ago.” and they stole it, and I’m like Pete, what did you actually do to execute and commercialize it. Well I didn’t do anything on mic, then guess what they didn’t steal it, they just ran faster than you. Yeah, so Pete, what I say don’t be Pete. Pete has all the ideas in the world, but he’s afraid to execute, he’s afraid to take chances. He’s afraid to take risks, and everybody steals his ideas. What you want to be is that person, You only need one idea, but don’t be afraid to take risks and make it really easy for you, you’re going to fail a lot of times, and, and I always joke when I do my startups, I go to my team every week I’m like, How many times do we fail this week, and I like what I’m like, you can’t measure success, because you don’t know when it’s gonna happen.
Yeah, failure is predictable, and here’s what I know, the faster and quicker and more often we fail, the quicker, we’re going to get to success. So, if I’m not where I want to be, I actually increase my failures, because that guarantees me getting to the finish line quicker than others, and people that are new, they look at me like I’m nuts and I promise Certifiably nuts but, but to me it works is getting what doesn’t work, so you can get the results quicker and faster, it’s like the old, I mean you heard Thomas Edison and all these others where he didn’t fail 1000 times, he just figured out 1000 ways not to make a light bulb and my question anyone listening to this is if you’re doing a startup that’s not where it needs to be. Have you tried 1000 things that don’t work, and if you haven’t, increase your experimentation and failure.
Right on, brother. I got one last question today and I’d love to invite you back for part two as well.
I feel like to be honest with you, like, we’ve been buddies for years I mean I just, I feel like I’ve known you for a much longer time.
I love knowing you, my man, there’s one question I wanted to make sure that I got to you today, you know because you’ve been in this industry a long time you’ve seen a lot of stuff. What, what is one particular like doomsday scenario that’s always in the back of your head with things you know like critical infrastructure getting hits you know things like where even Russia started to invade the Ukraine years ago after they hit their power grid, you know, what’s a doomsday scenario that always turns in the back of your head.
To me, probably the doomsday scenario is what’s starting to happen right now, which is companies are getting really sloppy, they’re violating security rules, and they’re ignoring the fundamentals, like if, if you look what happened with colonial and everything else, to me, fundamental rule. Any critical infrastructure, and I did a lot of work with nuclear with nuclear reactors, all the critical digital assets are air gapped, no exceptions to the rule you air gap, you can do a data diode for a one way transfer, but, but it’s all air gapped that everything else, critical infrastructure must be air gapped but what we’re doing now is, instead of Congress in the White House, bringing in security experts like you or me or others that are unbiased, they’re bringing in big tech, who actually is incentivized to have vulnerabilities and incentivize for companies to get breached because that’s how they make money, and they’re going in and taking advice from them, which is making the problem worse and we’re just going to get to a point where, and I know a lot of people say this and I hope I’m wrong where you’re going to have major outages in the United States for days and weeks because we’re not fixing the fundamental issues and in my mind why I don’t like it. I think that Colonial Pipeline, should have been the Enron moment for cybersecurity, and I mean by that is when Enron happened, Congress said we need to regulate publicly traded companies. I believe that cybersecurity, especially in critical infrastructure, and other areas, we need to start regulating it, because it’s not hard. It’s not difficult, but people are ignoring it and we’re listening to the wrong advice, which is taking us in a bad direction.
That’s an interesting perspective man. Thank you for sharing that too because I lean moderately conservative right in a lot of my political views and somebody who knows that about me said this when I was talking about regulation in our industry. They were expressing it like, I’m surprised to hear you for a Forbes article call right and they Forbes is wondering how do you feel about regulation like you know what I actually advocate for it, because in this industry just like financial just like power that cybersecurity is becoming almost like a basic need for life in order to function because of how much depends on this right now because there’s regulation in healthcare to the in medical care that you see across the board, but what did I just say out of all of those industries, what do they depend on all of them lean on technology, every single one of these regulated industries are leaning on an unregulated industry, how does that work, you know, because, because now, somebody who’s servicing these companies can just be like, “Yep, let’s raise your hand and be like, I’m an expert I know what I’m doing”
Right and they’re not, they’re not beholden to the same, the same level of standard. The standard of care is They even called in health care that these regulated industries are in so how can they help with that and I think we’re seeing some progress in that, but this is something to where I’m not saying like full board regulation like the banks, that’s not my opinion, but at the very minimum, a place to start is I think a threshold, almost like you know like a lawyer has to pass a bar exam or something like that, you know, or doctors have to be certified by a medical board in order to practice so there’s some oversight, they can still practice, pretty much any way that they want to right, but they still need to be certified by a board to say yes, this person is of good moral character, they have some good to bring into the world and even more importantly, they have the knowledge that they need to be able to save lives. Eric Cole thank you for being on today, brother.
My pleasure, and I look forward to staying in touch.
- T-Mobile breach
- Dark Web
- CyberCrime documentary
- Five Guys
- Elon Musk
- Thomas Edison