About the episode:
Ishan Girdhar speaks on some best practices for trusting other companies with your personal and professional information. Learn how to tell whether a company is handling its data securely, and how companies need to hold themselves accountable for breaches.
About Ishan Girdhar:
A born entrepreneur, Ishan has always looked for ways to make things work better. So when he found himself in a vendor role in a previous business venture, he immediately recognized the bulky nature and time investment involved when companies tried to tackle the complexities of cybersecurity data flowing downstream internally. As data breaches and hacks became the norm, Ishan saw a need for third-party risk management solutions that would not only be easier to implement but ubiquitous to companies of varying sizes. Taking these insights, he went on to found Privva in 2016. He did this with the conviction that Vendor Risk Management is a more effective and efficient undertaking for small to mid-range businesses when the platform is easy to use and has an interface that requires no integrations for quick deployment. While focused on empowering small to mid-range-sized businesses to take control of their security, Privva’s Vendor Risk Management dashboard is a sound and powerful cybersecurity tool capable of serving any size enterprise.
The Security Hole That Will Destroy Your Business | Ishan Girdhar | CYBER EDITION
This episode is CYBER EDITION. Share this out with at least three people. That’s how we grow. We don’t advertise. We don’t do any. We don’t take sponsors. None of that. This has become such an amazingly successful show because of you and we still need your help. Share this out. You are going to want to because my guest is a born entrepreneur, always looking for ways to make things work better and has amazing history in the network security field in protecting people’s privacy, intrusion prevention, all of this amazing stuff and founded this awesome company called Privva. Ishan Girdhar, welcome to the show.
Thank you, Rick. I appreciate you having me.
We’re going to give people some awesome knowledge because we’ve got security professionals. We have many service providers, general entrepreneurs, consumers and the public reading the show. It’s a wide range but in this episode, we’re going to gear it towards cyber security. You’ve been in this field a while. How long?
Many years now.
A lot of people will be like, “That’s not that long to be in a field.” When did cyber take off?
It’s still pretty nascent. I always say to people, “iPhone is still pretty early in its infancy in cyber. Albeit it’s been around for a while, people didn’t care until years ago.” That’s evident. There are not enough people to fill the jobs that we need.
Tell me a little bit about Privva. What does it do?
We help companies evaluate the risk of using vendors. Think of supply chain risk management. That’s becoming a huge problem. A lot of companies have access to more data, whether it’s business, enterprise data or consumer data. At the end of the day, you’re giving your information to a company and then they’re sending it to probably anywhere from 10 to 1,000 other companies. If we’re not doing the right checks and balances downstream and any one of those downstream companies gets tagged, at the end of the day, your data is going to get exposed. We built a workflow tool to make that whole process easier and scalable. We are trying to make the UI simple. I’m not that smart. I tell the team, “If I can’t figure it out, then nobody can.” They made it dummy-friendly for me.
That’s the way it’s supposed to be.
Unfortunately, it’s not that easy. That’s why I hired a well-in partner who’s great with a great CTO.
I come from this industry. I have an engineering background. I was a Microsoft certified system engineer back in the day. I was the one that was in server closets crawling under the desks, doing everything in our launching. My biggest rollout was something like 15,000 servers, right over 100,000 workstations for Merrill Lynch. Still, I’m like, “I just want stuff to work.” That’s all that it is. I don’t get off on doing the tech work itself. I get off on the outcome that it provides and it sounds like you’re in a similar position too to where you’re like, “We need to achieve something here and tech is going to get us there but the achievement of this outcome is what’s going to thrill us.”
A funny story about that is being a second-time entrepreneur. I used to tell my CTO, “Just turn the button yellow.” I expected it to be done overnight and he then politely explained to me that there’s a lot of nuances in the backend of code. Turning that button yellow impacts twenty other buttons on the software. I think I’ve evolved a lot and it’s not easy. At the end of the day, we’re here because of him. I started to be the ugly face on the front end.
You were talking about supply chain risk management. Things have been insane over the past years, especially with supply chain. There are issues that I’ve seen with being able to find a product quickly. What types of industries do you typically work with when you do the supply chain management?
Our two biggest markets are the legal industry and financial services. Legal industry because your lawyer is your most critical third-party vendor. You probably tell them everything, anything and share everything. There are big vulnerabilities that go underlooked. Financial services are being driven by the regulators. They have access to the keys to your kingdom and your money. There’s a lot of pressure on them. They’re always trying to stay one step ahead of the curve and that’s using better products to make their business more efficient. Those are the two markets that we focus on.
It’s ideal both with attorneys and the financial services industry. I’m sure everybody reading does in some fashion or another. What’s a point to where your ears should perk up a little bit like a warning sign that something’s not right?
Financial services, for the most part, have done a pretty good job. If you’re thinking and you see a new login and you see somebody else’s bank account information when you log into your account, there’s a red flag. Trust me, that app is more than you paying. Pretty much everything you can think of when you’re looking at your banking. There’s somebody else that has that data. Generally, we try to think about working with companies that are more mature, especially in the FinTech space.
There are a lot of cool technologies that are out or coming out helping consumers manage and invest their money. Find out how old they are. Take a look at their privacy policies. Do a little digging on their website and see if they have a security officer on their team. Those are the things you want to check. If you go to LinkedIn and you see that they only have four employees, your data is probably not very safe. I can tell you that for sure.
They run everything in a spreadsheet.
Those are the red flags you want to check. If you’re looking at an earlier stage company and there are some cool ones, which I love them all, check how many employees they have. That’s a big tower of where you want to send your data.
Law firms are similar in that too because they get into a lot of things, especially if they’re dealing with healthcare records or anything. There’s a chain of custody that’s involved that can be broken extremely easily and violate HIPAA or anything else that has to apply to them. Give me an example. You work with those two industries. Are you protecting individuals from those two industries or are you working a lot with those two industries to bring them up to a certain level of compliance?
We’re bringing those firms. Those are the two bigger markets but we also work with school districts. That’s another market that we like, healthcare technology companies like Mindbody, which many people probably use their software to schedule a fitness class or a yoga class. We’re helping those companies make sure that their vendors have the right security in place to protect that information. If you’re giving your data to a bank, you’re asking and looking at how many employees the bank has, what we’re helping those banks do is look at how many employees and what security all those vendors have.
They’re doing that ultimately what your fourth party is. All those other companies that have access to information, we’re helping them figure that out and normalize it. We send out a survey, a security assessment questionnaire. It can be as short as 50 questions. Some of my clients ask 800 questions. It’s that exhaustive. Ultimately, they come back with a single risk score and make you say, “We use 100 vendors in our system that have access to personally identifiable information. This is the ranking.” They’ll put them from 1 to 100. It’s kind of that old cliché. The bottom 10% start thinking about a new supplier because that’s a risk. That’s what we’re doing. It’s a thankless job for the banks, lawyers and law firms. Our job is to try to make it easier for them.
I commend them because in the cyber, I serve SME, which is typically sub $100 million companies. It’s an educational barrier that I’ve seen because if there’s a breach that occurs, which my crew is amazing and that doesn’t often happen at all. I say not often because no matter what and however much you can protect any organization, there’s still going to be a breach of some sort at some point. There’s no way to completely put this shield that’s around everything. Just wave a magic wand and have everything be okay forever. It doesn’t happen that way in our industry. I’m sure that’s the case because even when you’re evaluating the supply chain, that bottom 10% you’re talking about, that’s probably a shifting target if they have 100 vendors.
Breaches are happening. Every company has probably experienced a breach. If they haven’t, they just don’t know it yet. It’s only getting worse. How do we combat nation states to be funded to try to disrupt operations here and there are not enough people? I go into every meeting and my old dad joke is I’ve never met a security or risk team that has extra time on their hands. They don’t have enough bodies that know this. Going back to that first question, I’ve only been in for years. I had no background. I was in investment banking before I started this company. Learn fast. Be smart with your information and pick companies that you trust.
You’re honing in and you haven’t directly said it yet but I love what you’re pointing towards. It’s the responsibility of that entity to make sure that you’re protecting the PII data that you have under your protection and umbrella. There is another shifting of responsibility. Let’s take it from the consumer perspective. I’ve seen this with Equifax and Marriott, two of the biggest breaches we know. All of a sudden, it became, “It’s their fault.” Something I’ve noticed that exists in the cyber field is that, “We were breached but how did that happen? Some data that was within our purview was breached by somebody we’re connected with though it’s got to be their problem.”
If you want to call that supply chain, they’re a vendor if we look at it from that perspective. The organization itself, where that breach originated, never took responsibility to evaluate their vendors in the first place to make sure that those communications are solid, that the protection exists bi-directionally. I’m sure you come across this all the time.
That’s the biggest challenge in our world. You can only go so far as all set. Pick on Marriott. Even if they did some level of diligence, they only have so much authority to enforce change and act as that dictator to say, “You don’t have third-party penetration tests. You must do one and you have to have it done by PWC.” In Marriott, you have to pick and choose your battle. They did some diligence. They probably accepted some risks but it’s not foolproof and that’s the hard part.
I like how you said they probably accepted some risks and even with everything that you do. Privva sounds amazing and I commend you for everything you’ve accomplished. Even when you talk about that bottom 10%, let’s take that above 90% because there are varying scores. You’re still almost forced to accept some risk somewhere in order to continue doing business.
We tell our clients, “If somebody ends up with 100%, that means they’re failing because they’re lying. Nobody has everything in every aspect of security. If they get 100%, we test them a little bit more and ask them to prove it to us.” You’re going to have to accept risk. Otherwise, you’re never going to have a vendor. The biggest investment is looking for it.
You’re running solo if you don’t accept risk.
I don’t know if Salesforce is a security budget. Bank of America or JPMorgan, one of the two just came out. They spent $1 billion a year on cybersecurity. Both of them have had security incidents. It doesn’t matter how much money you throw at the wall and you hire the best people. It’s going to be challenging and it’s bringing it back to you. You probably see this. Hackers are saying, “Let’s go after the SMBs a little bit more. They don’t have $1 billion. They’re probably easier. If I go and hack ten vendors of Bank of America, it’s probably faster, easier and cheaper. I’ll probably get more information than if I went after Bank of America in years trying to twiddle my thumbs breaking into their system.” They’re smart. They’re going after the smaller SMBs too. I’m assuming you’re seeing that as well.
You were dead on. From the educational space in this field too, that’s always one of the challenges. One of the myths that exist too is, “I’m too small for a hacker to pay attention to me.” No. You are within their sweet spot because you communicate with these large vendors that exist like Bank of America and JPMorgan. You communicate and transmit data with those entities. You’re the easier target because you don’t have $1 billion to spend. You have to accept more risk.
From a philosophical perspective, that’s a gap that I hope continues to close over the next years. I see it there because the protection that’s needed that those large entities use from both human resources and technology is expensive to get the stuff you need but at some point in time, it’s going to trickle down like a lot of things do. Hopefully, that gap closes where it becomes more affordable for SMBs because it’s needed. There’s no difference in the need between the two. There’s just a difference in the amount of money that can be spent.
That’s why I like what you’re doing because they don’t have the expertise, knowledge and budget. They don’t know the difference between silence in CrowdStrike. I’ve been doing this for years. They need somebody to come in, show them a roadmap and try to figure out how to make this affordable. The key is don’t do it as a checkbox exercise. That’s what we still see a lot that people are saying, “I got to pass their audit.” Don’t think about it as passing their audit. Think about protecting the consumer’s data that’s going to go into your system and the impact on your company, their lives, if something does happen.
I didn’t think about it from that. These audits are almost treated as like a credit check. We are going to have to fill out a personal financial statement or something like that. “I’ve got to go through this to maintain business with these people.” That’s the only reason why they do it versus from a financial it’s like, “Let’s make sure our finances are sound but also let’s make sure our cyber sound.” That’s interesting. It’s like, “Here’s my busy work, checking off these boxes.”
I do have endpoint protection. I watched a video about cybersecurity. I’m trained. We’re still seeing them. It’s evolving. It’s still immature. It’s a growing market. Most people don’t understand it. We’re seeing this in the Department of Defense. They’re coming out with something called the Cybersecurity Maturity Model. The CMMC is what it’s called. You have 350,000 defense contractors that support the Department of Defense.
Eighty percent of them are small to medium-sized businesses that had never thought about this and all of a sudden, you’ve got the DOD putting down a hammer. I read those controls and requirements. They’re confusing to me and I lived this. I can’t imagine the mom-and-pop shop that’s making widgets that are going to Boeing that have to follow 117 security controls. That’s not feasible and that’s where experts like you come in. “Let’s do an assessment. Let’s figure out where you are.” Don’t just write a check and say, “I passed the DOD. I’m good.”
It would help if the DOD talked to CSO, the CIA or the NSA. They all communicated back and forth fairly frequently in a productive fashion. That’s all I’ll say on my soapbox.
I don’t know if you saw the news but the person at the DOD who was responsible for putting this whole program in place just got put on administrative leave because she didn’t exactly have a security background and then she was breaching her security clearance. The person writing and running this program wasn’t even properly educated on what it was.
You were in investment banking before. I like how you said you’re a second time entrepreneur. How did you make that transition? I can see you’re helping financial institutions. What made you think, “I’m going to jump into security?”
My first venture, which didn’t work out, was I was selling software to hospitals and I was a vendor. I had to go through a security review because I was going to connect to their network. Sometimes it was a phone call, email or Excel sheet. That was my first foray into this. I didn’t think too much about it. My business partners sold their company and then they started selling to the enterprise. They were in school districts and all of a sudden, they started getting these security assessment questionnaires. Years ago, they got one from PwC, PricewaterhouseCoopers. It was an Excel sheet. It was that moment that we said, “The number one consulting company in the world still uses a manual process. Let’s go give this a shot.”
We looked at the market and saw a couple of people dabbling in it. I remember that moment. I walked into my boss’s office and said, “I got this opportunity.” I had a good relationship with him. I said, “I want to try it. I want to do it with your blessing.” He says, “What’s the deal?” I said, “I want to do some meetings. I want to try some client pitches. I’m going to take a day off here and there. That’s option one. I do it with your blessing.” He says, “What’s option two?” I said, “I quit.” He said, “You got 60 days to figure it out.” I got a school district in New Jersey that’s interested, selling a PowerPoint presentation. You know what I was talking about.
What did that pitch look like, your first one?
It was dumbly than dumb. It prevailed. We got some interests. I quit my job and dove in. It’s been fun years.
Where do you see the competitive landscape? Are there still few that are dabbling in this? I know it’s not very prolific.
It’s getting worse every day, for sure. There are SolarWinds, Microsoft and all these breaches. These are front-page headline breaches that are coming up. The market evolves, which isn’t a bad thing. It’s taken a lot of the education part of it out during the sales process. We embrace it but it’s getting more and more competitive. You’re seeing more companies understand that this is the risk. How do they bring this in to complement the endpoint protection and network security products that they may have and bring it all together? Cyber is getting more competitive because people see a greenfield job opportunity. Nobody in any aspect of cybersecurity has risen to the top and is truly the best in breed like you have in other industries because these companies existed years ago.
It’s still an open market. The Blue Ocean mentality that you hear about. I’m excited to see where it’s going to go over the next years. I’m looking to play a big part in that role along with you too. It’s going to get more competitive but I also think there’s going to be a weeding out over the next several years too because there’s a lot of individuals. I’m in the SMB space. I’m looking to make a dominating brand in the SMB space. I mean, no joke. That’s the reason why we’re going public.
For you, you’re looking to do supply chain risk management but I doubt you’re in that to be number 7 or 8 on the list with the passion that you have but there’s going to be some weeding out over the next couple of years in this industry to where a lot of those who dabbled and realized that, “There’s a lot too. This is going to fall to the wayside.” That’s also an opportunity for mergers and acquisitions too for consolidation is what I see. Like what you’re doing, it is not something that reaches out does because there are so many different competencies that exist in cyber security that are mind-boggling and you can never possibly have them under the same roof.
One of the challenges that we see is there’s a lot of buyer fatigue because everybody is opportunistic, present company included. I’m not going to hide that.
We are not-for-profit businesses.
You’re getting these CSOs who are getting calls talking about like our competition. There are more players calling them. The CSOs are trying to figure out who’s a real company, who’s started and has three people in a garage that created a cool front end. “Does this product work? Is it defensible?” We’ve seen the number of proof of concepts that we’ve had to do to win deals go up about 1,000% because people need to make sure it’s that old cliché. You don’t get fired for hiring the big four but you could lose your shirt if you hire the wrong cybersecurity vendor, their technology sucks and you’ve suffered a breach.
That’s going to be the challenge. You’re right. You’re going to see a lot of consolidation, a lot of M&A, products that got contracts but didn’t have good technology and companies who have the good technology just to say, “We want to absorb your clients.” You’re going to see a lot of consolidation. You’re going to see a lot of companies fade out because you don’t know who’s good. It’s hard to sell to CSOs, directors of security and CIOs, especially coming after COVID.
It’s a tier point of the proof of concept. That’s probably going to be one of our biggest challenges, yours and mine. Over the coming years, we’re going to come across CSOs in the SMB space and CFOs. For the most part, that have been burned hardcore because they’ve hired the three guys in a garage.
You’re going to see a line and a lot of burnouts in CSOs also. It’s a tough gig.
Who doesn’t cut it anymore like what we grew up on?
Red Bull is not strong enough. They’re getting woken up at crazy hours in the middle of the night and the DLA Piper, which is one of the top law firms in the world. I know the CSO of that company at the time lived in San Diego and that attack started in Ukraine. You think about that time difference. You got woken up at 4:30 in the morning to every system of the top law firm in the world shut down and trying to react instantaneously.
One of my clients is the largest snow removal company in the Midwest. It was years ago. This was back when I was still on the keyboard and doing things when I knew how to do it. I’ve got smarter people. This was 2014 or 2015. I was up, thank God. That was nice. I was already 7 or 8 drinks in because it was New Year’s Eve and it was 1:00 AM. They have about fourteen international patents and there was an active attack coming from China. It was the nightmare that was disgusting, especially when you’re not expecting it like that years ago being a CSO in that realm. Things then are probably maybe like 1% or 0.1% how bad they are now. That sucked. Imagine doing that as a CSO every single week. It’s disgusting.
Did the client know you were seven drinks in?
The client didn’t know. I don’t know if it made me better or worse. I’m just going to say that it made me better because it only took about 45 minutes, which is not bad at all to stop the breach. That’s pretty amazing, especially with, “Pour me another. We’re just going to go to town with this.” I’m looking at IP traceroutes and seeing this bounce all over the world in the midst of this thing like, “Where are we going to find these idiots?”
They’re smart. They know the time that everybody is having a cocktail.
That was the best time. This was a company that does maybe about $40 million a year in revenue, which is a prime target for anyone, even for a nation state. It emanated from China but what you’re saying with the nation states and this is what I think a lot in our industry don’t understand is that a lot of it funnels back to that, even eCrime groups. If you look at the threat actor profile, it’s the five main ones.
If the nation states have the motivation for geopolitical destabilization, they will fund eCriminal groups in order to carry out these attacks. They carry out attacks, not just against SMBs or these large corporations like JPMorgan or Bank of America. They’re attacking you and me too because they know that we have access. We’re one of those vendors that you’re talking about. We have the keys to the kingdom for a lot of these companies too.
They’re fishing. They have money to fish all day and find that vulnerability. What’s tough about it is job security. That is one of those that didn’t make it and we get it.
I don’t intend to be that and I don’t think you’re going to be that either. Where do you go from here? I’ve thrown out a lot of future predictions. What do you see for the future of Privva and supply chain risk management over the next years?
Take the second part first. I think it’s a growing market. It’s price pressure, business efficiency. People don’t want to work anymore that we’re seeing you just got to hire products that are going to make your life easier and do things cheaper. In the legal industry, everybody on here has probably paid a lawyer a lot of money for an hour of work. It’s not going to fly anymore and they need to embrace technology. It’s going to get worse and expand. That’s where we’re seeing it. There are cool companies that do what we do. We work with a company called RiskRecon. They got acquired by MasterCard. They’re doing cool things and looking at public information saying, “Can we quantify this from a risk?” You bring these couple of products that are going to help scale these set.
Supply chain is going to get worse. Better for us. For Privva, we got heads down. We want to always try to figure out the problem our clients are dealing with. How can we fix it? Security people are in a thankless job. It’s like technology. You expect the computer to turn on and when it does, nobody thinks about you but when it doesn’t, they lose it and they want your head on a platter. That’s what security is. “We didn’t get breached. Are you valuable to the company?”
They let go of that person and all of a sudden, they have an incident and realize the value. They don’t realize they’re getting calls at 12:00 on New Year’s Eve and having to deal with stuff. We want to be heads down. I say to the team, “I used to work at Disney. We customer support to a fault.” The team does hate it. If we make our clients’ lives easier, then we won. They’re going to stick around. At the end of the day, there are going to be competitors that are going to come in but we don’t worry about that.
I’m excited to see where you and this industry goes to. Let’s keep educating people. That’s probably the biggest hurdle that we have.
The general consumer reads about it but they don’t truly understand. If you do get breached and you’re using the right companies, don’t get mad at them. They didn’t do it on purpose. There may have been some ignorance or negligence a little bit but the industry is working hard and they’re trying to do the best they can. It happens probably to everybody. Have a little compassion for them.
Celebrate the wins with them too. That was the thing. After we stopped China in this incident that I was referencing a couple of years ago, I took my client out to lunch, just the high fives but it should also be the other way around I feel too. Show the appreciation because all of those individuals are going to work so much harder for you. If you have an in-house CSO, the stuff that you don’t see that’s going on with those individuals is insane.
If there are any business owners on here and you have a security team, I agree. It’s the same banks. It means the world.
If you don’t know Ishan, you might soon, especially if you’re a vendor to somebody at this point. He might be knocking on your door under the banner of Privva. Go to Privva.com. Find out what you need to do. Ishan, you’re amazing. Follow Ishan on LinkedIn. Thank you for being on. I’ve enjoyed our conversation. There’s a lot of passion.
Thank you. I appreciate it.
Important Links:
- Privva
- Salesforce
- Bank of America
- JPMorgan
- RiskRecon
- LinkedIn – Ishan Girdhar
- https://en.Wikipedia.org/wiki/Supplier_risk_management