Episode Transcript
Speaker 0 00:00:00 It doesn't actually matter if you've got three customers or 300 customers. An attacker is quite, let's call it cost efficient. Mm-hmm. <affirmative>, they're going to find vulnerabilities in attacker platform with massive bang for their buck. So if they can get a hundred customers compromised, wonderful. That's gonna be really big payday for them. That's why you're seeing all these ransomware attacks. It's not about those companies. No. The attacker probably didn't care in advance. That's right. They just knew the technology was there and they could exploit it.
Speaker 2 00:00:25 Welcome to the Agency Hour podcast, where we help web design and digital agency owners create abundance for themselves, their teams, and their communities. This week, we are joined by the Mary Poppins of Security. Laura Bell, main Laura has worked with every type of company that you can imagine, large and small from mom and pop stores, companies that take care of the widows of firefighters to N A b, Lockheed Martin Prosper, and many more in the financial sector. In this episode, we dive deep into security and discuss the importance of bringing security into your core offering and the reality of trusting the security of SaaS and hosting companies. Everything is not what it seems. We also touch on the tale of Laura getting a book offer in a Mexican restaurant with a Marati band. Why security attacks are not personal and can, and do happen to smaller companies, and how your WordPress plugins may not be enough. It's jam packed. I'm Troy Dean, stay with us. And without further ado, please welcome to the podcast Laura Bell, Maine. Laura, welcome. Thank
Speaker 0 00:01:29 You so much for having me. It's great to be here.
Speaker 2 00:01:31 Likewise. Thank, thanks for joining us here in the agency. Now, this is, uh, a, a slightly, um, a slight departure, I guess from our usual programming. We spend a lot of time on this podcast talking about growth, marketing, hiring people, operations specifically for the agency business model. For those that don't know you, and I imagine most people in our audience won't be familiar with you and your work, who are you, what do you do, and what are you doing here on the agency hour?
Speaker 0 00:01:55 <laugh>? I know, right? I, I'm, I I'm gonna push you all in a, a little unexpected direction. Um, so I am a security specialist. So my, my job in the world is to bring security into organizations big and small, uh, without getting in the way of what they actually wanna spend their time on. So, in its own strange way that we can use security as a tool for growth and for resilience and surviving as organizations. So none of that doom and gloom fear stuff, much more of that. What can we do to really stand out and to make sure that we are growing and using this as a tool in a, a toolbox?
Speaker 2 00:02:32 I just wanna give a few, I I just wanna give our listeners some context here, because I personally know if you think security's not important or it won't happen to me. Right. I personally know, uh, friends of mine who run, uh, either software companies or run, uh, WordPress plugin companies who have their own checkout mechanism and store thousands of clients' credit cards on file. I know people who have been hacked and who have had data stolen, customer data stolen for ransom, uh, in Australia. I can't remember the who it was, but there was a big organization recently with like within the last few days. Yeah. That was targeted. There's
Speaker 0 00:03:10 Been so many in Australia. Yeah. It's, it's been a bad year. Um,
Speaker 2 00:03:12 It's been a bad year. And, and, and my brother, who is a general manager of a large, um, non-profit in Adelaide, he was talking to some colleagues recently in, because they're obviously, you know, aware of this and they have to be ahead of the game with this stuff. Uh, but the cybersecurity team that they were talking to have said that in the last 12 months, cybersecurity attacks in Australia have doubled. And, uh, that trend looks like it's gonna increase because we are, if you don't, you know, realize this in Australia, one of the wealthiest countries on the planet, and we get targeted by people who wanna steal data and then show us what's called a proof of life. They show us proof that they have the data, and then they demand lots of money, otherwise they're gonna release that data publicly. So this is not, and I'm not saying this to be, to, to, to, you know, scare people into taking action. I'm just letting people know this is a real thing. It does happen. It's happened to friends of mine. We have been very fortunate over the last however many years we've been trading online that it's never happened to us. But, uh, you know, you've gotta take these things seriously. And sot tell me, um, first of all, how, why, why security? Why this <laugh>? It is, do you have a personal story? Like you, obviously at some point when I'm gonna spend my life devoted to helping organizations secure their software, why
Speaker 0 00:04:34 A complete accident, if I'm honest? Um, so, um, the two big influences in my life are my, the, on the, the female side of my family. They're all storytellers. Um mm-hmm. They're the type of people who can sit next to a person on a bus, and within three minutes they've got their life story and been invited to their grandma's birthday party. That's just, just how they work. Um, and it's beautiful to watch in a slightly weird way. Mm-hmm. And my granddad and, and, and a lot of the, the men in my, in my family, just because of, you know, the way that the education worked back then are all engineers. And my granddad used to kind of pull me aside on Saturday and he'd say, Laura, what do you wanna build today? I'll be like, oh, cool. Let's build stuff. Wow. And he'd just appear with stuff.
Speaker 0 00:05:13 Now, as an adult, I've learned that he was stealing bits from my mom's and my grandparents' furniture upstairs, <laugh>. But what he gave me with this, this sense of creativity of you could use things in unusual ways that you could play around with them, and that anything was possible if you would just thought about the problem in a different way. Wow. Now, I eventually became a software developer, and I found that my, you know, my enjoyment of looking at problems in strange ways, and being the person who was like, oh, all right, there's three buttons on that screen. What happens if I press all of them at once? And mm-hmm. <affirmative>, um, that's really not that helpful in a software team. Um, but insecurity, that's exactly where it starts. It starts with creativity and curiosity. Um, now the difference between someone like me who's insecurity and someone who is, you know, doing crime, is that my motivation is helping people.
Speaker 0 00:05:59 I like finding these things like a puzzle and then fixing them. Mm-hmm. But there are other people who have the same sort of creative thinking, but they have a motive to, you know, for personal gain or, you know, I want to do this and use it to get wealth, or, or whatever it is. Um, so yeah, that's how I ended up there. I I essentially moved from software into security. And then over the last 20 years, I've had an amazing career working with every type of business you can imagine, from tiny, tiny nonprofits who look after the widows of firefighters Right. The way up to big name companies like Salesforce. Wow. So, um, I really have seen every sort of operating model, every sort of kind of culture that security can bring in, uh, the good and the bad,
Speaker 2 00:06:45 I must say. I, I was checking out, I didn't know much about you and full transparency. You was talking the green Room. You came to us via a podcast, booking agency who mm-hmm. <affirmative>, who reached out and suggested that you come in our podcast. Uh, but I, so I was checking you out yesterday 'cause I had no idea who you were. And, and I, you've got some pretty impressive client logos on your website, n a b, which is a, the big National Australia Bank, Lockheed Martin Prosper, who are a finance company. Is that right? Mm-hmm. <affirmative> Prospect, they're a lender, is that right? Yep. Um, I imagine finance sector security is a big, uh, issue, which we can talk about f before we get there though, how did you, what was your pathway to become a software developer?
Speaker 0 00:07:19 Um, I needed to get a job when I was 16. I come from a, a small town that is famous for teenage pregnancy and car theft. Excellent. And yeah. Sounds like where,
Speaker 2 00:07:27 Sounds like where I grew up.
Speaker 0 00:07:30 Um, um, and so, um, I, I was very lucky, um, in my hometown, there was one tech employer that was e d s, and they were doing an apprenticeship scheme, and the interview process was solving puzzles. And so my mom was sick, I needed a job, and I went to solve some puzzles for an hour and ended up as a junior cobalt developer, age 16. And then I put myself through night school to get my qualifications and then eventually put myself through university. So, wow. Um, it was more of a, a necessity than it was a choice. I didn't wake up one day and go, yeah, computers are my thing. Right. Uh, but I, I just love, it just speaks to a part of my brain that, uh, just lost puzzles.
Speaker 2 00:08:07 Yeah. There is something, I remember in, when I first moved to Melbourne, there was a company back then that, I dunno what they were called now, but back then they were called the Computer Power Training Institute. And they used to run these television commercials, and they would invite you to come in and sit at a test, and if you pass the test, you would have a pathway to become a software developer. So I went and sat the test, and turns out I'm just very good at solving puzzles as well. And, you know, kind of like finding patterns in numbers. Mm-hmm. <affirmative>, and here's a series of numbers, continue the pattern. And, and so I blitzed the test and, um, got a, and I was working at Crummy job as a sales rep in the head dressing industry at that point, <laugh>, I was driving around Melbourne selling bloody shampoo and hairspray to hairdressers, and it was awful.
Speaker 2 00:08:47 But anyway, um, they rang me and said, look, you've, you are like in the top 1%. We want you to come and do the course. Uh, it's 15 grand to come and do the course I didn't have at the time, and I didn't, I couldn't get, so I missed out on that opportunity. I wonder how different my life would've been if I'd had that formal training. But I do remember at the time, this is in the late nineties, 97, 98. Right. I do remember at the time thinking, you, you ha this is the future. You have to understand how computers work, otherwise, you're gonna be left behind. And, and this was when we were accessing the, the internet on a, you know, 28.8 k or a 14.4 K dial up modem. Right. So, how far things have come. Um, so well done. Congratulations for, for, uh, pursuing that pathway. And then at some point, you, we were talking in the green room. You end up consulting with companies before what you've done now, which is pivot to an e-learning platform, which we'll talk about, which is something that's very, uh, near and dear to my heart. Um, talk to me, were, so you were employed as a software developer. When did you go out on your own as a security consultant?
Speaker 0 00:09:51 So, um, I made the big leap in 2014, so just coming up on 10 years next year. Um, and I, I'd just come back to work after having my first child, and I was working for a single organization in the FinTech space, and it was great. You know, it paid well, it was a good job, but I was frustrated. Um, I, I knew that you could build software really, really fast, and I knew that security was important, but the way that security happened was super, super slow at that point. And, and it was all about, no, you can't do this. And as somebody who likes creativity and innovation, that was just really grinding with me. And so, um, I had about $300 in my bank account. Um, <laugh>, it was really not a great life choice at this point. I had a 10 month old daughter.
Speaker 0 00:10:33 Wow. And I quit my well-paid job, and I went out looking for my first consultancy clients. Wow. And my first client, thankfully, was Pushpay. So, um, so yeah, it, it was, it was a big leap of faith. Um, uh, I literally wheeled my office chair from home down Queen Street in Central Auckland to a shared space that had, you know, those pallets you get from shipping companies, Uhhuh, <affirmative>, that they're always giving away at the side of the road. Mm-hmm. <affirmative>. So the desks were made of those, but they hadn't even bothered sanding them <laugh>. And you had to put, uh, a sheet over your desk at the end of the day because it was in the eaves of a building. And overnight the pigeons would come and roost. And you wanted, you had to make sure that you didn't get your computers covered in, you know, pigeon.
Speaker 0 00:11:12 Wow. Uh, waste it. It was, oh, you know, one day I'll laugh about it. At the time it was kind of hard. <laugh>. Yeah. Um, so yeah. Um, in the first three months though, it was really clear that there was this massive need for particularly software led companies who were building software, either to sell or to make their lives easier to do security. They really cared, but they needed to be shown how to do it fast and to make those pragmatic choices. And so that led to a very successful consultancy practice. And then, um, my first book, agile Application Security for O'Reilly. Um, and so I, I kind of sat at the front of what became DevSecOps and, um, the fast-paced security space for software.
Speaker 2 00:11:54 Wow. What, what was your, um, wow. There's a lot to unpack there, and I have some, some questions <laugh>. Uh, no, but what, what, what was your outreach like to get your first client when you went out as a consultant? Were you like cold calling or like, were you on like, stalking people on LinkedIn? How did that work?
Speaker 0 00:12:06 I was literally making phone calls to anyone that I knew was in software and saying, Hey, can I buy you a cup of coffee? And, you know, pounding the pavement, going office to office. Wow. Just chatting about how they did things, and, um, go.
Speaker 2 00:12:20 That's awesome.
Speaker 0 00:12:21 That's
Speaker 2 00:12:22 So good.
Speaker 0 00:12:23 It was terrifying at the time, of course, from the book I read, um, the Challenger Sale, which got me through it because it made me realize what I was doing was selling, but without being gross. 'cause I was kind of consumed by this idea that suddenly I was a salesperson as well as a consultant. And those two worlds were a bit of a, a, a funny mix for me. So yeah, big, big growth journey.
Speaker 2 00:12:42 The Challenges Sale, I'm not familiar with that book. Print Adamson and Dixon, Matthew, according to Google. I'm definitely gonna put that on the list 'cause I haven't read it. Um, okay. So then, so you grow this consulting firm, uh, you're doing, you know, things are going well. Um, what was the, at some point you then decide to pivot to e-learning, and, and, and you, you wrote a book. You, you wrote another book, and then mm-hmm. Also, actually, before we do get there, how did the publishing deal with O'Reilly come about? <laugh>?
Speaker 0 00:13:12 Oh, no, Troy, um, I could give you like the, the Polish version. Should we do the really formal version? Who these give the sense I went to the right, I went to the right, uh, meeting with the right person. Right. And I was bold in my ideas and thinking, and they offered me a book deal. Right. What actually happened was I presented at Black Hat in 2015, which for my community is a big deal conference. Mm-hmm. <affirmative> mm-hmm. <affirmative>. And I went out with some friends, um, one of whom happened to be a, uh, an editor and, um, uh, an agent at O'Reilly mm-hmm. <affirmative>. And we got very, very drunk in a Mexican restaurant. Excellent. And literally, there was a mariachi van involved. Fantastic. Um, and I believe that me and one of my co-authors had some very big feelings and opinions over dinner about how wrong security was and how it could be done differently without it getting in the way. And how it didn't need to lead on fear. It could be about growth and enablement. And two days later, I had a book offer in my inbox saying, Hey, thanks for offering to do that. So, um, yeah. Um, uh, spoilers are never go to Mexican restaurants with book publishers, <laugh>, um, it ends badly. How,
Speaker 2 00:14:14 How, um, how arduous was the process of writing the book?
Speaker 0 00:14:19 Uh, it was a lot harder than I thought it would be. Um, and in fact, I promised myself I would never do it again at the end of the first book, and then promptly three years later did it again, <laugh>. Um, so, you know, that tells you something about me, or books, one or the other. Um, the hardest part is, is finding your voice, um, in it and, and having that kind of discipline to sit down and just keep writing. Um, you know, I, I'm quite a creative person. I, I, I can switch very quickly between things. I'm quite a fluid person. I'm not the type of person who is very good at going, okay, I need to write a thousand words every day. Mm-hmm. And having that structure, and it took me a long time to really figure out how to get into that rhythm.
Speaker 0 00:14:58 Mm-hmm. Um, but once I had found it, and once I'd found my confidence in it, um, I, I really enjoyed the process of writing and not just about the, like, the only person who really cares about me having a book is my mom. She's incredibly proud and has no idea what it is I do for a living. But there's a book, so that's mm-hmm. <affirmative>, you know, it's an anchor for her mm-hmm. <affirmative>. Um, but for me, it was just really good to crystallize what I had been doing. Mm-hmm. And then it was able to connect with this audience, and they were sending me emails back going, oh my goodness, I needed this. Um, I've, I needed this advice in my life. We've been using this for X, Y, and Z and that, that's been really, really great to extend from just what I was doing as a small ripple in a pond to something that was bit much bigger.
Speaker 2 00:15:41 Great. What, what was the second book you wrote? Sorry.
Speaker 0 00:15:43 Security for everyone. Security for how to do security for whatever size business you are. So starting from individuals up to high growth companies. So whatever stage your organization is at, it's a really practical guide of the basics you need to put in place to secure your organization. So we expect you to have no budget, no people, um, that you're trying to do something big in the world in your own way. Um, and it's, it's really a how to guide for those in those non enterprises who wanna get started with security.
Speaker 2 00:16:12 Great. And is security for everyone.com? Is that your domain?
Speaker 0 00:16:15 Uh, no. Um, but I can give you a link and you can share the link. That
Speaker 2 00:16:19 Would be great. We'll put a link in the show notes to the book, and we'll also put a link to, uh, safest Stack io, which is your current learning platform. So I, you know, um, I've produced a lot of e courses, e-learning, online courses, whatever you wanna call it, over the years. And I imagine, I haven't written a book, but I imagine in a similar way, what it does is it really, like a mentor said to me once, if you, if you think you know something, teach it, because it really forces you to identify the gaps in your knowledge. And the act of explaining it really forces you to fill in those gaps. So, um, how did you know it was the right time to pivot to an e-learning platform and get out of consulting? Because I, because the, it's a completely different business model. Mm-hmm. <affirmative>, and I wanna talk, I do wanna talk about security in a moment, but I'm really sort of fascinated about this journey. Uh, it's a completely different business model. Um, it's, it's, it's, it's a higher ma more volume. You need a lot more customers. It's a lower ticket product you're selling. Mm-hmm. <affirmative>, how, what, at what point did you, were you confident to go, okay, there's enough demand here than I'm gonna wi and why did you wind out of consulting Yeah. And, and pivot into this e-learning business model?
Speaker 0 00:17:23 So, I, I'll share the, the kind of the transitionary period. 'cause I think that's probably gonna answer most of what you're asking there. So we first, we, we'd been talking about it for a long time. Like, most, if you're in an agency or a consultancy or a service company, everyone has like this little bit in the back of their brain. They're like, but this is like a hamster wheel. It's doing the same thing over and over. Can I turn this into a product? And we've all had those thoughts from time to time. And so we had this inkling in the back that we could do this. Then Covid hit in 2020. Mm-hmm. <affirmative> and, uh, consultancy dropped 94% of revenue overnight. You know, it, everything rebounded. But in that moment, in that first lockdown, we had almost three months where me and my co-founder, we, you know, we were still doing some consultancy remotely, but, you know, it was a, a moment of reflection. And we, we both decided it was a terrible idea to run a product company because we had young children and houses, and all of those responsibilities that you're not supposed to have when you're a startup founder mm-hmm. <affirmative>. Um, so we did it anyway, <laugh>. Um, and so we started building it in the April, 2020. We released it into market in the October. Um, and by the, by the end of December, we had already passed, um, 200 K in recurring revenue. Um, and we were really certain at that point that we, there was something here.
Speaker 2 00:18:41 Wow. Now, now, okay. Uh, how, what again, what was the outreach or the go-to-market strategy, or like, how did you get that initial cohort of, because if I'm not mistaken, I'm on the safest stack.io website, right? And your, um, your price point is not enterprise, right? We're talking about a hundred bucks, mid-market, a hundred bucks a year. Is that right? Mm-hmm. <affirmative> for individuals for 300 bucks a year for team, so, you know, per learner, but that's a year, right? So if I've got like five developers, it's 1500 bucks a year to have them mm-hmm. <affirmative> train, right? So we're not talking, this is not enterprise B two B, you know, software where we're spending a hundred thousand dollars a year. How did you get the first cohort of customers through to get enough traction to say, Hey, we've got product market fit here.
Speaker 0 00:19:27 So I, I think, you know, most of us find our careers, uh, cumulative, the things you've done before add up. Um, so a lot of the initial, particularly the initial five or six customers, was the same way as I built consultancy. I, you know, opened up my contact list and went, Hey, we haven't caught up in a while. And I went and talked about what we were doing and, and got people to try things out. And a lot of people are enthusiastic. And then, you know, I'd started already growing an audience through social media, through LinkedIn and things not particularly strategically. I will be very honest, and I'm still working on that a lot. You mm-hmm. <affirmative>, we, we don't, with only three of us in the team in sales and marketing, we are teeny tiny mm-hmm. <affirmative>. Um, and so we started kind of experimenting, you know, sharing MSEs, sharing value.
Speaker 0 00:20:09 Our audience are primarily software developers who are mildly allergic to salespeople mm-hmm. <affirmative> and do not open cold emails that that's just the end of it. Mm-hmm. <affirmative>. So we needed to be authentically there sharing what we do, what we believe in, what the mission is. Mm-hmm. <affirmative>. Um, so we started doing that. We did a bit conference speaking. Um, and yeah, it's grown from there. A lot of our growth is organic. A lot is fire referrals. And that's something actually we are working on now in the next 12 months is, you know, how do we reach audiences outside of this initial, um, you know, first couple of years. And that's an exciting problem to solve.
Speaker 2 00:20:41 Great. Which hence probably why you're here on the podcast. Right. Exactly. That's, that's all part of it. Now, um, I do have a question, question you, it looks like I'm looking at some screenshots on your website here. It looks like the community, you might be using something like Circle to host the community. Is that right? Yeah,
Speaker 0 00:20:56 Yeah.
Speaker 2 00:20:57 Absolutely. Awesome. Uh, and the and, and is that where all the course where stuff is? No.
Speaker 0 00:21:01 Right. So we have our own l m s that we've built. Originally, we, we did what many companies is, we had a, a WordPress Frankenstein's Monster of an L mm-hmm. L m s for the first six months. Mm-hmm. 'cause we just need to get it going. Yeah. Um, and then over time, we've actually replaced that with our own custom platform that does what we need. Got it. But we intentionally choose Circle for our community partner because running a community platform on top of an L m s, that's not our core specialty. So we use a platform that we know and love. Yeah.
Speaker 2 00:21:26 Love it. What's the security like on your learning platform?
Speaker 0 00:21:30 <laugh>? Oh, it's terrible. We'll do it later. <laugh>. No, of course. It's great. We, you know, we, we pick the problems we wanna solve, and then we use experts on the rest. So we use things like auth zero as our authentication provider, because, but as a security company, you already have a big kick me sign on your back when it comes to, to security. Yeah. So, yeah, we're gonna pick the best in breed and work with them. So we solve the problems that are unique to us, and then we work with really good folks to make sure that we, uh, are are doing the security in the right ways.
Speaker 2 00:21:59 Now, I can hear virtually everyone listening to this podcast saying, Troy, Laura, this is really interesting, but we are just building websites on WordPress and we're just gonna plug in the security plugin or one of the standard plugins that comes in the repository, and then we are done. Right? Like, this is not relevant to me. And, uh, I would like you to debunk that myth if possible.
Speaker 0 00:22:21 Yeah, absolutely. Look, um, and I'm not gonna bang on WordPress, you'll have a lot of security people who'll be like, oh my God, you're using WordPress. Don't do that. Look, there's a reason we all use WordPress. It's because it's incredibly versatile, because it has that ecosystem of plugins and, uh, and pieces we can use. There's a reason we do that. But the, the thing that we have to remember is a lot of your audience will begin, well, they won't attack us, we're little mm-hmm. <affirmative>, they've never heard of us. Mm-hmm. <affirmative>, when you use a platform that's shared by hundreds, if not millions of other customers, the attacks stop being about you as an individual mm-hmm. <affirmative> and about being opportunistic for the technology you're using. Mm-hmm. <affirmative>. So it doesn't actually matter if you've got three customers or 300 customers. An attacker is quite, let's call it cost efficient.
Speaker 0 00:23:03 Mm-hmm. <affirmative>, they're going to find vulnerabilities, an attacker platform with massive bang for their book. So if they can get a hundred customers compromised, wonderful. That's gonna be really big payday for them. That's why you're seeing all these ransomware attacks. It's not about those companies. No. The attacker probably didn't care in advance. That's right. They just knew the technology was there and they could exploit it. Mm-hmm. <affirmative>. Now, the thing with WordPress plugins is it's amazing, you know, the, the selection you have, and it can be quite overwhelming to get started with mm-hmm. <affirmative>, and no doubt, many of your audience have favorites. You've got a whole set that you use on everyone, and you bring them in each time, and they're known. I get, I get it. I totally do. But you need to start thinking about what I call the puppy principle. And not to insult your intelligence, but it'll help you remember this later.
Speaker 0 00:23:44 Yeah. Think of every plugin, like a new puppy, uh, is gonna make your life really exciting when you share the results of this. It's gonna be really cool. People wanna see it, but every puppy, you have to look after it. So you've gotta poop some, uh, you've gotta do some pooping, scooping. You've gotta feed the thing, you've gotta look after it. Mm-hmm. Um, every single, uh, plugin you bring in is another puppy. So, you know, three is great and a lot of fun. 30. And you are actually, you know, you're basically a doggy daycare now. There's no time for fun. You're looking after stuff all day long. So you've gotta make sure that every time you introduce a technology, that you have made some space in both your budget and in your time for keeping it, uh, up to date. Now, in a service model, this is really challenging because, you know, we bill our customers up front.
Speaker 0 00:24:31 You know, I'm gonna build you a lovely website. Maybe sometimes they have an ongoing maintenance contract with you, but a lot of the time they don't. Maybe they come back ad hoc for, for updates. Now the trouble is that attackers are working continuously. They don't know that your brief is done and that you've delivered the end thing. They're still gonna be looking at that website. And so you have to find a way to manage those, you know, those bits of hygiene that we need to. So keeping it up to date, making sure that there's no alerts that we need to be mindful of, make sure we change plugins if there's something that goes outta support. Um, and at the same time, we have to figure out how to do that without breaking our business model, because we've gotta do it for the sites that we're still associated with, or what we need to educate our customers on how they need to do it themselves, which your customers may not be in the technical space, that they can actually do that for themselves.
Speaker 0 00:25:18 So I see it less as a hindrance, less of a, you shouldn't do this, so, you know, it's gonna get in the way more of an opportunity for us all. If we think that delivering a high quality product to our customers, uh, is what we're aiming to do, then we need to accept that securing it is part of that quality. It's part of the measure of what makes you stand out. And that means factoring that into the ongoing services you provide, how you bill for them, and educating your customer as to why you are doing that. Mm-hmm. And why it might impact them from time to time.
Speaker 2 00:25:48 I think this, and you're preaching at the converted here, but I think this is the interesting piece, is how do you get a small business owner who uses Chrome as a browser every day mm-hmm. <affirmative> and doesn't even know that it's being updated in the background, doesn't even know that security patches are being flown in remotely, and because they're not even aware of it, right? Mm-hmm. <affirmative>, how do you educate that person that, hey, you're gonna have to pay whatever it is a month to make sure that your website doesn't get hacked, and to make sure it's secure when on, on top of the hosting, which also has its own layer of security mm-hmm. <affirmative>, what's the, apart from telling warning stories, which I'm a big fan of, but what, what's, what's the, what's the, because it is an, it's an education process, isn't it? Mm-hmm. <affirmative>.
Speaker 0 00:26:27 Yeah. And for me, I, I think of it like gardening. Um, uh, gardening is much more effective if you do little bits over time. If you go and, you know, weeded a bed each week, um, if you come back to it any year's time, it's gonna be a feral mess. Mm-hmm. And nothing is gonna be growing there. Mm-hmm. <affirmative> looking after the security of site is a hygiene practice. It's not necessarily about, you know, the big bad monster is coming to get you on the internet, and you should feel bad. It's about saying, Hey, you have this asset and you need to maintain it. And that means doing a little bit of maintenance each month. Mm-hmm. <affirmative>, now here's the maintenance you would need to do if you did it yourself. Mm-hmm. <affirmative>, or we can do this for you, and we're gonna help keep this in the best shape it can be so that it delivers the results you need.
Speaker 0 00:27:08 And so, focusing much more on the maintenance of an asset and of something that is so key and crucial, rather than the fear that something bad can happen. If you lead with the fear, people are gonna shut you down. Mm-hmm. Um, there's so many things in the world to be scared about, especially as a small business. You know, there's 42 things that are gonna kill your company. Payroll and cashflow are number one and two. Mm-hmm. <affirmative> security probably isn't even number 10. Mm-hmm. <affirmative>, it's somewhere down the list. So you have to reframe it, reframe it in terms of what they care about. And that's maintaining their revenue growth, maintaining their presence, keeping track of what they've invested in, and making sure it's still worth it.
Speaker 2 00:27:42 So, you know, updating plugins and keeping your client's websites secure is a really important part of the service that you provided. Of course, you should be charging to do this as part of your care plan. However, if you're anything like me, I get it. This is really important, but I'm not the best person to concentrate on this because it just bores me to tears. Like, it's like doing the dishes, right? It's gotta be done, but for me, it's just super, super boring. Now, I know that we are making an argument here that you should be using this as part of your growth strategy, and you should, but maybe you don't want to click the buttons. Maybe you don't want to be the one actually updating the plugins and updating WordPress and making sure that the backups are done and making sure it's secure and all that kind of stuff.
Speaker 2 00:28:20 So you should just delegate all of that to someone on your team. And if you don't have anyone on your team to do that, then you should be delegating it to a partner, preferably a white label partner, like E two M Solutions, who yes, they are our podcast sponsor, E two M solutions.com/agency Mavericks. And they will just take care of all of your WordPress care plan stuff for you, completely white labeled so you don't have to worry about it. So the job gets done. You can just concentrate on selling the value prop to your clients and using it as part of your growth strategy like we've been talking about. But you don't have to worry about clicking the buttons and making sure that things are going into the right spot. Right. You can just have a dedicated developer at E two M solutions do that for you.
Speaker 2 00:29:01 So go check out E two M solutions, E two M solutions, and the letter E, the number two, the letter m solutions.com/agency-mavericks to get a very healthy discount on your first month. And a big thank you to those guys for being the sponsor of our podcast, and of course, our mcon live events. What about hosted platforms? Because we have a lot of mm-hmm. <affirmative> and, and, and you know, what's interesting is that you are talking about security for software platforms, right? So if I look at something like, you know, I mean, Squarespace, we're a very, very large company. Mm-hmm. <affirmative>, but if I look at some of the smaller players, like I'm, I'm, um, testing and experimenting and exploring some options like framer.com at the moment, which is a A C M S really designed, it's a web hosting platform designed for design team. So it's, you know, it's designed to be no code.
Speaker 2 00:29:48 Um, yep. You've got a lot of people relying on things like Zapier every day to run their business. How much trust are we putting in these companies to, to, and, and, and what do we know about their security vulnerabilities, right? Because we, we've been a WordPress shop for years, and I can tell you the admin and development overhead that it's cost us, I probably could've bought another house, right? Because we've been managing and the hosting fees. And so I look at something like Framer and go, wow, would, it's really appealing for me to go all in and pay them a hundred bucks a month to just do it and look after it. And we have this beautiful interface to manage our content, but how much trust I'm putting my company's, which is my asset, I'm putting my company's security in their hands. What, what do I need to be? What are my blind spots there?
Speaker 0 00:30:31 So I, the way I frame it is that trusting is good, but verifying is better. And so knowing how to ask the right questions of a provider before you take that leap of faith and, and go all in with them can be really helpful. Now, there's a whole bunch of, of ways to do this. Um, many people send out little questionnaires, but there's some kind of shortcuts if we were trying to be like this quick as possible. So firstly, ask them, do they have a security certification? So something like ISO 27,000 is a good benchmark. If they've passed that, they've been audited for quite a considerable period. They've got some stuff in place. So that's like a, a nice shortcut. Do they have ISO cool? Um, also look who their other customers are and ask for testimonials. So if they're dealing with a bank or they're dealing with an airline or a regulated industry as part of the procurement process, they will have had to submit answers to security questions.
Speaker 0 00:31:24 Mm-hmm. <affirmative>. So if you can talk to and verify that they genuinely have customers in those organizations, that's a good sign. If you, you're a smaller organization that somebody much bigger than you has probably put them through the ringer before you. Mm-hmm. And the final set of things, how you want to be talking about is the control you have. So bring yourself a little experiment. So sign up for your little demo account. Have a play around. You wanna always ask yourself, what data is this asking from me? And where's it gonna keep it? You know, is it all in one big database? Is it in a file somewhere? You know, what do I know about that? If I chose to delete something, does it really delete things? Can I get rid of stuff? If I chose to change my mind tomorrow, can I back outta this?
Speaker 0 00:32:06 That's always important. You should always be willing to say no to a tool, especially if the terms of service change, et cetera. Um, and thirdly, how do I control access? Mm-hmm. <affirmative>. Now, if the tool is charging you per, per person per year, and actually, you know, that budget wise, you can't do that. So you're all gonna end up sharing an account. Mm-hmm. <affirmative>, that's a big red flag. Mm-hmm. <affirmative>, um, 'cause our biggest compromises, most 80% of compromises are really what we call the boring basics. They're account compromises, things like, I had a bad password or a password that was shared with 20 people. Um, if we can't have individual accounts on that tool so that we can, you know, if somebody leaves our company, we can take the tool access away access, then we've probably got some challenges there. So look for those three things. What data is being stored? Where is it being stored? What control do you have? Can you delete it if you change your mind mm-hmm. <affirmative>, and then look at that access control piece and look for that evidence that big customers have used them before. You don't necessarily wanna be the first adopter of a cutting edge technology, uh, all the time. Mm-hmm. Sometimes that can be a bit high risk mm-hmm.
Speaker 2 00:33:09 In a sandbox, it's okay. Right. Yeah. But not, not not in production life. Yeah,
Speaker 0 00:33:14 Absolutely. We just ease into the big scary stuff.
Speaker 2 00:33:16 I'm gonna ask you a very nerdy question because I've got a couple of friends of mine who are agencies, but are getting into building software. And I, we also use some software platforms that are built on top of things like a w s Google Cloud. And I know that, uh, so the question is, if a software company is saying, and I'm gonna read something here, I'm not gonna say who the software company is, but they're gonna say something like, you know, um, our, our software is built o on a cloud infrastructure provider such as Google Cloud and Amazon Web Services, and they are ISO 27,000 certified. So therefore we are all good now. Right? So this was, now for those who are not watching, Laura is vehemently shaking my head, shaking your head, head no, that is not okay. No. 'cause they're building interfaces and APIs and databases on top of that hosting infrastructure, right? Yeah.
Speaker 0 00:34:06 So think of a w s or any of those hosting providers, Azure, Google Cloud, it doesn't matter. They're all the same mm-hmm. <affirmative>, think of them like a giant Lego set. Mm. So yes, those individual components, the bricks, the, the foundation pieces are certified, and a w s Amazon itself has good practices. However, you can build whatever you like outta those Lego blocks mm-hmm. <affirmative> and it's only gonna be opinionated in certain places. So a w s is only gonna tell you in certain times not to do things. That's a silly idea. Mm-hmm. <affirmative>, so like an infinitely big Lego set. You could build something that was a fortress mm-hmm. <affirmative>, and it could be gloriously secure, or equally you could just poke holes through every bit of configuration, turn on everything. Yeah. And it could be wide open. Yeah. Uh, what you choose to do with those tools affects its security. Yeah. Yeah. So it's great you chose a trusted provider and that they have the ISO certification, but now you have responsibility for what you've done with that Lego set. Yeah. So unfortunately, that's where your practices come in. Yeah.
Speaker 2 00:35:05 I, I'm gonna give you a very practical example of this. Sure. Um, I had a bucket once in S three, and this is a, this is like a super dumb, super nerdy example, right? But I just want to exemplify Laura's point here for the listeners. I had a bucket in SS three once that we had a bunch of documents in, and we built a, I built a prototype of a little desktop app where customers could have like a little Google Drive icon in their and their thing. And every time we uploaded a new version of our templates into the Google, into the A three bucket, it would like pinging them and go, Hey, there's a new version here. And Amazon sent me an email. I mean, it wasn't them, it was one of their robots sent me an email saying, Hey, this bucket has got the wrong security permissions on it.
Speaker 2 00:35:41 You need to actually have these permissions set at a file level, not the bucket, because the entire bucket is open for the world to do whatever they want with. Right. And at the time, I'm like, well, that's right because I want my customers to have access to the bucket, blah, blah, blah, and I'm not gonna give individual permissions to the individual things in that bucket. And I had no idea what I was doing because I was an amateur, and I didn't think it would happen to me. And luckily nothing did happen. But the point is, uh, that I could keep tra I could keep doing that and have an insecure bucket. And Amazon were like, well, this is your, we've told you it's your problem. If anything happens, not our problem because it's all new. Absolutely.
Speaker 0 00:36:14 Um, I had a similar fumble. I'm happy to share mine because it might be relevant to your audience. Um, back when we were still a consultancy and I was dabbling around in some, uh, coding myself, um, I had one of those moments where you're coding at the wrong time of day, you're really tired. And, um, something was left as an open source repo that should have been private, and it had an a w Ss key in it. Mm. And I didn't think much of it. Um, you know, just flip it over the next day. Great. Fine. Good. Except for in the 12 hours I was away from my desk. Whereas, you know, at home with my family, some very opportunistic automated robots somewhere, uh, found that key and then spun up new resources in a w s using the key and mine $3,400 worth of resources to try and get Bitcoin.
Speaker 0 00:36:55 Oh, wow. And so, you know, this is, this is Amazon. The first thing they do when you run up an ex exciting bill like that is they charge a credit card. Yeah. But there's no like, debate at that. Yes. So, you know, even as a security person, we all make mistakes. Totally. We all misconfigure something from time to time. Yeah. And these can have really fast, really material impacts for little companies. Yeah. So, you know, not many of us can take a several thousand dollars unexpected credit card charge and just wear it. Yeah. So, yeah, you've gotta be careful and, and remember every change you make, you just gotta think through what's the impact of this on security. Mm-hmm.
Speaker 2 00:37:31 And this is why in software companies, like things like code reviews and security testing before we push live is so important. It's not something that is so common in the web, um, space. I mean, even though we do have, you know, a good host will have a, like a production server, a staging server, and then a li mm-hmm. <affirmative>, you know, li sorry, a development server, a staging server, and a production server. Um, but to make sure that, you know, sometimes, particularly with WordPress, for example, if you're pushing changes to your code live from staging, the database may not be synced between live and staging. And so then you've got mm-hmm. <affirmative> data that's interacting with that code, which may open a vulnerability, uh, which you're not aware of in the, in the staging environment. So you, you just, I, I'm curious as to you, you've said this a couple of times that you see, this is not a hindrance, but an opportunity, right?
Speaker 2 00:38:16 Mm-hmm. <affirmative> and the mindset of a lot of people listening to this, including myself, is this is a massive pain in the ass. It's gonna take me time, which costs me money. How do I monetize this? How do I turn this into an asset for my company? How, you know, what is the growth strategy for security? Is it, is it we skill up and we go and find, uh, we, we let our clients know what we're doing for them, and we also go and find potential prospects with security vulnerabilities and reach out to them. Like, what is the growth strategy to, well, how do we make security a growth mechanism for us?
Speaker 0 00:38:47 Yeah. Well, I'm, I'm gonna call that that last one as ambulance chasing. We don't do that. No. Good people don't let other people do that. Um, so no friends don't friend, uh, try and exploit friends if they have vulnerabilities. Um, but we, what we can do is, firstly, it doesn't need to be this huge thing. Um, we teach a program called One Hour AppSec. It's, um, it's completely free. You get a newsletter every two weeks. And the aim is you do 60 minutes of security every two weeks. That's it. Just one hour. Mm. And the aim is not to try and do everything, but to try and do that minimum viable security that little bit each time. Now, as you are building up those practices for your own organization, you can start to see which ones of those you can help a customer with, and you can articulate then why they matter.
Speaker 0 00:39:30 'cause you are doing them yourself. And so building up slowly and, and being able to talk about it as part of your value proposition, I, I, I don't have a lot of support for organizations who try and charge it as a separate service line item. So, oh, you know, have an optional security package for a hundred dollars a month or whatever, nobody's gonna buy it. No. Um, but they actually, without realizing it, already assumed you were doing it. Mm-hmm. <affirmative>. So just having the line item then often causes this jarring friction point where you go, Hey, hang on, what do you mean you weren't doing that already? Mm-hmm. <affirmative>, um, you know, their expectation is you are providing a high quality service, and that for them means keeping them safe. Mm-hmm. <affirmative>. Um, so you've got to find a way to bring it into your core offering and to articulate it in a way that, you know, if you do have to raise your rates a little because of it, that you can explain in non-fire driven terms why you're doing that.
Speaker 0 00:40:21 Mm-hmm. <affirmative> and how, you know, don't be grand about it. Don't say, Hey, we're gonna do it. We've got a security operations team, we're gonna be monitoring it 24 7. And if you don't have that, don't do that. But if you, again, go say, well, we're gonna spend two hours a month, we're gonna check all of your patch levels, we're gonna update things that need fixing, and we're gonna just have a quick check and see if there's anything needs changing in the world, you know, that's much more pragmatic. Mm-hmm. <affirmative>, somebody's gonna see the value in that and go, oh, cool. So yeah, that's two hours I don't have, and I don't have those skills. So yeah, sure. Go do that. That's cool.
Speaker 2 00:40:51 From a content, uh, cheat point of view, which I'm always looking for a leverage point too, that, so the one Hour AppSec is a free email program you sign up for, you get an email every two weeks, it shows you how to do, you know, one thing in 60 Minutes to upgrade your security. Yep. I would be, uh, I adopt my, the philosophy of my friend Miles Beckler, who's got a great philosophy, learn, do, teach. I would learn that I would do it, and then I would blog about it. I would create content about it. Say, Hey, check this out. I just learned this, blah, blah, blah. This is super cool. And that position you as someone who knows a bit more about security than you did last week. So, um,
Speaker 0 00:41:23 Exactly. Look, all of us, every single one of us are here doing an amazing thing, but we didn't get here by like the ray of lights shone upon us and we suddenly knew how to do it. Our whole industry has massively evolved in the last 15 years. Mm-hmm. <affirmative>. Um, I can't count the number of ways that software has changed in that time. So, you know, oh, no, be authentic. Share the, you know, okay, this is a, an emerging space for us. This is something we want, we care about, here's what we're doing for it. Your customers are really gonna be, uh, impressed and probably quite connected with the idea that you see this and you are looking out for it because you then look out for them.
Speaker 2 00:42:00 I, it would be remiss of me not to ask this question. And, and I'll, I'm conscious of everyone's time, so we'll, we'll maybe finish up here, but, you know, this could be a whole other, whew. This could be a whole other two day seminar. I think. How is AI impacting the cybersecurity space?
Speaker 0 00:42:17 Okay. All right. So, um, I'll, I'll keep it really focused. So yes, AI is scary, but like, everything's scary to a security person. <laugh>, like we're we're permanently in a split personality between super excited and terrified that that's just my world, <laugh>. Um, it's not coming to take the jobs. We all know this, but it is a massive productivity boost. Mm-hmm. <affirmative>, I think we're only just seeing the start though of what this will become. There's bits of law coming in Europe about AI needs to be able to explain how it made a decision. And I think all of that evolution is gonna be really important to watch. So watch that space, particularly in Europe and see how explainability comes to ai, because you never wanna a trust decision if you don't know how that decision was made. Mm-hmm. Um, the other side of this is, the best thing you can do is still experiment, still use it. AI is a glorious tool. I use it to construct social media posts and to write stories for my 10 year old girl who wants a fan fiction between Harry Potter and god knows what else. That's so good. Totally stealing it. Ultimate bedtime stories. Like that's absolutely right. You name your favorite characters, they can be eating burgers together in a cafe in Netherland. Uh, it's wonderful. Um, so yeah, there you go. Life tips. I've earned my value already.
Speaker 2 00:43:26 Well, my son Oscar always said, we read books at night and then I lie down with him and he always says, tell me a story from your head. And I'm like, oh dude. Like, really? It's late. I'm tired. Uhhuh, I'm, I never even thought about that. Dumb. Yeah. Yeah. Thank
Speaker 0 00:43:38 You. Well, my, that's why I got it because my four year old likes to go, mom, I need a story that's about the poor patrol. It needs to have Everest and Sky. Yep. And there needs to be a dinosaur and a puff in. I'm like, what, what is going on here? Anywhoo coming back to ai. Um, so what we need to remember though is it's an exciting tool. It's gonna help you in lots and lots of ways, be creative, do play, but the most powerful, valuable thing you have is your data. Mm-hmm. So be really, really kind of conservative about what sensitive data you share with ai. And remember that AI is an evolving engine. Anything it eats, it turns into new content. Mm-hmm. <affirmative>. So that means that stuff you share as your prompt is could turn up in other things later. So you don't wanna be sharing things that are really sensitive IP in there.
Speaker 0 00:44:24 You don't want to be popping things out there that you wouldn't be comfortable sharing, and you certainly don't wanna put client data in there. Mm-hmm. <affirmative>. Um, so the final bit of tip is all of your tools, every single tool you're using right now is probably updating its terms and service, uh, because a lot of them are embracing AI and using your data to train the AI models. So do keep an eye out for the change of terms and conditions and make sure you are happy with that. I think Zoom got itself into a little bit of, uh, hot water a couple of weeks ago mm-hmm. <affirmative> by changing their terms and conditions. Um, so keep an eye out and make good choices. If something has gone too far and there's too much data being shared, or you don't feel like you have that control, if you remember from the three things that we're doing when we choose a tool, then maybe it's time to change tools or, or slow down a bit and see how it's going.
Speaker 2 00:45:08 Love it. Um, this has been, I I, I must say this has been a super interesting conversation and, uh, I didn't, I'm just scratching the surface here. You don't realize how much this plays into our everyday working life being, you know, doing what we do. Um, so thank you so much for your generosity and your time and coming on the agency, our podcast. I do wanna give people a way to reach out. What is the best way for people to get started? Uh, safest stack.io has a free plan. Mm-hmm. <affirmative>, absolutely. So you can go and start learning stuff over there for free. And also the one hour AppSec email, if you go to safest stack.io, you'll see a banner up the top, other one Hour AppSec. Uh, just sign up for that and, and, and get started with educating yourself on security.
Speaker 0 00:45:49 Yeah. The other thing is do feel free to link, uh, LinkedIn me. So connect or follow me on LinkedIn. I'm sharing content all the time that is specifically aimed at businesses that are not huge, that just wanna get something practical going. Um, and, you know, reach out, share your stories. The one thing that we need to do more in security is talk about it. And not just in a doom and gloom sense, but what we're doing, what was hard, what we learned, so that we can do all of this together. Mm. Because the more of us spend a little bit of time, the more powerful the change will be overall.
Speaker 2 00:46:17 Love it. Laura Bel main thank you for joining us on the Agency, our podcast.
Speaker 0 00:46:21 Thanks so much for having me. It's been fun.
Speaker 2 00:46:25 Hey, thanks for listening to the agency, our podcast, and a massive thanks to Laura. I seriously love your story and what you do. Truly inspiring stuff. It was great having you on the podcast, and I'm glad we connected. I'm definitely gonna start using chat g PT to write my kids stories about Octa aut and Cory Carson. Okay. Folks, don't forget to subscribe and please share this with anyone who you think may need to hear it. I'm Troy Dean. Lock your doors and protect your agency.
