
Cyber Savvy
A successful cyber-attack has taken your company off-line. The FBI and CISA have been contacted. What now? As you know, if this hasn’t already impacted your business (either directly or indirectly), it will.
How can you make yourself a harder target, mitigating against cyber-attacks? What does all the terminology mean and why does it matter? What happens if an attack is successful?
Join DTC, Inc. as we outline, in a straightforward manner, many of the issues surrounding cyber security which directly impact business owners. Our Cyber Savvy podcast episodes feature Mike Shelah as he brings in a new guest each month.
New episodes will be posted twice a month, on the first and last Thursday. Make sure to follow and subscribe wherever you listen to your podcasts, so you don't miss new content!
We would love to hear from you! Please send us your comments and questions to: AskUs@DTCtoday.com
Back to Basics! Understanding Your Digital Crown Jewels with Evgeniy Kharam | Part 1
In this episode of the Cyber Savvy Podcast, host Mike Shelah interviews cybersecurity expert Evgeniy Kharam about the fundamentals of effective cybersecurity. Evgeniy shares insights from his journey from firewall engineer to security leader, emphasizing that the biggest challenge in cybersecurity isn't technical knowledge but communicating complex ideas effectively.
They discuss the importance of understanding a business's "crown jewels" - the critical assets that need protection - and how these vary across different industries. Through real-world examples, they explore why basic security practices often get overlooked and how businesses can better protect themselves by partnering with security professionals who understand their specific needs.
This conversation highlights the intersection of technical expertise and soft skills in building effective security strategies.
Want to hear more? Past episodes are all posted, including on YouTube! Follow and subscribe on your favorite podcast app to ensure you don’t miss out on the conversation!
Mike Shelah (00:00)
Hello everybody and welcome to the Cyber Savvy podcast. I am your host Mike Shelah and today's podcast is powered by DTC and remember at DTC we make shh.
IT work. To learn more about us, go to www.dtctoday.com. Our guest today is going to be a fun departure from some of the normal topics that we discover. Yes, we will certainly talk about cybersecurity, as he is an accomplished cybersecurity expert. He is also an entrepreneur. He is also an author, and I cannot wait to nerd out about his book, which is
called Architecting Success. Evgeniy Kharam thank you so much for joining the Cyber Savvy Podcast. Welcome to the show.
Evgeniy Kharam (00:49)
Thank you very much. Thank you. Happy happy to be here today. We definitely want to dive into cyber security soft skills and maybe connect between them as well, because in my mind there is a connection.
Mike Shelah (01:01)
I wholeheartedly agree. So, Evgeniy and I kind of met on the road together. We have a mutual friend in Phelan Roe and Phelan has had us speak at several of his events over the last few years and we talk on similar subjects.
I'm very much in the sales side of the world and Evgeniy is very much in the social skills and soft skills and communication aspect of the business, which are all very crucial to being effective in technology. You know, today, so many people think that IT simply means tools and technology, but they forget how critical the people aspect of the business is.
Evgeniy Kharam (01:47)
The interesting part is that my core expertise came from being a firewall engineer. So I started as a firewall engineer. I moved to become a manager. I managed several teams in endpoint security, network security, cloud. Same. So I had quite a long career in security, very, very deep technical. Funny enough, when I was working in Israel for Check Point as a QA analyst,
and I moved to Canada, in my mind, I was thinking everybody knows how to debug a firewall. It's very common. You just open up the console and you go and understand how everything is working. Not really. But as you mentioned, the biggest aha moment for me was: it's not what I know, it's not what my people know, it's how we communicate this idea to other people. Because if you are very smart,
but we cannot explain our ideas in a language the other people understand, not always simplifying, then it doesn't matter. You're going to just be a geek, you're going to be very smart, and some people will admire you for how geeky you are, but this is where it's going to
Mike Shelah (02:56)
Yeah, I think you make a very good point that from the customer partner relationship standpoint, that when we are talking to a customer, their expertise lies in another world. It lies in another niche, another industry. And so while they may understand some of the words we say,
to presume that they understand all of them is dangerous.
Evgeniy Kharam (03:25)
I have a funny story about it. We were doing a workshop. I was already VP of architecture at Herjavec Group and had been running quite a lot of different people, doing a lot of pre-sales activity, a lot of architecture designs for enterprises. And we were doing a workshop for a company that basically makes chickens, not makes chickens, but basically takes chickens, you know, prepares them and ships them later on. And we spent a lot of time on OT and IoT, network security policies.
But we're trying to get, like, what is your biggest fear? And me and the team are all set on technology. He's like, not really, salmonella is our biggest fear. And that the breach will break down until coming across an island tour manufacturing facility. Like, okay. So we are not talking the same language. You know, we care about different things.
Mike Shelah (04:16)
Yeah, talking the same language is a critical piece to all of it. Whenever I talk to a prospective client, the very first thing I say to them is, today is not a technology conversation. Today is a brand and revenue conversation. I just happen to do that through
Evgeniy Kharam (04:37)
It is very important to understand and speak the language of what the customer wants and understand if they want to talk business terms, if they want to talk technology terms. What is the biggest and most important outcome of this conversation with a customer or with a particular person we're talking to?
Mike Shelah (04:53)
So let's go back to the beginning, as the saying goes. You've been in this industry a long time now, you've done a lot of work around cybersecurity with and for businesses, and you've got your finger on the pulse of what's going on in the marketplace today. If you had to identify
Evgeniy Kharam (05:10)
Thanks, everyone.
Mike Shelah (05:15)
that one thing today that businesses are missing as far as cybersecurity is concerned, what's the number one thing that, when you talk to a business, more often than not they seem to be missing or they seem to be overlooking?
Evgeniy Kharam (05:30)
It is not sexy, as it is. We're coming back to the basics, and the basic is to understand our assets, understand what we are protecting, and this is a fundamental step to later on understand what are our crown jewels, what are the most important parts of our business that we need to protect, and the
I can give you simple examples. If you are a company that basically provides internet, you're an ISP, your availability to provide internet will be very, very important. If you're a marketing company, you may not really care about the internet. You can probably do a hotspot from your phone, but the designs, for example, if you do digital marketing, let's say the designs of the companies you have, let's say you work with a company that is doing digital marketing for some of the
brands in automotive like Audi, BMW, the intellectual property of the cars that BMW is going to be releasing, this is their crown jewels. So these are the assets they need to protect and everything else is going to be less important. So every company has something unique about them, what they care about. Like we spoke about the chicken manufacturing companies, you know, it's all about the chicken. So
understanding the assets we have and understanding the priority or the crown jewels of these assets and what we need to do to protect them. And in many cases it's the brand protection, in many cases it's the availability, it's really understanding what's happening. If you're a medical doctor, for example, probably the people's identities that you have and you maintain and the records are
going to be the part you want to protect, because the knowledge is in your head, but people trust you with their medical records. So it's really going to depend on the company. And in the end, where we have this answer, it's: it depends, but I'll start with assets. I'll add the crown jewel part to understand what we are protecting. And then we need to understand how. And of course we can go left and right or, you know, up and down, because there are so many different ways to do it.
Mike Shelah (07:44)
Yeah, I love that you use the marketing example, because I had never thought about that until a little over a month ago. I met with the owner of a small advertising company here in Baltimore and I gave her my 10-minute. Yeah, I've got this little concise 10-minute that basically says, you're either going to hear this and go, that makes sense, or you're going to hear this and go, I don't care.
And that's how I approach every new prospective client. Digest this 10 minutes, love it or leave it. Either way, I'm OK. And she had pointed out to me that if we had to recreate all of the IP that we've created for our clients over the years.
we couldn't do it. Like, if we were suddenly locked out of all the design work, all the logo work, all the concepts we've come up with, we couldn't manually recreate that stuff. Maybe 20% of it we could manually recreate, but it would take a hell of a lot of time. And, you know, they would be functionally dead in the water. And that was a real
eye-opening moment to me, as you put it, the crown jewels, because so often as cyber professionals, when we talk to a business, you know, we talk about, you know, protecting your data, and so many businesses go, well, I don't have any data. You know, I don't have any data anybody cares about. And the answer to that is, well, there's always somebody that cares enough to steal it from you.
Evgeniy Kharam (09:19)
And I'd go even, even more: unfortunately, they may not care. They may just launch an automatic attack and you just fell in basically from friendly fire, we can say this, or you're a casualty of something else. You were just part of a bigger attack and you just fell for it. Like, there is evidence of bad guys putting malware on different companies and these companies call them and say,
Hey, I'm a non-profit, I am XYZ. Oh, sorry, we didn't want to attack you, we will remove them. There is evidence of this, you know, because the bad guys, as bad as they are, don't always want to hit everyone. But you may fall under a massive attack. We had a lot of DDoS attacks in the past that would just hit a lot of different companies. Guess what? AWS from time to time goes down,
for the last 10 years at least three, four times, from DNS errors, from config errors. Guess what? You're going to be going down with them if they're going down. Or Microsoft. So it's not always you, you may go down because of somebody else. And you brought an interesting point about protect. So if you're taking this marketing company, I probably want to create different security controls to protect the data, so it will not fall into the bad hands.
But you mentioned that the fear was not just to lose the data to somebody else. It's just to lose the data. To not have them accessing the data. So in this case, my mind goes to recovery. How do I back up the data? Where do I store the data? Who has access to this data? Is this the same girl or guy that has access to your data center, using the same password, using the same credentials? Do you use MFA? So can we understand?
Mike Shelah (11:01)
Great point.
Evgeniy Kharam (11:15)
and create a scenario, and in many cases when you tell the person, we don't have any data, what you're describing, it's almost like a tabletop exercise. Okay. Let's kind of, let's pretend what will happen if blah, blah, blah, what will happen if blah, blah, blah. And you know what I find very interesting when we talk about security awareness, and it's a part of security awareness, which is on a different level: you'd be like, it's boring, I don't care. And I always reflect to something they care about.
Gentleman, lady, do you have kids? Like, yeah. When you go to a park, do you educate your kids what happens if they get lost? Oh yeah, definitely. Do they have a phone number? Do they run by phone number? We tell them we're going to meet near the post. Okay, when you're going skiing, when you're going somewhere, do they have a way to communicate? Maybe they have a phone, maybe they have something else. Do they have a store? And in the majority of the cases, the moment we're talking about something personal, and not just kids, it could be elderly people.
Do you care about your parents? Do they have a button to contact you? Do they know what's happening? Is it an emergency? People always have an answer. It's like, of course. So now think about it for a second, like, this is what you mean about security awareness. Like, yeah.
Mike Shelah (12:13)
Sure.
Yeah, and even beyond that, because we just covered a really important topic, which is losing something of high value to the company, like intellectual property. I met with a friend of mine who owns a small solar company, and this was just a catch-up. He and I hadn't spoken in a while, it wasn't a sales pitch, but it ended up turning into one.
Evgeniy Kharam (12:49)
Wait a second, isn't
this ABC always be closing? Is that always a sales pitch?
Mike Shelah (12:54)
You and I could have a very long conversation about Glengarry Glen Ross and how that ruined the sales industry.
Evgeniy Kharam (13:00)
Okay,
don't forget, I worked with Robert Herjavec for 17 years. Beside the movies, I saw it live all the time. I saw in front of my eyes how every conversation somehow we turn to a sale. Robert, can we take a selfie for my daughter? Definitely. What are you guys doing for the business?
Mike Shelah (13:18)
Yeah, there's definitely a seed of truth there. So this friend and I were just chatting back and forth, and he didn't have an ISP, or I'm sorry, an MSP, and someone got a hold of his username and password for his Microsoft 365 address and used that as a spam bot.
They sent out 10,000 emails through his email, to the point where Microsoft shut down his email because they thought he had just gone rogue. So now he's dealing with several things. One, huge brand damage, because all these people got these bogus emails supposedly from him. From a functionality standpoint, his legitimate business can no longer contact him through his old email,
and he now has to create a new email, which is not the end of the world, but when you think about just the basics of, you know, my website has my email on it and my business card has my email on it, all these things that came out of that, and that's just simply because this person had access to his username and password for his 365 account.
And then that begs the question, what else was he doing within 365? Was he utilizing SharePoint? Was he utilizing Excel? Was he utilizing Word? The whole suite that comes along with that. Was he utilizing Defender? So was that the same login for all of those things? And I think that's the piece that particularly your small business owners, I think if you talk to your average CIO or CTO,
they get that concept that it's a domino effect that can quickly knock over several things. But I think your average business owner walking the streets doesn't think about that impact.
Evgeniy Kharam (15:15)
This is very interesting, and it is a psychological problem in my mind, not a technology problem. You mentioned this particular friend has a solar business. He's talking to my accounting. They're like, hey, here's my finance. Then let's do a Zoom call. I'm like, oh no, I don't like Zooms. They don't work for me very well. I'm okay, I'll come over. I'm coming over and she sent me some document and I start asking her basic questions. Like, no, no, I don't know. This I don't understand. I'm like,
Do you understand you're holding all my finance? Like, who's taking care of your IT? Now it's personal for me, because she has no idea. Oh my, she's a brilliant finance person. But the way she stores documents, what she does, is out of her understanding. So we end up talking to her IT person. I explain my frustration and some of the things, how she does it. But where I'm going with this is, people focus on their core business, and they should focus on their core business.
If you are accounting, accounting; you're doing ice cream, ice cream; solar, solar; mechanic, mechanic. You shouldn't, unless maybe you just really want to understand everything around it. This is why IT, MSSP companies, people that are doing this day by day, subject matter experts, can come and help understand this. That's why you and I are not trying to do our own financing, we're going to somebody else, because this is what they do. And this is the
Mike Shelah (16:37)
Absolutely. You don't want me doing that.
Evgeniy Kharam (16:39)
the part people don't understand sometimes. And coming back to passwords, people are like, I cannot remember 25 different passwords. Leave me alone. I want something easy. And, like, okay, fair. There are solutions for this. But if you're not doing this, if you're reusing the same password everywhere, you're potentially creating a much bigger damage to yourself. There are stories right now. We don't have to go deep to companies. There are stories about influencers.
It's a one-person job, basically selling pictures or something funny online, and they're losing their accounts to the bad guys who are now using the credit cards and using the other people to sell crop, just because they were not paying attention enough to understand what can be done better.
Mike Shelah (17:28)
Yeah, I've visited several websites in preparation for a meeting with a prospective client, or, you know, I'm visiting a new networking group, or I'm about to have a one-on-one call with a new referral partner. You know, it's always a good idea to take a look at things and see where they are, and I'll go to their website and, you know, it's not their company, but it's, you know,
Japanese cash casino slots. They're like, wait, what happened here? Well, somebody hijacked their website.
Evgeniy Kharam (17:59)
And this, I think, brings an interesting point as well. I'm talking about interesting points quite a lot. In many cases, you as a business owner are not going to build your own website. Why? Because it's not sexy anymore. You're going to trust Joe, Julia, someone else to do it for you. And it's good. It's fine. We just mentioned that. Let's let the professional do this. But you need to do due diligence, understand what this particular person will do for you.
How do they maintain this? How do you understand where your assets are, back to assets? Because you want to know. You cannot protect everything. It may happen to anyone, but at least you want to know that somebody did this and you can fix it right away. Or you know it even exists. And many things that people don't know.
Mike Shelah (18:47)
Yeah, and along with that, when you choose somebody to create your website, what is their philosophy on security?
Evgeniy Kharam (18:54)
Good topic.
Mike Shelah (18:55)
You know, is that a top five priority for them when they're designing, or is it something they sort of check the boxes to say they did the right things? Yeah, that's a big topic for me when I talk to business owners and they say, we have that taken care of. And I go, well, how do you know? Well, my IT company takes care of that for me. I go, okay, well, let me ask you this.
When's the last time you sat down with your IT company, and they reviewed all the assets that you have on your network and asked you about who's been added and who's been removed in the last 90 days? They go, what do you mean? I'm like, you know, Bob was with you for six years. Bob left the company last month. What did you do with his laptop?
What did you do with his email login credentials? What did you do with his other credentials to the rest of the software that makes your company work? You hired Mary. Did Mary get Bob's old laptop or did you give her a new one?
Evgeniy Kharam (19:50)
100%.
It is definitely a problem. It is definitely a part people need to understand. But you know what, we sound, we make this a bit very, very complicated. And I think it doesn't have to be very complicated. In many cases, it's the same as you doing a test for a fire alarm. You're not going, every month, to do a task like, what should I do today? You hired someone, or you have a checklist and you go to the checklist. So
The same with security. You establish the basic principles and you go into the basic principles and you have a procedure to do it. You don't want to hire anyone? Do it yourself. Ideally hire someone. Take this responsibility, give this responsibility to somebody else. Focus on your core business. Please make them accountable. As you mentioned, understand what they are going to give back. Check with them. And if they're not doing what you expect them to do,
or you don't know what to expect, ask somebody else, ask a friend, then change to somebody else. But I expect that my IT company, my MSSP company, if I work with someone, will chase after me and tell me what's happening, good or bad, versus me chasing after them.
Mike Shelah (21:06)
Yes, agreed, which is, you know, why something like a quarterly business review is so critical. I am very fond of the doctor-patient analogy when it comes to MSPs and their clients in that you're going to talk to your doctor, you know, you're going to go for your annual physical, and at the end of that annual physical, nine times out of ten, they're going to tell you nothing's wrong, which is what you want.
Evgeniy Kharam (21:33)
This is good.
Mike Shelah (21:35)
Yeah, you want them to tell you nothing's wrong. Now, that tenth time where they discover something, well, I'm glad we discovered it now. So let's lay out a plan to deal with the bad thing.
Evgeniy Kharam (21:50)
And if you go on with this analogy, if you're doing tests and everything is okay, he's not going to call you, but if there's a problem, he's going to call you and tell you there's a problem.
Mike Shelah (22:00)
Yes. Yeah, and I think that's the dynamic that seems to be missing a lot, particularly in the small business world. So many of the managed IT providers out there are, hey, we'll set up a firewall for you. We'll put on some antivirus. If something breaks, call us.
Evgeniy Kharam (22:15)
Yeah, but it's also... You know what we call ambulance chasers? They will call you at the end of the year like, hi, Mr. Customer, how are you doing? The renewal is coming next week, is everything okay? He's like, now you're calling me? When the renewal is coming, where have you been the entire year?
Mike Shelah (22:19)
Shhh!
Yeah, it's gotta be proactive and it's gotta deliver value for the client. So Evgeniy, this has been a great first segment. Would you please, before we wrap up, tell our audience how they can get in touch with you. And in the second segment, we're gonna talk about your book. I'm very excited.
Evgeniy Kharam (22:37)
Yeah.
The easiest way to get in touch with me is going to be through LinkedIn. So you go to LinkedIn, type Evgeniy Kharam, E-V-G-E-N-I-Y, and last name Kharam, K-H-A-R-A-M, and probably you just want to do it there. Yeah. I'm always on LinkedIn.
Mike Shelah (22:56)
Okay.
As a fellow LinkedIn nerd, I appreciate your mindset. All right, well, to our listening audience today, thank you for tuning in again to the Cyber Savvy Podcast. Be sure to come back next time, because we're going to talk about Evgeniy's wonderful book, Architecting Success. And remember, this episode was powered by DTC. To learn more about us, go to www.dtctoday.com. And remember, at DTC, we make shh.
IT work. Thank you.