Recently, GreyCastle Security CEO Reg Harnish was featured on the Cybercrime Magazine podcast as part of the “Small Giants in Cybersecurity” series. You can find the video and a full transcription below.
Speaker 1: Welcome everybody to Cybercrime Studios. We’re brought to you by Cybercrime Magazine and Cybersecurity Ventures, the world’s leading researcher and publisher covering the global cyber economy.
Georgia: Hi everybody. It’s Georgia from Cybercrime Magazine and I’m here today with Reg Harnish. He’s the CEO and founder of GreyCastle Security, which is on our Cybersecurity 500 list.
Reg Harnish: Actually we’re number one in the services category, so proud of that.
Georgia: That’s awesome.
Reg Harnish: Yeah, thank you.
Georgia: Congratulations. How long has GreyCastle been in business?
Reg Harnish: We started business in 2011. The idea was born more like 2010 and it’s been a good run so far. Seven and a half years of significant growth last three, 650%, I think 5000 a couple of times. So we’re pretty excited about what we’re doing and I think the market has really responded to our approach, which I think is a little bit unique to what we’re seeing out there.
Georgia: Yeah I definitely want to talk about that approach that you have with all of the virtualization. First off, just tell me a little bit about yourself Reg. I know our audience loves to get to know the CEOs behind all of these companies. So how did you start out in this business?
Reg Harnish: Great question. So I had owned a couple, or started a couple, of businesses before GreyCastle, and the business directly before was also quite successful. We had a very large client who was interested in buying our software. And so the last step was for you to pass a cybersecurity audit. And for me, this was back in 2002, really the first time I’d ever even heard of the term. And I think we had, we’d been doing security, but we didn’t call it information or cybersecurity back then. And so the pressure was on. I was the chief technology officer and it was my responsibility to get us over this last hurdle, and it was painful. But I loved the process. I just loved the way the assessment worked and I loved how risk treatment truly directly affected the business and our ability to respond to us. The largest deal in our history was dependent on how well we did cybersecurity. I fell in love with it back in 2002 and just kind of started gravitating to it from there.
Georgia: And so tell me a little bit about what GreyCastle does that makes it so different and your unique approach to cybersecurity.
Reg Harnish: Yeah. So we believe that cybersecurity buyers need something new, a new solution. And if you look traditionally at what has worked in cybersecurity, it’s been very simple solutions that address point areas of risk. Things like firewalls and antivirus and intrusion detection. And that’s been great. But what’s happened is that the market, our threats, the complexities, regulations, these all are much more complex than they used to be. And so what works for an organization today is not what worked for them 10, 20 years ago. And so we’ve built a program where we can address every area of cybersecurity. So if you look at any of the established standards, from access control to incident response, to risk assessment, to policy, to awareness, we have experts in every one of those fields. And we’ve also, along the way, married that with another real problem area in cybersecurity, which is the talent shortage, and I know we’ll talk about that. For us, the average organization today needs a cybersecurity team and a program, but they can’t find resources, they can’t afford resources, and even if they can find and afford them, they can’t retain them.
Reg Harnish: The average tenure of a cybersecurity expert these days is eight months, somewhere between eight and 14 months in our experience. So we’ve built some technology, I call it technology, but it’s methodology around delivery of cybersecurity solutions that’s really working well today.
Georgia: Yeah I do want to talk about the labor shortage, the 3.5 million unfilled cybersecurity jobs that Cybersecurity Ventures predicts will be unfilled by 2021. And you’re saying that it’s hard to retain talent if you are lucky enough to get good talent. What are you doing at GreyCastle to fight that?
Reg Harnish: So the first is recognizing that this is not a technology issue and that cybersecurity is a much broader program, or much broader discipline, than just firewalls and antivirus. And so if you look at governance, policy, managing risk, the people issues in cybersecurity, change management, disaster recovery, these are all massive areas of cyber that largely go unaddressed because most of us, most of the industry, think of cybersecurity as a technology issue. So the first thing is we recognize that it’s a much broader discipline. The second thing is we also recognize that the average business needs an expert in encryption. That it needs an expert in access control and incident response, but they generally don’t need them full time. And so what we figured out is how to take what they were paying in cybersecurity and essentially virtualize all of that time and time slice it so that they were getting experts working in every area of their business, but only when they needed them.
Georgia: Though not 24/7 when you need it?
Reg Harnish: Correct.
Georgia: So you’re talking about managing risk, managing the people and incidents virtually?
Reg Harnish: That’s correct.
Georgia: 99% virtually.
Reg Harnish: And everything in between as well. Yes, so 80% of all of our new sales is this managed virtualization concept or some component of it. And so even if there are technical areas like buying firewalls, which every organization needs to do, we would manage that process as well because we are acting as their virtual CISO, or acting as their virtual everything in cybersecurity, so-
Georgia: A virtual team?
Reg Harnish: A virtual team. We’ve provided their entire function for them and honestly in most cases, for the price of a single employee.
Georgia: Okay, so they’re saving money as well as-
Reg Harnish: Financially the results are irrefutable because generally organizations have two options in cybersecurity today. Either the traditional route where you go and you find people and you hire them and you try to retain them or something other than that. And every study today shows that the first option is just not possible.
Georgia: And it’s coming from yourself. You’re a businessman first and foremost, and also a cybersecurity expert as well.
Reg Harnish: Yeah.
Georgia: So I mean, you’ve consistently moved up the cybersecurity 500 list. You’ve tripled your revenue year after year. Tell us a little bit about that and your business acumen because you’re doing so well.
Reg Harnish: Well honestly, this is my fourth business and so I’ve made all my mistakes in the past, or hopefully all of them in the past, right. And so it’s been really the first time when we’ve been able to really focus on the solution and what it was we were delivering and our value, rather than figuring out how to run a business, because we kind of figured out how to do that in past organizations. So yeah, in 5,000 a couple of years in a row, last three years, 650% growth. I think a lot of it is the industry pushing its buyers to us because one, what they’ve done in the past perhaps hasn’t worked or hasn’t worked enough, where they felt like they were doing enough in cyber.
Reg Harnish: Again, I think the complexity or the growing complexity of federal regulations and our threats and all these other competitive pressures as well has pushed organizations to look for something new and more effective. But honestly, the finances here are irrefutable. I mean, ask any executive team, listen, if you can get an entire team and a program for the price of an employee, what do you want to do? It’s pretty, it’s almost a no-brainer today what we do and we’ve just gotten very good at it.
Georgia: And you can’t find the individuals to work for you because of the labor shortage. They don’t exist.
Reg Harnish: Yeah. I agree. A lot of cases is not even finding them, it’s just that they actually don’t exist.
Georgia: I know you work in the education industry as well and I think GreyCastle, you have your own curriculum that you develop to hire employees or to train employees. I’m not really sure. Can you tell me a little bit real quick?
Reg Harnish: Yeah so we discovered early on that most of the folks coming out of college or university, or even from another organization, were not really prepared for a career with us because they didn’t think the way we did. So we worked very closely with a local community college to develop a 10 week certificate program. No prerequisites. Basically anyone, whether they’re changing careers or they have been in cybersecurity for five years, they go through that course, they come out and they’re a candidate for employment. So we’ve been recruiting right out of that class.
Georgia: Oh that’s really interesting.
Reg Harnish: Yeah it’s been great.
Georgia: And you’re a fellow at Excelsior College?
Reg Harnish: The National Cyber Security Institute, which was born of Excelsior College, but yes.
Georgia: And they’ve got a master’s and a bachelor’s in cybersecurity. One of the only correct colleges or universities that does.
Reg Harnish: Yeah.
Georgia: Okay. So does that affect your recruiting at all or?
Reg Harnish: One of the nice things is that colleges and universities have caught on. I mean many of them are trying to develop cybersecurity programs. Their challenge of course is that traditional higher ed is difficult to marry up with cybersecurity ’cause things change so rapidly. But the visibility is awesome. I think there are places. I’m an advisor on a number of different boards for colleges and universities trying to help them build their cybersecurity program. They want to do the right things. I think, things like online learning and the non matriculated aspects or opportunities-
Georgia: Yeah it makes more sense.
Reg Harnish: It makes more sense.
Georgia: Everything’s changing so fast. It’s like the curriculum that was developed two years ago, was just totally out of date.
Reg Harnish: Yeah or if it takes you five or six years to get through a degree program, things have changed.
Georgia: Yeah, we need people now.
Reg Harnish: With experience.
Georgia: With experience. So you have a lot of growth going on right now. You’re going through a lot of acquisitions at the moment at GreyCastle and you just acquired Orange Parachute. So tell us a little bit about that and if you’re looking at any other companies.
Reg Harnish: Sure. So part of our growth strategy is inorganic. We know we’re not going to get to 650% growth every three years unless we’re looking outside our existing environment. So what we do is every year we go through and we look at opportunities to grow the business. Some of them are very complementary in the sense that maybe it’s a direct competitor that does something very similar. In some cases, like Orange Parachute, it was more of a growth area for us, and we saw 27001 certification as a growth area and something that could also, by the way, accelerate some of our other business lines. And so we look for the best one out there and we bought them. That transaction closed in October of 2017-
Georgia: Okay it’s about a year ago.
Reg Harnish: It’s exceeded our expectations in terms of our ability to integrate the resources and then help our mutual clients do more than they ever could independently.
Georgia: And so I know that you’re also working with Assured Information Security (AIS).
Reg Harnish: Sure.
Georgia: So what’s that relationship?
Reg Harnish: Yeah, so AIS, Assured Information Security, they’re essentially our parent company. They’re a majority shareholder in GreyCastle. We met them many years ago and we started a conversation. They were looking to get into private industry. Today AIS is really the leading offensive tools provider to the DOD and the feds. They’re there on the front lines of cyber warfare every single day.
Georgia: So they’re more in the federal any government verticals?
Reg Harnish: Correct. Yeah, that’s their primary client. But they saw growth opportunity in the private space, ran into us and we spent about a year getting to know each other and making sure we could work together and they’ve been a fabulous partner. They have essentially taken what we had for growth plans and accelerated them probably 75%. So things that we were going to do in five years. Now we’re doing them in two and a half or three years.
Georgia: That’s fantastic.
Reg Harnish: It’s exciting.
Georgia: So with GreyCastle, who are your main markets? What kind of verticals are you in with your clients?
Reg Harnish: Today about 60% of our business comes from healthcare, higher ed and technology. And we’re working in every industry. Our secondary market is financial services, critical infrastructure, and a few others. In those primary markets we’ve really figured out how to speak their language. Healthcare is a great example where we know their apps, we know their people, we know the trends that are going on in the industry, the politics, we know how to … We walk into a hospital and that’s home for us. Same thing with a college, or a university or a technology company. We really, really understand them, and for us cybersecurity is really just a business solution.
Reg Harnish: So we don’t think about this as ones and zeros. We’re there to create competitive advantage or reduce costs or you know, just managing the risk around data has huge benefits. But we’re so early in the industry and in the evolution of cybersecurity. I’d say most businesses are just in survival mode. They are reacting to new regulations. They’re reacting to their latest incident, they’re reacting to board pressures. They’re reacting to-
Georgia: All the data privacy that’s going on.
Reg Harnish: All the … GDPR is a great example where everyone was kind of like, oh my God, what do I do with this? Rather than having a plan-
Georgia: In place, to be reactive instead of proactive.
Reg Harnish: But not a cybersecurity plan, a business strategy for how do I deal with privacy as a concept in my business and how do I do this better than my competitors and come out better on the other side of this thing. We think about, I think about cybersecurity a little bit differently, again, to your comment earlier, which is we’re really business people that love cybersecurity and have figured out how to do it well.
Georgia: I’ve heard you say in the past that 75% of a company’s risk has nothing to do with IT.
Reg Harnish: It’s true. Yeah.
Georgia: What do you mean? Talk a little bit about that.
Reg Harnish: So if you look at any of the established frameworks out there, NIST 53, NIST cyber, ISO 27002, almost 75% of those controls are nontechnical. They’re process, they’re documentation, they’re assurance, they’re audit, they’re people, awareness. And if you marry that with the results that we typically see in our risk assessments, which is that technology is actually doing a pretty good job right now. It’s just that everything around it is broken.
Georgia: Kind of knowing how to use the tools in order to put it in place.
Reg Harnish: So there’s a couple of compounding issues, right? So most businesses have problems outside of technology because they’ve been focusing on technology and they’ve gotten pretty good at it. However, there is a compounding issue, which is every time you add a piece of software, you’re adding lines of code. Those lines of code are vulnerable. They can be exploited, and so if you haven’t figured out how to take that firewall, which is nothing more than software running on hardware and is in itself a vulnerability, if you haven’t figured out how to reduce your risk by a certain percentage with that firewall, because guess what, just by installing that firewall you’ve increased your risk because now you have more stuff, more complexity, more to monitor, manage, configure, architect. And so I think that point has gotten largely lost on the security technology industry, which is lots of blue pills and lots of flux capacitors and no one really talking about the honest truth behind a firewall. Which is, yeah, it can do some amazing things if the process works and your people are also effective, but if you haven’t, you’ve turned this thing into an anchor. It’s not what … Technology is not what people think it is, but it could be greater than what it is today. We just got to fix the other stuff.
Georgia: So GreyCastle, how are you going about that? When you talk to a CEO at a company or a CIO or a CISO, what do you say? This is what we’re going to offer to make things easier for you.
Reg Harnish: Yeah, a big part of it is just education. And it’s no one’s fault really because we’re so new, very much the wild west, and there’s a lot of people making money on selling technology, whether it works or it doesn’t, and good for them. This is a capitalist society. So, I would never, you know, we’ve all made a lot of money on technology. So I would not demean them in any way, but I think for businesses who are really committed to protecting data, protecting their customers, their reputation, their viability, this goes way beyond technology. So, we start with education. Some leadership teams are very open to it because they’re committed to survival and resilience and viability, some are not. And those folks that are not, are not great clients for us.
Georgia: So you run a symposium every year and you talk about this education aspect. How do you do this? Where does it take place? How many people attend?
Reg Harnish: Yeah so when we realized that part of our responsibility was in education, because all of a sudden we’re like, oh my God, we’re smarter than everyone. Which is a good and a very bad place to be. But we have a different approach. We said, listen to me, I think we’re going to need another educational outlet to talk about this. And so we invented the symposium six years ago. We just went through our sixth annual and that has been growing 25% every single year. It’s a hugely successful event for us. It’s mildly, not so subtly, GreyCastle branded. But it’s very neutral. We have competitors there. There are technology vendors there, but the difference for us is we’re very careful about content and presenters. We want to make sure that we generally agree with the concepts and the principles behind what people are talking about.
Georgia: So this is like a thought leadership-
Reg Harnish: Thought leadership, absolutely.
Georgia: Yeah, educating the industry and going to clients.
Reg Harnish: You got it and almost 300 people this year. It takes place in Albany, New York and we’ll see where the future takes us with that. We think we’ve latched onto something important there.
Georgia: Yeah it sounds really interesting. What do you think is the most vulnerable thing for a company right now when you talk to your clients? What scares them the most?
Reg Harnish: Well, what scares them the most and what they’re most vulnerable to are often very different things. And I use the analogy of 9/11 and distracted driving, right? Everyone knows exactly where they were on 9/11, like probably to within a square meter. Yet today, if I ask people how many of you have actually been directly affected by terrorism? Zero. And if I ask them, well, how many of you know someone who’s been directly affected by terrorism? Well, it’s zero. Statistically speaking, no one has been affected by terrorism because the number is so small. Well then if we ask, well, who on the drive here today looked over and someone was going through their Facebook friends list accepting friend requests?
Georgia: Yes. It’s a little more dangerous.
Reg Harnish: On a busy highway-
Georgia: That’s scary.
Reg Harnish: And so we’re all very much vulnerable to this individual and we do nothing about it. If you look at where we spend money, we spend trillions of dollars on counter terrorism and not trillions of dollars on distracted driving. And so as human beings we tend to flock to the kinds of risks that we have very little control over, the kinds of risks that are very dramatic, and that doesn’t do as much service-
Georgia: So it’s not the power grid that’s going to go down that you have to really worry about. It’s something that’s happening every day in your company that you might not be aware of.
Reg Harnish: Absolutely. And not to say that we’re not worried about the grid-
Georgia: Or terrorist attacks.
Reg Harnish: Yeah, absolutely.
Georgia: It’s an immunology a little.
Reg Harnish: Cybersecurity is way more boring than people think it is. Absolutely.
Georgia: Well, I think it’s really interesting what you guys are doing. You kind of are a little bit of a renegade in the industry because you kind of call out the nonsense and say, no, this is what you really need to focus on and here’s why. Oh, that’s interesting. Well, how did you come up with the name GreyCastle, by the way?
Reg Harnish: So two pieces. Grey and the castle seems pretty obvious. Really the grey that security implements in human history. It’s survived for thousands of years. Really you think about a castle, lots of independent controls, archers, boiling oil if everything else-
Georgia: Frame and evil-
Reg Harnish: And clerics that could bury people. So we liked the hard work and the general security foundation of it. And then grey, in our business we wanted to establish this idea that there’s nothing binary in cybersecurity. There’s really three reasons why people don’t do cybersecurity today. The first is, it’s hard work. Human beings are generally not into hard work. I’m one of them, right? The reason I’m 10 pounds overweight is because I don’t want to go to the gym and do hard work.
Georgia: Easiest way is easiest when you’re in business I guess.
Reg Harnish: I want a blue pill. If there was a blue pill they could share with me-
Georgia: Solve it all.
Reg Harnish: Absolutely. The second thing is it’s never done, so if my personal trainer, after I got to the gym said, “Hey, listen, I’m going to need you to get on this treadmill and you can never get off.”
Georgia: That’s rough.
Reg Harnish: Also, not very motivating to me. The third though and most important is that there’s no direct correlation between your investment in cybersecurity and your outcomes. Very different than technology where if you need storage space, you buy a hard drive and you have more storage space. It’s binary. It’s direct. In cybersecurity we see lots of organizations investing in cybersecurity a lot and still getting hit and lots of organizations who have done nothing and are just getting lucky.
Georgia: Yeah and it’s hard to communicate about cybersecurity because it is a grey area.
Reg Harnish: Very grey.
Georgia: I see what you mean.
Reg Harnish: Very grey.
Georgia: Very interesting. Well, thanks for coming in today Reg.
Reg Harnish: Just so great to meet you. Great to have the conversation and for us it’s just, a lot of this is about education, getting the message out, ’cause there is a better way.
Georgia: Very interesting. Thanks so much. It’s been great.
Reg Harnish: Thanks.
Speaker 1: Cybercrime Magazine’s podcasts are recorded right here at Cybercrime Studios, 45 minutes outside of New York City. We’re brought to you by Cybersecurity Ventures, the world’s leading researcher and publisher covering the global cyber economy. Visit us on the web at cybercrimemagazine.com and hear our latest podcasts covering the world of cybercrime and cybersecurity at cybercrimestudios.com. To be featured on one of our podcasts, reach out to us at firstname.lastname@example.org. Again, that’s email@example.com. Thanks and have a great day.
Cybersecurity Ventures is the world’s leading researcher and publisher covering the global cyber economy, and a trusted source for cybersecurity facts, figures, and statistics. Cybercrime Magazine was launched by Cybersecurity Ventures in April of 2018 and is routinely featured, quoted, and cited by the top business, financial, and technology media.