An ounce of prevention is worth a pound of cure. Taking the time to design IT infrastructure, security controls, policies, and procedures will pay large dividends in the form of long-term cost savings. The cost of a cyber breach is usually about ten times higher than the cost of building a formal cybersecurity program.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Zach Fuller, Co-Founder of Silent Sector.
Zach Fuller has built businesses in industries including web development, information marketing, ecommerce, real estate investment, private equity, and cybersecurity. He served as Green Beret in the U.S. Army, conducting highly sensitive combat operations in Afghanistan. Zach was awarded a Bronze Star Medal, Meritorious Service Medal, and other decorations for his actions overseas. He later went into real estate investment and private equity, building an investor relations team for Caliber Companies, holding the role of Executive Vice President, and building a team that raised over 300,000,000 dollars in private capital to acquire residential and commercial real estate investments. Zach has a deep level of experience in asymmetrical warfare which mirrors the fight against cyber-crime. Zach is a Certified Ethical Hacker and founding partner of cybersecurity services firm Silent Sector, where he is focused on changing the dynamic of the industry by showing the benefits and impact security brings to proactive organizations. He leveraged his experiences to build Silent Sector with two partners who are long-time industry leaders. Building a cybersecurity firm is his way of continuing to protect the American people, our economy, and our way of life.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born in Mountain View, CA and spent my early years growing up in the town of Aptos. My parents both worked in technical roles in Silicon Valley, so I suppose you could say that technology is in my DNA. I moved to Arizona at the age of 10 and the long summers gave me a lot of time indoors, which I used to experiment with computers. This is when my interest in technology and entrepreneurship started. I soon realized I could make money building websites for companies when having a website was considered “cutting edge.” Technology was fun and when I learned to make money with it, I was hooked!
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I served as a Green Beret in the US Army and took a lot of pride in my work of protecting the American people from “behind the scenes.” After spending about 6 years in the investment business, I realized that I wasn’t very passionate about increasing return on investment. My true passion is protecting great organizations and the people they serve, enabling them to continue to contribute to our world. Our Nation’s economy and way of life is under attack and to me, it is well worth fighting for. The cybersecurity industry allows me to protect the people of our Nation again from “behind the scenes.”
Can you share the most interesting story that happened to you since you began this fascinating career?
One day we received a frantic call from an investment firm. They were experiencing a targeted cyber-attack, happening as we spoke with them. The attackers were able to compromise the firm’s Google G-Suite administrative account, gaining access to their email. The firm had tens of thousands of dollars in three different cryptocurrencies, all of which was stolen by the cyber criminals. The company’s domain name was then hijacked, rendering their website and email useless until a ransom was paid. The attackers even got into the company’s cloud storage and gained access to all their sensitive data including the names and accounts of the company’s investors. The company’s leadership refused to report the breach to the Attorney General, which was a legal requirement in their state. For that reason, we immediately discontinued our work with them. It is both ironic and unfortunate that the majority of the firm’s capital was invested in cybersecurity companies. While they owned portions of many different cybersecurity companies, they had not taken adequate measures to protect themselves. Like many, they had a false sense of security, believing that they didn’t need a cybersecurity program because they were only using cloud-based services such as G-Suite and Dropbox. While this is a story of misfortune, it was eye opening to me and an incredible learning experience.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There are a tremendous number of people who have contributed to my success and the success of our company. I have my business partners, Mike Rotondo and Lauro Chavez, to thank the most. None of this would have been possible without the unique combination of skillsets, personalities, and resources that they brought to the table. Mike and Lauro both had very lucrative corporate positions with Fortune 500 companies. They are highly esteemed in their fields and recruiters are constantly seeking their attention. It would have been easy for Mike and Lauro to continue their paths in the corporate world and retire someday. However, they wanted something more than just a career for themselves. They wanted to provide cybersecurity services beyond what they’d ever be able to offer with large organizations. They wanted to change the cybersecurity industry for the better and provide services at a level of professionalism that is beyond what is standard in the industry. Silent Sector is the result of their passion, vision, experience, and hard work.
Are you working on any exciting new projects now? How do you think that will help people?
Our team recently realized that we’ve helped our various B2B technology company clients gain millions in new revenue as the result of our work. We developed a methodology to not only protect companies from cyber-attacks and achieve compliance requirements, but do so while creating a competitive advantage for our clients to land large enterprise contracts. We transform cyber risk into a revenue generating asset using our Risk to Revenue Methodology™. Our process is unique and we’re just starting to unveil it to select organizations that fit the criteria. It’s exciting to have our work be considered a revenue generating asset when cybersecurity tends to be thought of as a dreaded expense.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Attitude is everything. It doesn’t matter whether you’re building a company or fighting in Afghanistan, if you don’t have an attitude of positivity and grit, you will not succeed. Always be conscious of your own thoughts and focus on the small victories throughout your journey. Place less focus on goals, outcomes, and what others are doing, while placing more focus on your habits and processes. A goal will never be achieved without the appropriate habits to support it. Finally, be careful about the information you let bother you. Remember that we’re now living in the disinformation age and much of what is dividing our Nation has little to do with reality.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
First, cybersecurity is a young industry and still has to figure itself out. There is a tremendous amount of room for improvement and millions of brilliant people are working to make our technology more secure. It will be a completely different industry five years from now and we’ll see technological breakthroughs that would not be possible if it weren’t for the problem solving that is happening around the world.
Second, all companies rely on technology to operate in today’s business environment. The reliance only continues to grow so we’re in a race against time to create solutions. This pressure keeps the issues top of mind and executives must continue to grow their understanding of what makes an effective security program. As a result, technology and security education will continue to be critical. The more our industry can teach business leaders, the better off our Nation’s economy will be over the long term. What excites me is the fact that we can make the biggest improvements with very little cost, simply by providing education and awareness.
The third and most important point is the fact that the cybersecurity industry gives opportunity to people who are motivated and hardworking but lack the traditional education and financial resources required to enter most other professions. There is a tremendous amount of demand for cybersecurity professionals, even in entry-level roles. There is also an abundance of resources to help people get started which makes a career in cybersecurity accessible to anyone who will work toward it. It is a lucrative career field and presents an incredible opportunity to people of all backgrounds.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
While companies must continue to strengthen their cybersecurity programs, they must also prepare to defend themselves against reputation attacks. A reputation attack may not involve a cyber breach in the traditional sense, but is the result of hundreds or thousands of pieces of disinformation being directed at a company or individual. An adversary directing a disinformation campaign or reputation attack will often demand a payment in order to cease the attack. These attacks are devastating to a brand because people rely on reviews and other online information when they’re shopping for products and services.
Quantum computing also opens up an entirely new “can of worms.” Quantum computers have the potential to break all of the encryption algorithms that protect data in today’s environment. This means that all privacy could be gone quickly, with many trade and government secrets revealed. Fortunately, a lot of smart people are working on “quantum proof” encryption. Only time will tell the outcome of the upcoming quantum computing era.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
A company reached out to us after they identified a couple of machines that were infected with ransomware. It turns out that over 1,800 computers in offices across multiple states were infected and the company was rendered inoperable. Our team got involved quickly and guided their entire IT team through stopping the spread to prevent further damage. We then helped them get back online over the next few days to the point where the company was operational again. It was a tremendously expensive and damaging attack for the company. All executives were on edge and attorneys were geared up for legal battles.
Shortly thereafter, an existing client of ours got hit with the same strain of ransomware. However, the ransomware was immediately recognized, contained to a single machine, and cut off from the rest of the network. There was no damage or data loss, no 20+ hour days of remediation work, and no attorneys needed. This particular client had spent the previous few years working with us to build a proactive and resilient cybersecurity program. Had the other company spent adequate time and resources, there would have been little to no damage and costs resulting from their breach. In fact, the active client was a much smaller company with a lower IT budget and fewer resources than the company that suffered greatly from the breach. The moral of the story is, cybersecurity is no longer optional and companies of all sizes must build a proactive cybersecurity program. “We’ll do it next year” is not an appropriate strategy in today’s environment.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Silent Sector is technology agnostic and uses what makes sense for the situation. We are not a reseller of products like most in the industry. Instead, we prefer to start building security programs using the tools and technologies our clients already have in place. We’ll make product recommendations based on the unique needs of the client if there are missing components required for the appropriate level of security.
However, we do use tools regularly for testing and assessment work. A few examples include:
- Qualys Cloud Scanner — we scan network environments and web applications to identify vulnerabilities that may lead to an exploit
- Metasploit Professional — we use this to identify whether an identified vulnerability can be exploited, validating the results of scans
- SmartBear — this is used for testing the APIs of web applications
- Kali Linux — this is an operating system loaded with a suite of “hacker tools” used to see what cyber criminals see in a company’s digital environment
- Buscador — this is a Linux operating system configured for Open Source Intelligence or OSINT. OSINT is the act of finding information and building intelligence from publicly available sources. This intelligence is used in penetration testing and risk assessments.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
We do a lot of work with mid-market and emerging companies that have an internal IT team but do not have in-house cybersecurity professionals. For most, it is best to have a cybersecurity services company build and maintain a proactive cybersecurity program. A company is never secure by simply purchasing over the counter software. Software and security tools are insufficient to protect an organization without both strategic and technical implementation and maintenance. Likewise, hiring a virtual/fractional CISO will generally provide an organization with strategic guidance but not the hands-on, technical implementation or tasks that require a 3rd party like audits and penetration testing. Companies without an internal security team are most effective when leveraging a team of outside professionals who specialize in cybersecurity, providing both strategic and technical levels of service.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Cyber criminals use malicious emails to fool users into clicking on links that download malware and infect systems. While some malicious campaigns are much harder to identify than others, users can usually recognize when a link they click doesn’t lead to where they expect. This is one sign of a malicious email (phishing) and users should always report the situation to the appropriate people in their company, regardless of whether any computer problems are noticed. A user should also be conscious of the normal speed and functionality of their computer. Significant changes in performance or problems with applications should be reported. Finally, do not forget that cyber criminals use social engineering to manipulate people into giving up sensitive information. Social engineering has also been called “human hacking.” If anyone ever asks for a password, version of operating system, or brand of anti-virus, this should be a red flag and the information should be withheld. Social engineering is conducted through email, over the phone, chat, social media, and even in person.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
As soon as a breach is suspected, the single most important action to take is to contain the attack by disconnecting any infected devices from the network. Do not shut the devices down as this could lead to loss of information that is critical to the cyber forensics work that will be necessary to understand the method of attack.
Every company should have an Incident Response Plan that provides the details of the actions they must take in the event of a breach. It is important for companies to review and update their Incident Response Plan on an annual basis at a minimum. A good Incident Response Plan will categorize incidents so the organization understands the actions to take based on the severity level. An organization must have a list of people to contact in order to contain and investigate the breach. The insurance company should be contacted as they will often provide valuable resources.
It seems like new compliance and privacy requirements appear on almost a weekly basis. Most companies struggle to keep up with all the compliance requirements. While the constant change benefits us as a security firm that helps companies navigate the complexities, it presents a tremendous challenge for organizations of all sizes. Working with limited resources, companies are often forced to choose between meeting compliance requirements or building a more holistic cybersecurity program. Compliance is not security. In other words, being compliant does not mean that a company is being secure. I always recommend building a holistic and proactive cybersecurity program because having that in place will significantly reduce the burdens of meeting compliance requirements. When your company is secure, it’s much easier to be compliant. If you chase one compliance requirement to the next, you’ll end up playing a game of “whack-a-mole” and never achieve a truly proactive, resilient security posture.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The vast majority of security breaches are the result of company leadership failing to commit to building a formalized cybersecurity program. A company will never be secure without its leadership recognizing the importance of proactive security and investing the resources necessary to protect the organization. Lack of decision and commitment is the biggest mistake, without a doubt.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Fortunately, I have not seen an increase in cybersecurity or privacy errors among our current clients, despite the transition to a remote work environment. Employees were able to take their office computers home or have been issued company laptops with hardware certs, securing the connection back to the company’s network. However, many companies that lack the resources to issue machines to remote staff are having people work on their personally owned computers. This presents a variety of risk factors because the computer configurations cannot be controlled by IT professionals.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
1 — Every company needs to align with an industry recognized cybersecurity framework. A few examples include CIS Controls, NIST SP 800–171a, and NIST CSF. Breaches often result in lawsuits and attorneys immediately start looking for negligence. When a company is asked how its security program was built, it must be able to show that proactive measures were taken while following industry recognized best practices. If the company responds with an ad-hoc approach that was piecemealed together without the support of trained professionals, the company will almost always be considered negligent and will be forced to pay tremendous fees. However, companies that followed industry recognized frameworks can often minimize or eliminate the legal battles after a breach. Also, the damage of a breach will be significantly reduced when following a good cybersecurity framework.
2 — Being compliant does not mean your company is secure. For example, HIPAA compliance requires the protection and privacy of medical patient data called “Protected Health Information” (PHI). It does not require the protection of non-PHI systems. Being HIPAA compliant may mean that PHI is protected to the level of the requirements but does not mean that the systems without patient information are adequately protected. A breach can render an organization inoperable even if the organization meets all its compliance requirements.
3 — Network appliances and software don’t make your organization secure or compliant on their own. Human expertise is required to properly configure and deploy security systems. We find that most companies are only using about 30–40% of the capabilities of the cybersecurity technology that they’ve acquired. Vendors don’t generally take a holistic view of a cybersecurity program. They have more incentive to sell products to monitor remotely or let the buyer handle all the management.
4 — An ounce of prevention is worth a pound of cure. Taking the time to design IT infrastructure, security controls, policies, and procedures will pay large dividends in the form of long-term cost savings. The cost of a cyber breach is usually about ten times higher than the cost of building a formal cybersecurity program.
5 — People are more important than technology and tools. The human element is your largest vulnerability but also your greatest line of defense. All staff members should go through cybersecurity awareness training on a quarterly basis and should be equipped with the knowledge of how to respond to potentially malicious activity.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I believe that the United States is far too divided. In order to survive, we must create a sense of unity, selfless service, and national pride. This can be accomplished by requiring every U.S. citizen to perform 2–3 years of service in support of our Nation. The service would be done after high school, providing young people with new skillsets, creating new relationships, and opening new opportunities. The service can be a wide range of activities focused on solving problems and supporting worthy endeavors such as improving education, fighting poverty, and protecting the environment. Of course, military and law enforcement are areas to support as well. I would not trade my five years in the Army for anything. It was by far the most valuable experience of my life and I wish everyone was able to have a similar opportunity. People appreciate what they work hard for and if more people worked together for America, our population would begin to find the sense of unity that we need. If everyone acted from a place of selfless service, we would end poverty, racism, violence, and many other problems plaguing our great Nation.
How can our readers further follow your work online?
Readers can learn more by visiting our website at www.SilentSector.com or buying our international bestselling book, “Cyber Rants,” which is available on Amazon.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!