How Security Awareness Drives Business Enablement With Greg Johnson

The vast majority of US SMEs do not have enough awareness of cybersecurity issues, and a lot of them fall prey to phishing and other attacks because of this. Greg Johnson believes that security awareness needs to be the norm for business, no matter the size. With his team at Webcheck Security, they are driving business enablement to organizations through cybersecurity solutions and education. In this episode of Pineapple on Pizza, he stresses the importance of cybersecurity in SMEs. He also talks about the technological developments he is seeing on the horizon and what that will mean for the future of cybersecurity. Tune in and get your share of Greg’s incredible insight into the present and future challenges and opportunities in the industry!

Watch the episode here

 

Listen to the podcast here

How Security Awareness Drives Business Enablement With Greg Johnson

Welcome, everybody. We have an amazing guest who is the CEO of Webcheck Security, a member of The Tabernacle Choir, and a grandfather of 6 children and 4 children. Welcome, Greg Johnson. How are you?

I’m fantastic. Thank you for allowing me to be here.

It’s a pleasure to have you here. We got one question that we start with all of our guests. Hopefully, you can help us out with this. If the cyber risk was a pizza, with the crust being in the framework, what’s the riskiest topping you have seen? What topping would you equate that to?

This will seem silly, but for most of America’s small and medium enterprises, that may range from $5 million or from $50 million to $100 million in revenue. The biggest risk topping is that they don’t have a cyber program. They don’t have policies. They don’t have an incident response policy. When they get hacked, they go into fibrillation, like a heart attack. They go, “What do we do?” That’s the big piece of pepperoni on this one.

It sounds to me more like that’s the crust. Most of them are missing the crust. All they’re doing is throwing toppings at it, and it has fallen to the bottom of the oven.

Greg Johnson Quote

Greg Johnson Quote

We could have fun with the way you framed it. A lot of them don’t have security awareness and they open themselves up to phishing. The bottom line is a lot of these problems could be solved if they just had that framework to follow, they understood what the best practices were, they were documented, and then held accountable for it. That’s what most organizations are missing.

With that being said, if they’re missing the crust, can you give me an example of a customer or somebody that you’ve seen where they have missed that framework and where it helped them out to create that?

Usually, it comes in the form of business enablement. In other words, business is flying along, “We’re doing fine. We’re making some sales. We’re swimming along.” All of a sudden, they land a big fish or even a whale. I’ll give you some examples. We had a mortgage company that had some technology stack. As you can imagine, banking is finally starting to gravitate more toward technology. It has taken them a while. We were still sending faxes a few years ago.

As that world has matured, a lot of companies aren’t prepared for what’s coming. They landed a deal with Costco. Costco came back and said, “We’re excited to offer your mortgage services to our clientele nationwide. By the way, the state of New York has these specialized financial services regulations, and you need to meet them. Our security team will be in touch.”

What they sent was a big spreadsheet to the client and said, “Fill this out.” That’s a scary moment for most businesses because they think they need to meet all of the criteria on that. Frankly, they don’t know what a lot of it means, whether they have the controls, whether they don’t have the controls, or whether the controls are applicable. Most of the time, they don’t have the policies to back them. That’s when they would turn to our company, Webcheck Security, to help them out.

A great example is business enablement. For them to be enabled to do business with Costco, they got to meet the New York State financial regulations. That’s a common story. The client will go out. It doesn’t have to be GE or Costco. It can be a smaller $50 million organization that has a little bit more mature cyber program. The company comes along and says, “We’re going to be invoicing you by this portal. Somehow we’re going to be connecting to your system providing such-and-such service.” All of a sudden, the company says, “We need to ensure that you’re secure. Here’s our vendor management program. Fill out this spreadsheet.” That’s where the rubber starts to hit the road. It is in that business enablement concept.

That completely makes sense. We have seen that as well. It’s that scary moment, “Am I going to be able to keep that revenue or lose that revenue because of a cybersecurity issue, an insurance issue, or something along those lines?”

That’s what brings it to the fore. Most organizations, particularly small businesses or even medium enterprises ought to be concerned about cybersecurity. They just don’t know what to do. They got IT, which is concerned with security, but IT and cybersecurity are not the same things. One is business du jour. IT gets business rolling and operational. You throw in some technologies that hopefully are keeping you secure. Security is a lot of things. I like to equate it to Thanksgiving at my grandma’s. If you think of Thanksgiving at grandma’s, there’s pumpkin pie, apple pie, minced meat pie, and pecan pie. What’s your favorite, George?

I get asked that every Christmas. I always go for pumpkin pie.

It’s the pumpkin chiffon. There’s even pumpkin cheesecake. My point is this. If you think about a pie and all of these different pieces, they’re all important. You can’t have grandma’s Thanksgiving dinner without them. Cybersecurity is that way. It’s not just one piece of technology and one IT guy or gal saying, “Let’s throw on CrowdStrike and we will be safe.” CrowdStrike and Sophos are great endpoint products but what about your incident response policy?

What about your HR onboarding and offboarding policy? When do people leave with keys to the kingdom, who retires those? What’s the policy there? What about data encryption? What about network segmentation, vulnerability management, and penetration testing? Those are all important pieces of the pumpkin pie that have to be there in order for the business to not only continue and have succession and continuity—all that to say that IT is not cyber program management.

Greg Johnson Quote

Greg Johnson Quote

That has become more apparent as the frameworks have come out, the SOC 2s, the NIST frameworks, and all these other things to help try and organize those and make them more standard so that they’re easier to follow, specifically on the cybersecurity side, and make sure that things aren’t missed. That truly helps the executives understand the NIST framework of 130 controls. It makes it much easier than nebulously spending money or throwing money at it and hoping that it works.

That’s a good insight. I’ve been involved with it for so long. As we were discussing, I worked for A-LIGN, which has now hit $100 million in revenue. They do a lot of assurance services, SOC audits, ISO 27001, PCI, and HIPAA. I also partnered with AARC-360, Johanson Group, and Moss Adams, which are CPA firms. We do penetration testing and advisory services for all of those and many more.

What’s interesting is that some of those certifications are merely that. They’re check boxes, and you can tailor them. For example, it’s good to have a SOC 2, but if you’re doing a Type 1, it’s just a review of the design of the control. You can convince your auditor that the design of your cybersecurity program is okay, and it’s not following a framework. On the other hand, what most businesses don’t realize is that there are these best practices frameworks and they’re not rocket science. This is what I’ve learned over the years.

Take CIS, for example. They got an implementation group one, an intermediate implementation group two, and then an enterprise. A business that has nothing can start with the basics or implementation group one. They can be a lot more secure tomorrow than they are now just by following that best practices framework. With a lot of organizations, it’s education. It’s helping them understand that there are a lot of smart guys out there that have developed these best practices based on years of practice and observation. If you adopt these, you’re probably going to be okay. Those are some observations there.

I’m seeing the same thing. It’s great to have that acknowledgment of the market and where things are going. We need to find that quick education way of helping more CEOs and boards understand that the issue exists and that they may be putting their revenue at risk, as we talked about earlier. Tell me this. What events do you go to help educate these? Do you run your events to educate CEOs? Is it something where you are doing speaking engagements? Are you going to events to meet these CEOs? Are you relying on your marketing? How do you educate?

Greg Johnson Quote

Greg Johnson Quote

There are several ways. One is we have a robust channel. We love the channel, meaning manage security service providers, MDR or Managed Detection and Response companies, as well as CPA firms. All of these will bring us in and white label or resell our services because it’s not their core competency. In other words, you take a CPA firm that’s doing the SOC 2 audit.

They can’t be the CISO, write the policies, and then audit those policies. We will partner with them to come in. We can put a CISO in there for $250 or $300 an hour, which costs them a lot less than $500,000 to have a real CISO. These are real CISOs, but they can use them as little or as much as they want during the month, and help educate them.

We go to a lot of events that are channel-oriented, like Channel Futures in Las Vegas and Peace Summit in Orlando. There are so many channel organizations. We have become involved with the CompTIA organization. They have the ChannelCon that we will be going to later in 2023. I believe it’s either in Vegas or San Diego. I don’t remember which one. There’s that. They’re channel-focused.

A few years ago, we decided, “Let’s do a cybersecurity summit.” We were just coming out of COVID. Utah was one of the more progressive states in relaxing in-person events and so forth. Back in 2021, we held our first annual Webcheck Cyber Security Summit. We invited anybody outside of Utah or inside of Utah. We’re mostly local-focused, but we had people coming from out of state. We invited them to have this wonderful full day of cybersecurity with a keynote speaker.

We had Jack McCauley, who was one of the Oculus founders. He did a keynote speech. We had CEOs. We had breakouts on writing policies in the organization, Web3, and NFTs. We’re doing it again in 2023. We’re in the third annual Webcheck Cyber Security Summit. It is going to be a lot of fun. For your audiences, mark your calendars for April 27th, 2023. That’s when it is. If you go to our website, WebcheckSecurity.com, and click on Events, you will see it there. There’s a popup that says, “Learn more,” or you can make it go away.

That’s going to be a fun event. We got DeepSeas presenting on threat detection and some of the latest in cyber analytics. Speaking of CompTIA, Juan Fernandez, who wrote the Security+ network security exams for CompTIA, is going to be a keynote speaker. He’s a wonderful gentleman who built a multimillion-dollar series of MSPs and sold them off. Now, he just wants to help people. He’s a very exciting individual. He has his finger on the pulse of cybersecurity and what it takes to succeed there. He’s going to be a keynote speaker.

We do that. We have also had some of those events in San Diego and Arizona. Aside from that, there are lots of webinars and podcasts. This is a wonderful show to educate people about cybersecurity and how we might serve them. We have our branded podcast called Vistas. It is mainly cybersecurity-focused, but occasionally, we deviate and talk about entrepreneurship, leadership, and growing organizations.

We will talk to successful leaders of cybersecurity companies and ask them not only about their products or service but what they did to grow and where they see the market going. It’s a lot of fun. We’ve got a lot of initiatives going. I probably missed a dozen. We want to start lurking on Reddit. Maybe doing some Reddit chat sessions and things of that nature. That’s where we’re at now.

That summit sounds amazing. We may have to take a look at it ourselves.

I’ll be offended if you’re not there.

I have to point out that we asked this event question quite frequently, and I still haven’t heard anyone say RSA.

It used to be big and sexy. It’s still big, sexy, and expensive. You walk around all the big cybersecurity vendors, do the same old song, and dance in different strokes for different folks. We have gone some years and other years. We’re not going in 2023. We’re having our Cyber Security Summit pretty much on the last day of RSA. We haven’t run into too many conflicts.

I’m pretty sure that’s where I picked up. I went to the one right when COVID was breaking.

I remember hearing about a lot of RSA attendees coming back with the good old bug.

I picked up a virus while I was there.

You need a better firewall. Greg, do you read books? If so, are there any that you would recommend?

I’m a voracious consumer of books. A lot of my book reading I do on Audible these days because I find I’m driving so much, and I can get so much more done. One of the books I love is called The Compound Effect by Darren Hardy. He was the Editor of Success Magazine for many years. It is the principle that small and simple things done consistently every day are what lead to greatness and success.

There’s one example that stuck with me. I’m a fitness buff. I’m 60 years old, but I deadlifted 425 pounds. I work out every day. In the book, he tells the story of three guys. I’m speaking of fitness. He says that one guy decided that he wanted to lose weight, so he ate about 60 fewer calories every day. The other friend decided, “I’m good.” It’s status quo. He did nothing like your control group. The other guy decided, “I’m going to eat a bowl of cereal every night. I’ll eat a healthy bowl of cereal when I’m hungry,” but he was eating an extra 60 calories. After a month, there was no difference.

After three months, the guy who restricted his caloric intake was starting to notice some pounds fall off. The other guys were pretty status quo, but you fast forward another eighteen months, and there was a 120-pound differential between the one that was eating the bowl of cereal every night and the one that had started to reduce his calories by about 60 calories. That’s a great example of small and simple things done every day. His whole book goes into that. I love that book.

One I’m reading or consuming audibly is called Change Your Brain, Change Your Life. It’s by Dr. Daniel Amen. He’s a psychiatrist that, back in about 1989, started scanning brains with a SPECT cephalic type of technology. What they do is shoot you with a radioactive. When they image the brain, it shows where the blood flow is. What they found is that all of our problems, like ADHD, depression, bipolar, anger, or lack of libido, stems from brain damage.

He learned how to look at the brain and then be able to treat the sections of the brain with nutrition and medication. There’s a spiritual component and a counseling component. He would watch those brain portions light up if they were overstimulated to normalize. It’s a fascinating book. I’m reading that. One of the best cybersecurity books that I’ve read in a long time is Sandworm. Have you heard of it?

Sandworm A New Era of Cyberwar And The Hunt For The Kremlin's Most Dangerous Hackers

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers – https://www.amazon.com/Sandworm-Cyberwar-Kremlins-Dangerous-Hackers/dp/0385544405

It looks like George has. I have not.

It talks about the Ukrainian power grid going down, the big transport company Maersk, and all these big companies. It was Russia. It was the precursor to the war that’s going on now. This was back in 2005, I believe. Russia has been playing with cyber warfare for a long time. It’s a fascinating book. It gives you a lot of insight into what’s going on in Ukraine. I’ve written a couple of books. I have a book out called Testing and Securing Web Applications. I’m a co-author with Ravi Das. I call him Professor Das. He has written about ten books.

Between the two of us, we discuss the whole cybersecurity framework that has to support secure web applications, from infrastructure and algorithms to pen testing and threat hunting. It even goes a little into ISO and some of the frameworks we talked about. There’s that. I’ve got a contract to write a new book. I won’t share the title yet. It’s a fun surprise. It’s more geared toward the general public like Sandworm, talking about how we’re being spoofed by hackers and the whole ransomware epidemic. It will be interesting. I barely started that. I won’t predict when that will come out, but I would like to get on the ball here and get it done by the end of next quarter.

I look forward to the new book. When you do get that out, please let us know.

Thank you. Let’s hop back on, and we will talk about it.

I look forward to that. Greg, what excites you about the future of cybersecurity frameworks?

There are a lot of exciting things going on. As you know, the big chat now is ChatGPT. I’ll call it buzz technology. Maybe it’s a core technology, but it’s a buzzing technology because it’s pop culture. Everybody is talking about it, “How is it going to hack us? How are we going to incorporate it into cybersecurity?” If you think back to the whole blockchain thing, “Blockchain was going to be the answer to cybersecurity.” Would you agree with me that it’s probably not?

Maybe it’s part of a solution, but it’s not the solution.

It’s a cool technology. It’s very valid in different scenarios and the whole cryptocurrency. You could go off and talk about how all of the stocks and the cryptocurrency values have gone down. That may be just a thing. It doesn’t mean crypto is dead by any means. What the community realized is that there have to be controls around the servers that run the cryptocurrency and do the mining. The cybersecurity principles still apply. Anything that has 1s or 0s can be hacked eventually, which leads to the next thing.

There’s ChatGPT. AI is coming into play. AI has always been a buzzword. A lot of companies, especially in the threat detection realm, will say, “We got AI. Our SIEM, or Security Information and Event Management, has AI. It will find the threats.” That’s BS. It will find some of them but AI still is mostly heuristic algorithms. They learn a little bit, but not to the point where Isaac Asimov had “I, Robot” yet. If you saw the Will Smith movie, that’s AI.

ChatGPT has a series of interesting algorithms. Google has up the ante because Microsoft made a significant multibillion-dollar investment. Google is claiming, “We got an AI that we’re putting into the Google search engine.” It reminds me of when they bought Ask Jeeves. This is the next generation of Ask Jeeves. There’s that. You combine that with quantum computing. Quantum computing is still out there. China has it. The US has it. IBM has it. Dell and some of the big manufacturers are playing with it.

We will see that come more into the mainstream. It’s probably still going to be a while, but when you start to combine that with AI, then it presents an interesting red-team and blue-team scenario where hackers can use the technology to think faster than a human can respond. Manufacturers and vendors are going to have to start creating. You take the CrowdStrike, Sophos, DeepSeas, and Arctic Wolf of the world. They’re going to have to start incorporating the same technologies to defend as fast as the spears can be launched. There are some exciting things happening out there.

I agree. Also, most AIs are simple algorithms in AI clothing. How is that?

They’re scary too. Are they moral? Are they immoral? Whoever is programming them is programming the algorithm and the arrays. If it’s a serial killer, then you’re going to have a serial killer algorithm.

There is a scientist that sometimes speaks at some of these cybersecurity conferences. I can’t remember her name but she’s in the research area of this artificial intelligence and where it is. This was a number of years ago. She said that AI is about as intelligent as an earthworm in terms of its equivalent to humans. It does get better every year but they said it will be as smart as a German Shepherd in about 25 to 35 years.

The concept there was there is still no such thing as 100% secure, and there won’t be for a while. If you trust a German Shepherd to drive you down the road in 25 years, that’s your choice. Right now, you got an earthworm in an automated vehicle driving you down the road. It’s up to the programmers to program that earthworm properly because you need to program the parts where the intelligence is lacking. I‘ll never forget that statement, “It’s about the programming and ethics in programming.

That’s an interesting metaphor, which means that long after we are dead, AI will evolve to the level of my six-year-old granddaughter maybe. Who knows?

It’s one way or the other.

The other thing that has been exciting is watching the evolution of endpoint protection. Do you remember when it used to be an antivirus? It was Norton, and then Symantec jumped on board and bought them. You had all these other companies like Malwarebytes and Windows Defender. They all started to evolve from basic antivirus to looking for malware, anomalous code, and file integrity checks. It has been interesting to watch that whole technology begin to evolve as the hacks have gotten more sophisticated. We’re not done yet. I have a friend, Peter Bybee. I don’t know if you’ve heard of him. He was the CEO of a neat company based out of San Diego called Security On-Demand.

He was an MSSP. Let’s go back to 17 or 18 years ago. At some point, as the industry evolved and the SIEM thing came out, he started managing QRadar instances. That has been around for a long time. That’s old boxy technology, but it’s robust, and it works. He did that. At some point, he found these scientists in Poland that had developed this cool algorithm based on something called rough set math. He implemented something called an approximate query, which would take all of the logged data from a system and represent it digitally in a metadata layer. If you could figure out how to ask the right question, the technology would pull back anomalous results.

He bought that company. You take basic SIEM, regex or regular expressions, and the known knowns. You run logs through it. It says, “There’s a signature for this thing we know. Go fix it. It’s a Log4J.” What about zero-day stuff and all of that? This technology is next-level because it identifies a lot of that stuff. He bought that company based out of Warsaw, Poland, and the PhDs that went with it. He applied it to threat detection and response.

He sold that company to the Nautic group, who then went and bought an EDR company, Booz Allen Hamilton‘s MTS threat detection company. Now, it’s called DeepSeas. It has been exciting to watch how these MDR companies have grown up and started to add services, AI, and in the case of formerly Security On-Demand, the advanced query technology that finds more of the anomalies than QRadar would have done back in the day.

That continues to evolve, which mostly helps higher medium and enterprise clients. You don’t get a lot of small businesses buying threat detection. They will grab Sophos and stick it on their machine as I do. We all work mostly out of our homes. We make sure our pen testers and CISOs have VPNs, Sophos, or CrowdStrike. That’s pretty good for us but to get an organization that has a lot of infrastructure, they’ve got to have threat detection, particularly if they’re warehousing data, even if it’s in AWS. That has to be monitored. Those technologies are exciting. It will be interesting to see where they go.

Tell us a little bit about yourself. You said you were located in Utah.

I’m a guy that has been married for 38 years and has 4 kids, 1 girl and 3 boys. I lift weights, play racquetball, and sing in the good old Tabernacle Choir on Temple Square, which has been broadcasting for 94 years straight through radio stations and is now on the web everywhere. Europe picked up the television show. I’m on TV every Sunday morning. You will see me in the upper right-hand corner with the bass section on something called Music & the Spoken Word. It’s a lot of fun. You should tune in.

Here’s my next question. Are you a bass tenor? Where are you?

I sing low bass in the choir. That has been a lot of fun. We’re going to Mexico City in June. We’ve got some concerts lined up down there. Except for COVID, The Tabernacle Choir has sung at every presidential inauguration. They have usually been invited and dubbed America’s choir. That’s fun. I’ve been doing that for about five years. That will come to an end soon because when you turn 60, they say, “Here’s a nice plaque. Thanks,” and then you’re out. Other than that, I’m passionate about providing cybersecurity solutions for our clients from a governance perspective.

If our organization doesn’t do it at Webcheck Security, we will pull in partners that do. I’ve been doing that for many years. I worked for A-LIGN. I worked for SecurityMetrics, which is a big PCI or Payment Card Industry compliance firm. I was there for six and a half years. I was the Vice President of Business Development at A-LIGN. In 2018, I was working with Secuvant, which was one of these Managed Detection and Response companies like DeepSeas.

They had their customers saying, “Can you do a pen test?” They would say, “We got this partner we outsource it to.” I went to the CEO and said, “I have a number of acquaintances that I’ve used in the past that are fantastic engineers. I’ve been thinking of starting a company. Let me take these deals and run with them.” That worked out well. That company funded the upstart of Webcheck Security. Believe it or not, COVID was fuel for the fire for us because I got laid off from that.

One day, my boss said, “We’re losing customers.” It’s one of the first things to go when budgets are cut. I managed the thousands of dollars of monthly Managed Detection and Response. I decided to take it from a boutique company to a full-time endeavor. The Executive Vice President who worked there came with me. I convinced him, “Come on, Jeff. You have to come over here. Let’s do this.” We’re not looking back. It has been a great ride, largely due in part to great partners. We’re having a blast. I live in Utah. I love the outdoors. I love to kayak and hike. I’m not kayaking because the lakes are all frozen.

I’m curious about the choir. Do you play any musical instruments or anything like that? Is it just the vocal cords for you?

I used to have a rock band when I was in high school. The guitar has been a hobby off and on throughout the years. I can still play. I played the trombone a little bit in college. It’s a hard instrument to keep up. It’s like, “Come on, kids. Gather around the trombone. Let’s play some Christmas tunes.” It doesn’t work. I’ve let that go a little bit but I play a little bit of piano. I’m a jack of all trades, a master of none. I minored in Music, but that was voice or vocal performance. Voice is my primary instrument.

Let me ask you a question. If you could go back in time and give your younger self advice, what would it be?

What I would say is, “Get your MBA and then look at starting a business a lot earlier than I did,” but it’s easy to say that now. It wouldn’t make sense for me to get an MBA, not that I know it all. There is a lot of great stuff and business analytics that I would learn, but it would cost a lot of money now to go back. It wouldn’t give me a big ROI because I’m already the CEO of a successful company. I’m having fun and enjoying it.

What I would do is learn more earlier and then instead of going to work on something I enjoyed, I would look to learn more and then start a company a lot earlier, which would lead to more career satisfaction and the ability to bless others’ lives more, employ other people, donate, and give to the community earlier on than I am now, and have a little bit more life satisfaction. You go through life and figure things out. At one point, certain things click.

Would I have changed anything? I don’t know. I was pre-med at BYU. I was going to be a doctor like my dad. At one point, I realized, “I don’t know if I like sticking needles in people and feeling veins in their arms.” I realized I had a gift for languages. I serve an LDS mission to Milwaukee speaking Spanish. I learned the language well. I got a degree in Spanish Translation, which has helped me in business writing and so forth.

That might help you on that trip to Mexico City.

That would be it. I would say, “Younger self, get serious. Maybe stay in school a little bit longer, and then learn. Go to work not to just earn money but go to work to learn. Try different positions. Don’t be afraid to apply for more positions within large corporations. You would probably find an acceleration of where you wanted to be earlier.”

Where can people find you?

If they go to WebcheckSecurity.com, they can reach out to us. We have forms on every page. There’s an email, [email protected]. I get those, as does some of our BizDev team. I would be happy to respond. They can go to LinkedIn. Type in Greg Johnson and Webcheck Security. I should pop up. Connect with me. They can do LinkedIn messaging. I respond to those as well.

You also have the podcast. Tell us about that one.

We have Vistas. For the most part, in the major platforms like Spotify or Apple Podcasts, if you go out and search for Vistas by Webcheck Security, there you go. We’ll have to release the one for this month. We haven’t released it yet. We will be doing that soon.

We will have to check that out when it comes out.

It’s a fun podcast. The music is sponsored by a neat band that my son happens to be part of called Suit Up, Soldier. That can be found on Spotify and Apple Music. It’s a neat podcast.

Greg, I appreciate your time with this. I had some great insight. It was eye-opening for some of the frameworks and some of the things that you’ve done in the past. We appreciate your time on this. For our audience, thank you for tuning in. If you’ve learned something and laughed, tell someone about this show. There it is. This has been another great episode. We will see you next time. Thanks for joining.

Important Links

About Greg Johnson

Greg Johnson

Greg Johnson

Location: Eagle Mountain, Utah
Chief Executive Officer at Webcheck Security
Member of the Tabernacle Choir- singing at multiple inauguration ceremonies
Has six grandchildren
Lifts weights every day

(Education)
Brigham Young University
BA, Humanities

(Present)
CEO at Webcheck Security. World-Class Pen Testing & Fractional Information Security Officer (FISO) Services. Talented engineers provide simulated real-world attack testing for web/mobile applications and infrastructure.

(Previous)
Vice President of Sales – Secuvant Security Services
VP of Business Development – A-LIGN
Advisor to the Board – CipherTooth
EVP Security Strategy, Sales and Bus Dev – Lancera
VP Sales and Business Development – Access Technology Solutions