The risk of experiencing a cyber disaster these days is steadily increasing as technology evolves. Therefore, you must get ready for anything and do not let yourself be caught off guard. John Riley chats with Peter Busam, founder and CEO of Equilibrium Consulting, about the importance of crafting and designing your own disaster recovery plan to mitigate cyber risks and handle threats accordingly. He shares how his training as a Navy veteran allows him to nurture a well-disciplined culture of security in his own team. Peter also talks about using AI for better market data analysis and taking note of every bit of customer feedback to constantly improve cybersecurity measures.

—

 

Watch the episode here

 

Listen to the podcast here

 

 

Preparing For A Cyber Disaster With Peter Busam

Welcome to Navigating Cyber Risk with your host, John Riley, where we explore the challenges faced by executives as they grapple with new cybersecurity mandates. We’d like to welcome another great guest. He is one of the six original Gunner’s Mates in the Navy, now specializing in the cutting-edge vertical launch missile systems. He’s a true car enthusiast with a special passion for iconic Nissan Z cars. Owning not just one, but four of them. He loves the thrill of the race, especially with his prized Nissan Zs that burn rubber on the tracks. We’d like to welcome Pete Busam, CEO of Equilibrium Consulting. Welcome, Pete.

John, thanks for having me on.

Differences Between Cybersecurity And Cyber Risk

We talked a little bit about it in the beginning, but I love racing. This one might go fast because we have a couple of racers or racetrack enthusiasts. I’m looking forward to it. I’m going to start off with our big question. How would you explain the difference between what cybersecurity is and what cyber risk is?

Interesting, that can mean a lot to a lot of people. Cybersecurity, or I like to say cyber hygiene, is the tactic of what you’re doing every day. The cyber risk is what you’re not doing every day. The risks involved, your people are not doing what they’re doing, not getting trained. That’s the risk side of those things not being done, but if they’re done, that’s the hygiene or the security side. Two of them dovetail very nicely, in my opinion, at least.

If it’s not covered by cybersecurity, then it’s a risk.

 

 

Yeah, pretty much. Even if it is covered by cybersecurity or a policy, it still could be a risk because all you can do is safeguard it. You cannot use the word protect because that could put you in trouble down the road.

How much safeguarding can you do? As you said, there is no covering everything. Even if you do have the elusive protection, it’s still not going to guarantee that you don’t have some risk.

There’s no guarantee at all of risk. That’s what the underwriters do. They calculate that and figure that part out. Our job is technical on the technical side, and I’m not necessarily technical anymore, but it is to put all the processes and warnings in place to get those things as fast as we can, so we can shut it down or remediate when the time comes after we’ve looked at what the process is.

When you download that application, “Do you really want to open this application? Are you sure you really want to open this application?”

Don’t worry about user controls. Just say yes and go. That’s what you have admins for. They look to keep you a little bit more, I don’t want to say safe, but they put the right rules in place to take away that human side.

Why People Is The Biggest Cybersecurity Threat Today

Sometimes yes, if they’re good. What would you say is the most significant cybersecurity threat facing most companies?

It’s their people. People are the weakest link because human nature is curious, and they want to do things. If they’re restricted from doing something, they certainly want to find that workaround to try and beat the system. It makes an administrator’s job that much harder to put the safeguards in place, but it’s definitely the people and the lack of education that go along with them, wanting to slow down because cybersecurity slows us down. 

 

 

How do you deal with that? How do you deal with those people? There are only so many trainings and different things that we can send people through. What’s your suggestion on how to deal with that?

That’s interesting. If you want to go back to my military world, we send them up to the captain and say, “They’re breaking the rules.” We cannot do that necessarily in the civilian world. You have to have the rules and the provisions in place. It probably becomes a little bit of an HR role to get in there to talk about why they keep breaking the policy. Why do they keep bending the rules or going around them, and being that rogue warrior in the organization? I believe it’s truly part of the process, an HR referral after so much remediation training. 

Making Good Use Of Feedback From Customers

That’s always a good place to start. As a CEO, in general, how do you prioritize cybersecurity and cyber risk within your own organization?

We’re a small organization, so we’re very tight-knit, and we meet and discuss it. Since we do marketing for the technical community, we’re constantly having the technical community on us, on the things that we do and the words that we use. There’s a very high level of awareness that comes to our team. We scrutinize the words we use, we scrutinize how we roll things out on our web servers and our infrastructure, and how we protect it. There are things that we just won’t do. If you won’t do them, you cannot be a customer of ours. It’s that simple. We don’t believe in signing disclosures, and if you don’t fit our model, we won’t take you on as a customer. We’re in a great place to be able to do that, but not everybody is.

It sounds like it’s a culture within your own organization that you’ve called to be there. I think that’s what a lot of people maybe overlook is that it’s not just check boxes for compliance or something like that. It’s a culture that you have to build to understand what it should be.

It’s a journey. Every day is a journey. Something new comes up every day. As long as we keep looking at it and understanding it, asking the questions, our customers are great educators for us. We work exclusively with IT companies. They ask questions and give us great suggestions. We use a lot of that in things that they’ve learned they bring to us. Not only is it from top down, from me into my team, but it’s taking that feedback from the customers who are working on that stuff for the SMBs every day that we’re not. 

Rise Of Credentialing And Verified Services Beyond DNS

From your perspective, what emerging trends do you believe will have a profound impact on cybersecurity in the near future?

One of the things that I’ve been focusing on because of our web services is email delivery and email protection. Business email compromise to me is a huge piece. Once you cut through and figure out the D mark, the SPF, and the DKIM keys, there’s probably going to be the next level with the BIMIs. The BIMI is like an SSL for your email.

I think we’re going to start seeing more of that credentialed type of solutions that, when you’re doing something from organization to organization, it’s going to have to have some of those credentials because DNS is still penetrable fairly, even though you can harden it a lot. It still has a way to do it. I think credentialing and verified services beyond DNS are going to be the next piece. We’re already seeing that with the BIMI credentialing in the email.

 

 

I think there was also some more security built into IPv6, and there’s security becoming more top of mind and within the industry, and the protocols and all the other pieces that make it up. Between DNS poisoning and the Pineapple that could capture Wi-Fi and be a man-in-the-middle attack. There are a lot of opportunities there that people are trying to find for hardening some of those items.

I’m in a conference and they’re just loaded with these guys. I’m walking into this area. My cell phone is going off. I’m turning off my PC. I don’t want any of them to even know that I exist. “Come shake my hand.”

Not working out for you.

Some of them just like to have some fun. If they find something, they’ll tinker with it and let you know after they do it.

That’s like printer vulnerabilities. Sometimes I go, “Your printer is vulnerable.” I go, “What are you going to do, print on it?” I’m sure there’s worse, but it’s interesting sometimes to see. 

 

 

Think about an uninterruptible power supply that’s sitting on a piece of equipment that comes with a default password. How many times has that default been in, but you could initiate a shutdown remotely if you got in. It’s very true on a device that nothing for an SMB to be looking at, or a business owner. “They told me I had to buy that, so I did.” I hope they configured it right.

Definitely, the risk on a UPS is much higher than on a printer, I would say. There are probably some printers out there that do some pretty cool stuff. 

There is. 

Why You Should Prepare A Disaster Recovery Plan

Have you ever been through a cyber disaster, or what do you think that journey looks like for somebody who wakes up in the morning as a CEO and finds out that their data has been encrypted?

We’ve never had it to that level, but being a web service company, we have had an incident that could affect the brand. We had to shut down and lock it down quickly and then go to triage to see what happened so we could fill the void and reduce any exposure at that point. Fortunately, it wasn’t a website that did it. It was more from a brand perspective of crippling a brand because it’s a security company.

They could have easily had their brand damaged significantly from that perspective. Fortunately, we had enough things in place to do that. As a CEO, it scares the heck out of me. We’ve put the safeguards in place with customers and partners and at every level, but it’s not always if, it’s just when somebody is going to get through. Do they have the plant inside your equipment enough to get to where they can steal information or encrypt it?

We’ve got measures in place to disperse that and disparage that. I don’t think I would ever want to deal with it, even if it was just a very little bit of data in there. I have been with customers who have been, and it’s been pretty traumatic, and everything comes to a halt. It’s a big business interruption. Maybe small, but it is a business interruption. As a CEO, you’re looking to recover that as quickly as you can to get back up and running.

Probably a bit emotional as well. You’re trying to understand that mindset of, “Where am I? What do I need to do to get this done?” Along those lines, do you have a disaster recovery plan and an incident response plan, and everything?

We do have an IR plan. We do have a DRBC plan. We have a lot of the things that you should have. As I said, every day, a customer comes to us with something like, “You should think about this.” I’m like every other CEO, “No, you just want me to spend more money.” In the end, you have to listen to them. You have to take their advice.

If that’s the person that you’re trusting for the advice in that area, ultimately, they’re going to hold a lot of liability along with you if something were to happen. It becomes a shared liability. If I don’t do it, it becomes more mine, but they still get shared. You have to spend some money, but you also have to take the direction as a CEO and say, “If I don’t do it, what’s my risk? What’s my exposure? My job is to mitigate as much risk for my organization as I possibly can.” That’s why I have advisors who are smarter than me in those areas.

Honestly, probably some of that also comes from your racing experience, because when you’ve got the safety equipment and all the safety that goes along with racing, you’ve got to have things tuned in and ready to go. Especially on the safety side, you have probably utilized that experience to build your business, which is a great thing.

A lot of my experience comes from being in the Navy and the disciplines, high security. Obviously, I worked with a missile launcher in the very first one of its kind. It was a very high-security type of thing. It resonates with me that there are protocol procedures, there are tools, and there is a process to manage things with security, physical, and electronic. Those things resonate with me and transfer very easily to me to say, “You’ve got to do it. You just got to do it.” Again, if you’re going to have an advisor, why do you have an advisor if you’re not going to listen to them?

 

 

Using AI For Better Market Data Analysis

What are you currently working on that you’re most excited about?

We’re like everybody else, we’re mostly working on some new business development, but as a marketing agency, we’re turning to AI, not to write content, not to do things, but to enable us to bring our partners to market better with better analysis on data. Using that data, and of course, one of the things we’re looking at, and since we’re talking security, is the security of those LLMs.

If we go out and search them and put something in our query, that LLM now takes that and adds it to its library. If a competitor were to search that LLM, now what did we just divulge by doing it? We have a whole new layer of what we have to fold into our culture as to how we bring that data private or have a private LLM versus what’s out in the public domain. That’s a whole new concern for us that we’re tackling in there.

I was chatting with somebody the other day, and what he was talking about was that they were monitoring the firewall of a company, and they saw a number of requests going to different AIs. He went to the CEO and said, “Are you aware of this?” The CEO said, “No.” He walked over to the CFO and said, “Can you tell me how much we’re spending on AI?”

The CFO said, “We don’t have anything going towards AI.” He said, “We’ve got these IP addresses, we’ve got all this.” He walked over to one of the employees and said, “What are you doing?” He goes, “I’m using OpenAI.” He goes, “It’s $20 a month, right? I just paid for it. I’m not expensing it or anything.” Employees are trying to get that productivity boost without saying anything to the company. If you don’t have those AI policies in place and some of those procedures, then you don’t know what’s possibly slipping through there and going out.

Especially with, in their case, they had like ten different AI people using different AIs, who knows what data they had uploaded. I think that’s going to be an interesting thing because employees are trying to figure out how to use it, too. When you’re talking about corporate data, where is that line of what they should and shouldn’t do?

That’s pretty innocent, but it goes back to us talking about how people are the weakest link. The intent is good. They’re trying to do a better job or do it a little faster, get a product out. In the end, it probably goes against everything that the company’s policy even though it doesn’t specifically call out AI; it probably goes against what their data policy or restrictions are. A lot of people don’t realize that the minute they query, it’s looking at anything that’s available, including things on their local machine.

 

 

 

 

Any upload, any download, anything that you want to give it, it will take. That’s how they become successful.

That’s something that we’re, I don’t want to say struggling with, but as a small organization, we have to master it the best we can and safeguard our client information that’s proprietary to them. Not all of our clients are IT companies. Some of them are early-stage SaaS companies. One of our SaaS companies said, “We don’t expect you to go with all your rules.” I said, “What are your rules?”

We’re not allowed to use AI for anything in marketing or inside. I said, “Why should you not push that down to us? That should be something that you share with us because if that’s part of your culture and your protective nature, then we need to understand that, too. We don’t want to be the leak for something proprietary to you.” It’s the next frontier, and it is the Wild West right now with AI, as you know.

Services And Offers Of Equilibrium Consulting

It’s supposed to be fun to learn. Looking forward to it. Pete, tell me a little bit more about your company. What do you guys do? How do you do it?

I’m from an ex-IT company. In 2008, I decided that there was a need for sales and marketing coaching and marketing, outsource marketing. We’ve been servicing the IT community for going on eighteen years. Basically, just like the IT sells a stack of stuff for a fixed price per month, we sell a stack of marketing that touches anything that touches the brand, in the same way to a technology company. Translates to them the way that they sell it. We do it for them. We work on the strategy after we get certain parts of it. In a nutshell, if it touches your brand, we do it. It’s all in-house and all US-based.

 

 

All customized on a per-client basis. It’s not cookie-cutter. It’s not the same thing for everybody.

No, because that doesn’t work either because especially when you’re trying to find, because everybody uses the same software or uses the same stack of stuff. You’ve got to find the differentiation points.

That’s interesting because coming from that world and trying to trying to build an MSP back in the day, we should have met earlier. I would just say that.

I hear that a lot. It’s a tough market because an AI has made it harder. Everybody thinks they can do it themselves until they cannot. They realize that they hurt their brand instead of helping it. 

I find that a lot of MSP owners are extremely smart. They got into the business because they’re extremely smart. It also means that they sometimes don’t listen as well as they should because they think they can do it themselves.

As my phrase, why do you if you have an advisor and you don’t listen to him, but why do you go to court for a lawyer if you’re the one that’s going to speak to the judge instead of the lawyer?

If you know better, then why do you hire a lawyer?

It’s always a challenge.

The good challenge.

It is. We’ve been around for eighteen years. We were doing something right. We have a very loyal client base. That’s important. 

Looking Back To Peter’s Career Journey

Tell me a little bit about who you are. How did you get here? You mentioned the Navy. 

I was very fortunate, very blessed in my journey. I started out of high school as a very undisciplined young man, like many, and decided, “I’m going to go see the world and join the Navy,” so I did. I did get to see the world, mostly the Pacific. I was very fortunate to have done very well in my early education in the Navy schools and got selected for the vertical launch missile system, which was an experimental system.

From there, I built the first platform, the very first ship, and I took the very first ship, the USS Bunker Hill, to war after we built it over into the Persian Gulf. I ended up getting medically separated and retired medically over time due to some injuries and portions of the military. As a result, I went to work for a government contractor. No big surprise, come out of the government world, go right to the government world, where I got an opportunity to start a technical arm.

After about six years, we grew large enough, and the whole company was sold to General Dynamics. That was my first exit. I went to work for the PE team that put me into a regional internet provider and helped them get what they needed, and exit number two. In 2008, when the economy went into a downturn, I exited an MSP and started this organization. We’ve been going strong and building throughout the US, Canada, and we just took on our first UK coin. We’re having a lot of fun. It’s a great family and the team. That was my journey. It’s been a long journey, over 40 years.

George, who’s sometimes the other cohost with me, worked for a regional ISP that was purchased by a company called Viaero back in the day. He had that accent. I had a similar one way back. That was a software company that got bought out by Agilent way back in 2000, when the other crash happened.

The internet company was EarthLink. 

That’s how it worked.

It was good stuff. A lot of fun. A lot of learning. Never stop learning. That’s the key.

Pete, how would somebody reach you? How would you like for somebody to reach out to you?

 

 

The great news is I’m pretty out there. You can find me on LinkedIn, send me a DM, but my information is out there. You can get me through the website, and I think you’ll find that also. You can find our number and call. Of course, you could always email me. Those are the three big ways, but I’m not hard to find.

I understand that one. I’m not that difficult, other than if you just search for John Riley, you might find a million of me.

I figure there have been enough background investigations on me over time because I’ve worked on other projects like national conventions for the Republican or Democratic parties. I was the deputy CIO for the 2009 G20 summit in Pittsburgh for the State Department. My name has gotten around, and if you Google me, that’s another great way to follow me. 

Advice For Younger Self And Reducing Cyber Risk

We like to end the show with this. If you have one piece of advice for our audience and the executives who are dealing with this, what would that be? What would be a tip for reducing their cybersecurity risks?

A lot of companies are very close to the vest with a lot of things. I think you’ve got to be authentic to get your culture and make it a part of your culture. Just like everything you do, we share numbers with our team. They know where we’re at and where we want to go as a company. The more authentic you can be with that, and the importance that everybody has a role in safeguarding the data, safeguarding the company. If that becomes part of the culture, then you have a much better chance of reducing your risk. Your underwriters might like it too, when they see your culture.

 

 

Always got to reduce that insurance risk too.

Yes. 

Pete, thank you for your time. I appreciate your views on this. Maybe you and I will have to chat more about racing some other time. 

I’m always open to that. 

That’s always the fun part. Go fast, be safe. For our audience, we’d like to thank you for tuning in. If you learned something or laughed, tell somebody else about the show, and that’s it. This has been another great episode of Navigating Cyber Risk, and we’ll see you next time. Thanks, everybody.

 

Important Links

• Peter Busam on LinkedIn
• Equilibrium Consulting
• Equilibrium Consulting on LinkedIn
• Equilibrium Consulting on Instagram
• Equilibrium Consulting on Facebook
• Equilibrium Consulting on X

 

About Peter Busam

Peter Busam is the Founder and CEO of Equilibrium Consulting, LLC, a Myrtle Beach-based firm specializing in marketing and channel strategy solutions for managed service providers (MSPs) and IT vendors. With over 35 years of experience in high-tech systems, networking, and executive roles, Pete has become a trusted advisor in the IT channel, known for his disciplined, process-driven approach to business growth.

A U.S. Navy veteran, Pete began his career working on advanced missiles, naval guns, radar, and computer systems. His military background instilled in him a deep appreciation for structure and leadership, which he has carried into his civilian career. After transitioning to the private sector, Pete held various senior executive positions across technology and DoD contracting industries before founding Equilibrium Consulting in 2008.

At Equilibrium, Pete leads a team that delivers innovative, data-driven sales and marketing strategies tailored to the unique needs of IT providers. The firm’s services encompass digital marketing, lead generation, sales funnel optimization, and more, all designed to help clients achieve measurable growth.

In addition to his consulting work, Pete is an active community volunteer and contributor to the IT industry. He authors the “Omni-channel Monday” and “Finally Friday!” series, sharing insights on marketing and business strategy. Pete is also a speaker at industry events and webinars, where he discusses topics ranging from leadership and sales to multichannel marketing strategies and the integration of AI in sales and marketing efforts.

Pete’s commitment to excellence and his ability to translate complex concepts into actionable strategies have earned him recognition and respect within the industry. His leadership at Equilibrium Consulting continues to empower IT providers to navigate the evolving digital landscape effectively.

For more information about Pete Busam and Equilibrium Consulting, visit equilibriumconsult.com.