Why People Are Getting Numb To Data Breaches With Matthew Koenig

Many people are becoming numb to data breaches. If a business has been the victim of a cyberattack, customers simply move on to another business. But in today’s interconnected world, that is not the best mindset to have. Matthew Koenig, Vice President of Channel Sales at Nodeware, joins John Riley to discuss how businesses must approach cybersecurity and navigate this kind of public perception. He explains why humans are the biggest threat to cybersecurity today and the right way to mitigate it. Matthew also emphasizes why CEOs should never set aside foundational cybersecurity measures in their efforts to keep up with today’s rapid technological progress.


Welcome to Navigating Cyber Risk, with your host, John Riley, where we explore the challenges faced by executives as they grapple with new cybersecurity mandates. We’ve got this amazing guest who has over 250 Disney visits and knows Mickey Mouse, I think personally, at this point, to flaunt his rhythm with the Florida State Band Marchers. His travels included Australia, the Dominican Republic, Japan, and London, just to name a few. He’s racked up 1.5 million meters on the Hydrow rower during COVID. I did a bicycle, but I could see how a rower would be good, but that’s some endurance. I’d like to welcome Matthew Koenig, VP of Channel Sales at Nodeware.

How are you?

I’m doing great. Good to see you.

You too.

Thanks for being on the show.

My pleasure.

Differences Between Cybersecurity And Cyber Risk

We’re just going to jump right in here. How would you explain the difference between what cybersecurity is and what cyber risk is?

Cyber risk to me is looking down and seeing where you have issues. You’re looking around and you’re saying, “That could be an issue.” To me, cybersecurity is now what you do about that to try to protect yourself. I almost liken it to a house with an alarm system and door locks. Someone comes in and they open the front door, and you’re like, “Wait a second, how did you get in here?” That’s a problem. You put a deadbolt on it. You’re covering the windows because you realize, “Someone could pop in my windows. Covering the doors by themselves is not great.”

Why Humans Are The Biggest Cybersecurity Threat

I think that everything is a risk. Walking down the street is a risk, not a cyber risk, but then you have to decide. As you’re walking, maybe there’s a crack in the sidewalk. Is it a hole? Is it going to hold me when I stand on it? You’ve got to decide what those things look like. What do you feel are the most significant threats facing your companies?

Humans. It’s always interesting. If you look out there at the cybersecurity landscape, and you look at how people get breached, whether it’s a physical human doing it on purpose, internal, or whatever the case may be. Whether it’s someone who is looking for a hole out there or someone’s security to get in. It’s all human-based. I’m sure it’ll turn to AI shortly, but if you’ve got your cybersecurity shored up, then you’ve taken 90% of the risk out if a human being does something that they shouldn’t be doing. The biggest risk you have is humans and making sure that they understand what they should or shouldn’t do as you shore up the backend.

As much as we try and protect the humans from the technology or the technology from the humans, I’m not sure which way that needs to go. We put in all these technological things that are supposed to stop that from happening. I think that ultimately, no matter how many times Microsoft warns you, “Do you want to open this application? Are you sure you want to open it?” Add a third and a fourth one, and that might help, but when I want to run that application, because sometimes you do need to run it.

What I’ve always said is if I have four deadbolts on my front door, if I’ve got every window and door and everything else covered in the house with alarm things and motions, three dogs, the whole outside is lit up like daytime at night, and I’ve got cameras. If someone goes to the front door and goes, “Come on in,” it doesn’t matter what I’ve got.

You put all the deadbolts on, and you leave the window open. I think that’s one of the things that comes from an IT background, is that I always saw somebody say, “There are layers of security.” If you say that to a network guy, he’s thinking firewall. He’s got four firewalls and everything in place. You say that to a system admin guy, and he’s got two networks, he’s got two antiviruses running and malware, and three other things.

Prioritizing Measures Against Corporate Theft

You’re like, “Now there needs to be a combination here of what’s the overall supposed to look like, not just what your profession is and how to protect it, and four deadbolts, but an open window,” depending on where your view is. That’s where I see a lot of the frameworks coming in to people, maybe to understand or look outside of that. Let’s go ahead and move on to the next one, which is, how should CEOs prioritize that cyber risk?

I think CEOs need to prioritize cyber risk at the highest level possible. The reason is that as we move on, just like they talk about wars are now being fought in cyberspace, not with humans. Same thing, theft, corporate theft, corporate whatever you want to call it. It’s all now cyber. It’s coming in and shoring up. Nobody is breaking into the building at night and trying to open your safe anymore. They’re trying to open your cyber safe.

They’re trying to get to people. My opinion is that if you’re not prioritizing cyber risk and prioritizing what you do to shore up that risk, or at least deciding what level of risk you’re purposely willing to accept, then you’re doing a disservice to everybody. What I always say is that, with cybersecurity, you can talk about all the technology in the world, but as a CEO, I should be concerned with protecting my people, my profits, and my brand. That’s what I should worry about at night. If I’ve got anything that could affect those three things, I need to do something about it.

Why Foundational Cybersecurity Should Never Be Ignored

There are a lot of changes that are happening. You talked about AI a little bit earlier, but from your perspective, what emerging trends do you believe will have a profound impact on cybersecurity in the near future?

It’s definitely AI, both ways, unfortunately. You’re going to need AI to combat AI in this particular case. What’s going to be interesting to me is that all of these things continue to build. You’ve got zero trust to make sure you can only get your fiefdom, identity access management. It goes to your phone with MFA or all kinds of other things. What I think is going to be interesting is that as that peaks, people are going to go back to the old ways because, guess what? You’re no longer focused there.

It’s almost like magic. You’re focused over here, and I’m going great. You focused there. “You see it. Great.” Let me go over here and do things that you’ve totally forgotten about because you’re focused on something new and shiny. I think the things people need to worry about are continuing their foundational cybersecurity while they continue to build on the new threats that are coming.

That’s a great analogy because I’m old school. My days go back to the beginning of computers to a degree, and the beginning of the internet. We’ll go that far back. How’s that? When I first sat down with a person, he explained to me that the hardware is the hardware. The software is what controls those pieces of hardware. You’re at your applications on top of that, and networks, and everything else.

That foundation is exactly what you’re talking about. That foundation is the most important part, and each layer. As I’ve seen things change to the ASP model and then the SaaS model, and from the different mainframes to personal computers. It’s always been interesting that it’s still the same. The hardware is still the hardware, the software is still the software, and the operating system is still there.

That foundation is great because when you’re talking about cybersecurity, as you said, that foundation may be getting lost. People aren’t doing the basic block and tackling because they’re looking at the higher-end things that, “I’ve got to protect against this big thing over here now.” The basic, “Are you patching your applications?” Maybe they are getting missed.

Two things fascinate me about what’s going on. First of all, the CEO is still thinking, “If I keep it internally, I’m safer.” No, you’re not. That is not factual information. People have this fantasy about the cloud being this big. No, it’s just running your crap on different servers in a different place. If you think about it, someone owns a data center with 400 servers, and their job is just to do that. They have the money to put in much higher protection than you’re ever going to put in or afford to put in. To me, that goes back to what we just said, the basic blocking, that if I keep it internally, it’s going to be much safer. 

Public Response Around Corporate Cyber Disasters

Also, resource. What you’re telling me is that you have some technology whizbang person that’s better than the 6 or 10 data center engineers that might be there. That’s their full-time job. You think your desktop guy is going to be able to support that better? That’s our check risk. Have you ever been through a cyber disaster? If so, what does that look like for most executives? Imagine waking up that next morning and finding out that all of your data had been ransomwared, and now you’re sitting there, kicking yourself probably. How do you think that feels?

I haven’t personally been one, but I have had friends who have been through one. It’s interesting because you’ve got two schools of thought. One, I did everything I could do. I did everything you told me to do, and yet I still got breached, but then you’ve got the people that come to you and say, “You should have taken care of this.” “No, I have this document that says you chose not to let me do all the things that needed to be done.”

It’s interesting to watch and compare because even the person who had everything got breached, isn’t it amazing that they’ve got an incident response plan? They’ve got built-in policies and procedures that are being followed. They’re up and running much quicker, much more effectively, and lose a lot less than this person over here because now you’re starting from scratch literally, where you should have started before to try to figure out. The downtime is significantly more.

Both have to notify customers, which sucks because there are all kinds of statistics out there that the public is finally getting wiser and saying, “If you get breached, 60% of them are going, I’m not doing business with you anymore. I don’t care.” It’s always educational to me to watch both sides of the house, which is that they didn’t get personal data. They did break into the system, but I don’t have to notify anybody because they did not touch any PII, and we’re up and running in three days, and they touched every piece of personal data we have. We have no incident response plan to figure out how to go back and fix it. I’ve had to notify every customer that “We got breached.”

I think that you brought up a good point there. I guess my question is about customers leaving 60%, but I look at it like AT&T got breached. T-Mobile got breached. Verizon got breached. All your major carriers are breached. Where do you go when they’re all doing a bad job?

For whatever reason, people in bigger businesses accept it and almost expect it. What I think is ironic about that is they’re the ones who have the better resources and more money to fix it. They’re just not doing their job. When you have smaller mid-sized companies, for whatever reason, in the psychology of the world, they shouldn’t be breached. Big ones like Target, Home Depot, or whatever, of course, somebody is going to go after them. That makes perfect sense.

What they don’t realize is that they don’t care about you. They’re not going after you. They’re just shooting shots all over, and they found a hole to drop their marble in. You just happen to have no cover on it, which means you have no cybersecurity. You were easy to get into. Guess what? Hitting five of you in a night is much easier than hitting Target. I find the public psyche amazing that Target is okay. Bob is betting the barn down the street, “I’m never going there again.”

People say that, but then I think a lot of times they come back because it continues to happen. It has not become that, “Crap. I’ve got to switch,” and people forgive and forget pretty quickly when it comes to cyber.

People are getting numb to it, and that’s a shame. As much as it’s a part of the fabric of who we are now, with everything being connected, the reality is it shouldn’t be like, “I don’t care about it.” That’s like saying, “I don’t care about going to the doctor because getting sick is part of being a human.” You still go to the doctor and get checked out to feel better and take medicine. Cybersecurity and breaches and everything are part of the fabric, but you still do what you need to do to try to stop it.

The blocking and tackling. Those foundations.

That’s the stuff that drives me crazy. Just because something has become part of the fabric doesn’t mean you just go, “It’s okay.” Is it okay that the result is you losing your life savings, your business, and having identity fraud occur? Come on, really?

Looking Back To Matthew’s Career Journey

Who needs that? Tell me about this, Matthew. Tell me about yourself. I gave a few statistics at the beginning of this, but how did you get here? How did you get to Nodeware?

When I first started, I wanted to be in marketing, true marketing, like marketing research. As I was graduating back then, if this tells you how old I am, a marketing researcher got between $18,000 and $24,000, which back then wasn’t horrible. You could live off of it, but it was still $18,000 and $24,000. I had a recruiter show up at the school one day, and they were asking to talk to people. My marketing professor recommended me, and we sat down, and he offered me $45,000, plus commission, to sell carpet to apartment complexes.

I did that for a while and decided, “That’s not for me. That’s not what I want to do.” I tried a couple of other things, and to be honest, I fell into technology by accident. I answered an ad in Florida at the time. It was a boutique technology store. I think CompUSA, in the middle of Boca Raton, is high-end. I started working there, and I started to figure things out, and I kept telling them, “I’m looking for a marketing job. I appreciate this, but long-term, it’s not.” “Fine.” My first commission check was like $22,000. He comes and goes, “Are you sure you don’t want to do this?” I said, “Why?” He handed me my $5,000 commission check. “Maybe I should stay and do this a while.”

To speed things up, I started there in a retail environment. I started their corporate program and grew that to the corporate program, I think $12 million in two years. I just started my progress. I then went to an MSP, $100 million MSP, before MSPs were cool. I did work for CompUSA. I worked for all the big boys, the SHI, SoftChoice, dealing with the enterprise space. I got a call one day and said, “You’d be perfect for this gig. Would you come talk?”

It was a company called RapidFire Tools. A lot of your readers will know. I was their very first sales manager ever. I came in, and I had three telemarketers, not even salespeople. I got involved in the channel. I was having a great time getting to know MSPs, traveling, speaking all over, and building out a team. I was there for about five years. I went from 3 to 42 direct reports by the time I left. I put together their entire outbound program, channel management. As I did that, Kaseya bought them, and it wasn’t the right fit for me. I looked at other opportunities, and I kept going.

I ended up working for a bunch of security companies because that’s where I wanted to stay. I took two channels from absolute scratch, like nobody knew they existed. I took on a few that people knew, but tried to improve what they were doing. Nodeware called one day and said, “We do this, and we’d like someone to come in and help with sales and marketing and get us known.” I was like, “Let’s do this thing.” Three years later, here we are. I love what I do. I have a blast. I have the privilege of dealing with all kinds of people, whether it be talking to SMBs on MSPs’ behalf or MSPs all over the world. I get to travel. I get to speak at events. How could that be bad?

Tell us a little bit about Nodeware. What do you guys do?

Nodeware does what’s called Continuous Vulnerability Management. If you take vulnerability management as a core, now picture instead of planning to run it or having to do it on nights and weekends, it runs 7 by 24 in the background all the time. No network degradation. You’re able to scan everything right down to IoT devices, keep that for remote staff, whether it’s Mac, Windows, or Linux, as soon as they connect to the internet anywhere in the world. Your information is never more than 24 hours old, with built-in patch management, built-in remediation guidance. We give them EPSS and CVSS scoring. It helps them decide what they should address first and last.

We’ve got a very comprehensive, easy-to-use vulnerability management platform. That’s the best at what we do out there. We’re not trying to add a bunch of different features that either don’t work or are outside of what we do. We’re trying to be the best at internal and external vulnerability management and continue to build on that. We’ve got a decent-sized customer base, and the good news is we’re busy with demos every day of the week. It’s awesome.

That’s great. What are you working on? What are you currently working on that’s like the most exciting thing that you’ve got going now?

We’re working on some AI backend stuff that I cannot talk about the specifics of, but what I will tell you is that it will revolutionize the way vulnerability management is done, as far as gathering the appropriate information and getting exactly what’s needed to go. Right now, everybody gets it based on CVSS or CVEs. What if you could get it beyond CVEs and bring that back, and more importantly, bring back the solutions to the problems, versus just saying, “You got a problem.” It’s going to be very powerful and it’s going to be very next gen. It’s coming out, I think first quarter of next year.

Pretty soon. That’ll be cool. Good to hear about that. We talked a little bit about like what you like to do for fun. Tell me a little bit more about Matthew.

I’m 57. I’m as old as dirt. I’ve been on the channel for twenty years. On my second wife, who I adore more than life itself, she’s a senior assistant attorney general. I outkicked my coverage. I didn’t just kick it through the goalpost. I kicked it out of the stadium. We love to travel. Between us, we have five kids. They’re all older, thank goodness, and out of the house. We travel. I like to play the drums. I read. I do some consulting on the side to teach people about sales and marketing, where they’re not doing as well as they’d like to do. We’re looking forward to retiring in 3 to 4 years and just going crazy. We want to travel the world. We want to see every country that we can think of. We want to go and have a good time, and so we can say we’ve done it.

Seven continents, right?

Yeah. We’re having a blast. I still do some recording. I’ve got friends who have recording studios. It’s amazing nowadays. We did it during COVID at night, and as much as I’m in technology, I never really understood this. I’ve got some acoustic sets and an electronic set. If you connect an electronic set to an interface to your laptop, they can send over the file as long as I’m using the same software, and download it. I can play to the track, record my track, say mix, send it back to them, and they can do their thing, the engineering. It sounds like we were in the same room together. It’s amazing. Every once in a while, we’ll get together, but a lot of times, they’re all over the place. They send me music and say, “Can you lay down tracks for me?” I’ll be like, “Yes, I can.”

Is that like voiceovering with just music?

I guess so. It was wild when he sent me the final product of the first one we did. I’m like, “That sounds like when we used to be in the same room together. That was amazing.”

Matthew, how would you like people to find you? LinkedIn, phone numbers.

LinkedIn and email are fine. If you’re an MSP, because you’re on Facebook, Facebook is fine too.

Advice To Your Younger Self And About Reducing Cybersecurity Risks

If you could go back in time and give your younger you advice, what would that be?

It would probably be to get the law degree that my grandfather wanted me to get.

Give up on sales and go back to that thing.

Honestly, I think I’ve realized that technology was probably the place to be. I would have jumped into it earlier. I would have focused on it more. I think there would have been a lot more opportunities and a lot more fun to be had if I had not been so hesitant about it. I’m not sure I want to do this. I’m just doing it. I think it’s one of those things where if you’re going to do something, jump in with both feet and do it. Don’t do it half and half because you’re never going to get the success that you want and get to the places you want to go if you do something half-assed. 

A final question here. What advice would you give to our audience regarding reducing their regulatory cyber risk?

The first thing I would say is to do the basics. A lot of companies have already been doing the basics. Do the basics. I don’t care how much it costs you. I don’t care how much of a pain in the butt it is. Do the basics. Get with your IT service provider, or if you’re internal, and pick a compliance framework. If you don’t need HIPAA, PCI, whatever, that’s great. Pick NIST or CIS. You don’t have to do it overnight. Pick one of them and say, “I’m going to be CIS compliant in a year, 2 years, 3 years, whatever it is.” Start working through it. There’s a reason there are compliance frameworks out there, and they’re to help you decide what level of risk you’re okay with and then implement a plan over time that helps make sure that that is the only level of risk that you’re dealing with.

On that one, the cybersecurity maturity model certification for the DOD is a big one because I think the big word in there is maturity. What a lot of companies don’t understand is that they cannot go from 0 to 60. You can over time, but you cannot do it like it’s the day of your people. Your people will revolt.

I guess the last thing on that is, I don’t care how small you think you are. You’re 100% correct. No hacker is sitting outside your four-person accounting firm trying to get you. Again, if you picture this, you’re in a ballroom. Take a circular saw, I cut a thousand holes just indiscriminately in this huge floor, and I drop 100,000 marbles on a 20-foot high ramp. Are you willing to bet your business that a marble doesn’t fall into your open hole?

It’s as simple as that. If you’re willing to bet that, do your own thing. If that sounds like, “Matthew, that sounds ridiculous. That sounds like whatever.” That’s what they’re doing. If you’re not comfortable with that, do something. At home, I don’t care that I’m in cybersecurity; I’m locked down. You should see the amount of crap that hits my router every day. If you’re a smaller customer, you’re small. If you ask your IT service provider to look at your router logs, which show how many times someone has pinged you trying to get in, you’ll freak.

Episode Wrap-Up And Closing Words

Just to understand what’s going on, the automatic pieces that are happening. Matthew, I appreciate your time. Thank you very much. This has been enlightening, and I wish you the best of luck there at Nodeware. Audience, thank you for tuning in. I hope you’ve learned something, and reach out to Matt if you’ve got any questions. Hopefully, pass this episode on to someone who might find it interesting. That’s it. It’s been another great episode of Navigating Cyber Risk. See you next time. Thank you, Matthew.

See you.

About Matthew Koenig

Matthew K. Koenig is Vice President of Channel Sales at Nodeware and CEO of White Tiger Channel Consulting (whitetigerchannelconsulting.com), bringing over 35 years of sales and marketing experience to help businesses grow.

A lifelong drummer, avid traveler, and Florida State University band alum, he has visited Disney more than 250 times and explored destinations worldwide, including Australia, the Dominican Republic, and London. During the pandemic, he logged over 1.5 million meters on his Hydrow rower — a testament to his dedication both professionally and personally.
