Unspoken Security

How the Hell are Small Businesses Supposed to be Cyber-Compliant?

AJ Nash and Tarah Wheeler Season 1 Episode 5

In this episode of Unspoken Security AJ Nash is joined by Tarah Wheeler, who is not only the CEO at Red Queen Dynamics, but also a Senior Fellow for Global Cyber Policy at the Council on Foreign Relations and Advisory Board Member for the Electronic Frontier Foundation (EFF).

Tarah and AJ discuss some of the ongoing challenges facing small businesses as they attempt to defend themselves and their customers against cyber threats. Of particular interest in this conversation, Tarah has some passionate thoughts about a new Federal Trade Commission (FTC) regulation regarding breach reporting that is set to go into effect in May 2024. You're definitely going to want to hear what she has to say on this!

(Spoiler Alert: Things are about to get a lot harder for small businesses!)

Lastly, as with all episodes of Unspoken Security, AJ asks his guests to reveal something they had never talked about before (something "unspoken"). Tarah struggled with this one a bit (partially because she already shared a great secret earlier in the show) before giving a very cool answer that led to AJ and Tarah planning a road trip together.

What a way to finish the show!


Unspoken Security Ep 5: How the Hell are Small Businesses Supposed to be Cyber-Compliant?

Tarah Wheeler: [00:00:00] It's not just that people don't have the money to do this, it's that they don't have the capacity, the relevant resources allocated to them, the influence to get those resources allocated to them. So, we're watching right now a creation of haves and have nots in information security.

AJ Nash: [00:01:00] Hello, and welcome to another episode of Unspoken Security, brought to you by ZeroFox, the only unified external cybersecurity platform. I'm your host, AJ Nash. For those who don't know me personally, or are first-time listeners, I'm a traditional intelligence guy. I spent 20 years, well, about 20 years, in the intelligence community, both with the United States Air Force and then as a defense contractor.

And most of that time was spent at NSA. I've been in the private sector for about eight years now, uh, primarily building or helping people build, uh, effective intelligence driven security practices. And I'm passionate about intelligence, security, public speaking, mentoring, uh, and teaching. I'm also deeply committed to servant leadership, which is why I completed my master's degree in organizational leadership at Gonzaga University.

Go Zags! So the goal of this podcast is to bring all of these elements together with some incredible guests and have authentic, unfiltered conversations, even debates, about a wide range of topics, challenging topics, frankly. Uh, and most of them are topics we're facing every day. It's not going to be a typical polished [00:02:00] podcast.

You might hear or see my dog. She's usually around here someplace. Uh, people may swear here. Uh, we may argue or debate and that's all okay. Think of this as a podcast. It's more like a conversation you might overhear at a bar after a long day at one of the larger cybersecurity conferences. These are those conversations we usually have when nobody's listening.

Today, our guest is Tarah Wheeler, which is pretty amazing. She's a founder and CEO of Red Queen Dynamics, as well as Senior Fellow for Global Cyber Policy with the Council on Foreign Relations. She's been a star and a leader at all sorts of well-known places. Microsoft, Silent Circle, Symantec, Splunk. And she's probably the most educated person who would tolerate me.

She's got degrees and certificates all over the place, international relations, political science. She's agile development, cybersecurity. Institutions. I mean, from the Northwest, of course, Carroll College, Portland State, University of Washington. She's also been to Harvard, right? And she's a senior Fulbright scholar.

I don't know why she wants to spend time with me. I know she's been a little under the weather or something. Maybe the cold medicine got to her and she was tricked into talking to me. So we're going to [00:03:00] spend some time together, Tarah, is there anything I left out about your profile that you want to add?

Tarah Wheeler: Oh, totally. Um, see this one right over my head right here. Paper on the wall behind me. Uh, the one that I like to keep nice and centered right there is my GED.

AJ Nash: Yes. I also have a GED. That's amazing. I didn't know that about you.

Tarah Wheeler: It's, it's super important. People should know this, right? Like I, I very clearly have an academic inferiority complex. That's why I go and do all of this shit. Right. But like, I keep, I keep like two things kind of like front and center for me, even when I'm having these kinds of conversations with you. One is John Wick right behind me.

I made my own motivational poster. Um, and it says work until you no longer have to introduce yourself. And right over that's my GED, just to, it's not to keep me humble, I don't need anything to keep me humble, I'm always like, you know, scared and trying to fix shit, right? But it is to remind me that everybody has their own journey, and the missteps and stumbles that we make along the way sometimes get us to where we wanted to be.

AJ Nash: I think that's great. And it's funny. Uh, [00:04:00] I've, I've said the same thing before, right? It was, uh, so this show's Unspoken Security and a lot of people share unspoken things, right? They've shared secrets, and in another episode, one of them is, yeah, I also have a GED, which is something people wouldn't expect. Yeah, but you're, you're right on.

It's about the journey, right? I listen, I made some choices and things happen, but you sort it out, right? You never have to stop moving. So I think that's awesome. It's something we have in common, which is very cool. I just have to get a whole bunch more degrees and get a lot smarter. So people don't need me to introduce myself and then I'll catch up on the rest.

But, um, got one, we got a place, right? Good. So I, I'm curious now, like we're going to talk about this episode, right? So today we're going to talk about, the title of the episode is How the Hell are Small Businesses Supposed to be Cyber-Compliant? But I mean, what are we talking about?

Cyber compliance for small businesses? I'm not gonna lie. It sounds kind of boring, but you and I talked a bit and that was enough to convince me there's something really interesting and important here, and I know you're passionate about it. So, you know, the first question is what are you seeing when it comes to compliance, Tarah, like what's got you fired [00:05:00] up here?

Tarah Wheeler: Okay. So what's got me fired up? What got me started to begin with? Okay. So, uh, AJ. The first time I dropped out of high school, I was 16, uh, and I went and started building computers for my stepdad's MSP, for his computer repair company. He's still, he's still, you know, part of the computer guy, right?

This is, this is what he did and does and, uh, you know, I ended up with my after, you know, post-school job, you know, trying to scrape my way through community colleges, building, you know, uh, ATX mid towers, right? So you're building many towers of is each jumper configurations were just jigsaw puzzles with computer parts, right?

And what I got a chance to see was the quantity of people who were intimidated and frightened by computers, by the stuff that they didn't know, and they were, it was the, it was the old folks' home. It was the local retail shops, agriculture at small businesses that somebody like my stepdad and, and the businesses that I was raised around in rural Oregon, um, have to cope with because we use these things as tools.

So why do I care about it? That's the origin of me caring about it. But what am [00:06:00] I seeing right now is that a quarter of a century, uh, maybe a little more than on, you know, these problems haven't fucking changed. Do, they've not, they've not changed over time. You still, you still have the phone calls from old folks' home where they've gotten hacked, and retail businesses that have their machines compromised, and they, they have Excel spreadsheets full of credit card numbers stolen. Like I, we're gonna, we're just gonna, we're gonna go with a quarter of a century later on and just like use that as a, as a great like rhetorical number, but I will tell you this right now, if you want to hear the kind of conversations that we have at bars at information security conferences, it usually starts with this shit hasn't changed in three decades. We're going to go from there. So, um, so what am I seeing right now? Let's, I mean, let's dig a little bit more into it. And this is the thing that is making me.

I'm furious right now. I'm going to give you a point in time a few weeks ago, and then tell you why this is so ruinously problematic. So, on October 27th, the Federal Trade Commission [00:07:00] published a new regulatory, uh, requirement. This regulatory requirement, yep, you did. And, uh, it mostly kind of went out there on, on Halloween.

No, it was not a joke, although it was terrifying, which is to say that all non-banking financial institutions in the United States, um, after, have to report data breaches of more than 500 customers' data within 30 days to the FTC. As soon as this regulation comes into effect, now, in about five months, spend, it's already been 30 days, uh, these regulations come into effect in half a year.

So five months from now, any business that does financial transaction processing, think of construction companies that work with credit agencies to help people finance remodels on their homes. Or, 

AJ Nash: house. I went all that.

Tarah Wheeler: There you go. Exactly. So, did you do any, did you do any credit processing? Did you like, you know, get like a, a bespoke, what, exactly,

AJ Nash: You had to get a builder's loan. You had to do all those things. Right. And let me, let me tell you, my builder is not a financial genius. So this is part of his problems. His life's not [00:08:00] about to get better, I can assure you. A nice house, but not a financial wizard.

Tarah Wheeler: So it's not, but they don't have to be, right? Like, my clients are wizards in other things, right? They know how to get, like, the shit that I want from Amazon from one side of the coast to the other. They do taxes. They're, they're lawyers. They're accountants. But I don't want to do that for a living. I like what I do for a living.

They can do that and I will try to keep them safe and they will make sure that, you know, my money and legal stuff gets handled, right? We, we have these, we, we live in a fucking society for a reason. Okay. So, um, here's the thing, this is the thing that's scary. In that regulatory ruling, there is no limitation on firm size.

That's the problem. You can be an eight person used car dealership in Auburn, Washington, and this applies to you. Okay. And I want to, I want to make sure people understand that there's, there's been no real pushback on this regulatory ruling, which means I think most people just don't understand what this is, because there is no way [00:09:00] for most small businesses to even understand that they've been breached, much less have any, any concept of how they would report it to the FTC.

What 800 report data breach to the FTC? How the hell do you even do that? I would have a hard time understanding how to do that. Most of the time when I tell small businesses they need to report something or get help, I tell them to go to their CISA state or regional representative, right?

CISA has regional and local reps that can help you with that now. So that is the thing that I'm seeing and, and that's a point in time issue. And what it is, is this just ruinous incapacity for state and regulatory and federal agencies to understand the bottom half of information security in this country and how small businesses are burdened by it.

Now they get help from their MSPs. Managed service providers are the API to cybersecurity, to information technology, for small businesses in this

AJ Nash: Sure. Sure.

Tarah Wheeler: At the point of which you're, you are a small business and you're, and you are like doing some business, you pretty much have outsourced it, right.

So those are the people that are [00:10:00] going to be getting hit with these kinds of requests and guarantees and compliance and paperwork so this is why I'm mad. Like, this is why I've started out mad, and this is why I'm mad right now, and any minute I'm gonna grow a beard, and I'm gonna join like all the guys at the bar, at, like, after DEF CON, and, uh, like, just start yelling, like, this shit's never gonna change.

This is why I'm frustrated, this is why I care about it, um, and this is a thing that, that I think needs to get brought to more people's attention right now. Like, you've got five months,

AJ Nash: Yeah, well, and I didn't know about it until you and I started talking, right? I mean, I, I, you know, full disclosure, I say, I've read it. Well, I hadn't read it. I mean, you showed it to me. I was like, Oh my God. And I started digging into this a little bit and it's, it's, it is fascinating. I think you're right.

The lack of pushback almost has to be from an ignorance. Either people don't understand it or like, it's just don't know it exists. Right. There's millions of small businesses in America. America is built on small business, right? That's, that's the American dream to start a business. Most of them don't pay attention to FTC, to government rulings, to new policies and [00:11:00] regulations, unless it specifically affects their business.

I got to believe there's a lot of people who have no idea that this is now part of, or going to be part of their problem for next year, right? And they're just gonna, they're just gonna live their lives, they're gonna run their shoe store, or their coffee shop, or car dealership, or you know, wallpaper department, whatever the hell they do, right?

And they're not gonna think about this at all. And it makes me wonder how enforcement's gonna work too. These breaches are gonna happen all the time, everywhere. People are getting breached constantly. Um, you know, and as you pointed out, like, Shit's not getting better. Like I can't imagine having a conversation at any of the bars where we don't all say that it always comes up.

Right. It's very frustrating whether whether it's about simple things like hygiene, whether it's about intelligence, you know, which I rail about all the time, you know, policies, procedures, all these things, right. Shit's not getting better. Bad guys are getting better. If we're getting better, we're not keeping up.

It seems like, but this strikes me as one of those things where it's maybe a good theory, but in practice, I can't imagine how this is going to work, how enforcement is going to work. The FTC is either not going to get reportings or they're going to get overwhelmed with them. You know, like I said, these MS, MSPs that these companies are depending on are just going to [00:12:00] be flooded and they're just going to be sending all this stuff forward.

And then what's going to happen, who's going to even process any of this stuff. So, you know, I'm not gonna lie. I'm embarrassed that I didn't know more about this before you and I talked, right. I, and you know, full disclosure for those listening, listen, Tarah, I'm kind of a fanboy of Tarah on the side. Don't tell her, yeah. I will. I've been following her for a long time. She's freaking amazing. And I was like, I gotta get her on the show. I don't know talk about. Well, not yeah, not that. Like not, well, not, not, not creepily, you know, I was like, I, I wanna have Tarah in the show. I don't know what she wants to talk about.

And so, you know, I reached out and said, Hey, Tarah, what do you want to talk about? Like, I, I like to leave it open for a guest, especially smart people with great ideas. And you started talking to us. I was like, what the hell is this? And now I just look at it and go, God, I, I'm embarrassed. I didn't know more about it.

It's an absolute mess. Like, it's really frustrating. And I don't know how people are going to, to deal with this. You know, the next question I thought of was like, what about the Small Business Administration? I mean, do they fit into here somewhere? Is this under their umbrella? You know, there's an MS-ISAC out there.

Like what, what are the thoughts in those areas? Who's going to be [00:13:00] helping people?

Tarah Wheeler: So, so to the, there's two different answers to that question, like who's going to be helping people. What I want to do is I want to point out that you just said, look, I'm embarrassed and frustrated that I didn't know about this. You know, people tell me that about cybersecurity all the time, the sheer quantity of like small business CEOs I've talked to, I mostly talked to managed service providers.

Now those are our clients, then, and, and they've got some handle on it. Uh, but the number of business owners and leaders that I've spoken to are like, I'm embarrassed. I don't know anything about this. And I was like, join the club, buddy. Like we're, we're all out here, you know, just trying to figure out who did this, you know, and so the answer is I should not have to know the intricacies of updated IRS regulations, right?

As long as they're, there's something that, that over time they're going to stack up, somebody's paying attention to. My managed service provider for my finances is my accounting firm, right? It's their job to know and understand these things, also to translate them a little bit to me. But, if a major new tax regulation comes up that is going to impact an [00:14:00] entire swath of businesses in the United States, accounting firms have their shit together enough that they send out an email saying to people, Hey folks, just want to let you know, this is going to become, you know, you won't be able to claim your home office anymore.

Something like that would be sort of the equivalent of something. Everyone's trailing along, claiming their home office. And the FTC is like, what? Half of you people weren't supposed to be doing this. And they're like, but the accountant never told me not to. Why? Because we have different jobs we do.

It's not my job to keep up with the tax code, it's my job to pay somebody to the best of my capacity to find a specialist who can translate much of this for me and help me walk through how I best discharge my ultimate responsibility as the fiduciary for my company. Right? Because I can't know everything.

So, in the same way, whose responsibility is it to start translating these things for small businesses? Your question is so on point. The, the answer is there needed to have been better communication on these policy changes. But second, the answer is mostly managed service providers are the ones who are going to end up with the [00:15:00] burden of this.

Okay. And now the, of course, the question is, where is the Small Business Administration? You know what? The number of people that I've talked to in cybersecurity where I've said, Hey, have you thought about the Small Business Administration? Um, some of them have to stop for a second and retranslate that in their head and go, you mean the federal agency? Like that's what they're talking about. Like I said, I grew up in rural Oregon and the SBA, the extension schools for ag in the area, like these were bodies that were deeply meaningful in small business life, and from what I'm able to tell, the Small Business Administration of the United States is fully absent from this conversation.

So I just checked and next year for, for the period of time between now and I believe the end of 2024 and I gave you, I threw some links up there for you and we can post later. Uh, the SBA has a $6 million budget for cybersecurity for a pilot program to aid small businesses in the United States.

That is $6 million, not per state or per industry. That is [00:16:00] for the United States. Now, I, I did the math on this one. I did the math and I, I want to tell you,

AJ Nash: It's not gonna be good.

Tarah Wheeler: Oh yeah, so right now, there are, there are at, at last count by the SBA's own numbers, 33, 000, 185, 500, uh, 185, 550 total U.S. small businesses, over 33 million U.S. small businesses. And the SBA next year is going to spend six million dollars. That is 18 cents per business in the United States, that's qualified as

AJ Nash: It's nothing. It's nothing. It's absolutely nothing.

Tarah Wheeler: Yeah, I, I, I lost that this morning, you know, in, that was, that was, that's less than the amount that it costs to put extra whipped cream on my latte in the morning.

Believe I drink a lot of coffee at this point.

AJ Nash: Oh, that's a good context for it.

Tarah Wheeler: So where is, where is the SBA? Like, they're a rounding error for small businesses

AJ Nash: That's insane. I mean, [00:17:00] the last Intel team I put together, I had a 3.2 million budget, you know, and that was one company, one team. And by the way, that wasn't everything I wanted. That was like initial operating capacity for, you know, nine project. It was, it was, you know, like I said, 3.2 million. I think we spent a little south of that when it was all done, but that's one company, right. And you're saying there's millions of these companies who also don't have cyber security I was working with, yeah, and I was working with experts, right? We were cyber experts. Well, I wasn't, but I worked with smart people and, and you're talking about again, the, you know, the mom and pop shops and the, you know, the small businesses, people who are just doing the things we all need done, you know, as you pointed out, I'm not a carpenter, I'm not a doctor, I'm not a lawyer and I'm not an architect, you know, name all these businesses, right?

But we need all these people. And now they're going to be asked to do all of this with no funding of any kind. So like you're telling me that the Small Business Administration is just nonexistent on this. I didn't ask you this in prep, so you may not have an answer for it, it occurred to me as we were talking, like, does MS-ISAC get involved in [00:18:00] this at all?

Is there, is there a place for them to play in this? You know, the multi-state ISAC, having an opportunity to, to, create support here. I mean, it feels like it could be an ISAC kind of a thing. I dunno if anybody's talked to them yet or if they've talked to, to FTC yet about this. I dunno if you know anything on the subject.

Tarah Wheeler: I mean, I literally, I know what you're talking about because I know what the initials ISAC stands for. Other than that, like, that, that initialism has never walked across my desk in any way, shape, or form. Couldn't, never interacted, wouldn't, wouldn't know where to go find them or who runs them. Um, and, and this is, this is part of the problem.

We, we, we think that this is, there's going to be a technical solution to this. Okay, so, there's two problems with this, with thinking that there's going to be a technical solution to this. 

AJ Nash: Mm-Hmm. 

Tarah Wheeler: First of all, we, as an industry, have, we think that there are going to be technical solutions to these kinds of security problems when, um, for small businesses and for the managed service providers that we specifically, I'm, I'm, I, And we build a product that helps compliance for MSPs, uh, that, um, that work with small businesses.

And I could tell you about it later and I'll brag about it if you want me to. But the [00:19:00] important thing is part of the reason that MSPs have issues, managed service providers, the IT guy has a problem helping small businesses because many of the information security tools that we built are fucking cool, right?

Like Metasploit. Right. They're like, we build a tool like this. You got HD Moore, you got Egypt. You got amazing people building these tools that, um, you know, I think Rapid7 owns Metasploit now. These amazing tools that are incredibly important in information security, the enterprise and cutting edge level.

I took, uh, I took Metasploit, I think advanced Metasploit from like Egypt and Mubix at Black Hat, maybe a few years ago. Like I can, I can run Metasploit. I, I've, I've done pen testing, I got a couple certs from SANS, stuff like that. Um, like I'm a respectably decent person in, in offensive security. But the problem is, is that when you take Metasploit's Community Edition and you hand it to, and it requires all of the additional configuration, and you hand it to, uh, an MSP and say, okay, good luck with that.

You need an [00:20:00] Egypt or Mubix to configure it at that level. And AJ, they can't afford me. I promise you they can't afford

AJ Nash: Right, right. They don't have budget. Yeah. They don't have budget for it.

Tarah Wheeler: So, a cut down, chop down, free version and small in version of an enterprise tool that's handed off to a smaller organization without the expertise to configure it, operate it, and keep it patched, for God's sake, is useless and it makes people feel even worse.

And then you have the other side of that where it's not just the, the small versions of it. It's that often we as technologists think that we can solve this with my three least favorite words in the English language, Can't you just. Can't you just install EDR on every endpoint in this, in this SMB and monitor and then create the audit trail that way.

Can't you just, uh, do, you know, monitoring. Can't you just install, you know, watch EDP, get a firewall. This, these are not. These are not organizations that have [00:21:00] firewalls. They don't have a corpnet. They've got 15 guys in trucks who are using their personal Android devices that are all out of date and you can't force them to update it.

You can't even force MDM on these devices. You can't solve a human problem in information security using technology.

AJ Nash: No, a great point. You're exactly right. I mean, these are not technologists. You got, you got guys out there that are doing their, or, you know, guys and women, obviously people out there doing their jobs, getting things done, and this isn't what they live. They don't live tech.

They aren't buying the new smartphone when it comes out, they've got, you know, whatever four iPhones ago was at this point, right? And it's got a cracked screen and they use it because I have to, because you know, phones are a requirement, but they're not updating things. They don't understand them and they don't have to.

And this is not an insult to say they don't understand. I mean, some people are brilliant. I'm sure there's truck drivers who know tech better than I do. I'm not saying everybody, but in general, like you said, these are people, they have really strong skills in what they do. And the rest of this is just in the way, they just want to go do their thing.

Right. I want to get my, my truck where it needs to go, or I want to deliver what's going or it's going, or I want to, [00:22:00] whatever it is, I want to sell the thing I'm selling, I want to move product. I want to move services that this is all on the side for them. Like you said, they outsource it to other people.

I got accountants for that. I got an IT guy for that, but there's no money for them. So what's the next step? Are we going to see, you know, managed service providers are gonna have to raise their cost. They're gonna raise their rate, 'cause they're gonna have to invest in more tech. So they raise their rate and then they pass that back on, which means the small businesses pick up harder, you know, harder charges for, you know, account all the services they need.

Right. Accounting and and whatnot, payroll and et cetera. And that then gets passed off to the customer. So we're gonna see a raise in prices. I mean, are we looking at a systemic challenge that can go all the way there as opposed to the government being able to provide more support? Is that gonna be the other answer?

Tarah Wheeler: Yes, the short answer to that is yes. The 30-second version of that is two things provide the teeth in that. One is cyber insurance and the other are related upstream supply chain security requirements for enterprise and DOD. Those two things are driving those cost increases for MSPs. Cyber insurance is one of the very, [00:23:00] one of the, the, the first things a small business notices, um, when it comes to their inability to do business because they don't have cyber security.

Um, they don't have controls. They don't have compliance. So I have never in the now thousands of businesses I've talked to in this ever found a small business that bought cyber insurance because they felt like it. It's just not, not a single, and what's more, none that have ever bought it because they want to actually be insured against a cyber security threat.

Ransomware, data breaches, whatever. Not one single one of them. Other than me, because I'm a nerd. I have never seen it. It's always about revenue enablement. Um, and they either have a current, uh, enterprise or revenue based partner. They, they're, they're making money from someone. They've got some kind of partnership or sales agreement where the compliance, uh, requirements for that agreement are being upgraded on a year over year.

And they get told you have to have cyber insurance coverage now. Um, or they can't get through a vendor assessment process without all of their relevant [00:24:00] paperwork and demonstrating continuous compliance. It's never about getting protected from cyber threats. It is always about making money.

AJ Nash: I was all, that's all right? That's all revenue. None of that's going to make anybody safer. It's all about, you know, we know we're all going to get breached, so now we got to pay somebody else and it's insurance and it's a whole, it's going to, it's, it's this giant industry that's growing, I'm sure because insurance industries always do and a whole new period and opportunity for revenue generation, none of which is going to reduce breaches or make anybody safer.

None of it, none of it's going to cut down on any sort of, of consequences for the average consumer, right? You and I, for that matter, in this case, all of our data is the data that eventually is going to get owned and compromised. And instead of coming up with solutions to be proactive and to protect the answer, it sounds like from what you're saying is we can't fix. Let's just buy insurance. So at least we're legal when things go bad. But still, they're going to have all this, you know, new reporting requirements that they're not going to know what to do with, they're not going to have the visibility to do the reporting. And is it? I don't know. I didn't read this well enough.

I should go back and look now. So the reporting [00:25:00] requirements, if I remember correctly, said it's like 60 days from a breach. Is it? I assume 30 days. Is it, if it's 30 days after discovery, so, which reminds me, I mean, there's a loophole there, right? 30 days after discovery. So if I really don't see anything, if I, if I don't understand my network or whatever it is, then, then, so it's going to be more about plausible deniability, right?

Just, I'm actually as a small business, better off to have less security. Aren't I have no antivirus, have no ability to see this stuff. And then you can't get me because I didn't discover it.

Tarah Wheeler: Do I ever have bad news for you about how the IRS works when plausible deniability with your, that's what's happening right now is that the concept of cybersecurity liability is being professionalized by this. So I, I don't get plausible deniability on my taxes. When it comes to whether or not I've done the right thing, I just get assessed for what they are, right?

It doesn't matter if I know or don't know. I still is a fiduciary for my business. I'm the person with the ultimate responsibility for it. Um, and so [00:26:00] I have to make sure that this all seems sensible. But if I looked at how I spent what, you know, our budget for the business and I, and I said, well, as long as I throw away my, uh, credit card expenses and I don't pay attention to what's happening in our QuickBooks, you know, install and stuff like that, then I'm not liable for whether or not we've correctly written off our expenses.

I think that any accountant would tell you that you're in some very serious trouble there, sweetie. And that's what's to happen to people in in cybersecurity with this this compliance measure because there's no requirement that there be knowledge of it. There's no requirement that somebody have an understanding of what happened, just that they have to report it.

So there and and demonstrating good faith I'm sure will matter and I'm sure because I've seen this process work before I'm sure that when this regulation comes into play that the FTC will start by going after people who are operating in bad faith. Right, they'll start by going after companies that definitely should have known better definitely had a staff to [00:27:00] handle it definitely were internally notified of it and didn't follow the regulation when they knew about it.

So they'll start there but that's not where this ends. Right.

And it 

AJ Nash: I mean, we're seeing some of that now already, right? I mean, with large enterprise, we've seen, uh, you know, recently we've had a couple of CISOs now that have run into some legal trouble. Right. So, I mean, we're seeing the government start to try to take actions to hold people accountable, which listen, I've been very vocal and public about that, but I think it needs to happen.

I'm screaming all the time about, about organizations that are intentionally prioritizing, you know, bottom line over security. Um, and so I think that matters, but I think you make a good point of where does it stop, right? Okay. So that's great for the large enterprises and, you know, CISOs that are making millions of dollars and are conveniently quietly hiding problems and know better.

Right. They're going to start paying some prices and that's not many of them, by the way. I think most CISOs are really trying to do hard work, but there's enough of them out there. But where does it land? I will say I'll challenge you a little bit. I get your point on the tax piece and you're exactly right.

You can't. Ignorance doesn't do you any good with the IRS, but they wrote this as saying no later than 30 days after discovery. I'm no lawyer, [00:28:00] but I pretend to be one a lot of times. If I were a lawyer, I'm absolutely gonna focus on that and say, prove when we discovered it. I think ignorance in this case could be a solution.

It shouldn't be, but I think based on the way this is written, it could be a solution to allow small businesses to sidestep this. It'll force the FTC to rewrite it and change the wording, but from discovery, isn't the same like taxes. We don't get that. I, Oh, I didn't realize this doesn't matter. They don't care.

You better follow you all your money. They don't, the IRS doesn't hold any from discovery piece into there. Oh, I didn't know about it. Isn't going to work, but this says 30 days after discovery. So it seems to me as a small business, if I can not discover things, like if I can actually be intentionally ignorant, I may be able to duck the requirements here for a while until the that.

So I hope that's not the solution. But if I were a company who didn't think I could stand up to this and was afraid of what it would do to my business, I'd certainly have a chat with my accountant and my lawyer right now. And be like, what does to you? Uh, I'm sure some lawyers are going to focus on that.

You know how they are with the small pieces of [00:29:00] words, right? 30 days after discovery is good. I would probably tell some companies to get rid of some of their cyber security, which sounds ridiculous.

But if you've got an antivirus, get rid of it. If you've got an end point, get rid of it. Like if you can't solve this the way you need to, to keep your business running, then you're better off not to know it exists and let the breaches happen because you're theoretically protected then, because it says you have to discover it first before you can report it.

Tarah Wheeler: think first you're correct. And I think that there's going to be 

AJ Nash: We should stop there. I like when tell me I'm right. Just, we should

go 

Tarah Wheeler: this is in, this is improv. I'm disagreeing with you by saying yes and.

AJ Nash: Ah, here we go. 

Tarah Wheeler: Um, 

AJ Nash: here we go.

Tarah Wheeler: so I, Uh, yes, and I think there's definitely gonna be a swath of businesses that do this, just as there are businesses where where levels of knowledge are carefully maintained on things like HR or spend or whatever to make sure that people don't experience too much liability.

I think that in small businesses, the capacity for that kind of like what they call the Chinese wall and in the legal world, what you would [00:30:00] call, um. That kind of gatekeeping that specialized liability. It doesn't exist in a business of eight people, right? Like that are selling cars. And so there's there's no way to keep that that knowledge.

Um, not only technically but provably isolated away from a person who would have that requirement because if you have the ability to keep that knowledge appropriately firewalled away, you have the ability to fix the problem at that point. Right. So what I think is going to happen is that that small businesses are more and more going to expect their MSPs to assume liability for not discovering problems or to assist them in this process.

Now, now, the reason that I have a company, the reason that we built the, we will dine at, which helps MSPs do this kind of work, which is discovery and small businesses and maintaining continuous compliance for these exact problems is why I care. Right. Um, but I think what's going to happen is that managed service providers are going to experience much, much more pushback from small businesses to assume liability for both discovery and reporting.

And that's going to become a professional service of MSPs. [00:31:00] That the, the process of doing that reporting of maintaining the records for that is going to become part of an MSP's service provision. Uh, and that's going to get more expensive because the next thing that's happen is the MSPs are going to want insurance to cover it and that's hard to get.

It's really hard to get.

AJ Nash: Yeah. And 

Tarah Wheeler: are getting harder to insure.

AJ Nash: Yeah. And then they're going to have to hire people too. A lot of these MSPs aren't built for this either, right? If I'm an accounting firm, I'm not necessarily a cyber expert for myself. So you and I know, I mean, I I've seen accounting firms law firms and medical firms, just as you know, three quick examples.

We've all been popped because they have tons of PII and they have lots of things, you know, lots of things you want, right? Confidential information they're not historically great at cybersecurity in a lot of cases. So they already are outsourcing to somebody as it is. And now that's another chain that might have to go down the line further.

Right? So their accounting organization for the medical facility. Now that accounting organization is also going to have to have a service provider that does this piece of the puzzle. So it's another chain that's got to be added, which [00:32:00] of course also creates more links and more opportunities for compromises, by the way, for anybody paying attention, that's more data flowing around and more opportunities to socially engineer somebody to get in another, you know, sideways entrance to get into the databases.

What a mess, man. Uh, 

Tarah Wheeler: it is,

Yeah, it genuinely and what you're describing what you were describing right now is exactly what Wendy Nather talked about originally in 2011 and continues to talk about now, which is the security poverty line. We are we are described and there's 4l It's not money by itself. What does she say?

It is. It's a money, expertise, capability and influence. So, it's, it's not just that people don't have the money to do this, it's that they don't have the capacity, the relevant resources allocated to them, the influence to get those resources allocated to them. So, we're watching right now a creation of haves and have nots in information security.

AJ Nash: And that's an interesting point. Like I hadn't even thought about it until you said that. Right. I mean, uh, the, the poverty line of cybersecurity, I mean, that's. That's pretty powerful. And you're right. And that's exactly what this is [00:33:00] going to turn into. I mean, you can see it laying out, right.

You have to have a lot of money for security. We know that it continues to grow, uh, and yet we have companies who have enough money who won't spend it because they're determined to get that extra one or 2 percent on their bottom line. And risk be damned, somebody else will pay the price for it later.

And the other side, you're saying, here we are, the small businesses, the small, medium sized businesses are going to get crunched and it's going to be layers and layers of cost and risk that they're going to have to take on. Yeah. And then we're going to wait and see how the enforcement works. And, you know, using the IRS as the example of you said, I could feel this going that path too.

Listen, uh, how many audits do billionaires get versus how many audits do working class get? Right. We run into this all the time. I don't want to turn this into this huge political discussion for everybody's paying attention, but you know, we run into that all the time, right? It seems like there's a point when you get over a hump on wealth.

Where consequences just seem to dramatically drop because you've got the resources to avoid the consequences. You have, you have all the things you talked about, the money and the talent, everything you need. And somehow it, it just, you get over whatever that number is, whatever that hump is and [00:34:00] everything seems to get easier.

And for everybody else left behind. We're carrying the weight of all of the rules and all the regulations that you do have to follow because the IRS doesn't give a damn if I say I didn't understand. Well, that's great. You know, we'll, take your house and your car and you can understand now, uh, and it could be the same with this, I guess.

You know, I, I don't know. You're more well versed on this than I am. Clearly. Have you seen anything yet discussing what the enforcement will look like for this or what the penalties or punishments will look like for organizations that failed to report within 30 days of they, have they released anything like that yet?

Tarah Wheeler: I haven't seen anything that describes that. Um, I have to say that at least part of this process, the process is the punishment, I think. Just as you would describe it for people who are looking at like, uh, you know, what is it, incarcerated justice. The process is the punishment for a small business to be faced with an FTC, a civil suit.

Can you imagine being sued by the FTC? And this is done in batches, right? A small business facing something like this, it doesn't matter [00:35:00] if they can defend themselves, they're done. They are Um, it, it's not, and it's, we use small businesses as this collective fiction to describe an economic activity that's agreed upon by, you know, 10, 15, 100 people where we all get together, we make something, and we think it's pretty cool, and we provide an economic benefit for society, and then we all, you know, get W 2s and healthcare.

So, the problem we have here is not just that small businesses are faced with this or that MSPs are going to have to charge more and face more liability. The real problem we're having is what you just described, which is that a lot of people are going to think that if discovery is the key term there, that the best thing that they can do is not have, is not discover it, which means who are actually getting impacted by this. This is the bottom half of the bottom half of small businesses who are serving people in rural communities who are less technical, who have less opportunities available to them, who have less choice available to them. These are the people who are always going to get the total fucking shaft.

They're going to get it from every direction on this one, because they're the [00:36:00] ones whose information is going to get stolen. Identity theft plus anything else that happens to a person who's already on an existence line, just the subsistence line for economics this country, that puts anybody over the edge.

So real challenge we're looking at is individual human stories of injustice that come from this. And let's not forget that the people whose fault this is are the ones who are committing the crimes, who are harvesting money from small businesses and managed service providers, you know, North Korea collects what, couple billion dollars a year just farming ransomware from just certain segments of American small businesses every year per the UN.

So, you know, small businesses in the US might do farming, but they're also being farmed and. That's where the crime originates. There's got to be better protections for it, and we have to stop penalizing the people who are victims of crime, as opposed to the ones who are actually creating it.

AJ Nash: Oh, you make an excellent point. You know, when you talk about who's really going to suffer for this, right? You said it, you know, the less technical, like I said, the [00:37:00] rural, and you talk about when it comes down to identity theft is a great example. As you said, listen, identity theft is, can be devastating.

And, you know, you or I, you know, please. Anybody out there listening, please don't try to steal my identity. I don't have time or energy for it right now, but we probably have the resources and, and, and knowledge and, you know, friends, and we could probably recover from it. It's I've seen it firsthand and it's devastating for people who are middle class upper middle class who have resources, money, education, and time.

If you don't have any of those things, if you're just, as you said, the subsistence line, you're just getting by. And one day you wake up and your bank account's empty. Uh, you know, you're listed as dead on a database, whatever it might be. You're done. Like the recovery for that is incredibly difficult and you don't know where to start because it's completely, you know, alien to you, right?

This is not something you've grown up with. You've lived with, you don't even know who to ask. If tomorrow, my shit all went South, I call you. Or I'd call, you know, people like I'd call somebody, right? know a few people, at least if nothing else, I would know somebody I could cry [00:38:00] to who would at least understand what I'm crying about, right?

So that's an advantage, but you're right. The people that are going to pay the most for this are going to be the ones who are least equipped to solve for it and it's just going to be bad. I mean, this, this is, again, this is why I wanted to talk about this. When you, when you showed it to me, I'm not gonna lie.

When you first started talking regulations, like, oh my God, I don't know if this is going to be as exciting a show as hoped for, as started digging, was like, holy shit, Tarah makes everything exciting. Like this is interesting and scary shit. Right. And I don't have a good answer.

So, you know, the question, and I don't know, you tipped on this a little bit as we were talking, but I mean, the last question we had in the setup here was, you know, what do you see as the way forward for these businesses? Like, what are the positives? So I've already talked about, Hey, just shut all your shit off and don't know anything, be ignorant and you're safe, which probably isn't true. Uh, you know, but it might be a place to start, but, you know, and we talked a little bit about maybe Ms. Isaac, I'll maybe I'll do some followups Isaac's listening, wants to talk about this, maybe there's a place that a small business administration doesn't need to be doing much with us.

If you guys want to [00:39:00] come yell at me, feel free to, I'd love to talk with you guys too, but what do you see as some positive things? Like what can people do? What is the way forward for these businesses? Now, just solve the problem,

Tarah. That's all I'm asking. 

Tarah Wheeler: okay, I'm gonna, I'm gonna set aside, I'm gonna set aside the fact that this is what I do every day for a living, and instead just step over into, into a couple of things that, that need to happen, um, kind of on a societal level. Um, and obviously, anybody who, who wants to know more about this, please come talk to me.

I will enthusiastically talk your ear off about it all day long. Um, but here's one of the things I need. I need to see people in the information, I'm going to turn this back on us, people in the information security community need to hear and really deeply understand, um, love and anger. I'm, I'm, I'm, I am, I am nail-chewingly angry over this, which is enough to get me up in the morning and get my first two cups of coffee. But just like, you know, just like Captain Tightpants says, it's love that keeps her in the air, right? You have to, you have to love, um, the [00:40:00] institutions, the rural small businesses, the people that make up the economic activity of this country.

You have to have that love in you. Um, and without that love, if there's the, if there's a hint of contempt or a stupid user tricks and PEBKAC shit, you know, when we, we make fun of users all the 

time. Right. And 

AJ Nash: course. 

Tarah Wheeler: are we like, I, I try to never do that. In fact, it's one of the filtering things I use for hiring for my company is I hear.

A whiff of that, no higher. Um, because you have to have this love for people that don't do the same shit you do every day. You have to love people that have spent 40 years in accounting. Um, and, and say, I treasure the fact that we live in this society with you and that you are doing what you're doing because I don't want to do that for a living.

I want to do what I do. Um, without that love, um, and with contempt, people try to create technical problems to automate away a solution that is a human one. So that's the security industry's issue and, and community's issue. On a governmental level, I am appalled at the budgeting for the Small Business Administration, which is often the API for many of [00:41:00] these small businesses to go to, to understand what they should be doing for best practices for small firms in this country and accounting standards.

They have best practices for ethics, for retail standards. How is cybersecurity just, just an afterthought? How is that half a whipped cream side from Starbucks per business? So I want to see some regulatory understanding of this. Um, third, I love the work that CIS is doing in a non regulatory advisory way to get local representatives, um, in, into spaces where they can be the, the first point of contact for reporting of problems.

That's wonderful. They're under budgeted. They need a little bit more of They are, they're a, a wonderful prosthesis for the Small Business Administration to use if they began sharing data. You know, if I'm just redesigning the government here, just give me a second. I'll be right back. I've got a spreadsheet for this.

Um, I'm just redesigning this, this whole situation. I want to see governmental, um, understanding of that. And I think the last part of this, uh, really goes to I think it does have to land with the [00:42:00] people that are doing managed service provisions, uh, providing managed services to small businesses, IT people that do this. It is, it is the responsibility of managed service providers to communicate well and clearly the consequences of some of these regulations. Just as I would consider it to be my accountant's responsibility to communicate to me if there was going to be a major change in the way that I do the finances for my company, ultimately I'm in charge.

It is my responsibility, um, to put my name on something and say, you know, under penalty of perjury, I believe this to be true. And that same choice is coming up for every small business owner in this country when it comes to whether or not they know about whether or not they've had cybersecurity issues and data breaches of their PII and their customers. And I don't wanna sign on the bottom of that, that document unless I know the truth. And I don't think most small business owners would either. So I think it's, it is the responsibility of, of MSPs to communicate well and clearly what those consequences are for people that that need to know that, and that have [00:43:00] that ultimate responsibility.

AJ Nash: I think that's great. I think all that would be, I love the call at the CESA, by the way. Um, and I think you're right. I think there's, there's some opportunities there. I I'm a big fan of CESA. I know they've, they've taken some shots over the last few months for a lot of different things and politics, whatever it, listen, it's a hard job.

And anytime you do anything, that's a hard job. People are going to not all agree on how it should be done, but I think that's a great call out. And I do like a lot of things they're doing and maybe there's an opportunity here for them to do more local outreach. Right. I'm curious. It's not part of the questions, but I mean, I wonder if there's five months until this, this ends up being a real thing, right?

So it's going to go in What are we talking like April ish timeframe, I guess. Um, I wonder, oh, hey, now we're getting places. What's, what's the cat's name?

Tarah Wheeler: it's Frankie Fang. He decided he wanted to come over. He's just gonna, he's gonna flop over. 

Does a good buddy? 

AJ Nash: my kind of, that's, that's what the show's about. Listen, uh, my dog, Riley's not in the room today.

She's out in the other room, so she won't come up, but, um, I love when there's animals on the show. It's the best part. Um, so, I mean, I think it's interesting. I hope there's enough time. [00:44:00] I don't know if there's enough time for people to do this because it's five months away, but we also have the holidays are going to be in there.

That's going to take a month off for everybody essentially. So now you're down to four months away. And again, the ignorance, a lot of organizations probably don't even know this exists because like you said, it's not. It's not something that's being pushed, you know, if, if you're an accountant, you follow everything the IRS puts out.

Of course you do. Who's following the FTC on this, you know, cybersecurity, as you said, it's too much of an afterthought, which is hard to believe. Everything we do is cyber at this point, we're all connected all the time, like it or not. And yet this isn't on the front of everybody's mind all the time. So it's, it's really, it's really an interesting topic.

Like we could probably keep going on about this, quite frankly, which again, surprises me because I didn't expect it to be as interesting. Now I'm going to want to follow up on this more, uh, and see where this goes. I think people should be paying attention to what the FTC has put out here. Uh, if you are a small business or you work with small businesses, obviously, or you're doing these provisions you're talking about for services, this is something that affects a whole lot of us.

And for vendors, uh, in cybersecurity vendors, we're all trying to figure out how we're going to help the small and mid market. This is going to be another area. We got a chance to look and see how we can [00:45:00] help them. Um, and, you know, service providers like yourself, Tarah, you know, with, uh, you know, with your organization, obviously having a chance to do it with Red Queen, um, you know, it's, it's.

There's always opportunity. I hate to look at it that way. I'm not really big on the business side usually, but there's opportunity here. People have needs. I really think the part that I want to emphasize that you hit though, was, was that whole love for your fellow person, right? That, that I think philia is the brotherly love.

I think that's a key point, right? Is I think you're exactly right. To be successful, we have to actually care about other people. Uh, you know, and I think I've grown increasingly jaded and frustrated, especially in our industry, frankly, when I see so many people in positions where they're putting, in my opinion, at least the wrong things forward as their priorities.

I think, I think greed's getting a little out of control if you want my honest answer. And I I think it's a challenge and this is going to require somebody to go against that because to help your fellow person is going to require not necessarily making all the money you can make to do it. Um, you know, I like that lawyers are required to do so much pro bono a year.

I wish we had some of [00:46:00] that maybe in some other industries, maybe cyber could use some requirement to do that. We're going to need to help these folks somehow, and it's going to hit all of us. You know, like you said, you know, in terms of certainly the lower, uh, economic areas of the country, but it's going to hit all of us.

Eventually all of our data flows to all these companies at some point, that's just all interconnected. And so this is a universal problem, right? And I think it's I hope we figure out a way to solve it. So I really appreciate you bringing it up. It's something I hadn't talked about before. I hadn't even thought about before.

And now, of course, probably go down the rabbit hole for days on this FTC piece and see what I can learn more about. And maybe I'll see if I can get Jen Easterly to come on the show and talk about how CISA is going to get involved in this. It's a stretch, but if anybody knows Jen, feel free to give her my number.

Um, so listen, we're, we're running out of time here. I do wanna close up, uh, but as everybody knows, we end the show with the same question for every guest. I, you know, it's, it's, we're not gonna have a a, a real tear jerker moment in here. I don't try to pull too much outta you personally, but I do always ask, you know, the, the show's named Unspoken Security.

So, you know, with that in mind, tell me something you've never told anyone. Something that's [00:47:00] unspoken.

Tarah Wheeler: Um, so I was, I was thinking about this and let, let me be fair to everybody here. Like, I got warned that this question was coming right? And I was sitting there thinking, um. And just thinking about something that I've never said to anybody that I would be okay with saying on, on this broadcast and I was sitting there, I, I'm married to a lovely physical security, uh, specialist.

His name is, um, um, uh, and I was hollering at him just before this podcast got started. I was like, babe, can I have a cup of tea? And I was thinking about this. Um. And, and thinking like, what, what have I not told him? What have I not told people that I would be okay saying here? And I was like, I can't think of anything.

I was just, um, and I, I thought to myself, God, this is like a security question, right? Like what's the thing that only you can think about that you're going to come up at the right time, know, and you get the banking flow to like regain access to your account. I was just thinking to myself about how, um, people often use their security questions as this in the super emotional way that I actually really hadn't thought about till I'd grown more familiar with this over the [00:48:00] last few years. People will use security questions to memorialize dead pets, talk about, they'll, they'll add like their life bucket list life goals, they'll, um, they'll track things that way and they'll have like a key in their head. Like, you know, it's a hash where they like one question goes in, but the answer that is a different question pops out at the end because they, they've mapped this in their heads.

And I just thought how incredible that is. And I was like, okay, well, what's not a security question for me. Um, but could have been, and here's the thing. I read American Gods. I don't know how long ago at this point. Um, but I always wanted to go to the House on the Rock, and it's a place I never got a chance.

I've never got a chance to go to, and it is gloriously kitsch in this kind of Milan Kundera sort of sort of way. And at the same time, what a beautiful expression of the oddities, um, that can all sort of collect in a center of gravity in, in the United States,[00:49:00]  um, in one place that is just this consuming experience.

And I just, I wanted to do that. Um, And that's not a security question I can think of that I've ever answered in that way. But it's something that people I think often do. It's something to remember as information security professionals people will use security questions in that way. But I always wanted to do that.

Like, I want to go on a, I want to fucking retire, AJ, uh, I'm done, I'm, I'm done, I also, yeah, I want to get in, I want to get in, I don't want to do van life because that's not enough space for me, I want to, you know, I want to, like, RV, it's either an RV or it's a motorcycle and a backpack, I want to, like, see the biggest ball of twine, and the House on the Rock, and roadside attractions, I want to do the trout derby in eastern Washington, I I 

don't know, I that's, that's what I want to do.

And I don't think I really expressed, I certainly haven't expressed that enough lately that, you know, I guess there's this, there's this thing of joy that I haven't gotten a chance to do yet. I want to do that. Maybe I'll just make time to do it this next year.

Somebody have me come and talk at a [00:50:00] con in Missouri or something, please.

AJ Nash: Listen, come on up house house on the rock. Isn't all that far from me. Like I'm in Minnesota. in Wisconsin. For those who don't know. 

Tarah Wheeler: is it, 

AJ Nash: Um, yeah, in Wisconsin, right? Since spring green. Uh, and I didn't know that off the back of my hand, by the way, I just Googled. I'm over here. Googling on the side. I'm cheating.

I knew it was Wisconsin. Ain't nowhere, but, um, it's really interesting for those who don't know House on the Rock. I highly recommend Googling it. It's a really interesting, uh, place. You're not the first person in the last six months, even, to tell me, Hey, we should go well, in this case, they said, we, you haven't invited me, but you know, we should go to the on the rock.

So, yeah, I've got a couple of relatives and friends who've said the same thing. So it's actually on my list, probably for 2024. Um, just because several people around me want to go do this thing. So, but I think that's cool. Right? I think, I think it's also interesting. You're the first person so far who's really put as much thought into, well, hold on. Now this is how security questions can answer it. Like you're such a professional, like you just immediately went to that, which makes so much sense. Right? So many people just threw out an answer and you're like, well, hold on a second. Now I don't, he could be social engineering me and I don't want to get, what answer could I not give?[00:51:00] 

Which I think is brilliant. Like, frankly, the GED thing could have been the answer to this. You just gave it away too early and you were stuck giving me something else now. Um, but I think that's awesome. And I think, I think wanting to make more time to do things like this is a big deal. You know, I often, it seems like I ended up having a reciprocal answer to this every time.

So people are gonna know anything about me, but as it turns out, I just scheduled a vacation, uh, end of January into February, I'm taking a real vacation, like 10 days, 11 days, I haven't taken one in, it'll be about 16 years. So when you talk about making time to do these things, listen, the time goes really fast, you know, better than anybody.

I'm sure. Make the time you want to come to the house in the rock. Let me know. Like I I'll check and see exactly how far away from my house. It is 

like, I'm going to we're talking. It looks like it's about four hours from me, so not bad. Oh yeah. It's just a, it's just a West of Madison basically.

So, um, I nephew is going to go to Madison next year for college. So anyway, um, yeah, We'll do it. 

Tarah Wheeler: I'll bring Deviant along. And we'll just, like, the problem of course with bringing Deviant anywhere is that he's like, Oh, a lot. Oh, a [00:52:00] space I'm not supposed to be in. And then he's all of a sudden waving at you from the other side of it. So we'll, we'll take him along.

'Cause that's happy entertainment, right? There we go.

AJ Nash: Be fun. That's good. Cops, if the cops get involved, we can get them out. It's all... So I'm not real worried. I think that's awesome though. So we're going to wrap up here. Are there any last thoughts you want to leave people with? I mean, we've done a lot. If you're good, you're good.

But I'm curious if you want to plug, you know, Red Queen real quick, you're certainly welcome to, or anything you want to leave people with before we wrap up for the day. Mm.

Tarah Wheeler: Look, I, I always want to, I always want to help if you're a managed service provider. Um, you know, we, we... And I wouldn't dedicate my time, economic capacity and brainpower to this if I didn't care about it this deeply. Like, this is the thing I do. And I want to express that love and understanding.

People don't get listened to, um, that are frustrated and afraid of these, of these kinds of problems and want to find ways to make it better. So I'm here to listen. I'm always around. I'm not on Twitter anymore, or whatever the hell it is now, because eugh. Uh, but come find me on Mastodon, I think I'm Tarah at InfoSecExchange.

[00:53:00] Love to talk to you. Tarah at RedQueenDynamics.com. And we're just at RedQueenDynamics.com. Come talk to me. Uh, and I'm more than happy to chat, and we'll get you set up.

AJ Nash: That's awesome. Yeah. And Tarah genuinely is one of the nicest and smartest people in the industry, like, that I'm, I'm aware of, frankly. Um, I'm truly flattered you took the time to even come on the show. So I couldn't, couldn't be more appreciative. So, and for everybody listening, you know, thank you for taking the time to listen to us today.

You know, if you, if you like what you're hearing, you know, please subscribe and, and rate and all the things you're supposed to do. Right. If you don't like it, gimme feedback. Actually, if you like, gimme feedback. If you don't, well, gimme feedback anyway. I wanna know. Right. The, the show isn't about me, the show is about the guests.

It's about, it's about who's listening. You know? The idea is to really be informative and, you know, and also entertaining and all the things that, that make people get a little bit better and, and have a good time. So, you know, please do give that follow on, do give that feedback to us. Really appreciate you taking the time.

Tarah, again, thank you for being on. You're obviously welcome back anytime. The next thing you're passionate, excited about, even if it sounds boring, I'm [00:54:00] clearly going to listen because this turned out to be amazing. Uh, so, you know, as I would expect, so, you know, with all that said, uh, thanks again, everybody.

This is going to be the wrap up for this episode of Unspoken Security. Uh, and until next time, I'm, I'm AJ Nash. And thanks again, Tarah Wheeler, for joining us. We'll talk again soon. Cheers.

Tarah Wheeler: It's a pleasure. Cheers.