Tommy Smith: Welcome to Sweet Tea and Strategy podcast, produced by Ackerman Marketing and PR. We speak with business leaders about challenges in their industry and the communication strategies to take on those challenges. And we're going to talk cold beverages as well. My name is Tommy Smith, Vice President at Ackerman. Today we'll be talking about cyber security with the CEO of the industry's newest company, Avertium. Jeff Schmidt is the new CEO of Avertium. He's here today with us on the podcast. Jeff, welcome.

Jeff Schmidt: Thanks, Tommy. Good to be here.

Tommy Smith: Talk about—so we're in the South, and so we—the frame of the podcast, the name of the podcast is Sweet Tea and Strategy. So where do you stand on this classic Southern drink? Do you have a different favorite?

Jeff Schmidt: We're all in on sweet tea. So—we're all in on sweet tea. So when we moved here, that became the favorite of the household.

Tommy Smith: All right. And how do you—who makes it in the house? Or you only buy it from...?

Jeff Schmidt: Well, we're—we're the Chick-fil-A family. So go down to Chick-fil-A, sweet tea, and we're good to go.

Tommy Smith: Okay. All right, so in Atlanta, that—that makes total sense. Yeah. So Avertium is a brand new company, but the businesses that joined forces through the—through the new company have a long history in cyber security. So tell our listeners about Avertium, and maybe those maybe unfamiliar with—with some of the companies.

Jeff Schmidt: Yeah, so—the name Avertium comes from "avert," and then a play on the periodic table. So Avertium—think potassium, calcium—we're the new cyber element. People, process, policies—so if you really want to attack good security, you should be attacking it really from the fundamental of what the framework is before you start to apply tools and automation to it. And so those are really the five elements that we deliver.
Avertium was made up of—of three companies to date: TrueShield out of Virginia, Sword & Shield here in Knoxville, and Terra Verde in Phoenix, Arizona. Three very similar companies, providing managed security services—so SOC as a service, as a lot of cyber people may know it. Delivering compliance—HIPAA, PCI—helping companies really build the framework for the next generation of—of what compliance is going to be, as well as things that are there today. And then pen-testers—that are out there, white-hat hackers doing the same thing maybe the evil guys are doing, but doing it for good. And then we've got—we've got virtual CISOs that are helping out as well. So a lot of small businesses are struggling with things like—like staffing or maybe direction: "Where do I go? How much money should I be putting into this?" So being able to provide those services as well. So we got the benefit of three companies. The oldest company, 22 years here in Knoxville, which was Sword & Shield, and the other two with 10-plus in the industry as well. So we can call ourselves a 42-year-old company—fair enough—22 or 10-year, or—or we're a six-month-old. So—but you know, we can play on those as well.

Tommy Smith: So what industries are you all in? Obviously, I—I know that you're in healthcare, government, and probably a broad array. Talk about some of those industries.

Jeff Schmidt: So hospitality, fairly large for us. Retail—you know, big issue with PCI in the retail space. Small businesses as well as the large businesses are all—targets. FinTech—from a financial perspective. Manufacturing—I mean, we're kind of agnostic to—to what we're doing because the problem when you talk cyber security typically is the same. There's compliance. There's—somewhere there's—there's the crown jewels of the organization that you don't want to get out, or you've got customer information you don't want out. So that approach. But hospitality tends to be one that—that's moving fairly quick for us. Retail.
And then the smaller financial industry—so credit unions, community banks that are looking for help and assistance.

Tommy Smith: So there's a lot of regulation around—when we think of healthcare, government, banking. Hospitality maybe a little bit less so. Talk about what themes are kind of bubbling up for hospitality.

Jeff Schmidt: So if you think about—there's been a couple major breaches in the hospitality industry. Hilton was one. So they were exposed—a customer data. And so I think the numbers were—they were fined with somewhere around—I think it was 700,000 records that—that were taken. I may be off on that; that might be the fine. But if they were actually applied to GDPR, which is the privacy act for—for EU, that potentially would have taken out their profits for an entire year.

Tommy Smith: That's motivating.

Jeff Schmidt: Yeah. So—I mean you have a lot of core data that—that's sitting in these—in these environments, right? So hackers aren't just trying to steal dollars; they're trying to steal valuable assets. So social security numbers, driver's license, credit—credit card—so you've seen the article, you know, the—the advertisements on TV, right? Is your data is everywhere, and sometimes not where you want it to be. So helping companies really kind of understand what that is and being able to provide that defense to them.

Tommy Smith: Talk—you mentioned GDPR. Explain for our listeners what that is and—and also kind of the challenges associated with operationalizing that in an institution.

Jeff Schmidt: So—it's how information is collected in—in Europe, and—and what you have to do to protect that information. So the compliance wrapped around it is—is protecting information, being able to opt out. So if you think about companies that have your information today, you have the ability in—in Europe, if you're part of that EU union, to be able to say, "I don't want—I don't want you to collect my data anymore. I want you to erase it."
And—and if you're in—if you're in the US, you don't necessarily have that same right today. I was playing around on the internet and just wanted to see how many companies I could actually find out like what their process was to erase me from their databases. And the number of things that came back was like, "Do you—do you live in Europe? Do you have a residency in Europe?" So—so there's a lot of pieces that are wrapped around that. And the intention is is that you can't just collect data on me unwillingly without me accepting what it is. Many of us in the US now see it where you're going to a website and it says, "This website collects cookies." And there isn't like, "Do you accept it or do you not accept it?" It's like, there's an X. Confirm—confirm that you know it. But that's—that's the result of GDPR. And so that's now spilling over into the US, which is—you know, California Privacy Act, Texas is moving in that direction. I think it's somewhere now around seven, eight states that are starting to move in this direction. The scary part is if we end up with a state-based privacy acts—how do you as a company deal with 50 different acts that are out there? So we need to have in the US a federal-based privacy act in what we're doing. Concerns over California—I think it was developed in two weeks—so, you know, almost like building a company on a cocktail napkin. So it takes time to think through the impact, and—to any company falls into this—they're all in the arena now. So much like Dodd-Frank to the—to the smaller banks. Larger banks could deal with it. I have massive amounts of people can go figure out Dodd-Frank, figure out how to make it work. But the banks that suffered were the smaller community banks, credit unions that are trying to figure out how to go do it. So having that ability for fractional services makes a huge difference. Like, I can bring in an expert at a fractional cost. I don't have to be BofA to go do this. 
So I can leverage an Avertium that has knowledge capabilities to go do that.

Tommy Smith: We mentioned—you know, kind of—I think of GDPR having the effect right now on the—on the US slowly over time, the same way kind of Medicare kind of leads all healthcare big changes. And so that's happening slowly. What is the status of federal regulation associated with privacy similar to GDPR in Europe?

Jeff Schmidt: So the CCPA, which is the California act around privacy—it's still not federal at this point. I have—I have some concerns as that our—our leaders, unfortunately, in government for all intent—for all intents and purposes, a lot of them lack the technical knowledge living into this technical age that we're in and what that really means. So we need to think about separating out what's happening in—in government, political factor, to the technology aspect. And there are some people who do get that, but these are things that have to happen quickly in our environment. This can't take—you mentioned Medicare, you know, or—you know, healthcare—this is—long—the longer that this spans, the longer that the gap is, and we as individuals are under fire every single day. That people are holding our data and that data that they hold is either done with or without our consent. And so, you know, our—we're in probably millions of databases at this point in time depending on how much you're out on the internet of, you know, collecting your information and how it gets used and what it gets used for.

Tommy Smith: Are there other—are there certain industries where you see businesses—changing the way they deliver service to customers based on what they've learned from cyber threats? So you mentioned some of the cookies and acceptance of terms—some of those are more obvious, you know, Facebook's always in the news in terms of what you're kind of approving them to accept and how—what they're doing with that data.
But are there other industries that maybe don't—aren't so familiar to folks that businesses are having to tangibly change how they serve their customers as a result of cyber threats?

Jeff Schmidt: So I'd start with—I think we made a mistake in security early on, which is it became this kind of smoke and mirrors, you know, covert operation that we're doing to protect companies. And in fact, John Chambers of Cisco said, like, "If the internet of things takes the same route as the internet has around security, it'll die before it ever takes hold." And so you're talking trillions of devices that are out there today that don't have controls on them that are being put in the hands of people who don't know about securing passwords, other things. So flip that back is—we need to take a step back and really look at the problem. And what we tend to be doing right now is applying to the symptoms of the problem. And so we're chasing. And attend RSA conference in San Francisco and look at the massive amounts of security companies that are going to solve the problem that happened this year. So four years ago, data leakage protection. This year it's, you know, AI and machine learning's going to solve all of our problems. A pragmatic approach of—of really thinking about is—what in my business is—is at risk? If somebody had it, what's the value that I can assign to that? And what's the chance of somebody being able to get to it? And if you start with those three questions, you can start to build a program around it. While we're all focusing on security, we're not necessarily focusing on business continuity and disaster recovery. So it's great that we've been talking about people not breaking into our network, but now ransomware has picked up. So—and that's a business continuity, that's a disaster recovery: backups and control. Right?
So that step back and where—where I look at chief security officers that are out there today, risk managers that are out there, the ones who can pull back and say, "Let's take a step back for a second and let's go look at what we have to defend today without deterring our customers and deterring the growth of our business."

Tommy Smith: So you have—you kind of have one wish that you—that you wish the industry would kind of move towards. "Industry" is a big term, but whether it be regulations associated with the industry or technology—that your firm's pursuing that you don't have now—where's a—magic wand, you know, what would you kind of lay over?

Jeff Schmidt: Shut off the internet.

Tommy Smith: Fair enough. All right. Pen and paper.

Jeff Schmidt: So—so I think there's—there's two things. One is security isn't as spooky as everybody thinks it is. And—and I've been preaching this now for 20 years. Whatever you do in your physical life to protect yourself—whether it be how you protect your valuables at home, your family—these things are—are really important. Do the same thing in business. What's most important? Break it down into just a very pragmatic approach. Start with that. And like, "Hey, if somebody got this, I wouldn't be happy about it, but it's not the end of the world." So—so I think that's one. And I—so I think it's just starting with that pragmatic approach of—of just getting a security policy. The number of companies I walk into—pre coming here at my past jobs—and somebody's like, "Oh, we're servicing, you know, Fortune 500 companies." And you're like, "Do you have a security policy?" "No." "Are you sharing passwords?" "Yes." "What are you—what are you—what are you sharing them in?" "Well, we're—they're saving them to Chrome browser." And it's like, you're doing hundreds of millions of dollars of business but you're still operating as a small business because—and, "Well, we don't want to do security because it's going to slow us down." You have to stop.
Nobody would—nobody would go drive a car without brakes. And so sometimes you have to go slower to go faster. And—and the problem is is we've said you have to have the Maserati of security. No, you just have to have a basic framework. My wish would be is that we're building security into the fabric and the framework that we're moving forward with. And—and so—and we have to get ahead of the next generation. So part of fixing today has to be is—is starting to look at what next is and thinking about how we protect next, and actually building this into the fabric and the framework of what we're doing so that people don't think about it. And I use this terminology as—if I told you you had to pay an extra five thousand dollars when you bought a car to put airbags in, you'd probably opt out. If I said seatbelts were another five thousand dollars, "Well, I just need the driver's seatbelt because nobody's in my car typically." Whatever it is, right? But we make decisions based on cost. But if it's all built in, we're not thinking about, "Hey, that airbag probably costs five thousand dollars to stick inside the car." You know what the cost is when you have to replace it. Right? But built-in takes the cost aspect out of it and says, like, "It just has to be smart." Le Mans racing was one—one of the guys said, "Look, Le Mans racing's probably one of the most unsafe sports you can do, but the security controls that they built into the car to make it work the way that it's supposed to makes it also one of the most—safest sports today that exists." And so they go through the statistics. That's the same thing that we're moving towards is just: what are the three to five things you have to go do to be smart about it and make that fit into a budget that you—that you can actually live with. 

Tommy Smith: To think of things that are next, talking about the Internet of Things, as—as we put AI and the power of the internet in new places—where are you a little bit concerned that maybe innovation is moving a little faster than security? Or it's quite innovative—as a security industry, we don't really have our hands—head around how to—how to control this a little bit?

Jeff Schmidt: So—somebody said this to me a while back and it was like: like, everything that can be used for good can be used for evil, right? So best intentions. The hard part is actually understanding it. So the other day somebody was showing me AI—an AI hack that took a turtle and made it look—and actually fed back in the system that the turtle was a machine gun. I'm like, "No, I'm looking at a turtle. Visually I can see a turtle here." But the AI system's saying, "No, it's a machine gun," because somebody's hacked the system and figured out how to do that. So if you take that a step further and you say, well—to your comment on driving: autonomous vehicles. What if I can change—what if I can actually change what it is? We're still talking ones and zeros, right? So we always think in three—in three-dimensional at least. The world that we live in in computer's ones and zeros. So—so it's just rearranging the ones and zeros to be something different. And so I'm worried that we're moving so fast—and IoT is one of those areas that I think is—is extremely dangerous because we're booting up computers that are pretty smart and pretty fast that can be used—we saw the Mirai virus that—the malware that came out. You know, botnets have always been a big concern to security people. So the ability to do command and control—I mean, it's Transformers to a certain extent. So if you have all these computers that have horsepower all over the place and you can go drop stuff on it that can't be detected because we as individuals, as consumers, aren't—aren't managing this.
I don't know what my—what my camera's doing when I'm offline. Watch your phone at night. Look at how much activity on your phone is happening when you're not around it. We don't pay attention to it. So there's a little bit of—from my standpoint of—without being overly paranoid—but we're deploying these assets all over the place that while they're used for good, they have a high-value asset to somebody who wants to do something bad.

Tommy Smith: Thinking of communications, as it relates to organizational strategy, unification—you're leading this—this new organization that was once—formerly three. Talk about how you think about communicating the vision of this new company to—to a new lar—you know, larger employee base and—everybody's new to one another in a certain sense.

Jeff Schmidt: We were just at—we were just at dinner last night having this conversation about, you know, as we're all kind of learning how to work with—with one another—is to make our customers' world safer. And that's—that's our mission. And if you take the world that we're in, there's a passion with our team members. We want a team that's passionate about cyber security, and—we live and breathe this. When we go home we're thinking about it, you know, it's just kind of part of the DNA, and there's—it takes a special person. We want a team not full of ego, but people who are passionate about solving our customers' problems. We want a—we want to be the choice of our customers when they want to accept anything less. There's a little bit of "less is more" there, like, what does that really mean? But we want to be the de facto standard is: if I want the pragmatic approach to security without being scared to death, fear, uncertainty, and doubt, but I want to talk about pragmatically as how do I go do something that's right? Come to us. If you're in that mid-market space and you're trying to figure out, it's like, "Hey, how do I go create a security program?"
or "What should I be doing differently in my security program?" that we apply a reasonable approach and we're looking to help you, not to just make money off of you. Our goal is to make that world safer. And hopefully we can influence the community, we can influence what goes back—you talk about government. I would love to see us at some point as—as an organization is influencing the way that the US works, the way that we apply security policies as—that we're establishing market leaders in cyber security that can take this forward to the next level. That 10 years from now, it's: "We didn't see Avertium coming, but look at the people that they have that are influencing the way that we work, live, on a national level." That they're influencing the way that senators, our representatives, our government, local, what we go do—we're influencing schools, community, and how they think about cyber security, but again as—without the glaze over on the eyes—like, "This is really scary stuff," to "Ah, this seems pretty simple. You know, look both ways." Yeah. This can be as helpful as—as much as it can be scary. And we have a—phenomenal—I haven't been in an organization in my past where you take three companies, throw them in a blender, and just expect everything to be okay. But we have a phenomenal team all the way around who—the general-at question, any—the question behind every question is is: how do we go make our company great? How do we—how do we—how do we go get this to the next level? How do we go do the next big thing in what we're doing and how do we make sure we're helping our customers? We want to win, but we want to win for our customers. And so I don't have the egos of like, "Hey, my business did it this way," or "My customer wants it—" it's—it's a very—it's very much about: let's go make the world better and let's go figure out how we apply ourselves to that and let's get more people here that have the same passion what we're doing. 

Tommy Smith: That sounds like a great challenge to wake up and try to tackle every day.

Jeff Schmidt: I love it. I'm disappointed sometimes when Friday rolls around and I'm excited when Monday comes in. So sometimes that pushes me through Saturday and Sunday to keep doing things. But—fair enough when you care about something enough, that's what it does.

Tommy Smith: Yeah. Well, thanks for joining us today. We appreciate it. Good luck with that challenge—with Avertium and—the vision you're trying to cast. So, congrats.

Jeff Schmidt: We're excited. Thank you. Thanks for your time.

Tommy Smith: Sure. Well, that's the future of cyber security. Thanks for listening to the podcast. To listen to more Sweet Tea and Strategy about communications and business strategy, visit thinkackerman.com. Thank you.