Shaun St. Hill 0:03
Welcome to another episode of Tech and Main Presents, where we bring you the top technology leaders, thought leaders and entrepreneurs in the tech space. Today we have the privilege of speaking with Umesh Verma. Umesh is the CEO of Blue Lance, and they are a cyber governance solutions entity out of Houston, Texas. Rather than steal Umesh's thunder, I'll let him introduce himself and tell us a little bit more about his company. Umesh, good morning, sir. Good morning. And how are you this morning? I am doing well. Thank you so much for taking time to speak with the Tech and Main Presents audience.
Umesh Verma 0:42
Well, thank you, Shaun.
Shaun St. Hill 0:44
You're quite welcome. And so, Umesh, um, why don't you tell us a little bit about Blue Lance and what exactly you're doing there in the Houston area.
Umesh Verma 0:51
Right. So, Blue Lance is a cyber security software technology company. We're a leading developer of assurance, audit and compliance automation software, particularly focused on internal security controls, and so we have software deployed mostly in regulated industries like banks, healthcare, some government entities, education. We are installed, you know, through our customers globally. I think our bragging rights are that we are installed in about 121 countries through our customers, and so we help them through all size and scale. So in the banking industry, for example, you'll have the small and mid-sized regional banks that are typically our customers that have FDIC and FFIEC requirements to keep up with security controls. You have HIPAA and HITRUST requirements in healthcare, you have the NIST framework and the NIST requirements of 800-53 and 800-172 for government entities or any other entities like subcontractors that are doing work for the government, and then you have PCI requirements and Sarbanes-Oxley requirements. And then we're seeing quite a bit of interest in GDPR through our customers that have European entities.
Shaun St. Hill 2:30
Okay, great. Well, thank you so much for that. So it sounds as though you keep your customers compliant from a cyber security standpoint, as it relates to the different regulatory agencies and regulations and security frameworks that are pertinent to their enterprise.
Umesh Verma 2:51
Yes. And so, you know, we start with automating the whole assessment side of security controls. So you have a scan that'll go in and automatically scan a company's infrastructure, mostly on Active Directory on the Microsoft platform, and then we do still have some legacy customers on Novell and SUSE Linux, believe it or not. Oh, wow. Yeah. So we've been in business for a little over 30 years, and we've kind of morphed. We've been a private company. We're a boutique company. We're very, very proud of our service component. Very good technology. We focus a lot on technology, but we also develop very deep customer relationships. So, like, many of our customers go back like 17 years, 18 years with us. So the product is used heavily in the regulated space, but a lot of companies, especially companies that are now getting in the mid tier between 100 and 1000 employees, are getting hammered with ransomware and, you know, vulnerabilities that are being exploited by cyber thieves, especially, you know, through poor cyber hygiene on the internal controls. And so, you know, people are able to break in to infrastructure and masquerade around as users, take over a user's profile, through email or through other means. And they're able to masquerade as administrators, able to masquerade as a CEO or a CFO in the organization, especially in the mid tier. And so we're seeing quite a bit of interest begin to emanate through the mid-tier organizations, which is not necessarily compliance driven, but it is driven due to a need of cyber hygiene rigor.
Shaun St. Hill 5:03
Okay, great.
Great. So, Umesh, that's actually a nice segue into: what would you say is the most common security obstacle organizations are facing today?
Umesh Verma 5:17
So, you know, at the enterprise level, they are facing third-party risk, which is that they have the resources, they have the talent, they have the sophistication, we have the connections in order to secure themselves and do a very good job of that. However, a lot of their risk comes from third-party connections, remote access. You know, it was illustrated through the Target hack with the HVAC third-party vendor. And these third-party vendors and third-party risk is hard for enterprises to manage. Because, you know, it's a slow process. And it starts with putting in new rules and regulations and policies as to how they evaluate their current vendors and what they're going to expect of new vendors coming forward. And so there's this whole conversation of what is required and what is not required, and how do they help these third-party service providers and supply chain providers improve their security posture, so that they can then be more resilient, and therefore those service providers and supply chain providers can be better partners back to the enterprise. So that's what we're seeing on the enterprise side. In the mid tier we are seeing the challenges being, typically, that cyber security has been considered as being part of the IT function, and the IT function is viewed as an overhead function. Mostly it has been used to keep the systems up and available, and it's a productivity issue; it's not been done through the lens of cyber security. So mid-sized enterprises and smaller enterprises have very scarce cyber security resources and talent. They have IT folks that are running around in break-fix mode most of the time, and I use the example of one of my good friends who's a very successful multi-franchise car dealer of 480-some people and about maybe eight or 10 different locations. They're in the business of selling cars, and he doesn't want anything that slows down the system as far as security to be installed, because
he doesn't want salespeople's passwords expiring in the middle of the day while they're putting out a quote for selling a car. He doesn't want long passwords. He doesn't want multi-factor authentication, because that slows people down. And then we also battle the age-old problem of saying a lot of these are brick-and-mortar companies. So it's a mindset, it's a culture issue that says, by golly, I built this company with my hands, and I as the executive owner, or the executive manager, you know, I'm exempt from all of these security privileges; that's for everybody else. So there's this kind of monarchy mindset for the individual business owner or the entrepreneur. And then that all changes the moment they have an email fraud item or a ransomware attack, and then it's like, my friend calls me up and says, boom, ah, what's that thing you've been talking about?
So this is real life, right? And then the other issue that we face is one of employee churn in the mid tier. They don't have a lot of succession planning. They've got a network administrator who has been given the keys to the kingdom. So when one administrator leaves and another administrator comes on, there's not a real transition period, and the new administrator doesn't want to be seen as someone who's causing applications to fail on his or her watch. They're a new employee; they want to be a hero. So what do they do? They don't trim anybody's rights. They don't do the hygiene that is necessary at that point. They end up cloning users, creating other groups with tremendous rights. So you violate the cardinal rule of least privilege, just to be able to make sure that things are up and running on your watch. And then they've been given the keys to the kingdom. So you end up with a lot of dormant users, dormant groups with a lot of privileges, heavy privileges, and nobody knows about this, except this one or two individuals. And so, inadvertently or advertently, there are these backdoors with tremendous user IDs and privileges set up, and groups.
So you have this proliferation of groups, proliferation of users. And so we have an example where we have a customer that has about 200 employees, been in business for about 75 years. And guess what? They have over 3000 groups of privileged users.
Shaun St. Hill 10:57
My goodness.
Umesh Verma 10:58
So the kind of stuff that is, again, scarce resources in the mid tier, churn in employees, no cyber hygiene or rigor in the mid tier; they look at it through a lens of productivity and convenience, not through the lens of cyber security. So these are some of those big issues.
Shaun St. Hill 11:27
Okay, and so looking at what you just shared, as far as the mid-tier client who looks at cyber security as a function of IT, the friend that you mentioned that owns the car dealerships, what's one strategy that you would share with them to overcome that common cyber security obstacle?
Umesh Verma 11:54
Right. So one is, it's a culture change. So you have to have, you really need to put in some cyber security awareness training within the entire organization, and it becomes a team sport. It's a matter of, if you see something, say something. It's a matter of saying it's not just all convenience, but there is this practical resilience aspect of cyber security, and for everybody to become aware of that. So that's the big thing. You start there at the cultural level. And then there are about two or three other things that I would like to point out. You know, people talk about passwords and password lengths. But the most important is: have a long password plus have multi-factor authentication implemented. It is an extra step, but just that second factor, the fact that it is not just a user ID and password, allows for the weak passwords and the stolen credentials that have been made available out there through all the high-profile hacks with Experian, Target, Chase, Yahoo, etc., etc., Amazon, so that all those credentials are available on the dark web. So you really want to add in the multi-factor; that cuts down a lot of the abilities of people to breach your network or breach your email systems. The third thing I would say is that give your administrators the tools to run assessments, and make sure that they are able to conduct the cyber hygiene that is necessary to have an executive review session, at least every quarter, to say, hey, how are we doing on the cyber security? And then the last thing is monitor. Monitoring creates a lot of data. And it's hard, because you have all this data and it's like a video surveillance tool. We're in the business of collecting a lot of monitoring data, but for small and mid-sized companies, at least monitor the privileged users, like your administrators.
Shaun St. Hill 13:58
Umesh, you have just shared some real nuggets, in particular the multi-factor authentication. It's amazing to think that of the number of breaches and hacks that we hear about in the news, the majority of them could have been solved if multi-factor authentication was a part of that cyber hygiene. So thank you for sharing those tips. I do appreciate that.
Umesh Verma 14:29
Yes, through the assessments that we have done with over 500 companies with less than 1000 employees in the last 15 months, over 82% do not have multi-factor authentication enabled.
Shaun St. Hill 14:44
Isn't that astounding? That is...
Umesh Verma 14:46
Two thirds have dormant users with administrative privileges.
Shaun St. Hill 14:52
Well, I think what you're sharing highlights the fact that, as you mentioned, cyber security is a team sport. It is the responsibility of everyone within the organization, from the C-suite to, you know, the entry-level frontline person. Everyone can play their part in making sure that the enterprise is a good steward of the data that people have given to them over time.
Umesh Verma 15:22
Yep, I agree with you totally. I mean, we've been doing this for about 30 years, and we've never seen the amount of interest, finally, that, you know, taking care of your core, improving from the inside out. We all think about the thieves as being outsiders, and that, you know, we got to put more blocks on, we got to build bigger moats and deeper moats and throw more crocodiles in there and build, you know, a better, bigger fortress, yet we don't take care of good hygiene on the inside. Like, you know, you've got to get up in the morning, you got to do your sit-ups, you gotta brush your teeth.
And, you know, we do all those things on the health side. But we don't necessarily have that kind of rigor yet on the inside, but that's happening. People are beginning to get attacked. They're having to pay 17 Bitcoin, 30 Bitcoin, a hundred Bitcoin in ransomware. It's changing lives.
Shaun St. Hill 16:34
You just caused me to think of something that you mentioned earlier. So employee training, that can certainly help put a company in a better position when it comes to cyber security. How often would you say an enterprise should conduct employee training for cyber security?
Umesh Verma 16:53
So there are lots of entities out there now that provide online tools. In fact, NIST has an online training tool, which is free. But, you know, that rigor, your question is how often. It's like anything else; it just takes more. It's a higher frequency when you're getting started, and then you can fall back to a lower frequency. So when you're first getting started, probably once a quarter for the first year, then you can scale back to once or twice a year, or once a year thereafter. That's how I would say it, in order to get the rigor and get the thought process out there that this is not a fad. We're going to stick with it. This is a new habit. We're going to practice it to become perfect.
Shaun St. Hill 17:48
Okay, great. Thank you for that.
Umesh Verma 17:50
And the other thing I would say is that there are phishing tools and phishing exercises that do help. And so running a phishing exercise with a honeypot once every six months or so helps your users get acclimated to what are the new phishing techniques. Like today it's iTunes cards; tomorrow it is, hey, I'm trying to do a deal in Europe, please wire this money, you know, things like that, you know, your Microsoft mailbox has not synced properly, there's an error, please log in over here and correct your problems. So, you know, you get sucked into something that is so seemingly easy. So bad. And then the third thing is, you know, run your internal security assessments on a monthly basis. That's important. Just keep an eye on it. You can just set schedulers.
And, you know, those are some of the tools, the assessments and the monitoring and the notification, tools like Blue Lance does provide, but use that free tool that we have, at least, too, which is the free cyber scan. Download it; it runs in minutes, it gives you a quick scan of your security controls, and the administrator should use that. And they should be able to get a real good picture of where the vulnerabilities and the weak policies are. And then just remediate those policies. So, yeah.
Shaun St. Hill 19:32
Okay, great. We'll make sure that we put the links in the show notes to the tool that you just referenced, so that way the folks that listen can make sure that they avail themselves of that. And thank you for making mention of that as well. I know our time is coming to an end here. So I just wanted to ask you one last question. What one person are you following right now that's, you know, maybe helped tweak your thinking, or you find them to be innovative?
Umesh Verma 20:04
You know, I don't know that I'm following any one person particularly. I have a group of people that I do follow, and they are all the normal suspects.
But I do really like the way that Amazon has totally changed the way we transact business. And so I am really just, I'm in awe of what they have done and how they have done it, and how they have provided this platform for products and services, and how they're using that platform to be able to provide new and innovative services, even if it's drone delivery, you know. So I hesitate to say who's the one person, but as far as a company that I'm really interested in and I'm enamored with, I think they've done this great job of giving you the ability to say, when you want to go buy something on the web, who do you think of? Amazon. Who do you think of when you're trying to develop a cloud service application? Amazon Web Services. And, you know, so
that's one thing that I do follow quite heavily, and the other two, Google and Microsoft. But I also want to say I do Apple too, because I'm an Apple fan. All my devices are Apple, but I am very disappointed in the latest revs of Apple. Just the quality is not what it used to be.
Shaun St. Hill 21:42
You're not the only one that feels that way, Umesh, that is for sure, sir. That is for sure. All right, well, great, Umesh. How can our listeners get in contact with you? What's the best way to reach out to you?
Umesh Verma 21:56
Best way to reach out to me is first initial, last name: u, verma, that's U as in umbrella, V as in Victor, E, R as in Russia, M as in Mary, A, at Blue Lance dot com. That's the easiest way to get ahold of me. The other way to get ahold of me is go to my LinkedIn profile and message me from there.
Shaun St. Hill 22:21
Okay, great. And along with the tool that Umesh mentioned earlier, we'll also put his contact information in the show notes. Umesh, truly, sir, thank you so much for your time. It's been an honor getting to know you a little better. Thank you for joining us and for sharing your wisdom with the Tech and Main Presents audience.
Umesh Verma 22:38
Oh, thank you very much for having me on your podcast. Appreciate it. Have a great day.
Unedited transcript of podcast interview from Tech and Main Presents Podcast (https://anchor.fm/techandmain/episodes/Tech–Main-Presents-Umesh-Verma-with-Blue-Lance-e5p72l)