Protecting Your Company Online (with Taylor Hersom from cybersecurity consulting firm Eden Data)

00:00:05:24 - 00:00:28:09
Speaker 1
The guest is Heller herself from Eden Data. Taylor, thank you. Thank you for coming on the show. Taxi. So good to see you, my friend. Thanks for having me. This is a this is an honor. I mean, I've been listening to show for a while, but this is a pleasant surprise to be able to be on here. You're an entrepreneur, we can say that, but it's been a whirlwind for you.

00:00:28:09 - 00:01:04:05
Speaker 1
So walk us through how it all started. Oh, my goodness. Yes. Cybersecurity, professional by nature. Fancy way of saying that I sold my soul. That a big four worked at Deloitte for a while and was doing cybersecurity and audit and all the things that nobody else in their right mind would want to do. Cybersecurity started to become hot, so I had an opportunity to kind of move up the ranks at Deloitte and then become a chief information security officer for a consulting firm in Austin, and then one day I just I've always been an entrepreneur and I spent I think I could do this for myself.

00:01:04:05 - 00:01:25:11
Speaker 1
And I quit my job the week before COVID start. It wasn't the best plan, but it forced me to be resilient and I decided to start up my own cybersecurity firm. So we officially got started last summer and now the team is up to 13 or 14 people on the team. And we've got we've touched over 100 brands and it's been awesome.

00:01:25:15 - 00:01:45:22
Speaker 1
It's been a cool, cool experience now. I mean, looking back at it, at least from my perspective, I think the timing may have been good for you. But going through, you know, being an entrepreneur and making that leap, but then just seeing all these changes, how did it feel like for you the first couple of months? Oh, it felt like a dumpster fire.

00:01:46:10 - 00:02:16:08
Speaker 1
It was definitely a I think it's. So the saying that hindsight is 2020 is it's just such a perfect quote because at the time of course, myself, my family, we all thought that I was crazy. I didn't know what I was doing. I actually didn't think that I was going to start a company. I got on Upwork out of necessity and started doing contracts for people around cybersecurity and compliance and just doing our into our consulting.

00:02:16:11 - 00:02:37:04
Speaker 1
And then starting to realize, Oh, this is this is turning into something. But originally I had had my sights set. I had interviews lined up. I thought I was going to go work for another company and then people stopped calling me because of COVID and everyone freaked out. And then it kind of forced me down the path of hustling harder on Upwork and then eventually figuring out how to make it into a legitimate business.

00:02:38:04 - 00:03:02:00
Speaker 1
So Upwork was like market research for you? Exactly. I encourage it for anyone that can use it. It was life changing because it showed that there was a market there, there was a need and people were were paying me money on there. So I figured, well, I can just keep scaling this. And I had no idea or no perspective of how that would look, knowing that consulting itself is very traditional.

00:03:02:06 - 00:03:27:19
Speaker 1
It's just hour to hour, right. And I figured I would just become a consultant indefinitely. But of course, you add additional problems like health insurance and job security and all of these additional factors. I was making it up as I went along. Well, how did you take it from Upwork, which a lot of people have access to, or even even doing gigs on their to a consulting company working with all these brands?

00:03:28:14 - 00:03:57:22
Speaker 1
Yes. So I think the first step I took was just establishing an actual business, an LLC at the time I was a one man show and then I started getting interest from mostly LinkedIn connections, the people I would interact with. And so I had I had different contractors that I started leveraging for security work. And then one of the pivotal points was when I met someone that is now co-founder at Seeding Data, but they had just left.

00:03:57:22 - 00:04:28:12
Speaker 1
Deloitte themselves had the experience of me and they're crazy. They, they were crazy enough to think that they should jump into the entrepreneurial world as well. So that was kind of the tipping point of showing that that people were supporting me and wanting to be a part of it. So of course, getting clients is one thing and seeing how many Upwork posts you can kind of gauge how much need there is out there from Upwork, which leads you to believe, how much can lead you to believe, how much demand there is outside of Upwork.

00:04:28:21 - 00:04:49:16
Speaker 1
But having people that back you up, having employees that will come and literally put everything on the line when you're a one man show, it's it's insane to me. And it meant the world. Yeah, for sure. Now, you know, the cybersecurity side is becoming more interesting to me. I know typically when I think of cyber security, I think of business working.

00:04:49:16 - 00:05:12:13
Speaker 1
But it's important to businesses that have technology companies. But, you know, I know in the material side of things that's also relevant. Like what's what's what you say to people that says, you know, that you are approaching them as a cybersecurity company, say, hey, you know, we wear physical materials company. We don't need that. We don't have a website that does transactions.

00:05:12:13 - 00:05:31:11
Speaker 1
What do you say to people like that? You know, we get this more often than we don't, to be honest. It's usually people saying, I'm only doing this out of the necessity because my clients client's demanding it, or I'm afraid of getting a fine or whatever the case may be. But the reality is, in the 21st century, we're all data companies, we all absorb data in some facet.

00:05:31:19 - 00:06:14:00
Speaker 1
What that data is is completely dependent on the organization. So some hospitals have five, and that's just protected health information. But then you've got manufacturers, you gave an example. What was your example? The what type of company did you sell? Materials companies? Yeah, yeah. Materials company, yeah. So they could potentially have intellectual property in the form of key suppliers or key like margin information or things that if it were to be disclosed, would be damaging to the brand in some facet, whether it's either reputationally or it hurts their business in some way, either bottom line, rather.

00:06:14:00 - 00:06:40:02
Speaker 1
So I explain this. I usually have context on who I'm talking to and say, look, at the end of the day, like, you are a data company, you have something that you're trying to protect and therefore cybersecurity relevant to you makes sense. Now what are when you got into entrepreneurship? You know, maybe had some preconceptions. What are some of the things you've learned that kind of totally kind of surprised you?

00:06:41:11 - 00:07:03:12
Speaker 1
Oh, my goodness. First of all, that no matter how many books you've read, I mentioned at the beginning that I've been an entrepreneur forever. I've read all the leadership books and entrepreneur books and never really I started a few companies that failed and I, I felt like I knew everything. And coming into this, that is so not the case.

00:07:04:08 - 00:07:33:24
Speaker 1
I think the other expectation is that you see everybody succeeding around you because it's easy for us to see that on social media. But no entrepreneur has gone through and started a company without hardships, so be prepared to have the mental resilience to back that up. That's the hardest part about being an entrepreneur. And so you are guaranteed to hit road bumps and it's it's how you mentally prepare yourself for that and know that like tatt's I see you all over LinkedIn, right?

00:07:34:06 - 00:08:03:03
Speaker 1
I know that you are going through things that the rest of the world doesn't know about and they see happy chats, doing podcasts and being successful. But there's a billion things going on in your world that are considered a dumpster fire in your mind. So I think people just need to understand that with the expectation there's no you shouldn't start a company just because you want a chill schedule or an easy paycheck, because I don't think that exists, at least not in cybersecurity.

00:08:03:03 - 00:08:22:11
Speaker 1
Yeah, I think I think everyone's facing challenges for sure. So how do you manage that when you see all the stuff everyone wants? But I'm, you know, a good first step or whatever. Not everyone, but many people, you see that and and, you know, not to get to you. What sort of things do you do to prepare yourself for manage that?

00:08:23:05 - 00:08:39:06
Speaker 1
I think the first thing is surrounding yourself with people that support you. And I don't mean that in a cheesy sense of like, you know, someone that's always motivating you to keep going, but rather someone you can pick up the phone for and say, I am having a breakdown or I am dealing with this problem that I've never dealt with before.

00:08:39:13 - 00:09:01:04
Speaker 1
Having those people in your corner to have as a sounding board is it makes all the difference because otherwise you're going to keep slipping down a slope of of depression and negativity. And it happens to everyone. I'm the most positive person in the world and to put out two fires this morning and it just crushed me. If I didn't have people to pick up the phone for, I'm sure I would be bummed out for this podcast.

00:09:01:04 - 00:09:18:16
Speaker 1
Like, it's like those kinds of things. You just need to make sure you surround yourself with great people. And then the other thing is just understanding that you need to put external factors in your life that constantly motivate you. So in my mind, it's like there's a couple of podcasts that I listen to and every time I listen to them I want to go start a new company.

00:09:19:06 - 00:09:47:11
Speaker 1
That kind of stuff really fires me up. Sometimes it's people that you surround yourself with. Sometimes it's going and rewatching a movie that fired you, like surrounding yourself with those external factors. Interesting where the podcast, some movies that fire up or I get those ideas. So my first million podcast is probably my number one. It's like the main podcast that I listen to these days because they're talking about so many disruptions in the world in every episode.

00:09:47:11 - 00:10:11:11
Speaker 1
So you get on there and if, if you don't want to go and start a company after hearing one of those episodes, you probably don't want to be an entrepreneur at all because it's like they give they just perfect ideas. I think that from like a what's on the TV, I'm trying to think of like motivational shows. I like the show billions a lot, but I feel like that's like not a good one to put out here because those people are just not great people.

00:10:12:08 - 00:10:42:13
Speaker 1
They're they're successful for all the wrong reasons then. Yeah, yeah, for sure. Now, you mentioned you did a few things in the past that that didn't work. What you're currently doing is working. What are some of the changes? Are the skills that you learned that's helping it work for you now? Yeah, I think the first thing is that it's it's relatively how do the quotations easy to start a consulting firm but it's hard to differ from every other consulting firm.

00:10:42:20 - 00:11:00:03
Speaker 1
And so the first step that I took is figuring out how can I sit down and defer from consulting firms? And I came up with a list and the first thing I did was, well, maybe I can work with some of the types of companies that I've already worked with, which are startups. Most people don't target startups. They're volatile.

00:11:00:03 - 00:11:20:17
Speaker 1
They 96% of startups fail, you know, the statistics. So I kind of went against the grain in targeting startups and building that into my business model. I think the other big thing was, well, if I'm serving startups, how can I offer a service to them? That's that's easy for them to understand, easy for them to ramp up and down, easy for them to adjust based on their volatility.

00:11:20:22 - 00:11:39:03
Speaker 1
And so we built a subscription model that's very similar to the SAS startups that we serve. People can hire us for a flat monthly fee. It's month a month, they can ramp up and down like they bring us in for specific objectives. But if things happened during that project that they didn't account for, we can help them with those things.

00:11:39:09 - 00:12:03:09
Speaker 1
We pretty much take on anything that falls in security data, privacy and compliance buckets. And so we we created rather than going the traditional route of consulting where you're a specialist, we brought in specialists that could support a package that allowed us to be almost the kitchen sink for those topics. Yeah. Yeah. Interesting. Now, on the cyber security side, how much is cybersecurity?

00:12:03:09 - 00:12:29:07
Speaker 1
Is the technology side, how much of it is sort of the procedures and systems side and how much of it is the people side of it? Honestly, I put the majority of the, I guess, weight in the people and processes and that's what people don't really understand. They want to go out and they'll consider the latest and greatest endpoint solution with machine learning.

00:12:29:08 - 00:12:52:07
Speaker 1
It'll do your taxes for you automatically like they they think that that's they're so enamored by that over like hiring a consultant to help them build out a whole security program. But in reality your vulnerabilities are your risk associated with that solution or not the solution itself. But what that solution is trying to solve are pretty minuscule compared to the loop comparatively to you having like appropriate email security.

00:12:52:07 - 00:13:17:14
Speaker 1
So your employees stop clicking on emails and downloading random applications to their laptops and, you know, protecting your environment from ransomware. So, Sheryl, that to say typically, especially for startups, you already have all the technology you need to build a security program. You just need to build the right processes and people into the mix. You don't have to go spend a bunch of money on new tech.

00:13:18:24 - 00:13:42:24
Speaker 1
Yeah. I mean, yeah, you mentioned one one of the areas to watch for. Of course, you want to click on everything. I mean, what are some of the more obscure security things that you've run across and having to mitigate? Oh, obscure. That's a good one. So everyone's freaking out about ransomware right now and how to protect against ransomware in the cloud environment is a little bit more obscure.

00:13:43:08 - 00:14:07:08
Speaker 1
Typically when you're a lot of companies are are cloud based and the remote is. So you can compromise an environment to a certain extent on an endpoint. But in reality or cloud environment, where all your data, your family jewels are stored, that's really what you want to protect. So there's like some very obscure settings in eight of us, for example, that you need to enable in order to appropriately protect your environment from ransomware.

00:14:07:08 - 00:14:33:06
Speaker 1
Specifically, I'm trying to think of like there's still, at the end of the day, the majority of attacks is still happening because of I don't mean this in a offensive way, but stupidity on the human side. We saw the pipeline attack last month and that was because of a old password to their VPN, hadn't been changed, didn't have multifactor authentication.

00:14:33:15 - 00:14:59:14
Speaker 1
And cybersecurity professionals have been harping on this for years and years, but they didn't have awareness, they didn't know where their accounts were. And so it's very easy to push multifactor and better passwords and all of that, but you have to have the added element of understanding your environment. There are a lot of people that will start up a company and they'll create an account for contractors that help them build their environment and then they leave that account open indefinitely long after that contract was gone.

00:15:00:14 - 00:15:19:11
Speaker 1
So things like that are the things that we help customers all the time with are just bring awareness to it. We're not geniuses by any means, we just know where to shine. Firefly And so that's what we try to get customers to understand is like cybersecurity is a necessity and you don't have to pay a lot of money to implement it.

00:15:19:23 - 00:15:44:21
Speaker 1
Yeah, I mean, I notice that some of these websites are getting rid of passwords. I know that there's the biometric technology is always in there. Where is this all going? Like what where security go in the future? I think that right now we're well behind the eight ball. Unfortunately, I think security is is coming out of the stone ages and getting to the point where first it's going to be required.

00:15:44:21 - 00:16:07:11
Speaker 1
Basic security foundationally across every company. That's the way that the US government's known and that's the way other countries have already been moving. What a lot of people don't know about the European Union with GDPR is, yeah, GDPR reports on the rest of the world. But they rolled out very stringent security guidelines for companies in the UK and the EU before that and actually enforce a minimum standard.

00:16:07:11 - 00:16:27:18
Speaker 1
Other countries like Switzerland do the same thing and they're also the ones with the lowest risk comparatively. So I think as a as a nation and then worldwide, we're going to be enforcing more stringent security as a requirement. And so I think that until we accomplish that, there's not going to be a lot of change that we see outside of that.

00:16:27:23 - 00:16:48:01
Speaker 1
I think that eventually we'll get to cooler things like passwordless authentication. You don't ever have to have a password again, making sure that all of this vulnerability management and identifying threats on your network is all automated and takes the human element out of it completely. Like that's the direction we're going from a technology standpoint, but we're nowhere near that yet.

00:16:48:18 - 00:17:18:18
Speaker 1
Interesting. So this this this this question sort of came up when you were just talking, does having security in place affect insurance at this point, insurance premiums, or is this just absolutely no linkage? That's another laggard space, is that insurance companies have a different process to define cyber risks than cybersecurity professionals do. So there are a few companies out there that are that are combating this and addressing it.

00:17:19:04 - 00:17:49:19
Speaker 1
If you've gone through and filled out a claim or not explained, but actually on application for cybersecurity insurance, it's a bunch of rudimentary questions that you likely don't understand because they are they're very, I guess, specific and they are not questions that me as a cybersecurity professional would ask of a company to gauge their risk posture. However, you are now seeing that cyber claims are going through the roof and insurance companies are losing their bottoms on having to pay out claims.

00:17:49:23 - 00:18:17:07
Speaker 1
And so they're having to raise premiums. And there's going to be a point where someone solves that problem for insurance companies to be very hyper specific on understanding a customer's risk posture before they invest in them in the form of insurance. But there's another company retailer. Yeah, I know. There's another problem to solve. I think some other companies on the market are doing it better, but it's it's definitely a problem that needs to be solved quickly.

00:18:17:07 - 00:18:41:20
Speaker 1
So that's that's probably going to be surprisingly, one of the drivers for enforcing security across the globe is that you can't get insurance until you get until you're able to produce some kind of security program. Yeah, that makes a lot of sense to me as an entrepreneur. It's go, go, go. But do you have any hobbies that you're still able to do or is it just all work at this point?

00:18:42:06 - 00:19:00:06
Speaker 1
Oh, my goodness. Yeah. So starting the company in the last year, I will I won't lie to people. I do work a lot, but I am also very passionate about it. So I guess I would say that during the week I'm spending time on clients and work, but on the weekends I'm spending more time on my business development and researching better cybersecurity stuff.

00:19:00:06 - 00:19:18:00
Speaker 1
And so I find that fun. And so I would say that that's a hobby. I read a lot. We're a bit of foodies out here in Austin, Texas, so we go check out restaurants and bars and things like that. And then we also live close to the lake. And so we are on the lake quite a bit, especially now when it's friggin hot out.

00:19:19:05 - 00:19:50:04
Speaker 1
Yeah. Okay. So you mentioned movies earlier. I'm just curious what, you know, hacking and cybersecurity is characterized a certain way in the movies. Any characters, character rotations that you like or dislike in movies? Oh, my goodness. I'm trying to think like I've definitely seen Mr. Robot the TV series and that that show's weird. I think that they got the hoodie right, but that's about it.

00:19:50:22 - 00:20:15:09
Speaker 1
They make it seem so easy that everything can be hacked in a couple minutes and then reality. This is a it's an arduous process, especially for these more locked down corporate structures. So that that would be very incorrect. The timing perspective. But I actually think that movies are doing a lot better about depicting the issues we're having with foreign nations these days, because that's actually one of our biggest risks right now in society.

00:20:15:13 - 00:20:41:01
Speaker 1
We have years and years of proof that between the US government, the Chinese government and Russia, we are being spied on where intellectual property is being stolen. Attacks are through the roof. A lot of that is being driven by nation states. And so that is actually when they're talking about Russia hacking us or China hacking us, not so far from the truth.

00:20:42:03 - 00:21:09:11
Speaker 1
And interesting. Okay. Well, is there anything that I didn't ask that you want to cover? Oh, my goodness. Fantastic question. I think that I think that more than anything, I would love, obviously very biased opinion. I would love for just people to understand that if you are a business owner or you are a decision maker out of business, cybersecurity is not going away, not trying to sell you on anything.

00:21:09:11 - 00:21:28:11
Speaker 1
But there's a lot of things you can be reading on the Internet and implementing immediately, and I would not kick the can down the road any longer. We're getting to a point where I hate to fear uncertainty to help, but what we see on a day to day basis would terrify a lot of companies. And we love to see companies succeed.

00:21:28:17 - 00:22:06:11
Speaker 1
I love my job because I interact with founders every day, but it breaks my heart when I see companies breached and it really just criminal organizations. So I think that making sure that people understand that, that this is something that's not going to go away and they should invest in a one year term.