Jim Cox joined the Cadre sales team in March of 2019 covering the Kentucky and Tennessee territories. Jim comes to Cadre with over 15 years experience of Engineering/IT/Lean Six Sigma experience in the manufacturing space and over 6 years experience in technology advisory roles. Jim has an Executive MBA and is planning to go after another graduate diploma in IT with a focus on Cyber Security beginning in 2020. Jim and his wife have two adopted children. Jim has recently started training for a bucket list item to complete an Ironman race.
Jim's take on cybersecurity:
The sad truth is if someone wants in your stuff they’re gonna get in; it’s just a matter of persistence and time a criminal wants to invest. Criminal motives vary from money to fame to disruption in both domestic and foreign national states. What’s worse is we as security defenders have to be right 100% of the time and the criminals only have to be right one time - OUCH!
Attack vectors are enormous and wow - what a gold mine of social media content out there for social data mining. Maybe not you but someone in your company is sharing too much information on their social media. Are they using their corporate device or accessing corporate data (email) from a BOYD or connecting to social media/personal accounts from corporate devices? Email, and (not) funny enough, patching continue to be a leading entry points.
2 factor authentication/ multi-factor authentication is highly recommended and effective (hard tokens being the most secure). Security awareness training may seem dumb and a waste of time/money to some but if done right it can be effective. Especially if it can be tied to the employee’s personal life and home. Think their personal account passwords and corporate passwords and very similar? You bet they are and if criminally hacked in their personal account then the corporate account is vulnerable. What makes matters worse is if the compromised account has privileged access and lateral movement adds insult to injury.
Companies are trending upward an increased shift of their IT budget to security and, in some cases, adding to their budget to handle what effectively could be a black hole of spend. So what is a company to do about the ROI? You may ask youself: Am I spending too much? Am I spending in the right places? Am I buying the right technology? What is the value of what I’m protecting vs what I’m spending to protect it? These are just a few questions business and IT leaders struggle to answer which is why it’s important to have a VAR, like Cadre, who can partner with you to address those questions and provide mitigation solutions to those risks (often times leveraging the tools you’ve already purchased just in a better way).
IBM published a breach report in March of 2019 indicating the average detection of a breach being 197 days and then 69 days to contain the breach. I share this not as a scare tactic but to point out a statistical metric that should point you toward the adoption of a cybersecurity framework so you have a baseline to start working on closing security gaps by leveraging the framework so your risk exposure is lessened.
SMB and some Enterprise customers who have, or want to, enter into the “cloud” can be falsely deceived that security is being taken care of by their cloud provider. This is not true at all and I implore you to get a hold of the shared security & responsibility model and work with your VAR to shore up the gaps.
Be mindful of your supply chain, M&A’s, and trusted vendors. Sharing emails and files and giving privileged access to your network can be risky. Especially if/when their security posture is less robust than your own. Criminal hackers are like water and will attack where they think the weakest link is and that might be through a supplier or M&A.
Compliance and security are not equal. I think more often on the business side of an organization it is thought that because a regulatory requirement is met that means the company’s data is secure. While those regulations have some elements of security in them they are not broad enough to include all parts of the company’s infrastructure/data.
Why contact Jim:
Jim most likely is never going to be the most technical person in the room but those aren’t his skills. Luckily, like most VARs, he has really smart security specialists who surround him to help carry the how-to discussions. His strength is in business operations and helping to tie the business outcomes to the technologies and professional services available in the marketplace designed to support those outcomes. The position he takes is to help IT departments be enablers of saying “yes” to the business instead of being, or perceived to be, facilitators of “no”. Jim's desire and focus is to support business operations do their jobs efficiently while being safe at the same time. It works best (and feels best for everybody) in a collaborative team effort between Cadre, the vendors, and the customer. His perspective on sales is that it’s a result of doing everything else right. Jim is happy and satisfied to collaborate, knowledge share, learn customer’s business, learn who his customer’s customers are and how they service them, research security industry trends/solutions, and be an extension of his customer’s team. If/When his customer embraces him this way, and he is doing all those things right by the customer then he knows his value will be realized and appreciated through a continuous sales partnership.
Why I like working for Cadre:
The Cadre business model is hyper focused on the security space of Information Systems/Technology and I believe this differentiates the company from others who try to be a provider of all things in the IT infrastructure. Cadre takes great care in hiring resources who are knowledgeable, teachable, and fit into a culture of people who are passionate about helping educate/protect our local community businesses. Not every customer, or prospective customer, interaction requires a sales result. I like the fact that Cadre leadership believes in the collaboration of ideas and education with the intent of helping customers solve business challenges around cybersecurity without pushing for a sale. Being a trusted advisor in this manor is more often than not eventually rewarded with a business partnership.
Jim's Best Piece of Cyber Security Advice:
"If you’re not subscribed to a Cybersecurity Framework, you really owe it to yourself and your company to adopt one. Having a security controls structure to follow that has been developed over years of time and by many collaborative security SMEs is critical for a robust security posture. Defining your current and desired state security effectiveness you’ll be able to realize clearly where your gaps are and where to invest your time and money with the help of your VAR. Investing a finite budget in the right places based on your risk profile and risk appetite is the value you should be getting from your VAR. The two best benefits of leveraging a framework are having a communication platform that is easily understood by leadership outside of IT and for IT to have a methodology/process to manage the effectiveness of your business’ security posture. Talk to your current VAR about helping you get started or reach out to me and I’ll be happy to help. If you have adopted a framework when’s the last time you had a maturity/gap assessment? Continuous improvement!"
