Cybersecurity 101 with Jim Goldman, CEO and Co-Founder of Trava

Jara Rowe: Gather around as we spill the Tea on Cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is the Tea on Cybersecurity, a podcast from Trava. Welcome to episode one of the Tea on Cybersecurity. During this episode, we are getting down to the bottom of what cybersecurity actually is. I cannot wait to learn about this topic more with our listeners. I have a very special guest that will help shine some light on this industry and why it is important. But, most importantly, they will be helping us answer what is cybersecurity anyway. I would like to welcome Jim Goldman, the CEO and co- founder of Trava. Jim, thanks for joining me.

Jim Goldman: Hey, you're so welcome, Jara. I am happy to be here.

Jara Rowe: So that all of the listeners know more about you and your experience and the cybersecurity industry, can you go through your background for us?

Jim Goldman: I like to sometimes say that I've been in cybersecurity as long as there's been a thing called cybersecurity. The truth is we actually called it network security when I started in this. So, my introduction to this field was I took a professorship at Purdue University in West Lafayette, Indiana and started their network engineering degree program. Then, pretty early on, we started worrying about the security of the network, in particular the internet at that time, which was research based only. It wasn't open to the public yet. Then, that led to work in curriculum and lab development in cyber forensics. Then, I started doing some research on reverse engineering malware when that became a thing. That's when the FBI came to see me and asked me to get a top secret security clearance, which I did. I went to work for the FBI for five years as a task force officer on the FBI cyber crime task force, where I served as lead cyber investigator on both criminal and national security cyber squads. Then, after 20 years at Purdue, I wanted to get back to industry, so I joined a SaaS based B2C digital marketing company here in Indianapolis named ExactTarget, became their first CISO, got them ISO certified. Then, in 2013, ExactTarget was acquired by Salesforce and became the Salesforce Marketing Cloud. So, I was CISO of the Marketing Cloud for quite some time. That grew from one company to six companies. Then, Salesforce asked me to build out a consistent security governance, risk management, and compliance organization across all of Salesforce, because Salesforce had grown by acquisition. So, there was a lot of disparate security organizations. So, we brought that all under one umbrella. I did that until December, 2019, and we pretty much started Trava right after that.

Jara Rowe: So impressive, so very impressive. So, listeners, I'm pretty sure that was a lot of terminology that you may be unfamiliar with, but if you continue to listen to the Tea on Cybersecurity, we will answer more of those questions and help define some of those definitions. Jim, when you first started talking, you talked a little bit about that it was network security before it became cybersecurity. Can you talk more about what potentially may have happened to make the name shift?

Jim Goldman: So, if you look at the word cybersecurity, obviously it's made up of two words, cyber and security. The reason why cybersecurity is so broad now, basically it says, well, anything that has a computer chip in it is potentially in that realm of cybersecurity. It not only has a computer chip in it, but it's somehow networked, whether by wifi or some other connection, then it definitely falls into that world of cybersecurity. So, literally, your kitchen appliances fall into that realm and fall into the world of cybersecurity. Your personal devices like your phone fall into the realm of cybersecurity. Your Ring doorbells fall into the world of cybersecurity. Your security cameras fall into the world of cybersecurity. Anything that has computer chips in it, processing controllers in a manufacturing environment, in an electrical production plant, in a storage treatment plant, all of those computer driven devices, sometimes it's called internet of things, IOT devices. They're all in this ecosystem of cybersecurity. It might be quicker to list things that aren't cybersecurity than aren't these days, right? Your automobiles, automobiles are full of computer chips. Now, especially the electric vehicles, they just get software updates automatically. That's cybersecurity.

Jara Rowe: Yeah, one of the things that I learn more and more as I read different cybersecurity content is that we all deal with things that fall under cybersecurity every day. But, it's just not a common term to the everyday person to really grasp what we're all exposed to all of the time. So, I feel like you were already answering this question, but I'm going to go ahead and ask it again. What is the actual definition of cybersecurity?

Jim Goldman: To be as concise as possible, it's the effort to secure any cyber- based product or process. That's really my definition of it.

Jara Rowe: I find that easy to understand, but can you explain it to me as if you were explaining it to one of your grandchildren?

Jim Goldman: Well, my grandchildren are probably more cybersecurity... When I have a question about my phone, I ask my grand-

Jara Rowe: Oh, they're great. So, maybe one of your grandchildren's friend or something, a kid, how would you explain it to them?

Jim Goldman: So, really it comes down to take the cyber thing away and just talk in terms of, okay, what are we trying to protect? Very often, I talk about an analogy of a jewelry store or something like this. In this case, the asset that we're really trying to protect, it's not the cyber device. It's not the laptop. It's not the phone. It's the data that one can get to through that. So, you have to look the computer or the phone is almost an unlocked. If you go back to physical crime, burglary, that kind of thing, or they wanted to break into a brick and mortar store, what would they do? They would look for an unlocked door. So, what we're saying is when you have an electronic device, be it a phone, be it a Ring camera, be it a laptop, what have you, you have to look at that as a potentially unlocked door into the true asset, the true thing you're really trying to protect. That's your personal data, your financial data, if you're a working person, the data of the company that you work for, the data of your customers.

Jara Rowe: I definitely understand that with the analogy of a burglar trying to get into the door to get the goods. That totally makes sense, and I understand that. Yeah.

Jim Goldman: That's all it is. It's the same thing, except it's an electronic door and electronic goods.

Jara Rowe: Awesome. Listeners, I hope that that analogy worked for you all, as well. So, Jim, now I would like to switch gears just a little bit to talk about more of the history of cybersecurity. So, can you talk to me about the first cyber crime?

Jim Goldman: I think there could be a lot of debate, but what I'd like to talk about is the first wake up call cyber crime, publicized one. That happened on November 2nd, 1988. It was related to the internet, but as I alluded to before, the internet at that time was not open to the general public. It was a research network that connected research universities. What happened was a person who was a student at the time named Robert Morris, and this incident is sometimes referred to as the Morris Worm, wrote a program that actually spread and self- propagated. Now, some would say, well, that really wasn't criminal activity, because nothing was stolen, et cetera. But, basically it brought the internet to its knees. Research and military organizations and secret laboratories were on the internet at that time, too. So, these research laboratories, military, et cetera, was severely limited, as well. What happened is because it self- propagated, it quickly took over. What it did was it took over the processing power of all the computers that were connected to the internet. Ironically, it was a colleague of mine at Purdue, Eugene Spafford, that actually figured out what it was, how it worked, and how to stop it. So, that's a cool fact as well, but an article was published in the New York Times about it. It really was the first, oh, my gosh, this is really scary stuff. We had been trying to sound the alarm and saying, " Hey." It was tough to get people to listen to us, but the Morris Worm really got everybody's attention.

Jara Rowe: So, today's cyber criminals had a great example of how to get in and keep growing, it seems. Like I mentioned, today's cyber criminals, they're only getting smarter. You were giving a couple examples earlier, but what are some ways we can all make sure we are safe and secure? One thing that I've learned recently is the importance of updating software. I must admit that I'm a person that doesn't do it immediately. I typically wait until you need to update this now. But, I know that that is not good. So, what are some ways that people in their everyday lives can make sure to do to keep their data safe and secure?

Jim Goldman: Certainly, updating software is a big one. If you have a laptop, it has a thing called an operating system. Chances are, you're getting messages if your operating system hasn't been updated. We use the word patched, hasn't been patched. So, you're absolutely right. Take the time to patch your operating system, because what happens is each new vulnerability that can attack the operating system comes out. That's only what we call attack vector. There are others, but as each new attack on an operating system comes out, the vendors of those operating systems will provide patches. Yeah, that's kind of a one step behind catch up game, but that doesn't mean you shouldn't do it. You really should do it. The other thing that's really simple, but not necessarily easy, and there's a difference between the two, is you have to change your passwords. I know people have probably heard this 100 times, and they shake their head, yes, and they say, " Yeah, but." Everybody's got a yeah, but. Yeah, but they're so difficult to remember, et cetera, et cetera, that kind of thing. So, you keep it simple and use your dog's name or hopefully still not using a password that's literally password, and you certainly don't want to use the same password in multiple places. But, it's that kind of thing. Now, how do you go about that? Well, there are a thing called password managers that make it easier, password lockers. The other thing to do is you want to make your passwords complex and long. People say, " Well, I don't know how to do that." An easy way to do that is to use what we call a passphrase. So, you pick a sentence that's meaningful to you, and then you just take the first of each word in that sentence, and that becomes your password. Maybe you change the suffix on it from time to time as it needs to change. What you don't want to do is you don't want to have a password that could be looked up in the dictionary, because the cyber criminals will do what's called a dictionary attack. The other thing related to passwords and authentication that's again not that difficult and not that expensive, but enormously effective is what's called multifactor authentication. On your laptop, have it be that you don't just need a password, but you need to touch your finger on the fingerprint ID if that's available. Or, you have a device where you need to get a code off your cell phone as well as type in a password. Anytime you have more than one thing that has to go in, that's called multifactor authentication. That is the single most effective defense against the big crime these days, which is ransomware. Because, what happens is the cyber criminals that are trying to spread ransomware can get ahold of your password in multiple ways, but if they don't have your cell to get that extra code or what that second factor is, they're not going to be able to get in and infect your machine. Again, going back to our analogy of physical security and that kind of thing, multifactor authentication is no different than having the normal lock on your door as well as a deadbolt. It's the same thing. You need a different key for each one or something like that. It's the same thing. You have to get past two locks. That's the multifactor authentication. You have to get through two locks to get into your electronic device.

Jara Rowe: So, listeners, if you don't get anything else from today's episode, make sure you take away that you need to deploy or add multifactor authentication in all of your accounts that you're able to do so, which should be just about all of them now, I feel like. I know almost every app or something I have, they make you do at least two options to be able to get into your account.

Jim Goldman: Well, they at least offer it. It's up to us to take advantage of it, right?

Jara Rowe: Yes, we need to take advantage of it. So, Jim, this has been an incredibly insightful conversation. Do you have any final words or advice for our listeners?

Jim Goldman: I think what you are doing, Jara, is exactly what people need to hear, in that unfortunately, people hear the word cybersecurity, and they immediately shut down. They think this is way complicated. I'm not that smart. I couldn't possibly do this. So, they bury their heads in the sand, and then they also say, " I don't have anything worthwhile on my computer, et cetera. I really don't have to worry this." Nothing could farther from the truth. In fact, you do have valuable things on your electronic devices, but also this is not that difficult. You can be more secure than you are.

Jara Rowe: Cybersecurity does not have to be complicated, everyone. I hope you learned more about cybersecurity and why it's important for us all. Now that we've spilled the tea, it's definitely time to go over the receipts. At the end of each episode of the Tea on Cybersecurity, I will be giving receipts. So, what are receipts? When people spill or sip tea, the receipts are the evidence to support the claim that they were talking about. So, the Tea on Cybersecurity receipts are evidence that I actually understood what was being discussed with the guests. The receipts are key takeaways that I gathered during the conversation. Number one, we figured out what cybersecurity meant. I think the easiest analogy is the one that Jim gave us, just thinking about robbers, how robbers are trying to break in and get the goods. That's pretty much what cybersecurity is, as well. We have the criminals trying to break into our different devices, trying to get the goods, which is data. Another major thing I took away, another receipt is that cybersecurity really is everywhere, and it affects all of us. It's not just businesses, but it's us as people, as individuals. Cyber criminals can come in and disrupt our entire livelihood just through our cell phones. The last thing that I took away were that cyber criminals are only getting smarter by the day. We started with one person doing something one time, and people are learning from that. Especially the way that technology is changing every day, our cyber criminals are as well. They're able to learn and adapt and sneak into our lives any way that they can. On the next episode, we're going phishing. If you understand cybersecurity, you get the joke. If not, tune in so you can laugh along as well. That's the Tea on Cybersecurity. If you like what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.