Redefining CyberSecurity

How to Stay Resilient When Cybercrime Becomes Your Competition | A Conversation with Author and Former FBI Agent, Eric O'Neill | Redefining CyberSecurity with Sean Martin

Episode Summary

Cybercrime has become a full-scale global economy, forcing legitimate businesses to compete with criminals for survival. Former FBI operative and NeXasure National Security Strategist Eric O’Neill joins Sean Martin to explain how preparation, clear strategy, and strong communication can keep companies resilient when—not if—an attack comes.

Episode Notes

GUEST

Eric O'Neill, Keynote Speaker, Cybersecurity Expert, Spy Hunter, Bestselling Author, Attorney | On LinkedIn: https://www.linkedin.com/in/eric-m-oneill/

HOST

Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com

EPISODE NOTES

In this episode of the Redefining CyberSecurity Podcast, host Sean Martin reconnects with Eric O’Neill, National Security Strategist at NeXasure and former FBI counterintelligence operative. Together, they explore how cybercrime has matured into a global economy—and why organizations of every size must learn to compete, not just defend.

O’Neill draws from decades of undercover work and corporate investigation to reveal that cybercriminals now operate like modern businesses: they innovate, specialize, and scale. The difference? Their product is your data. He argues that resilience—not prevention—is the true marker of readiness. Companies can’t assume they’re too small or too obscure to be targeted. “It’s just a matter of numbers,” he says. “At some point, you will get struck. You need to be able to take the punch and keep moving.”

The discussion covers the practical realities facing small and midsize businesses: limited budgets, fragmented tools, and misplaced confidence. O’Neill explains why so many organizations over-invest in overlapping technologies while under-investing in strategy. His firm helps clients identify these inefficiencies and replace tool sprawl with coordinated defense.

Preparation, O’Neill says, should follow his PAID methodology—Prepare, Assess, Investigate, Decide. The goal is to plan ahead, detect fast, and act decisively. Those that do not prepare spend ten times more responding after an incident than they would have spent preventing it.

Martin and O’Neill also examine how storytelling bridges the gap between security teams and executive boards. Using relatable analogies—like house fires and insurance—O’Neill makes cybersecurity human. His message is simple: security is not a technical decision; it’s a business one.

Listen to hear how the business of cybercrime mirrors legitimate enterprise—and why understanding that truth might be your best defense.

RESOURCES

Book: Spies, Lies, and Cybercrime by Eric O’Neill – Book link

Book: Gray Day by Eric O’Neill – Book link

Free, Weekly Newsletter: spies-lies-cybercrime.ericoneill.net

Podcast: Former FBI Spy Hunter Eric O'Neill Explains How Cybercriminals Use Espionage Techniques to Attack Us: https://redefiningsocietyandtechnologypodcast.com/episodes/new-book-spies-lies-and-cyber-crime-former-fbi-spy-hunter-eric-oneill-explains-how-cybercriminals-use-espionage-techniques-to-attack-us-redefining-society-and-technology-podcast-with-marco-ciappelli

ADDITIONAL INFORMATION

✨ More Redefining CyberSecurity Podcast: 

🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast

Redefining CyberSecurity Podcast on YouTube:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/

Contact Sean Martin to request to be a guest on an episode of Redefining CyberSecurity: https://www.seanmartin.com/contact

⬥KEYWORDS⬥

eric oneill, sean martin, nexasure, fbi, cybercrime, ransomware, resilience, cybersecurity, business, risk, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast

Episode Transcription

How to Stay Resilient When Cybercrime Becomes Your Competition | A Conversation with Author and Former FBI Agent, Eric O'Neill | Redefining CyberSecurity with Sean Martin

[00:00:36] Sean Martin: Hello, everybody. Good morning, afternoon, evening. That's a new intro for me there. This is Sean Martin, your host of, uh, Redefining CyberSecurity Podcast. And, uh, I'm thrilled to be back on with the one and only Eric O'Neill. There may be others, but, uh, you're, you're the one I know and, uh, the one that matters. 
 

Uh, you've done a lot of stuff. We met through a mutual friend, [00:01:00] uh, and, uh. We, we've had a chat with Marco not too long ago and we had a conversation, I don't know, a year or so ago, 
 

perhaps, and, uh, you've been busy, my friend. What? What's going on? 
 

[00:01:10] Eric ONeill: Have Sean. It's good to be back talking with you again about cybersecurity, and since then of course I've got my new book out, Spies, Lies, and Cybercrime. Uh, everything you need to know about protecting yourself from the legions of cyber criminals who are out there just trying to steal our data and our wallets. 
 

[00:01:27] Sean Martin: Exactly. Yeah, we, uh, we had a good, uh, good conversation with Marco about that. Uh. About the book and, and, and the yeah. The realities within it that you, uh, that you share from a societal perspective and, uh, an individual perspective. And today we're gonna maybe shift that a little bit and spin it around and look at it from a business perspective, B2B perspective, perhaps even a B2B2C. 
 

[00:01:54] Eric ONeill: Certainly 
 

[00:01:55] Sean Martin: All of that. And. And of 
 

course there, I think one of the main things that [00:02:00] stuck out in my mind is we talk about this, that cyber crime is a business, but, uh, I mean some of the things you pointed to in our last conversation really means, really points to this is really a business and, uh, yeah, businesses competing with businesses. 
 

So let's get into it before we, um. Before we start talking about the impact, uh, cyber crime and the dark web and all that good stuff has on, on, uh, the economy and, and our, and down to ourselves. Um, yeah, maybe a brief background of, you know, the things you did at the agency and, uh, and, uh, your, your first book, which we talked about a while back, and then, and what you're up to now. 
 

[00:02:39] Eric ONeill: Certainly, well, uh, my background, my earliest background is with the FBI. I was an undercover operative. I was tasked with counterintelligence and counter-terrorism and mostly operated in and around the Washington DC area. So counterintelligence is the science of countering spies, foreign intelligence officers who want to steal everything today from [00:03:00] state secrets, which is old school espionage coming after our government. 
 

But more often than not, uh, secrets from our businesses because economies drive policy, economies drive innovation and economies, uh, and, and information that, uh, foreign intelligence services can steal from business drives full economies for other countries. And of course, counter-terrorism, which is the science of stopping terrorists, which seems a little bit more simple, uh, but it's really not, it's actually more dangerous. Since then, uh, after my final case at the FBI, which is what the book Gray Day is about, that was catching Robert Hanssen, who is the most damaging spy in US history. 
 

I was sent undercover in FBI headquarters in the most unique case, the FBI had ever run. To trick the spy into revealing information that would lead to his arrest. My job was essentially find a smoking gun. And I did, and that's another great story if you wanna read the first person narrative about that [00:04:00] story and everything. 
 

Uh, I have to say in my theories on the evolution of espionage from traditional cloak and dagger. To what it is today, it's cyber attacks. Then read my book Gray Day and you'll be an insider into the craziest, most unique investigation, the FBI ever ran. And of course, if you like my voice, you can listen to me tell this story. 
 

On Audible. That's the book Gray Day. And but from the FBI, left the FBI. Shortly after that I was very burned out. I had worked undercover for five straight years, never came out of cover. And even in that last case, went undercover as myself, which still boggles my mind. Left the FBI. I got my law degree. 
 

By then, I was actually, uh, going to law school while I was at the FBI, working full-time, and I was a national security lawyer for quite some time. Uh, actually still practiced law, just sort of part-time compared to what I used to do. Worked for one of the biggest firms on Earth. Left that firm. Started my own company called the Georgetown Group. 
 

Which is a competitive [00:05:00] intelligence and, uh, investigative company. A lot of what I did in the FBI, but I get to do it for myself and for fun and for corporate clients who we help empower trust. And since then I've also started a new company called NeXasure, which is a cybersecurity advisory and risk consultancy. 
 

And we do everything from planning ahead of the attack to helping clients who are in the middle of a cyber attack to helping them come out, uh, and keep going without going bankrupt and everything in between. And I'm also an author and what I do more than anything else, Sean, and what I was just doing yesterday, I was, I just flew in this early this morning from Seattle, is speak I, I take stages all over the world. 
 

I talk about cybersecurity, cyber crime, and what all of us can do to protect ourself, which is what became the basis for this book. Usually what works on stage I use in books. That way I know that I am telling entertaining, uh, stories that capture your attention, that keep you reading, that keep [00:06:00] you interested, but also teach you the things you need to know to protect yourself. 
 

[00:06:04] Sean Martin: Yep. I I love that you went there. I'm gonna, you said have fun. You're, you're having fun. Which is important, uh, maybe not, not always the case for a lot of security professionals, uh, trying to run a successful program in a business that, uh, just wants to sell stuff, right? 
 

Products and services.  
 

[00:06:20] Eric ONeill: You're a hundred percent right, and security professional professionals, from what I've seen throughout my 30 some year career in this space, are, are always under the gun in every company that we look at. And, you know, most companies are, uh, SMB in the, in this country. Most companies are small or medium sized, moving toward enterprise, but not quite there or just graduated to enterprise, are trying to figure out suddenly going from middle to big and needing to deal with cybersecurity. 
 

The security person is often, very often in the majority of companies in the United States, and I, I think across the western world, [00:07:00] someone who has a background in IT and is now being promoted to security without the, the real scalable background in cybersecurity. And this is a company, typically, companies can't hire a $300,000 executive CISO. 
 

And, and one of the things that I do personally and with my new company is we come in and we, we act as a virtual CISO. And that's one way that companies, and there are, there are plenty of people like me, but there are, that's one way companies can scale their security without having to pay for a full-time person. 
 

And FTE, that is a, uh, a pure cybersecurity professional. But, but those companies who don't do it, those companies who don't find an advisor, who don't deal with the risk ahead of time. In my methodology in the book, the the number, the first thing you have to do is prepare, right, prepare, assess, investigate, decide. 
 

If you don't do the preparation, if you're not prepared for the attack, that will hit you. It's just a matter of numbers. There are so many cyber [00:08:00] criminals out there and so many businesses. At some point you will get struck. You need to be able to take the punch and be resilient. So right now, offensive cybersecurity, hunting, the threat and resiliency after the threat has landed are the holy grail for cyber 
 

[00:08:16] Sean Martin: Yeah, absolutely. And I mean, it, it's a bit cliche to to say. Uh, well, I just look at transformation of, of businesses, right? The ability to start a company super easy now because of technology. The, the ability to connect with customers, not just in one state, not just in 
 

one country, but, but across the, across the globe. Um, to have a bunch of services, to connect with a bunch of partners to build out bigger solutions, which were, there's a lot of value comes with that. We, I think we take that for granted and, and businesses and certainly security or business leaders and then the, the boards that, that, that guide them and investors that guide them [00:09:00] want growth. 
 

Right. So that's, that's the focus, and I'm looking at this from a marketing perspective right now where everything's about demand gen and, and driving pipeline and closing deals. And oh, by the way, we're still human. We still have business connections and relationships. We still have trust. And I think from a, I'm kind of rambling a little bit here, but I'm curious to have your perspective on the transformation we've seen over the last few years with technology and the ability to create business and create 
 

partnerships with others that we, we make those investments. Um, but then you say we, we can't afford a $300,000 CISO. 
 

And maybe 
 

not even a security team, and we're talking about your small medium business here, but I'm just wondering what, what's, what are you seeing in terms of threats that we're maybe we're not realizing and or, um, yeah. Do you see organizations do it right that, that maybe [00:10:00] others can learn from as they're listening to us 
 

[00:10:02] Eric ONeill: Absolutely. And, and, uh, we're working with organizations who are, uh, exploding into the enterprise stage and are being very smart about layering and building in intrinsic side. Cybersecurity into their stack, into their transformation, uh, companies that are moving from on-premises to cloud and are building cybersecurity in smart right from the start. 
 

And then there are companies who move too quickly and don't think about it, or, or what, what I see a lot in companies, uh, is this idea of. You know, I'm too small. I'm not, interesting enough, it can't happen to me. Right. And, you know, I start, I start the book in, in one of the early chapters, telling a story about how my house burned down when I was in high school. 
 

And I, you know, I come home from school. I was, I pulled outta school early and I, looking at the smoking wreck of my home and it, you know, my room was the one that was the most [00:11:00] destroyed. The fire didn't start there, started in the basement and moved up through a duct system and. Exploded my room out. If I had been there when it happened, I would've been incinerated. 
 

Uh, so fortunately it was at school, but I lost everything and we didn't think it could happen to us. Now we had insurance, we had planned for it, but you know, we still had to deal with the aftermath of that fire. So it can happen to you and it behooves everyone to prepare for it, and there are ways to do it without breaking the bank. 
 

A, a good, and, and now consultancies like mine that do cybersecurity advisory can do this in a very affordable way without having to pay for that full-time person. But the, the trick is, do it early. Don't wait, uh, until the, like I say, don't wait till a pressure situation to examine your cybersecurity. 
 

There are too many companies who go through a crucible, an unnecessary crucible, and that is, uh, we didn't prepare for it and suddenly we're in the middle of a cyber attack. I tell a story in the book. Of a, a nonprofit, an NGO, a non-governmental [00:12:00] organization, a charity that is working all over the world doing humanitarian assistance. 
 

And I'm advising, uh, as an outside attorney actually, and cybersecurity and helping. And I, I moved into a role in cybersecurity, uh, and they were hit by a large scale, massive cyber attack. The CISO calls me on a Saturday morning, and you never want to call if I, he wasn't even a CISO. He was sort of like the IT guy who was promoted, right. 
 

Uh, who had no background in cybersecurity. He frantically calls me and he says, I think I have a problem. And anytime you hear from your IT person on a Saturday morning saying, I think we have a problem that that's a cyber attack. Attackers love Fridays. They love Fridays before holiday weekends. Uh, they, they know that people don't wanna work. 
 

They know that people are planning to be on vacation. It might be hard to pull them in. And they launched their attacks and, uh, it was a large scale cyber attack by a Russian cyber crime group who believed it was their. Patriotic duty to attack the company because they were performing humanitarian assistance in Ukraine.[00:13:00]  
 

So I make a long story short, and you read the whole story in the book. It's the, the, that's the through story from the beginning of the book to the end. But, uh, that company hadn't prepared for this attack and suddenly they were in the center of a massive ransomware attack that was, was using VPNs to go country to country and, and shut down. 
 

There are hubs everywhere. And he said, what are we doing? I said, we, there's only one thing we can do, shut it all down. And so we, we went to the executive team and we made recommendation. They took it 'cause there was no other thing they could do. And we told every single employee in the company around 3000 employees. 
 

You know, turn off your laptop, close it, you know, shut that thing, pull the Ethernet cable, get off wireless, walk away. Just walk away. And for two weeks. All that, all the IT team, this global IT team and, and people that had been pulled in and cybersecurity advisors and lawyers and, and everything and, and [00:14:00] outside remediation company. 
 

And, uh, was installing endpoints on every laptop, clean it up. And then finally we were able to find the point that the attacker got in, which is insanely ironic. Got in through an Internet-facing help desk server, exploiting a flaw. So they used the help desk to get in, the IT help desk, to get in and attack the whole company. 
 

Um, and, and then once we knew the point of attack, we knew a backup that we could restore from. The company lost, you know, weeks and weeks of data and information and time. Uh, and, um, it may not, may, may actually not make it. Uh, it was, that was the one two punch with the, um, you know, the USAID. The reduction in USAID. 
 

Um, but yeah, so it's, um, it can be devastating if you don't prepare for it. Now, if they had just done the work to invest in that endpoint solution, they could have quickly found the attacker when they landed, isolated the attacker, and [00:15:00] minimized the footprint of the damage the attacker could have, could make. 
 

And that is not a super expensive. Trajectory. And when I'm talking to boards and I do a lot of public speaking to boards, I do, uh, classes with boards and I teach them, you know, one thing I tell 'em is you should have someone on your board that at least has some background in cybersecurity. I mean, uh, every board now you wanna have someone with some knowledge of cybersecurity and someone with some knowledge of law. 
 

So you need a lawyer on the board and you need, even if they're not a practicing lawyer, they have to understand it. You need someone who understands cybersecurity, even if they're not a CTO, you know, a, uh, CISO. They, they have to have some background and understanding of cybersecurity. I sit on a lot of boards just for that reason, and I tell them, look, you know, the investment is worth it. 
 

It's like a 10 x investment because you could spend one x now to prepare ahead of the attacks, or 10 x later in the middle of the fire to rebuild the house to figure out how the fire started. To make sure that the, uh, [00:16:00] arsonist isn't sitting in the basement waiting to start a fire again. And, um, and that usually, that usually gets them thinking, um, and, and willing to do the investment. 
 

And the, the other way that we're selling it now that we're pushing it, especially for companies, is you have to have that insurance. I mean, if we didn't have fire insurance, uh, that would just been a smoking wreck of a house. And I, I think my father would've had going into bankruptcy. The fire insurance at the end of the day saved us. 
 

It was still expensive and grueling and painful. Every company has to have cybersecurity insurance, and, and cyber insurance is very expensive. The actuaries don't really understand how to, how to code it, how to set the, the, uh, the limits. And so, uh, what we have been able to show with, with some cyber, uh, with some insurance companies that we work with. 
 

Hey, this company is reaching this gold standard for them. 'cause cybersecurity isn't one fit all, one size, fit, all fits all. So they're in this industry, they're, uh, this far out [00:17:00] there. Um, they have this kind of employee and, and technology stack, and this is the cybersecurity that fits well for them, right? 
 

That's gonna keep them from being destroyed and the, the premiums go down. The cybersecurity premiums go down, so you save money there too. So you can almost recover your investment in cybersecurity just on what you're paying in premiums year after year if you can avoid the catastrophic cyber attack. 
 

And that, that, that makes the ROI very worth it to invest in, in good cybersecurity. 
 

[00:17:29] Sean Martin: Yeah, it's about, about doing the math and the, the risk, uh, risk calculations. Can you talk me through the, uh, the structure of, the structure of the book? A structure of how 
 

you, how you walk through the, some of these things you talk, talk about being prepared and then at the end making decisions. So what's that, what's that look 
 

like? And, uh, how do, how do you have conversation or pres, how do you present that to, to folks on stage as well? 
 

[00:17:55] Eric ONeill: yeah, definitely. So the book is in two parts and, uh, going back and deciding how am I gonna write a book [00:18:00] on cyber crime and everything you need to know to defeat it. I went way back to the start. I went back to the FBI academy at Quantico when I was just a, a, a green new investigator. Thrown into the academy and trying to learn the science of counterintelligence because that's what we need. 
 

We need right now in cybersecurity, we need counterintelligence. That, that, which is a, a fancy word for spy hunter. We all have to become spy hunters. If we wanna stop. Cyber attackers. So one thing I wanted to do with the book for my readers is, uh, demystify things like the dark web and how cyber attacks start and where they come from and, and the origins of all the cyber crime. 
 

But also peel back the curtain and give you an inside look at what it's like to be an FBI counterintelligence specialist. A ghost, someone who has, is steeped and understands. The way that attackers are attacking so that we can defend against it. So, using storytelling and, uh, a, a primary acronym in the first part of the book called DICED, which is, [00:19:00] um, deception. 
 

Because espionage runs on deception, the engine of deception. Uh, it launches all cyber attacks. So deception, impersonation, um. Uh, to, so you, you, most cyber attacks will impersonate someone you trust, right? Infiltration. You know, if you're looking at ransomware, then the attackers are going to burrow their way in and then take everything down. 
 

So deception. Impersonation, infiltration, uh, confidence schemes, which are taking deception to the next level, uh, exploitation, and then finally destruction. Because at the end of the day, what criminals do is they use the same tactic tactics as spies. They quietly get in. They maintain persistence. They expand their footprint. 
 

Uh, spies just steal, steal the data, and so do criminals. And then spies sneak out, and they don't want you to know they were ever there. Criminals smash everything, uh, at, at the end and set everything on fire. Uh, lock it down with ransomware, uh, [00:20:00] destroy data, you know, they steal it, they exfiltrate it, which is our cool word for it. 
 

And, um, then they wanna sell it back to you or ransom the you, the decryption key if it's a ransomware attack. Um, so it's very similar. And what I do is in each of those categories of espionage, I teach you what cyber criminals are doing and how you can recognize the attack. So the first part of the book reads almost like a hacker's playbook. 
 

Like if you got one on the dark web and you downloaded like how to become a cyber attacker, right? Because I wanna put in your mind the, the ability to recognize the attack when it's coming because you understand it intrinsically. That's how I learned how to hunt spies. I had to know their tactics so I could defeat them. 
 

That's what we do in the second half of the book, PAID, prepare, assess, investigate, and decide. It's a four step, very easy to follow, um, methodology that scales from you and me, Sean, a consumer right, with our laptop and our, you know, and the [00:21:00] pictures of our kids that we wanna protect, right? To a full enterprise and a CISO running it. 
 

Um, the only difference between how you defend yourself. As an individual and an entire company is a matter of scale, and that's what the beauty of the methodology scales from whatever, uh, e either individual or company that you're trying to defend. So PAID is prepare, assess, investigate, decide. You prepare ahead of the attack. 
 

You don't wait for the pressure situation. You are routinely assessing your cybersecurity. And so this never stops, and there's a whole series of steps for that. You investigate when your assessment shows you that there is a problem, it, it runs up a red flag, and then you put on your spy hunter hat, or you bring in a team to help very quickly, rapidly find the attacker and neutralize them, and finally decide you have to decide to act, which means you don't wait until the last minute you act. 
 

Now you, you're listening to me now, and you go [00:22:00] now and you, you begin this process if you haven't already. 
 

[00:22:05] Sean Martin: So great. Um, great. Structures, I'm sure they work. Uh, they work extremely well, especially when they have somebody like you to kind of guide them, guide them through the process of understanding where the threat's coming from, how are they criminals and the, the bad actors, uh, targeting and moving through and exfiltrating and, and destroying. And then on the other side, to your point, um, how do we prepare for that and build programs to, uh, protect and then respond if, if something bad happens? Um. What I'm seeing, and especially when, when, uh, organizations are moving from the SMB to the enterprise, they're, um, yeah, they're transforming, as we noted earlier. 
 

They're transforming, they're, they're moving to new technologies. They're building out and building new apps and. The what I'm, what I'm hearing and and seeing is that there's so much [00:23:00] out there. Well, so many systems. They have to protect so much data to protect so many people involved, so many partners involved, and then. So many solutions. So all that succeed, the exposure part of it. And then there are so many solutions out there to help with little bits and pieces of it, to parts of it, to the whole shebang. And, and with that, you might get something, something offered to you that you may not need right now. Maybe a little cutting edge, but it's gonna help you in, in your years time to here's the basics that you need. But some of it might be best practice or best of breed, but. But you're gonna have to find, find out what those are. And then you have the big behemoth companies that do it all. And, and you get good enough across the board, but you might be missing some little part small parts. So how, painting that picture now, how do you see organizations trying to do, do that math of what is the threat? 
 

What is the risk? What is [00:24:00] my exposure? How do I map that to what I exactly need? And, and I find the, 
 

the Right. 
 

pieces and parts to actually. Build a program and build a team and not, not kill ourselves in the process. 
 

[00:24:12] Eric ONeill: Well, that's a great question, Sean, because you're identifying one of the biggest risks that every company and, and almost every and SMB and even moving into enterprise. We see it constantly, uh, is, is putting on themself. That is their stack, their technology that they've invested in. And what we're seeing time and again, is they're over-investing in things they don't need. 
 

They've got multiple things that are plugging holes where one, one tool could do all of it. And it's because as they've grown, they, you know, they've gone to the trade show, they've talked to vendors, they've taken the phone calls, they've been sold on certain, uh, technology. And, um, and it doesn't all work together. 
 

It, it's not marching and singing together. Right. Like a, like a [00:25:00] good battalion. And, and what we do is we come in and we do a, a, the first thing we do is a vulnerability assessment. Like, what are your vulnerabilities? Where are your holes, where are your problems? And we look at the full technology stack and you know, we have a client right now, it's a, um, a, a corporation that has, uh, company has offices all over the country. 
 

And we're, you know, as we came in and we did the vulnerability assessment, we saw that they had two partners that were both involved in moving them from on-premises to cloud, doing the same thing, but at cross purposes. So, you know, the first thing we did is put a halt to that, sat down and said, which one are we going with it? 
 

We don't need to pay both. Right? Or maybe we don't go to either. And, and it restarted that process. Um, we also saw that because they didn't have good policies across the board in IT. There was shadow IT everywhere. You know, the, the person in charge of IT for different offices was investing in his or her own thing. 
 

And then, and then of course we had, we had, there was no plan [00:26:00] for how does the company use AI, which is something that many companies aren't thinking about. If you don't have a plan for AI, if you're not providing a secure environment, AI environment for your employees, they will use free AI. They will go out and they'll use their free version of ChatGPT or Claude or, or whatever. 
 

Uh, and um, and, and then they're just, they're putting your data, your confidential data into an open source AI that's now reading it and others can see it, and it, it can create a, a point for a breach. So you have to think about that as well. And so that vulnerability assessment can be critical. And also, you know, the nicest thing about having someone come in and do that, it, you know, it's not just cybersecurity. 
 

It's really IT vulnerability to find where you are in your, in your journey and where the holes are. And what has to be fixed is companies end up saving a lot of money. We, we find that what we're charging for the vulnerability assessment, we're we're providing cost savings in just streamlining the [00:27:00] technology. 
 

Um, getting rid of things that they don't need. You know, it might be a few years down the road because companies sign contracts and they can't get rid of this and, you know, for, but, uh, but they see it down the road that it will pay for itself and that's absolutely critical. Um, especially moving from small to big. 
 

Uh, as soon as you look like you're gonna move from small to big, like every vendor on earth comes in and wants to sell you something. And you have to resist buying the things that just aren't going to be necessary at all and aren't going to help you, or might open the door for an attacker because you're bolting something onto something where it doesn't fit. 
 

[00:27:34] Sean Martin: So another thing that I, I feel is happening is, I mean, companies seem comfortable making those decisions when it's, I mean, Mark and I do it all the time. We're using this service. It's meeting 90% of the need that we have. We need to do. We need to move in this direction, so we need to look for something else. 
 

We have a contract with this one or subscription that's not ended. We [00:28:00] make a decision, move to the new one because, added, even if it's a short period of time, that added value is gonna help us reach new, new thing. We're comfortable with that. You throw the word cyber in there and it's like, eh, right now. Now what do we do? 
 

Um, and it's because I think the industry has painted this, uh, this cloak of mystery above it, and people dunno how to talk about it. So I, the reason I'm going there is kind of the storytelling aspect of this. Um, how important is it, how do you, how do you see organizations be successful in telling a story that maybe doesn't focus on the cyber part of it, but focuses on that last part? 
 

The decision to say this is, this is a story we've heard. Here's how we're telling it in a way that you can understand, right? You haven't experienced it yet, others have. It's not cyber. It's the story and therefore you can understand it and maybe make some decisions that you're [00:29:00] familiar with making all the time. Just this one happens to be cyber. 
 

[00:29:04] Eric O'Neill: Yeah. Usually when I'm on stage and I'm speaking to a company, uh, I, I will look for, I always have one key cyber attack I like to talk about, like I was just talking to this, this huge organization of historic hotels and, um, wonderful, wonderful, wonderful people. I mean, I decided as a keynote speaker, I wanna target every kind of hospitality company I can because no one knows how to take care of you better than a hospitality group. 
 

Right. But, uh, in, in speaking to them, I use the example of the attack on MGM Vegas and how Vegas was shut down and those hotels were shut down and there was chaos. And, and every patron was unhappy and people couldn't check in. Uh, and how just one simple phone call led to that attack, one 10 minute phone call and the attackers were able to get through MGM's incredible cybersecurity. Um, and, uh, you [00:30:00] know, you have to speak to the audience in a way that they understand and you have to draw from stories that will matter to them. Right? If, if I, if I went and spoke to a group of hospitality people and I was telling the story of Colonial Pipeline, right? It wouldn't hit it the same way it is like, okay, that's great critical infrastructure. 
 

And then I tell 'em, you know, technically you're critical infrastructure people can't go stay at a hotel then, you know, it causes trouble in travel. Right. Um, but you, you, you need to be able to speak and this is why, look, I'm an attorney, right? I was also a general counsel for some time. I was at an outside counsel and the difference between having your general counsel, who's a member of your executive team and going to an outside counsel when you think you need legal help is kind of the same as, uh, having a CISO in your company on the executive team and going outside to a cybersecurity person when you think you need help. 
 

Um, that, that inside person, that [00:31:00] executive understands the company intrinsically, knows where all the skeletons are, knows where the problems are, you know, has, has fixed that engine a hundred times and, and just knows it like the back of their hand. Um, so will understand what is necessary from the inside out while uh, uh, you know, and if you're, if you don't have that person, then you need someone who's gonna come in and become knowledgeable about you and be on your side. 
 

As opposed to just having a subscription to a, a cybersecurity vendor who just wants to sell you things. Right? Um, so you'd need to have that advisor, not just a company, that their, their goal, I mean, while they wanna make you safe, their goal really is to get more subscriptions and more seats for their technology, because that's how the person working on commission makes their salary. 
 

So if you don't have your inside, if you don't have your general counsel, right, don't just go to a law firm who's just gonna wanna bill you for [00:32:00] whatever they can. You need some, you know, now we have virtual, uh, general counsels, right? Um, the same thing with a CISO. You need someone who's gonna be there for, you know, your team and, and fulfill that role, even if it's only like one day a week. 
 

They're gonna understand the company and they're going to be able to say, all right, here's where we are in our transformation, in our growth, and these are the kind of things we need, and these are the kind of things we don't because this won't fit and this will fit. Um, and, and that is a way that a company that can't hire that full-time person can, can rent one and, uh, and get not quite the same, but close enough that it's gonna help them be secure. 
 

And storytelling is critical. That's what a, a good CISO will do. And they come and they come. And I, I speak to a lot of CISOs every year and they come and listen in the keynote. Uh, and often they'll bring their CEO with them, right? And then I get so many Huck, you know, until my arm wants to fall off, my CISOs will come over and they're like, my CISO, halfway through your [00:33:00] keynote, you know, approve my budget. 
 

Because storytelling, learning the examples of how this harmed companies in the past, what companies did to be successful, and doing it in the rubric of a story, which is how we think as a species, is how we remember information. Uh, what will sit in your mind and help you sell, uh, from the inside to get that, uh, that little slice of budget that you desperately need. 
 

[00:33:26] Sean Martin: I love it. So, so funny that you went there. 'cause the question I wanna wrap with is, uh, back to the book. So you did in, in the context of, uh, of speaking to an audience and, and CISOs and CEOs coming together. Or maybe the rest of the executive team, but, uh, for the book, how, how can a CSO and a CEO and the rest of the C-suite use the book perhaps to create their own story so that they, they can define their own, uh, scenarios [00:34:00] of risk and exposure and, and protection, detection and response. Being, being, uh, yeah, getting rolling the dice, dice and, and, and, uh, and protecting the business so they can actually get paid and, and keep that revenue. How, how can the executive team keep, use the book to, uh, to gain benefit? 
 

[00:34:19] Eric O'Neill: Well, the one thing about cybersecurity and cyber crime and cyber espionage is that it's rocketing forward. It, it's a, it is a train at high speed and not like our trains here in the US, like a bullet train in Japan, like moving, uh, so fast that keeping up with it sometimes can be a full-time job. So one thing the book will do for a CISO and my companion newsletter is keep you right up to date, right? 
 

Um, these are the ways that attacks are happening now. This is what you need to know about today. Uh, so, so that you, you, you know what to talk about when you're sitting in front of the executive team, you have examples that you can draw from. You can say that this is happening. Here's the size of the dark web. 
 

Here's the [00:35:00] size of cyber crime. $14 trillion a year in cyber crime and growing by next year. Right now it's the second largest economy on earth. By next year it might be the second largest economy on earth. That's a huge market share of bad guys. And uh, there are only so many companies. You know, there are lots of companies, but there are lots of bad guys. 
 

Just play the odds, we're going to get attacked. Right? Uh, and then from there, the second part of the book, once again, using stories, provides examples and toolkits that you can use to deploy in order to say, look, this is what I think we should do. We're in the planning stage now. We need to be, we need to do a little bit more work in assessment, and here's an idea of a tool we could use. 
 

Here's a way that we need to think. Um, and uh, and, and maybe we need to bring in some help here and I need a little bit of budget. But, but you know, the book will teach you how, uh, we're gonna use a little budget, but we're gonna save money on insurance. We're gonna save money on, uh, getting rid of technology that we've deployed that we don't [00:36:00] need. 
 

That's really expensive. Um, you know, do we stay on prem? Do we move to cloud? How do we defend against ransomware? But most importantly, also, it will give you the story you need to tell if you're trying to get that budget as, uh, as the person who's in charge of security for your company. About the incredible damage that can happen if you are, uh, under the siege of a cyber attack, if that fire is set and burning around you. 
 

Uh, because it's just not, it, it's not worth being. Um, what is the saying? Um, uh, penny smart and pound foolish, right? Something like that, you know, just to save a penny. You, you throw away the whole bank account. So, um, it, it, it will, it will give you the ammo you need, the ideas, the storytelling to, uh, to sell your executive team and your board on the need for enhanced cybersecurity. 
 

And hey, get, get, get your, uh, CEO a copy. 
 

[00:36:55] Sean Martin: Exactly. Exactly. 
 

[00:36:56] Eric O'Neill: Have him read it. Yeah. I, after he reads the book, he will, after [00:37:00] he reads the first, the first half of the book, he'll be coming to you and saying, how much more budget do you need? 
 

[00:37:05] Sean Martin: There you go. Yeah. And, uh, yeah, you're, you're, you're speaking my language. Uh, one of the earlier names of this podcast was the Business of Security, and I, I still have in my mind that this, uh, utopian vision, that security can really help shape the business. And you're talking about it in the context of, of, if you're spending money on tech you don't need and, and it's, um, adding complexity and it's leaving you further exposed. And just that decision alone, security helping the business make those decisions, um, can save money, and in the process, make it safer and perhaps even more nimble. And, and, uh, scale faster and make more money. And obviously the goal is to do that and then protect it. So you, you're speaking my language there, Eric. Um, it's always a pleasure, my friend. I could talk to you for hours. I have a lot of different things I'd wanna, wanna dig [00:38:00] into here. But, uh, leave folks with, uh, with, uh, this story. And, uh, perhaps you can come back again, uh, soon and we can talk some more. I wanna talk about competitive views. We look at our competitors, but we don't look at cyber crime, cyber criminals as our competitors necessarily. Um, anyway, lots of stuff in my head. I'm gonna leave it there. Eric, uh, show the book again. 
 

Spies, Lies, Cybercrime, and uh, Gray Day was the other one. And, uh, Eric O'Neill dot net, uh, to connect with Eric and of course I'll put links to all that stuff to the book and your website and they can grab the newsletter and connect with you. And, uh, who knows, maybe I'll see you, uh, in person at an event somewhere sometime soon as well. 
 

[00:38:45] Eric O'Neill: You know, I'm sure we'll run into each other at one of these big cyber security conferences that spring up all over the world as it becomes more and more necessary. And I should also say if, if everybody liked hearing my voice and you think it could help you get to sleep at night, uh, you can, [00:39:00] you can download the Audible version if you prefer to, uh, to listen to your books. 
 

And I recorded that myself. 
 

[00:39:06] Sean Martin: Look at that. Fantastic. Eric, it's a pleasure seeing you. Thanks for, uh, thanks for taking the time. Congrats on the new book and, uh, continued success for you and the team and, and ultimately for all the people that, uh, you're helping with your, your words and your stories. So. And thanks everybody for listening, watching this, uh, episode of Redefining Cybersecurity. 
 

Stay tuned for more. Uh, I have lots of fun stuff lined up. And, uh, yeah, check out the newsletter as well. The future of cybersecurity. I'm, I'm, uh, musing on all kinds of things. Uh, AppSec is the current series I'm working on, so thanks everybody. Thanks Eric. 
 

[00:39:40] Eric O'Neill: All right. Thank you, Sean. 
 
