We Spoke with Shawn Richardson, CEO of The Cyber6 Group, About Getting Started with Cybersecurity

We’re at a point in the technology boom where cybersecurity is vital to the livelihood of every company. It doesn’t matter what industry you serve.

But in order to get the most out of a cybersecurity infrastructure, you’ll need to get started in a way that works best for your organization. So where, and how, should you start?

We spoke with Retired US Army Master Sergeant and CEO of The Cyber6 Group, Shawn Richardson, about getting started with cybersecurity. We also had the chance to flip the script and ask him how he approaches clients as a cybersecurity vendor.



Interviewer: Matt Moneypenny, Marketing and Sales Analyst

Interviewee: Shawn Richardson, CEO, The Cyber6 Group


Matt: Hey Shawn, before we dive in, I'd like to introduce you.

Shawn’s a retired US Army Master Sergeant with over 25 years of information systems engineering and cybersecurity operations experience.

He currently serves as the Chief Executive Officer of The Cyber6 Group, a cybersecurity consulting firm whose purpose is identifying risk within small to medium-sized businesses that don’t have existing frameworks, expertise or budget.

The company uses a unique, hands-on approach to cybersecurity by creating a roadmap that’s directly aligned with their clients’ business objectives.

He also runs a nonprofit that supports local school sports programs by developing athletes who have aspirations of playing at the next level.

Welcome to the interview, Shawn.

Shawn: Thank you, Matt! I appreciate it.

Matt: First of all, thank you for your service.

According to your LinkedIn, you started your Army career as a Wide Area Network Engineer towards the latter half of Operation Iraqi Freedom.

Can you talk a little bit about your experience in the Army and how it helped get you to where you are today?

Shawn: Yeah, sure. Thank you for having me on this interview; it’s a blessing and an honor to speak with you today.

As I worked up through my career as an information systems analyst, I had a natural migration to wide-area and enterprise networking. I liked building architectures and infrastructures. That’s how it all started.

The Army has the tendency to help you grow a career path, so I started diving into the network side pretty early.

As it relates to my time over in Iraq, I led a team of about ten security and information system communicators. We ran all of the ones and zeroes for radio systems and battle communication networks for our transportation brigade.

Having the ability to take my tactical experience and inject it back into the commercial world has been an honor.

Matt: Cybersecurity is very important on an organizational level but also to our national security. It sounds like it was a great experience and that you quickly became an expert within the field.

After your service, you largely stayed on the cybersecurity path as the Manager of a Security Operations Center and Director of Sales and Business Development at an information security company. Eventually, you got to where you are today, as the CEO of The Cyber6 Group.

Throughout the time you’ve spent within cybersecurity, how has the industry changed? Have there been any major shifts in focus?

Shawn: I’ll tell you, each role I’ve transitioned to adjusted to vast changes in the industry. I’ve seen everything from building live area networks on dial-up and DSL lines to where we are now in the digital information age. It’s unbelievable how much things have transformed over the last two decades.

When I left the military and went into the private sector, there was an evident change in the technologies and equipment immediately. We spoke a lot about security in the military. When I went into the commercial space, nobody talked about it. There was always pushback, primarily because they couldn’t do their job. As an example, anytime you’d put a security control in place, the HR or finance department would give some pushback.

To conclude, there’s been a vast change in the technologies and approaches.

Matt: Definitely. Of course, if we’re going to talk about the past, we need to talk about the future as well.

To piggyback off of that question, where do you see cybersecurity heading in the future? In five years, where do you see it changing the most?

Shawn: When I left the military, I worked with one of the largest nonprofit science and technology companies in the world, Battelle Memorial Institute. I initially struggled with applying my passion and what I learned about security in the military to small business owners.

Frankly, they’re the foundation of our country’s economic development. But when you have a small business owner who’s affected by something like ransomware, or their manufacturing lines shut down for a few minutes, they lose thousands of dollars.

If something similar happens to a big name automotive company like Honda, they’ll lose some money too but it’s not going to close their doors.

How I see it changing the most is it’s moving towards identifiable security weaknesses. This is kind of what we were preaching in the military. In the commercial sector, software used to just sit on the shelf or it wasn’t configured correctly.

But now we’re at this pinnacle point where we have to look at it from a control, framework, and policy perspective. It’s moving towards putting actions into place that improve business processes as it relates to cybersecurity.

When the day begins and ends, it’s all about where your data’s located. That’s what threat actors want. They don’t care about a social security number or PII. In the grand scheme of things, that information is helpful to them, but they want all of the data. Data is so critical, and if they can lock that down, hence ransomware, a business is in a lot of trouble.

Matt: In your answer there you mentioned ransomware. I talked to your counterpart Paul Hugenberg about it on the healthcare side. But in the commercial and government side it’s scary too.

I mean these hackers break into your system and demand money. If you don’t pay, you don’t get your data back.

Shawn: Yeah, there are safeguards you can put in place for ransomware like decryption tools and keys. But if they’ve taken a variant of the malicious code and made it their own then you’re going to end up emailing an extortionist to get that unlock key.

We’re going through these with current clients right now. They’re in huge trouble if they don’t get that decryption key.

Matt: One of the hottest topics right now in any industry is IT security. It can be overwhelming for those companies just now starting to look into its intricacies.

Where should companies start?

Shawn: I think the biggest mistake small to medium-sized businesses make is not doing their homework. What I mean by that is using someone who says they’re going to protect you because of the “bright shiny stars” isn’t a good idea.

The company owners must sit down with a professional cybersecurity expert who has the full gamut of experience. This person should have extensive knowledge of frameworks and GRC.

I’ll give you an example. My good friend runs a family-owned recycling company. Up until the last few years, they haven’t had to worry about cybersecurity at all. Recently, a third-party vendor questionnaire asked them, “what cybersecurity measures do you have in place?” They left it blank because they didn’t know how to answer it. They don’t have anything in place as it relates to controls, safeguards, protective software, and hardware. Now, not all questionnaires go down to that granular of a level, but they’re important.

Companies should start by sitting down with someone who has a background with cybersecurity frameworks and controls. Discuss with that person, “What does a cybersecurity program look like?” This will help identify what inside their company is most critical to protect.

If it’s something as simple as the operations floor, how do you protect that? You don’t need to implement a huge cybersecurity program if you don’t need it.

At The Cyber6 Group, we want to build a relationship and conversation that builds trust with our clients. For us, it’s less about selling products.

To be honest, when we start with a lot of small to medium-sized businesses, the conversation starts with, “how much is this going to cost?”

It’s never, “let me listen to what you have to say,” until something happens to them. So we created a program that we believe is budget-friendly and hands-on. We focus more on the business relationship rather than the transaction.

Matt: Some experts may say that everything starts with budgeting. Without a cybersecurity budget, it’s hard for any company to stay protected from hackers or other malicious attackers.

I recently read in an article that security budgeting is particularly hard for companies within healthcare. The majority of them haven’t updated their IT security budgets in 3 years.

What are your recommendations for cybersecurity budgets? Where should companies begin and how much should they allocate towards it?

Shawn: Budgeting is a science within itself. There are experts out there who have far greater experience than I do in this area, but I’ll share my opinion from what I’ve learned.

It starts with understanding your threat landscape and what you have to protect. It’s almost like the old analogy, “There’s a door inside a door.” If the outside door's locked, then there’s no need to put a lock on the inside door because there’s security around the perimeter. There’s nothing beyond the second door meaning there’s no exposure to something like an operations floor.

To circle that back to technology, if there’s a security control or piece of software that does the job and protects an organization, then they should purchase it.

Funds allocated for cybersecurity within the commercial space typically run anywhere between 1.5% and 3% of total revenue. When we look at that budget for larger companies, that’s thousands if not millions of dollars.

The moms and pops of the world don’t have that luxury but still need security programs. So these smaller companies need to get creative when selecting vendors. They can’t afford all of the bells and whistles but still need to protect their data.

Matt: After companies review controls and decide on a budget they’ll need to fill it by looking at vendors and purchasing solutions.

Who should you involve in the vendor evaluation process? Should the process be exclusive to the C-Suite?

Shawn: I think the evaluation process should be set aside for someone who has the right experience and can talk about the technologies. I don’t only mean on the cybersecurity side, but everything this particular company uses.

As vendors, we don’t know everything about the equipment that’s on the floor of a manufacturing company. So we need to understand the capabilities of each piece of technology they use. Is there a tested software for what they want?

To answer your question, the evaluation process falls on a cybersecurity professional or information security officer who has years of experience. They need to be able to work in an executive role and help the company make decisions to choose the right vendors. That’s the best way to ensure that the cybersecurity solutions you just purchased don’t become shelf-ware. If that happens, they’ve wasted dollars.

We do information security reviews for small businesses all the time where we try to lead ownership in the right direction.

Matt: Another aspect to keep in mind after establishing a review team is the actual vendors themselves. There are a lot of risks involved when selecting cybersecurity solutions. The last thing any company wants to do is face a breach because their vendor mishandled their data.

What should companies look for when deciding whether or not they should work with a certain vendor?

Shawn: I think one of the biggest shortfalls that we see, and we could talk about this all day, happens when applications aren’t tested. There will be development testing, but they don’t consider the security ramifications that apply when injecting them into a business. When we do a web application penetration test, oftentimes we find loopholes in them. Those are the things you need to look for.

The average owners of something like what you guys do, billing solutions, need an immense amount of testing. Of course, you guys do that, and I know that first hand since I work with you. But it’s so critical to understand what to look for, and you’ll need an expert who can identify tested, well-known solutions that fit your business.

Being able to make articulate recommendations to your ownership about the right cybersecurity software, hardware, or solutions is important.

Matt: In a way, Shawn, you’re a cybersecurity vendor. So if we flip the script on that last question, how do you convey to your prospects why they’re in good hands when working with The Cyber6 Group?

Shawn: For years and years, what used to happen is companies in the industry would solve a problem by saying, “you need that software” without doing a review of what their program looked like.

It used to be like buying a car. How would you know whether or not it’s going to do what you want it to in snow if you’ve never driven it in those conditions? You trust that the individual who’s selling it to you will be honest and upfront with you. If they say something like, “that rear-wheel-drive vehicle is going to do awesome for you in the snow,” you’d immediately respond with, “no, it’s not.”

So it’s important to take the same approach in cybersecurity. We go identify the problem by looking at the entire spectrum of the company. If they don’t have any framework in place we’ll build it. Only then will we talk to them about what they need.

Matt: After filling up their budget, that company will move into the implementation phase. This phase includes installation, training, and execution.

In some cases, it could get complicated, which many fear will disrupt business operations.

Is it possible to implement a cybersecurity infrastructure into a business without disrupting operations or objectives?

Shawn: That’s one of the biggest fears companies have because that’s their livelihood. What we believe at Cyber6 is that our relationship-based approach makes implementation much easier.

I was with a financial institution this morning and that was the final question he had. He asked me, “What’s day zero to thirty look like?” I was able to tell him that because the whole goal of the first thirty days as a cybersecurity vendor is earning trust with every business unit. We need to make sure that they understand we aren’t planning to disrupt their business operations, that’s not our goal.

We don’t want to put a security control in place so that people can’t do their job. The best approach is a relational approach first instead of transactional. You don’t want to go in and say, “we’re going to put these controls in place,” without understanding why.

Matt: That’s a great way to approach it. Cybersecurity is all about trust. If you’re training employees on how to do something, their managers need to be able to trust them that they’re approaching things the right way.

Shawn: That’s a perfect example. So once we get through onboarding and have established trust with a company, maybe eighteen to twenty-four months down the road, it’s up to the managers to keep their employees trained. It’s a two-way street.

We aren’t coming into clients’ offices banging our fists on the table and demanding that they do what we tell them. We want you, as the client, to get mature enough to run your training program. That way we can focus more on the back-end through quarterly audits, pen testing, and reviews.

The most successful clients get excited about holding training because it’s their own. They feel a sense of accomplishment. Those executives understand that it’s not Cyber6 coming in and running the show. We want them to feel confident in the guidance we’re giving them.

I use this analogy a lot, and anyone who’s not an Ohioan may not understand it. There’s this great place up in Port Clinton called Cedar Point. There’s a ride there where a metal contraption guides the carts; we’re that apparatus in the center. We’re going to take that company down a path that others have been down a thousand times.

Matt: That’s a great analogy, Shawn. Once everything’s implemented, the job is still not complete. To thrive, you need to treat cybersecurity as a living environment. This means checking up on it every so often to ensure everything is running as it should.

What are the best ways to ensure the success of an already implemented cybersecurity infrastructure? How often should companies follow up?

Shawn: I’ve kind of hinted a little bit about this throughout the interview in other questions but the most important takeaway is to ensure that your information security program never ends. It’s a continuous improvement process.

We used to say in the military, “the foxhole is never perfect until you make it your own.” Even when you move to another battlefield or different location you’ll still have to build and maintain it.

So what can you do to maintain a cybersecurity infrastructure?

  • Audits

  • Continuous risk assessments

There’s nothing wrong with having quarterly or semi-annual risk assessments. There are regulatory bodies that already require them that often in some cases, such as healthcare and finance. But even for other small businesses, there’s nothing wrong with bringing in a cybersecurity professional quarterly to do standard testing, review your policies and re-train your employees. Those are some things you should follow up with.

We find that these follow-up processes are much easier to accomplish after maintaining a relationship with a client.

Matt: Absolutely, that makes a lot of sense. That’s all I have for you, Shawn. Thanks for taking the time for the interview, Shawn, I appreciate it. Before we leave, is there anything else you’d like to mention about cybersecurity or your nonprofit?

Shawn: Yeah, so The Cyber6 Group is very grateful for our partnership with Etactics and Open Practice Solutions. We’ve grown very quickly together while being able to manage our group of clients well. We’ve got some great things on the horizon for our company and can't wait to share that with everyone in the months to come. Right now, thank you for allowing me to speak with you today.

I’d also like to say a couple of final things. First, if you get the opportunity to see a veteran, thank a veteran. Second, pour yourself into your communities. They need leaders and people who invest in their youth. That’s a passion of mine and my partner’s; we’re heavily involved in youth sports. I run a youth softball sports organization, and I love every last one of them.

It’s so important to the development of your community. Give back.