CCT Vendor 01: The Blurry Line: Where Physical Security Meets Cybersecurity - SecurePassage.com

Show Notes

The traditional boundaries between physical and cyber security are rapidly disappearing, creating both risks and opportunities for organizations of all sizes. This eye-opening conversation with Casey Rash from Secure Passage explores the critical intersection where these two domains meet and the innovative solutions emerging to bridge this gap.

Casey brings his fascinating journey from Marine Corps signals intelligence to fintech security to the partner side of cybersecurity, sharing valuable insights about career development along the way. His key advice resonates deeply: build a strong professional network and be open to exploring different security domains before finding your niche.

The conversation dives deep into how everyday physical security devices have evolved into sophisticated data collection points. Today's smoke detectors can identify THC in vape smoke and detect distress calls. Modern security cameras perform advanced detection functions like tracking objects, identifying crowd formations, and reading license plates. All this creates valuable security telemetry that remains largely untapped in most organizations.

What makes this discussion particularly valuable for security professionals is understanding how Secure Passage's solutions—Haystacks and Truman—map to specific CISSP domains including Security Operations, Security and Risk Management, and Asset Security. Their "Physical Detection and Response" (PDR) approach applies cybersecurity principles to physical security data, creating a more holistic security posture.

Perhaps most telling is the organizational disconnect Casey highlights between physical and cyber teams. As he notes, "If you talk to CISOs today, it's a crapshoot who's managing physical security." This division creates significant risk, as threats in one domain frequently impact the other—from terminated employees becoming both physical threats and insider cyber risks to non-human identities outnumbering human identities 10-to-1 in most environments.

Ready to rethink your approach to comprehensive security? This conversation provides the perfect starting point for bridging the gap between your physical and cyber security programs. Check out securepassage.com to learn more about their innovative solutions.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Chapters

• 0:00: Introduction to CISSP Cyber Training
• 2:14: Meet Casey Rash from Secure Passage
• 10:38: Career Growth in Cybersecurity
• 15:45: Haystack Platform & CISSP Domains
• 21:51: Physical Security in Schools
• 27:26: Truman: Physical Detection & Response
• 33:30: Product Limitations & Use Cases
• 36:38: Final Thoughts on Holistic Security

Transcript

Speaker 1: 0:00

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go.

Speaker 2: 0:22

Cybersecurity knowledge All right, let's get started. Hey all Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is something new. Today we're going to try something a little bit different with the CISSP podcast, based on feedback I've received from many of the people that are listening to this podcast from all over the globe. So the purpose of this podcast is to tie people out there in the world right now that are providing security services to the various domains that you're studying for with the CISSP and that just kind of it's real easy to go and study for the CISSP.

Speaker 2: 1:00

But really what it comes down to is then, how does that work when you're trying to tie that all together? And because of that, I have a gentleman on the call with me. He is from Secure Passage and his name is Casey Rash. Casey, can you say hi to everybody? Hey, everybody, happy to be here. Thanks, sean. Awesome, awesome. Well, we'll get started.

Speaker 2: 1:19

And the one great thing Casey and I have a little bit of a kindred spirit. We both were former military. Casey and I have a little bit of a kindred spirit. We both were former military and I'm going to let Casey kind of go into his background a little bit. But to kind of add a little bit of color on why this is so important is the fact that I met Casey and his team at an ISC squared meeting about a month, two months ago, and this is where it kind of this whole process came up of going.

Speaker 2: 1:42

You know what A lot of my students would love to hear about these different types of tools, because I get the feedback around that, and then how does that equate specifically to the domains of study in the CISSP exam, and so hence that is why I've got Casey here today. So, without further ado, I'm going to go ahead, casey, I'm going to let you kind of introduce yourself to everybody and kind of go over your background and then from there we'll just kind of get into some questions. Sounds good, awesome, you got the floor, appreciate it, hey.

Speaker 3: 2:13

So this is a whole. This is kind of a new endeavor for this show, right? Yes, it is. Yeah, you've bit off a lot in this conversation. Secure Passage at Secure Passage passage, we're doing things a little differently than, uh, the status quo would would say. So, uh, this is super cool, gonna make for some great conversation great well, I'm looking forward to it yeah, me too, man.

Speaker 3: 2:37

yeah I. I was in the, in the marine corps and of all the things that that can do to a guy, it got me into the security side of things. Sometimes I say it got me into all the nerd things, right. So I was a SIGINT guy, a signals intelligence operator, for the first half of my enlistment. I was active duty for eight years and the latter half was focused on cyber defense and that set me up. That gave me a great background for security and figuring out how to leverage that in corporate enterprise, civilian employment that's probably a whole podcast episode itself.

Speaker 3: 3:15

I ended up getting on at a fintech, a financial technology company. They basically build and sell software to banks and credit unions. I was a network security guy on that side various types of technologies, Did that for several years and I went to a very large trucking company and was doing virtually the same types of things but on different technologies. And over the past three years three and change I've been on the partner side of things in pre-sales. So I work with account executives and their clients to explore their projects and their priorities and the solutions that might be viable for their situation.

Speaker 2: 3:59

Okay. So when it comes to the partner, give me, if you could now, when you started off with you know you've been in a lot, so you started off with. You know you've been in a lot. So you've been in active duty Marines, you've been in the financial sector, you've also been in the physical moving of stuff right, logistics aspects of this. What is the one thing that you've seen over this time? You know what kind of brought you to this nexus of where you're at. How have you kind of matured your career and gotten to this position?

Speaker 3: 4:27

I think I can say two things to answer that. First, having a network, that's kind of a major part. I started getting traction when I started taking serious the relationships on the table at all levels. So that's one point. And the second point was a bit more of an evolution of really figuring out what I was trying to do in security. It's such a vast field that it's okay to dance around a little bit, take different positions, try different things and then figure out okay, this is what I really enjoy. Sure, no, that's good. Yeah, I think that's that's probably critical is to accept the idea like I might land on a position for three, four or five years while I'm figuring out if it's really what I'm into.

Speaker 2: 5:19

Sure.

Speaker 3: 5:21

For instance, I never, ever thought in my life I would be involved in sales at all. But I have found. I really enjoy it.

Speaker 2: 5:28

Awesome, that's awesome, yeah. So there's a couple of big nuggets there. Before we kind of get into some of the things around what Haystack can do and secure passage, one thing that I want to reach out to all the folks that are listening and I think this is a huge nugget that you guys really need to grab a hold of and I'm going to point fingers at myself for not doing a good job of this and that is building your network. And, casey, I agree with you a hundred percent because it's those relationships that are so important. And whether you're dealing with trying to influence people to buy a product, which we talk about a lot on this program is around influencing decision makers. Whether it's influencing it or getting sales folks, it's getting those relationships is really important, especially when you're getting in your cybersecurity career. So that's a huge nugget. I really love that.

Speaker 3: 6:15

I agree, I can't say enough about my network and it's growing all the time. And you know, connections that were really close when I first got out of the service aren't as close now, but I'm fond of those relationships. But as a career progresses, the network never lacks importance.

Speaker 2: 6:34

You're right, and there's an acronym we use in the military. You may know this one, but it's called HABU or HASU and what it basically means is hook a brother or hook a sister up and it's that whole thing of meeting people and knowing these individuals to help kind of make these things happen. And I've seen this now in my contracting world of it is what you know, but it's more not what you know, but who you know is a big factor in as well. Big time, totally agree. Time, totally agree.

Speaker 2: 7:06

So, as we get into this, if you could explain a little bit about what you're offering, what your team offers and so forth and I'm going to come back to that after what you mentioned around what are some of the key areas in your product and what are some of the domains and we've talked for everybody listening. We kind of talked a little about this, obviously before we prepped Casey to be here. But what are just a couple of the domains that we focus on, such as maybe asset security or security operations? If you can kind of maybe tailor what your product does to those potential domains, might give the guys, gals, that are listening to this maybe a better, better insight into how is all the stuff they're learning with the CISSP. How is that being translated into products like yours?

Speaker 3: 7:45

Yeah. So when you first spoke to me about this and told me the intention it actually, it gave me a really good way of structuring how I personally will look at solutions going forward. Bounce it against these things like the eight domains when are we playing and what are our gaps. So it's interesting. At Secure Passage, we're basically a 25-year-old startup. We have a solution in-house that has been around since the late 90s. It got really popular in three-letter agency circles right after 9-11. We still have that solution today and it's called Haystacks. Still have that solution today and it's called Haystacks. It plays very closely to security and risk management.

Speaker 3: 8:31

I'm talking about domains of CISSP now, asset security, architectural engineering and security assessment and testing. And I will have a caveat here on asset security. It's going to be important, whether it's this type of conversation or you're talking to a client, whatever the case may be, to define the terms. In this case, that being asset. So when you're wearing the cybersecurity hat, asset means a certain thing. Typically, you know an endpoint device. It could be a user's laptop, it could be a data center server and specific to haystacks, under the secure passage, branding asset is going to apply to anything that's critical infrastructure to your organization. I don't just mean critical infrastructure in the way of power or natural gas or water, those things. Those are critical infrastructure and we can help monitor sites, properties, facilities around those things. And here's where the conversation can get interesting, because I just mentioned physical security things. Right, where the conversation can get interesting because I just mentioned physical security things right.

Speaker 3: 9:46

But the line between physical and cybersecurity is getting blurry Right Time goes on. At any rate, that was the caveat there. Asset security relative to haystacks isn't about end-user laptops and data center servers. We don't manage those, we don't track those. It's more about property facilities, critical infrastructure to your organization.

Speaker 2: 10:14

Right, right, yeah, no, and that's actually a really great comment and the reason I say that is I would think that that's an area that's maybe a little bit underserved and I've got on your, I've put the slide deck. Well, you guys can all see the video. You don't need to see Casey's much better looking than me, but you don't need to see my ugly mug, so we didn't put that on there. But I've got his website that's out there in securepassagecom and the Haystack, basically, tab and you all can go and check this out on your own. But he has in here where their Operational Intelligence Center, which is tied to Haystack. Can you kind of explain a little bit? What is that Operational Intelligence Center? What does that mean? Yeah, that's the title.

Speaker 3: 10:57

That's the tagline for Haystacks.

Speaker 1: 10:59

Okay so that's your tagline.

Speaker 3: 11:01

Yeah, it's like Haystacks, the Operational Intelligence Center.

Speaker 2: 11:05

Okay, good. So the point around that is then, if you can see where there's a couple of bullets in here where he talks about they talk about OIC in action, which is your operational intelligence piece. Well, they've got monitoring security cameras, access control systems, and here's another one. It's social media and potential threats. All of those, I mean folks that have been listening. We've talked about physical security in the past. That blurred line Many times when I work with physical security, working for this large multinational. I did before. The physical guys would come to me and they go well, how do we deal with this? And I would go well, I don't really know how do we deal with this. So can you kind of, kind of pull back that a little bit of where you've seen this being used and really been effective?

Speaker 3: 11:44

Yeah, absolutely so. You're saying a lot of things. I should be typing notes to speak to much faster than I am.

Speaker 2: 11:54

You're good.

Speaker 3: 11:57

The physical guys come into the cyber guys and say how do we deal with this guys? And saying how do we deal with this? Well, cyber security let's say ttps, trends, tactics, procedures and and how we carry out the duties of being cyber security practitioners um have far surpassed the like abilities in physical security, does that?

Speaker 3: 12:19

make sense yeah, yeah, ok. So, when it comes to visibility and tracking incidents, physical security systems haven't made the leaps and bounds that cybersecurity has, where you can identify your assets of importance and you can deliver assessments according to fire code. Like buildings, follow fire code and certain structural properties will dictate how firefighters respond. Where are all of those kept? Typically today, it's in a binder, right? Well, if a building's on fire, who's going to grab that binder and find the page that shows a firefighter that information, right? So, having a digital system where those things are tracked and kept and being able to look on a map and tell firefighters, hey, you'll want to come from this direction and enter here those types of things, that is a very specific example.

Speaker 3: 13:32

The tool as well is being implemented today in school systems. Okay, because there's a lot of regulatory compliance about what schools have to assess and report on Right, compliance about what schools have to assess and report on Right, so that all ties into security, because school resource officers, law enforcement officers love our platform. It makes it easy to share information and not just track what's going on at the building level, but maybe a campus level, right, but maybe a campus level, as well as the behavioral threat analysis involved, where you can keep track of maybe at-risk students.

Speaker 2: 14:11

So let's pull on that. So is that the behavioral aspect? How does that work? I mean you're saying potentially keep track of students. Can you kind of pull on that just a little bit for me?

Speaker 3: 14:22

Yeah, so it's common. Look, I have three kids and I've sat on a school board right dude, I have heard everything.

Speaker 3: 14:30

Nobody's kid is ever the problem, right, right, yeah, uh, specific to a school, the behavior threat behavioral threat analysis is maybe, um, the counselor's ability to keep some notes and the school's ability to track discipline issues as a means of carrying out some degree of profiling. I know that comes with a negative connotation, right, when it comes to school safety. You know well. What I was about to say about school safety is true for all of security. Nothing's a problem until it's a problem Right. Security is not a concern until there's a problem Right. So it's just another way of shifting Incidents to the left a little bit and giving you more indications and warnings, yep, no, that's good, that's good.

Speaker 2: 15:27

So, and here's a question to ask. And as we talk about the CISSP, one of the big areas we have around is privacy, and that's a big, huge factor in making sure that people are connected. How does your product and your platform deal with privacy? So, if you're dealing with students and they're on this list, right and again, profiling is not a bad thing. It's unfortunately. It's a bad thing when it's used incorrectly, but you need to. If you're looking at risk mitigation, you're always sizing things up to go okay. Well, hey, I'm this guy walking down an alley in a dark night wearing all kinds of bling. That's not probably a bad idea From a risk standpoint. Somebody's profiling me, saying this guy's an easy mark, right. But when it comes to the situations for in this situation you're dealing with privacy is a big factor when dealing with students. How does your platform handle that? Does it take care of that for people, or is there a different platform you'd need to use if you're going to be focused on the privacy of the students?

Speaker 3: 16:26

It's a matter of where the data is kept and who has access to the data.

Speaker 2: 16:30

Okay good.

Speaker 3: 16:31

So yeah, look, current users of Haystacks today are government entities for the most part.

Speaker 3: 16:40

So we have to abide state and federal regulations when it comes to data security, which is a oh my gosh dude. That could be a whole nother podcast. Good space there, big moving space. Dspm is the term that I'll use Data Security Posture Management. There are several solutions there that are good to talk about, but I'm going to zoom out a little bit from your question and say how does all of this apply to CISSP and cybersecurity? Yeah Well, anybody studying cybersecurity, working in cybersecurity, is aware that attacker SOPs dictate that threats in one domain cyber or physical can and do impact the other Right. So this is why we're talking about.

Speaker 3: 17:30

The line is blurry, and this is another reason why Secure Passage is a very interesting choice for you to bring on today, because everybody at the organization at Secure Passage has a pedigree in cybersecurity. We all come from cybersecurity backgrounds, but the owner of the company, as does he. He's been a founder and an entrepreneurial leader in this space for a long time. He started thinking, you know, the gap between physical and cyber is too much risk, and so he had acquired Haystacks some years ago. I don't know all of that, and next to it we're also developing Truman, a second in-house solution. Okay, so that's why I feel like Haystacks. Although it is not a cybersecurity dedicated solution sidebar, if you want to take a note, it's also good to know what a solution is not.

Speaker 2: 18:33

Right, right and that was kind of one of the next questions I had for you as well.

Speaker 3: 18:38

A-Stacks is not a cybersecurity dedicated solution, but it is highly valuable to physical security teams and communicating across that blurry line.

Speaker 2: 18:50

Right, and I think that that's an important factor, because we all and the CISSP is focused on cyber, but it's not just completely around the cyber aspects of it We've got business continuity, disaster recovery.

Speaker 2: 19:04

You have physical security and it's one of those pieces that, if you become an expert in this field, you're going to have to talk this talk, and so let's use it as an example. So the question we just had, where you're coming together with a physical product, a product that helps physical security, but, as we mentioned, the lines are very blurry between that and what you would see in the cyber side. If you're a security leader, you're going to have these. Your leadership's going to come to you and say how do I deal with physical security? And you're going to have to know it. So it's important I really do. I think it's important that you guys everybody's listening to this podcast understand it's not just you're dealing with IT stuff as a whole, you're dealing with the full gamut and you're expected to know this information or, if not know it, at least know where to get the right answers.

Speaker 3: 19:50

Right? No, I love it and I feel like you have a great audience for me to make this comment that I'm about to make. I don't necessarily tell this to everyone, but because it's partially opinion. But the more I've studied what we're doing at Secure Passage and how we're impacting the market and addressing these gaps between physical and cybersecurity mostly because it's just different teams that have traditionally never worked together- I get it.

Speaker 3: 20:17

I'm not dogging that in any organization, it's just the state that it has been. But the more I study and read and research and talk to CISOs and security leaders, I'm comfortable saying that most of the responsibility when it comes to unifying systems for security outcomes lies on the cyber side. We understand the data right. We know how to leverage data right. Physical security teams don't care about it they don't really have to but the technologies and the systems in place on the physical side produce data relative to security outcomes. So that's where Truman comes in, and I don't know if you've looked out on your website, but the tagline there is physical detection and response. Right, call it PDR. That should start to ring some bells with cybersecurity practitioners, because we're familiar with you know all the dr acronyms edr, mdr, what have you right?

Speaker 3: 21:29

we're basically applying those traditionally cybersecurity principles to physical security systems nice um, things like you know, a smoke detector isn't just a smoke detector anymore, right, they are IoT that produce dozens of different types of detections. They can detect smoke. They can tell if it's smoke from a vape. They can tell if it's got THC in it, which is really good for high school bathrooms Good point. Good point, um, they can detect, um raised noise levels, be it just, um you know, an excited classroom because they're doing a lab or something, or somebody yelling for help, right, or a gunshot, right. So all, and those are just a few examples. You can go look up, like, uh, halo environmental sensors and read about all the detections they do. There are numerous brands out there but, um, that, all of those detections produce logs and so, unless somebody is watching their halo system which um corporate enterprises, schools it's just hard to staff everything, right. That's why AI and automation is so popular right now, because human capital just we need people to actually be able to do their job, not sit in front and watch for alerts all day. Right, we talk about that with our cyber SOC people Like you know, they're just 24, seven eyes on glass, right, well, that's great, but we have AI and automation now. So if we aren't leveraging these technologies to make security faster and better. We're not rolling right, we're not keeping up. So, at any rate, truman can collect those logs, as well as logs from surveillance systems, because cameras just aren't cameras anymore. They just like the environmental sensors. They do dozens of detections based off what they see. So people carrying objects, a crowd amassing or license plate readers, facial recognition this all produces data. There are numerous other types of traditionally physical security devices that fall in the IoT category that produce data, and that's what Truman is doing is taking that data and creating a better security picture. Holistic security Nice, taking that data and creating a better security picture. Holistic security.

Speaker 3: 24:07

Let's say you are a, you're a security director, something like that, right and you got to fire somebody. So you've got HR in the room with you and you call somebody in and this person gets irate, they're not happy. You and you call somebody in and this person gets irate, they're not happy. So if an environmental sensor picks up elevated voices and you have an AI, an automated system to create an alert, right, and somebody says, oh, that's coming from the room over there where they're talking to so-and-so. Now, all of a sudden, that guy might not just be a physical security risk, but he's also at risk of being an insider threat, right? So let's go ahead and terminate his access Right Now. It's an identity and access management issue, correct? So just because somebody in the office wasn't happy, right? We see how this again, the line gets blurry, right?

Speaker 2: 25:07

So and I think this is really important because we've all, if anybody's had to deal with and this actually is a really good use case If you've had to deal with employees they've had situations where we've all. I mean, I should say I'll just point me. I've had to let people go and it's very uncomfortable for everybody in the room. I should say I'll just point me. I've had to let people go and it's very uncomfortable for everybody in the room. And this is a great point of, if there's sensors listening to these types of things, how does that blend into the physical security space? And I think that's an important part of areas that we don't talk about a lot. We've talked about it in the CISSP and the podcast, where IoT is a huge factor. Everything is listening. I mean, we all have the Alexas and the series and all these different things that are going on at home that are listening to all types of aspects. But it's also, to your point, around just even fire suppression systems that have sensors. What are they listening to? What are they not listening to? And I think it's all about the data. It's always all about the data and having tools like yours that can help kind of, especially with the. I use AI loosely, but it's basically to the point where all the data is being aggregated through these very fast algorithms that can figure out what is actually occurring, and I think it's an important factor, especially as you mentioned.

Speaker 2: 26:20

There isn't enough people to go through this and, from a fulfillment standpoint, it isn't what people want to do is just sit there and watch logs all day. It's just not. That's not fun. So so we've got. I want to keep us on time as far as how much we've got with us and just cause I've got a few more questions, and I want to make sure that we get all those covered With your tool.

Speaker 2: 26:38

What are some things, though, that it doesn't do? So I got one thing I always talk to all contractors and and people that are coming in that are offering up a service, and is that when I get very concerned when someone comes in and tells me it can do everything it's the Swiss army knife to all things that you ever could want I usually run away very quickly because that's I have yet to see one where that's actually the case, so I'm going to kind of throw it out there with you and just ask Casey, you know, what are some things that your tools just don't do. They may do it, but they just don't do it well or they don't do it at all.

Speaker 3: 27:13

Yeah, no great question. I love that question. Being a solutions architect in pre-sales for a few years now, you are striking a chord.

Speaker 3: 27:25

I love it. You hear it from every security vendor. Oh yeah, we can, we can do it all. So Haystacks it. You know I'm just going to hit on assets. It doesn't do automated asset aggregation. There are some asset management tools for IT that will do automatic inventory. It'll go out and sniff and tell you what's on the network. Well, haystacks doesn't do that because a lot of times the assets that we help organizations track don't have as much of a digital footprint, or it might be such that it changes and has to be updated. So it doesn't do any good to have an automated system. So when we talk about asset management for Haystacks, we're not like an IT asset management solution, nothing like that at all.

Speaker 3: 28:20

When it comes to Truman and physical detection and response, today we don't do automated remediation of anything. Just by the nature of being a physical security detection and response solution, so right, all response will be on the organization's end. Right to leverage the data, we can build detections and workflows, but the tool doesn't actually remediate any of those that come up. Right, it's all tunable, and I'm going to make a correlation here that I really don't make, except for with cybersecurity people. But we're all familiar with SIM and SOAR right, mm-hmm. That's essentially what's happening with Truman, but with data from physical security systems. Okay, make sense, yep, totally. So yeah, it seems like such a like. Once it's explained, it's like how is this not? How's this not already being done everywhere? You know what I?

Speaker 2: 29:18

mean Well.

Speaker 2: 29:19

I mean and then again it comes down to the need right, and I think that I'll just use an example of I'm doing some consulting stuff for financial companies right now, and some very large financial companies, and they've got money, they've got resources to make things happen. But I've also was the CISO for manufacturing and some of my partners that I'm working with at NextPeak made a comment to me going well, the manufacturing space is growing but they don't need cybersecurity the same as they do in the financial industry. And they do. And in many cases the stuff that can happen in manufacturing can kill people, whereas the financial it just devastates them financially. But the ultimate goal is there's money there in the banking industry. So therefore there's lots of traction Outside of the banking industry. It's growing. All areas are growing, including, I believe, in the physical side, because they see it more and more almost every day. But it's just, it doesn't have the level of traction yet, but it will.

Speaker 3: 30:17

It just takes time right, yeah, absolutely, I missed earlier when I mentioned Truman, mapping Truman to CISSP domains. Yeah, the most applicable domain would be security operations.

Speaker 2: 30:33

Okay, yeah, and that makes sense.

Speaker 3: 30:36

Bearing in mind by leveraging data from physical security solutions. Right, so there's also an identity and access management piece for us internally. That is a roadmap item, but we're working toward being able to tie whatever detections. You know, if you're a client, sean, and we've developed your use cases and built detections with you for your particular use cases, we want to be able to tie an identity to every detection, whether it's human or non-human.

Speaker 2: 31:13

Right.

Speaker 3: 31:15

Actually it's probably a topic in the CISSP, in the IAM domain. Most identities in cybersecurity today are not human Right. And it's a staggering number. I I read about it recently I don't remember what it is, but it's like 10 on non-human identities to human. So when I read that I thought well, you know, everybody says macs are more secure than pcs. Right, why is that right? Because there's fewer packs. Most people just use use a PC. Right, that's true, that's very true. So that makes them more vulnerable. Yeah, there's more of them out there. Well, let's look at identity through that lens. What's more risky a human identity or a non-human identity? Right, if non-human identities outnumber human identities 10 to 1, I kind of need to have something going on to monitor my non-human identities.

Speaker 2: 32:10

Agreed, yeah, totally, and we all know the non-human ones are much easier to provision and they also get forgotten about and they become the bane of most security leaders' existence just trying to have to deal with all that. So, yeah, no, that makes total sense. Well, we're getting close on time and I wanted to be cognizant of your time as well as what we're trying to accomplish here. But in the last few minutes, if you could, Casey, kind of just explain to the team you know the folks that are listening to this, you know what are some things they need to take away and know around what your product does, but also around how it can benefit them for the CISSP exam does, but also around how it can benefit them for the CISSP exam.

Speaker 3: 32:59

We are a breath of fresh air when it comes to various solutions and I realize I'm saying that out of some degree of partiality, but I'm also saying it out of years of being dedicated to cybersecurity and we're addressing things that, just because of status quo, aren't being addressed by other solutions. Sure, I'll use a word that, as an organization, as Secure Passage, we're trying not to use this word because it's just too buzzy. Converged security I'm sure everybody's familiar with that, but if you ask anybody to define that, you'll get a bunch of different answers. Right, a lot of people will just say OT or IoT. Whether it's OT or IoT, they're just looking at cybersecurity controls around those environments. They're looking at how that data is being used. Right, that's what we're looking at.

Speaker 2: 34:03

Did.

Speaker 2: 34:03

I answer your question yeah, no, you did and I think to kind of just peel that up a little bit or peel it back is that it always comes back to the data and I feel that, as we are, whatever product you are, as a security professional who's listening to the podcast, whatever resource or whatever tool you look at, consider it's about the data. Where is the data being stored? How is the data being managed? Store, how is the data being managed? And, in the case of this, where you have physical devices such as security cameras and other types of alarm systems, where is that data going and how are you protecting it and managing it as well?

Speaker 2: 34:36

So I think the ultimate goal is just to kind of come back to is that it doesn't matter if you think it's a and don't take offense to this, casey but if it's a dumb camera, it's not a dumb camera. These cameras in today, as you have mentioned, they have AI built into them. They have their collecting data, their storing data. As a security professional, you need to be connected with all of these things and where the data is being stored, where it's being transported to.

Speaker 3: 35:02

Yeah, you're dead on, and maybe some of your listeners will be in a position to help achieve the next level of essentially holistic security awareness at the leadership level, because if you talk to CISOs today, it's a crapshoot. Who's managing physical security? It might be well technically, it's mine, but I don't have anything to do with it because so-and-so and so-and-so. Yeah, you're spot on. You're spot on, or it's a totally different team and they don't want to talk to cyber at all. Right, right, at some point somebody has to take ownership.

Speaker 2: 35:38

Right, yeah, the guys with guns sometimes don't want to, they just don't want to know it and you get it. So, no, this makes total sense. Casey, I really appreciate your time with me today and I hope everybody that has been listening to the podcast. You can reach out to me at CISSP Cyber Training and I'm happy to pass on information about Casey and his team. You can go to securepassagecom that's securepassage, all one word, dot com and you can check out what they have there as well. So and I know we'll put in the show notes, we'll put Casey's contact information, so you'll have that. But at the end of the day, you know, we want to try to teach you this stuff at CISSP Cyber Training and give you the tools you need to be successful and so you can pass the exam the first time. So any last thing you want to say at all, Casey?

Speaker 3: 36:28

No man, I really appreciate you having me. I think this is a really cool way to leverage your show. It speaks to the feedback you got too, that CISSP covers a lot of things but solutions that fall into each of those domains. That's a really good concept of viewing the CISSP domains is what solutions apply where?

Speaker 2: 36:49

Awesome, this is very good, well, awesome, well, thank you Well, and I just appreciate you taking the time because, again, time is money and time is valuable and taking the time to spend with us is greatly appreciated. So thank you so much and we will be very, very excited for your future. But other than that, that's all I've got for you all today, and if you have any questions again, reach out to me at cisspcybertrainingcom or reach out to Casey at securepassagecom. All right, thank you all. Have a wonderful day. We'll catch you all on the flip side, see ya.