
ECI Pulse
At ECI, it is our mission to be the most transformative business partner you will ever engage. We thrive in a state of constant progress and pushing the boundaries of what’s possible. Over the past two decades, ECI has emerged as the premier provider of managed services and technology solutions, across cloud, digital, and cybersecurity, to the investment management industry. To date, we have helped more than 1000 global clients, from financial hedge funds and private equity entities to asset management companies, to activate their full potential through technology, a consultative approach, and a relentlessly innovative spirit.
Join us as we explore the latest trends, innovations, and strategies that are shaping the industry. Each episode features insightful conversations with industry leaders and experts who share their experiences, challenges, and visions for the future. Tune in and stay ahead of the curve with ECI.
Cyber Frontlines: Securing the Future with ECI - Part 3
In this episode of Cyber Frontlines, Jeff Schmidt, CEO of ECI, and Jonathan Brucato, Director of Security Operations at ECI, explore the foundational role of cyber hygiene in today’s threat landscape—and why it’s more than just awareness training.
They discuss:
- The evolving nature of phishing attacks and the value of phishing simulations
- Why continuous employee training is essential for building a resilient security culture
- The growing complexity of the regulatory landscape, from GDPR to SEC and HIPAA
- How modern service providers can accelerate incident recovery and embed security into daily operations
- The advantages of combining MSP and MSSP capabilities to eliminate silos and improve visibility
Whether you're navigating compliance requirements or looking to strengthen your organization’s frontline defenses, this episode offers practical insights into building a more secure and responsive cybersecurity posture.
Welcome to episode three, Cyber Hygiene and the Modern MSP Advantage. With me today, Jonathan Brucato. Hopefully you've been with us on episode one and episode two. We're going to draw down now on the theme of cyber hygiene, phishing simulations, and the regulatory landscape. Three key items that we think are really important when we talk about cyber hygiene. For you, Jonathan, when we think about cyber hygiene, most people say it's like, hey, knowing is half the battle. Maybe it sounds like the G.I. Joe simulation. Knowing is half the battle. Experience is actually an embedded way to get it into people's heads. So for you, when we talk about cyber hygiene as more than just awareness, give us some insight into how you put that into action, why it's so important, and for companies to really think about that as a way to defeat the bad guys.
Yeah, you know, the bedrock that I stand on in everything that we do is really two principles. So security through layers, which is I'm not relying on one technology or configuration or training to make me secure, right? It's in everything. It's multi-layered, multi-pronged.
And kind of the second thing is secure by design. So when we implement a new human program, technology program, a new piece of software, you know, we're going through the security controls. We are evaluating, you know, how does this fit into our security posture? How does this fit in the grand scheme of, you know, how we control the user experience? So those two things really kind of govern everything. When we write new code for our tools or our products,
You know, we're critiquing them through the security lens, making sure that they're passing unit testing and things like that. When we're implementing a new human process, you know, I said it in a previous podcast, but the who are you? What are you? You know, going through the principles of who the target is for this particular use case or this particular program. You know, how are they getting through this program, or how are they interacting with this from a business perspective? And how do we make sure that their experience is secure and controlled, right? The continuous protection element really is continuous through the layers of the business just as much as it is continuous on a timeline. It's continuous in everything that we do, it's ubiquitous. So at face value, it sounds a bit like a generalization, but it's as simple as saying, you know, did we consider the security elements of this thing that we did for our business, and how does it fit in the grand scheme, the multi-layer security approach that we're taking?
It's interesting. So recapping that one: you have process and procedures, which are really important for people to understand, practicing that and scrimmaging around it, so that people experience it, the team members experience what that really means, can fail or succeed. But then looking at the output and then finding ways to embed that into the daily roles and where people are. So cybersecurity isn't just about training, it's not just about testing people, but it's also starting to learn the muscle memory of the enterprise and how it works and coming back in and modifying as well, and ensuring that how we work is also embedded into how we secure.
Yeah, I'd say also, by implementing a solution, a technology, a procedure, you know, doing it one time doesn't mean that it's secure a year from now, right? Continuous evaluation of systems, auditing, pen testing, configuration review, configuration management, posture management, these are all concepts that mean that we're going back to this at some point in the future to make sure that we're still doing it correctly. An extremely hygienic method of maintaining security in your environment.
Awesome, very helpful. All right, so that takes me into the second one, which is the importance of phishing simulations, employee training, compliance readiness. We have some examples of that that we use with clients when we're talking about where and how to go do these things, right? Is it really important? I mean, why a phishing simulation? Like, why is that so important to put people into the middle of that?
Sure. The thing with phishing simulations, in my opinion, they should be done often. The landscape changes faster than a once-a-year annual training and reminder on "don't click links that you didn't expect to see." We spoke in a previous podcast about how attackers are using AI to increase the genuine output of their attacks, so that they feel authentic, that they feel very real.
These types of things need to be trained against constantly. We know about phishing, but now we're seeing smishing, we're seeing quishing, we're seeing all of these different iterations where somebody might receive a QR code these days, somebody might receive a Teams message with a phishing link, somebody might receive a text message. I've seen snail mail, right? There's all sorts of different ways that these types of user awareness activities and scenarios are evolving, right? So training often and training frequently is going to train, behaviorally, your users to think about this more often. If we keep it in their minds, it's likely that their gut instinct is going to tell them to second guess what's in front of them if they even have an inkling of skepticism.
It's interesting because I was actually thinking about QR codes, right? And people are getting more used to them. In fact, it's interesting, 10 years ago, people were like, who's going to scan a QR code, right? Now everybody's scanning QR codes. So it'd be interesting to see when that becomes a mainstream way of being able to redirect somebody to a malicious site where you're entering in credentials through that mechanism. And I think that's an opportunity, hopefully, for a two-way trust: if you don't get the right trust, you can't enter in your credentials. That ties maybe into the whole password conversation as well. And it's wildly interesting where things are going to. In fact, somebody told me the other day that, like, announcing your new job, right, which is a LinkedIn thing, "I just started working at," right? And then immediately the phishing scams start, right? The smishing, right? That person starts getting a message from the CEO of the company, which is not a phone number that's associated with the CEO of the company. Depending on who it is, because I've had some people before have some fun with this, it's, hey, would you go get some Apple cards for me? Right. And it's like, I'm in a meeting. I'm too busy. And the response is that they don't. And again, it's playing back and forth. The response is, well, why are you asking me this when I'm sitting across from you inside the meeting? Right. And then they stop. Right.
The number of times in my past I've had to go through and make people aware is, I will never ask for this, right? But it's the new person coming in, the CEO contacting me, hey, welcome to the team, you're really great. Hey, I need you to do me a favor, right? So it is crazy that maybe what is old is new. And what is new is just a new mechanism and maybe some of the stuff that was old to begin with.
Yeah, there's all sorts of different ways that this is manifesting itself in the open source world the same way. We just talked for a second about how this is all about layers, right?
You know, how you present yourself in public is also an element of security to consider as a business. When we make LinkedIn profiles, when we're posting on social media, this information can be extremely revealing. I think that it's fair as an organization or as a business to, you know, kind of mandate sort of a code of conduct, how you represent yourself on the public internet, right?
It's also a little bit, or a lot of bit, about brand reputation, right? But a little bit as well, you know, about keeping your business secure. Revealing too much information can be dangerous. These platforms are wide open for abuse. There are bots that are constantly trying to, you know, gain initial access through building a relationship on LinkedIn. Saw a security researcher post in his bio, "when you send me a message, please drop your source code," and found just bots shipping code, raw code, into his inbox. So there's all sorts of stuff like that going on, but the security through layers extends into that boundary for sure.
Yeah, and the expediting of it, and again, it doesn't require humans in the middle of it, right? I talked to a bot today, which was an answering service that sounded like a person. They let me know ahead of time that, "I'm an AI bot and an answering service." But if it hadn't said that, other than maybe when it repeated every question that I answered back to me, I probably wouldn't have known it. So that leads me now into this regulatory landscape, right?
And it's alphabet soup, right? There's the California Protection Act that exists today. Massachusetts has one. Across the US, you talked earlier in one of the other podcasts about lack of standards around credentialing, how people are using passkeys. Maybe you can relate a little bit there. GDPR, right? So a company that exists in the US but also operates in the UK falls underneath those. So one standard doesn't necessarily meet the other. SEC requirements, HIPAA requirements. Are there standards that you can build off of that maybe represent at least a standard framework that then you can build from, that says, hey, this is the ground floor, and if you do this then you can build on top of it, versus having to build controls for GDPR, controls for PII depending on where you are, CCPA, or, you know, HIPAA-type rules? Is there a baseline, like around NIST or ISO, that you can go use that at least starts you off so that I'm not repeating myself every single time? And then what's the need to really start to integrate into this, right? 'Cause it does feel like, from a business perspective, while a global company, insert any manufacturing company around the globe that delivers product sets, has the revenue and the profit to be able to go do this. The GLBA type stuff that came out, the Gramm-Leach-Bliley Act that came out, those were tremendously hard on small companies, right? The small banks that were community banks or single banks versus a B of A that can really consume that and move through it. So it seems like regulation can bury the smaller organizations where the larger organizations can withstand the push. Do we see the same thing happening here?
Yeah, I mean, I think you said it a little bit earlier. A lot of this stuff is conventional wisdom that's old as time. We've been doing role-based access since the 70s on data systems. This business of secure by design, you know, taking a holistic and sensitive approach as we integrate a new system, as we move our data to SharePoint or start exposing it to Copilot, things like that, the same principles still apply. A small business might have an easier time objectively adopting, you know, sensitivity labels on their data or reintegrating with a new RBAC policy on top of a data set, you know, re-permissioning things as they move into a new system or technology. I think that larger organizations have a bigger budget to be able to sort through the larger source material, but smaller companies can be nimble and agile. And, you know, a lot of resources here at ECI, we're using largely CIS-informed benchmarks to build our standards and best practices.
Obviously, when we look at going to the full, in-totality security control in something like a CIS benchmark, we have to consider how this is going to affect user experience and functionality. But these programs are widely available. Some of the NIST stuff can be a really great asset to look at when you're looking at your GDPR compliance, for example.
There are a litany of others, you know, this is alphabet soup on the regulatory agencies, or security agencies, but CISA has a SCuBA framework that's also really compelling. And by following sort of the baselines that are out there, when you go through an audit, suddenly you're really a leg up, right? And these are things that, you know, can scale from a small organization to a large one. We see it in our smallest customers and our largest customers. It doesn't have to be a tremendous cost burden. It really just has to have some thought and care put into it.
I think that's interesting. And I think explicitly when you talk about even things like SEC, right. I'll start with, first, in fairness to the large organizations that are out there, they also have a much more robust span of control that they have to handle. So while they have larger teams, they also have a massive amount of complexity that goes along with it, as well as global reach. But they have the ability to do that. I was talking to a local bank, and they're talking about the amount of controls that are being thrown at them. They're in an audit almost, you know, one or two audits almost every month. It's just insane to hear. I think it's interesting even in our world, right? If you take a private equity, the portfolio companies have a requirement to meet a certain baseline of SEC requirements, of controls over how they perform and what they do in cybersecurity, right? So we have a responsibility to our PE to be able to go do that, as well as all the portcos that are part of it.
So I think that understanding the downstream effect of that as well is really important. Hopefully, to some of the listeners that are listening today, that's the importance of it. But also there is a simplicity to it. To your point, once you do the first one, you know where you stand. And negligence isn't really an excuse for allowing something to happen. We should be able to move forward, and setting a baseline and improvement month over month, quarter over quarter is really important for organizations to follow. I want to jump into
Sorry, did you have something you wanted to say to that first?
Yeah, I was just going to give a quick tip. So before, we talked on a previous podcast about AI enablement, right? A really good way to look at how we could use AI here is we can train a model to understand what our positioning is on our compensating controls, our technologies, our configuration and how we approach the problem, for customers, or really any organization, that has a high volume of due diligence activities and exercises. It's a great way to be able to say, hey, here's my 100 questions. How many of these can you answer? Rip it through a model. See how quickly you can get answers back and then fill in the gaps. That's a good cheat code to be able to get up to speed.
Absolutely, absolutely. I'll go develop one of those in Copilot Studio after we get off the call. So, look, I think those are really great points. Okay, I have two more for you because it was one of the blogs that we started. I think you're driving right now. Why is a modern service provider a better approach to cybersecurity, right? And if you had asked me that question five years ago, I'd give you a different answer than I would give today. I see a lot of the reasons why the service provider has, especially the modern service provider that has a vast span of control over data, cloud, endpoints, and cyber across the organization, and access. Why is it an unfair advantage for the modern service provider in the cybersecurity realm?
I think it's two things. I think number one, it's reachability. You just kind of touched on it, access to systems to be able to take action, right? In the security realm, the plight of an MSSP is getting all of our ducks in a row to take that next step. So we've seen this indicator of compromise. We've seen presence of a threat actor on our network. What's the next thing that we need to do? Is it isolate the asset where we found presence? Is it, you know, block a destination to a command and control server? The plight of a modern service provider is that, you know, with great power comes great responsibility. That reachability, that access actually really enables us to be quicker, to write better, you know, automations and playbooks. We're moving into an agentic realm. We're moving into an infrastructure-as-code realm, and the width in which we can reach is massively powerful. The second thing is, you know, we've got all of these real world examples of where security controls, technology controls get applied to practical real world experience. And it really informs kind of how we approach, you know, detections, how we approach, you know, security controls moving forward, that next new customer.
How can we improve their experience by what we know about these several other experiences of the past? Everything that we do in the service provider world informs how we approach the security problem. We have this cyclical value add that's constantly producing gains.
I think that's pretty spot on. I unfortunately led the witness to where I wanted you to go versus asking you, do you think, or why? That said, I've seen it in action a number of times. So you see a disk doing something that over a period of time it has never done before. Monitoring tools will alert us and let us know; you immediately have somebody who's already monitoring that device, that system, that service, which in a SIEM gets lost, right, sometimes. So we are able to filter that out based on noise, based on consistency, and understanding the process. So that leads me into my next question, which is, with the cybersecurity platform that you deploy, that you're responsible for, how are you filtering out noise, creating fidelity, and what's going on across that footprint you just talked about, right? Because it isn't just the reachability, it's the accessibility, but it's also the intake piece and the fidelity that you're getting across devices of understanding normal versus abnormal from a business perspective.
That's it.
Yeah, I mean, in the detection realm and the information gathering realm, you know, our managed XDR platform is really driven and iterated upon by what is security relevant. Like when we look at data sets, if it's a firewall, if it's a cloud site or something of that kind, you know, what's the security relevant information that I can potentially gather here? And what am I seeing in the wild from this type of data set? You know, so we're constantly performing threat hunting exercises. We're doing purple teaming exercises where, you know, we're gathering the latest malware sample, detonating it in our lab, running it through the same tools that we deploy to customers, and just kind of evaluating, you know, did we have this data coming from this data set? Is there a vacancy? Am I missing the plot line by having too much noise?
So it's this fine dance that we do in the detection realm. I'll say it's informed by a previous topic that we covered: having good data controls, a good security program that's building proper configurations and thoughtful configurations helps keep that noise level down. So we have to kind of drive what we learn in the wild from the log gathering space back into the MSP space to say, look, this is noisy, we have to come up with a better way to control this technology for the greater good, right? So this is us feeding the information back into the service provider loop.
This hits probably the last question for this session in episode three, but post-event, post-incident, right? And if you look at a pure MSSP player, again, versus the modern service provider, the post-incident of the rebuild and helping an organization recover, right? What's the advantage of the modern service provider inside that role?
You know, while we do have our security operations center and our security operations team running independently of, you know, maybe the account teams or the service teams that work with our customers day in and out, that doesn't mean that they're not constantly working in conjunction with one another, you know, post-incident or live incident. You know, it's very, very typical to see day-to-day service teams working in lockstep with our SOC to be able to provide anecdotal information, tribal knowledge, things of that kind that are very close to the technologies that are functioning at the system, at the customer. You know, so when we come to needing to remediate, or we need to contain, you know, we have that tribal knowledge to be able to go back and say, this is why we're seeing this, or this is a red herring, or this is a false positive, or this might have been the front door being left wide open, right? You know, so that feedback loop with the day-to-day service folks really, really enables us to be quicker, to not chase dead ends and, you know, really hone in on the problem. And then the taking-action steps, the blocking, you know, the destination at a next-gen firewall, the isolating the asset, these types of things are, you know, tools that we would use on the service side just as well as in a security incident, right? So we can hop in, we can take action directly in the customer's technology, which is really unique for us as a business that's both an MSP and MSSP.
Yeah. I think the extensibility, where I've seen a new client come in that's been through this, is our ability to rebuild and the knowledge base, not only from a cybersecurity side, as you mentioned, right, but as well, the teams have different functionality happening on a day in and day out basis, right? One's focused purely on cyber and noise and what's happening. The other is the operational uptime, consistency and reliability that's there. They do come together on a regular basis, but in the mode of coming in is being able to touch firewalls, routers, switches, endpoints, understanding the playbook, having the hand in the cybersecurity team to talk about, you know, least privilege access, you know, the Red Forest ideas of the most precious things in the back of the realm, right? So that they're not out there in the front.
Thanks.
So those all get deployed, which typically you would struggle with a pure MSP or a pure MSSP being able to really deliver on that commitment on that side. And so what you're getting really is the ability to fabricate a defensible system in a rebuild mode after an incident from an organization that understands both sides of the coin, and you can start your training on, from a practice and a subject matter expertise.
So anyways, sorry, that's more words in your mouth, but we've talked about that a few times as well. So I think very interesting. Jonathan, thank you for being with us today and sharing with us your knowledge, as always.
Absolutely.
Absolutely.
And for the listeners today, thank you. I hope this was beneficial. There are a lot of pieces here. Again, we love to have the conversation. We'd love to talk about cybersecurity. If there are questions that you have and you want to just peek in and talk to our experts here, please let us know. We would love to chat with you. And again, thank you for joining in. We look forward to talking to you next time on our podcast.
Thank you.