Get to the Point — The High Point Networks Podcast
Technology can feel overwhelming — the jargon, the pace, the pressure to keep up. Get to the Point exists to change that.
Hosted by Andy Middlemiss and Brandi Mentele of High Point Networks, Get to the Point is a podcast for business leaders, IT professionals, and anyone trying to make sense of how technology can actually work for them. Each episode cuts through the noise with honest conversations, real-world insights, and practical takeaways from people who live and breathe this stuff.
No fluff. No unnecessary jargon. Just the deeper "why" behind the technology decisions that matter — from a team you can trust.
New episodes every other Wednesday.
Hosts: Andy Middlemiss & Brandi Mentele
Audio & Video: Alex Conner
Production, Post-Production & Management: Jasmine Joy
_______________________
Get to the Point is produced by High Point Networks for informational purposes only. Guests include High Point Networks professionals as well as subject matter experts from across the industry, each speaking from their own experience and expertise. Content shared is intended as general information and should be evaluated within the context of your specific organization and circumstances. Views expressed by outside guests are their own and do not necessarily reflect those of High Point Networks or its affiliates. High Point Networks assumes no liability for decisions or actions taken based on content discussed in this podcast.
Get to the Point — The High Point Networks Podcast
Breaking Down the 2026 DBIR with Dean Sheley: What Business Leaders Need to Know
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
The 2026 Verizon Data Breach Investigations Report just dropped — and in this bonus episode, Andy and Brandi sit down with Dean Sheley, Senior Security Architect and Consultant at High Point Networks, to unpack what's in it and what it means for your organization.
Dean brings nearly 30 years of cybersecurity experience across global financial institutions, higher education, and the SMB sector. He's a CISSP, holds a Master's in Information Security and Assurance from Dakota State University, and previously served as CISO for the South Dakota Board of Regents, overseeing cybersecurity across six South Dakota public universities.
0:00 - Introduction & welcome
1:49 - What is the DBIR and why does it matter?
6:45 - The DBIR's north star: fundamentals still matter most
8:38 - Vulnerability exploitation is now the #1 threat vector
14:21 - Why organizations are struggling to keep up with patching
21:10 - Does automated patch management exist? (Yes.)
22:40 - Ransomware is up — but payments are declining
26:43 - Third-party risk and the expanding attack surface
33:20 - What to ask before you move to the cloud or a third party
37:28 - AI vs. AI: how the threat landscape is shifting
🗨️ Mentioned in this episode:
2026 Verizon Data Breach Investigations Report (DBIR) — free download at verizon.com/business/resources/reports/dbir | Industry breakdowns: pages 80–81
CISA Known Exploited Vulnerabilities Catalog — cisa.gov/known-exploited-vulnerabilities-catalog
Jen Easterly, former Director of CISA — referenced in context of software quality accountability
Project Glasswing — anthropic.com/glasswing
Connect with Dean: linkedin.com/in/deansheley/
_____
New episodes every other Wednesday.
Connect with us: 🌐 highpointnetworks.com 📱 LinkedIn, Instagram & Facebook: @highpointnetworks
Subscribe — Spotify | Apple Podcasts | YouTube | And wherever you listen.
Get to the Point is produced by High Point Networks for informational purposes only. Guests include High Point Networks professionals as well as subject matter experts from across the industry, each speaking from their own experience and expertise. Content shared is intended as general information and should be evaluated within the context of your specific organization and circumstances. Views expressed by outside guests are their own and do not necessarily reflect those of High Point Networks or its affiliates. High Point Networks assumes no liability for decisions or actions taken based on content discussed in this podcast.
Good morning, gentlemen
Dean:Hey. Hey.
Brandi:Most of us have heard the word breach so many times it almost doesn't register anymore. But the 2026 Verizon DBIR just dropped, and buried in 100-plus pages of data is something every business leader should know about.
Andy:All right. And today we're getting to the point of digging into the highlights here. We're certainly not gonna cover all 117 pages of this, but hopefully we can get to the point and cover the highlights, and what do businesses need to understand, and what can they take away from this that's actually actionable. So excited to get into that. And this is Get to the Point Welcome to Get to the Point podcast, the podcast where we dig into the why behind the tech that's all around us. We talk to real IT people about real IT stuff, and we try and make it a little bit more human.
Brandi:We do.
Andy:I'm Andy Middlemiss.
Brandi:I'm Brandi Mentele. And joining us today is Dean Sheley, senior security architect and consultant at High Point Networks. Dean brings nearly 30 years of cybersecurity experience across global financial institutions, higher education, and SMB sectors. He's a CISSP, holds a master's in information security and assurance from Dakota State University, and previously served as CISO for the South Dakota Board of Regents, overseeing cybersecurity across six South Dakota public universities. Welcome, Dean. Tell me something good, sir.
Dean:Hey, yeah. Thanks for having me, guys. It's just a beautiful day. Great to be here with beautiful people and thanks for having me.
Brandi:Great. Dean, you and I have been… The… I think I went back maybe five or six years that you and I have been, whatever you wanna call, unpacking this report.
Dean:Yeah.
Brandi:And I'll tell you I'm gonna expose myself a little bit here. I'm gonna tell you a little secret.
Dean:Okay.
Brandi:In all of that time, I've put all the weight on you to read this report and come out with the knowledge. Why? Because you're the expert, and I'm like, "He's gonna do a good job." But this year-
Dean:Yeah
Brandi:and I printed it, by the way.
Dean:Yes.
Brandi:I did kill a lot of trees with this, but I printed this baby. 120 pages.
Dean:Beautiful.
Brandi:For someone who's non-technical, like me, again, I work for a technology company, I know enough, this was an actual easy read.
Dean:Right?
Brandi:So I, I'm, and I highlighted a lot of sections, and we're, gonna kinda dig into this today. But I really got a lot out of it. I It was so much fun. The humor in it, the data in it. They give you literally a pathway to read this in a manner that is so digestible for even someone like me, who is not technical. And so I'm excited to talk about this today'cause I actually read it. And so I think I'll, maybe have a little bit more to offer other than just, "Hey, Dean, take it away," and, so I'm excited about that. But tell us a little bit about this report, kind of what it's meant to you, and why it matters, why people should actually be reading this.
Dean:Yeah, absolutely. And number one, thank you for reading that. We, have a little, kind of pre-game talk before we started-
Brandi:We did.
Dean:Shooting, and it was a beautiful discussion. Brandi was talking about reading through the report and, some of the things that she got out of it, and it was just proof, I just wanna substantiate what you said, that you were able to read through it and really get out of it some of the key factors that can make a significant difference, for organizations, reducing their risk. And, very proudly- And it's, it's just gonna amplify our discussion 'cause I think in the next 15 minutes or so you and I are gonna be able to chat back and forth almost in a way as if you were a customer that High Point Networks was helping out that need a path forward in their security journey, maybe a way to approach continuous, continuing, maturity and improvement, prioritization and so forth, and I know that's absolutely gonna be brought up. But, just in short here really quick, yeah, the DBIR, I think it's in its 19th season. it's done by Verizon. When we think of Verizon, we think of the cellphone people, but this is a completely different division of Verizon. I think, I always say it's kinda like General Electric where they make microwaves but they also make jet engines and turbines and, stuff like that. So this is not the cellphone part of the company. what they've been doing for the last 19 years is, they'll look at tens of thousands of breaches, that's when data's been affected in any type of a compromise, and incidents, that's when data has not been compromised or exfiltrated, and, they, look at all of those different instances, over, a number of different verticals in a very statistical way. It's not market-driven, it's… There's no pressure from, this company or that company, and they really lay it out there as if a medical research or any type of other, statistical, evaluation of something was done. And they break down the data nicely for us. They put it in a report And we take a look at it, and then from that, as we approach information security as risk management, it helps us understand what our greatest risks are globally, but then also in individual, business sectors, whether that be in manufacturing or medical or agriculture or whatever it may be. And then that helps us kind of understand how we want to prioritize controlling that risk, how we want to control it, and the type of resources, financially or, whatever that may be to controlling those risks. So in a nutshell, that's kind of what the DBIR is.
Brandi:Yeah. I love that. And before… Andy's got… Andy's gonna kind of take us in-
Dean:Beautiful
Brandi:to the details here, but I, highlighted- something that I read earlier that I really wanna read to people here.
Dean:Yeah.
Brandi:This is pretty much the bulk of what I got out of this report. Now, granted, there's so much more that I got out of this report. But something that they said in the very beginning really hit me. And it says that, "The threat landscape will keep evolving, but the fundamentals still matter most." I want people to let… I want that to sink in a little bit."Organizations that stay grounded in strong cybersecurity basics, clear visibility into assets and third parties, disciplined patch management and well-practiced response plans, along with a culture that supports and enables secure behavior, are better positioned to handle today's realities and whatever comes next." So I want that, I wanna set the stage for what we're gonna talk about today, because we are gonna talk about some fundamentals. We're gonna, we're gonna get into just some of the key- again, we won't read the entire report, but that really struck me. I mean, I highlighted it.
Dean:Yes.
Brandi:And there's so many things in here that I highlighted, but that right there was like, wow, that really hit home for me especially being non-technical. Like, wow. All right, let's get back to the basics. And Mr. Middlemiss, will you kick us off here? And let's start talking about some of the things that people need to know regarding this report.
Andy:I will. And that, little paragraph just, really sets, the foundation nicely for, really the, I think the rest of the conversation. And for, again, it's kind of an overwhelming amount of data. but again, super, well-written. I was hesitant to read it, because I, couldn't find the time to take a nap that long, frankly. but when I got into it, it's just so well-written, and they're very-
Dean:It is… Andy: clever.
Brandi:They are. Yes.
Andy:And it keeps you engaged. Yes. And there's some great information there. But that paragraph, I think just really sums up kind of the key points that we really want to dig into today. Yes, sir. So the first one is also, kind of the leading stat as far as what's kind of taken… I, think it was new this year that vulnerability, exploitations is now the number one-
Dean:Yes, sir
Andy:threat across, of across the whole report. My assumption, that is about patch management primarily. I'm sure there's other factors there as well.
Dean:Yes, sir.
Andy:but you know, patching is really the front line. And it feels like organizations are really having a hard time keeping up and, losing ground. I wanna dig into that a little bit. But some stats that I grabbed from this, the average remediation has increased quite a bit, up to 43 days now. And this one, to me, is a little bit shocking, that 26%, so a quarter, of all critical vulnerabilities, known I assume, vulnerabilities are just never, were never completely remediated in 2025. So, can you just talk about those a little bit and, w- why are we struggling so much?
Dean:That's a great question. As we were talking in our little pre-game here, there's so much that in that Andy. Okay, let's, take it from this approach. There's 19 seasons of the Verizon DBIR. Again, a ton of data. It's not market-driven. It's… This is just what exists out in the environment. It's a very important report. It'll drive the narrative now for a year. For a year now, you're gonna hear patch, vulnera-vulnera-vulnerability, okay? That's gonna be the narrative for 2026 going into 2027. But the big three have always been, in any particular order, patch management, social engineering, and credentials. For the 19-- For 19 years, it's been kind of a mix of, those three. Like Andy said, this is the first year where statistically, the, let's call it flaws on software, vulnerabilities, software not patched and so forth, is giving people, the bad actors, the greatest probability of an initial foothold into an environment. And as Andy mentioned, a huge number of those vulnerabilities are known. They've been out there for a while. In other words, they're not zero-days, yet they're still not patched, and the, question is why? And, I kinda have an answer for that, but even before that, just give me a minute to touch on that, 'cause I, think you're gonna have-- You have all kinds of amazing guests. You've had, Jim Edman, Scott Erkonen, and I think Dr. Ashley's coming on board here pretty soon and whatnot. And something that I learned from Dr. Ashley while I was a student of hers in cyber ethics, and also if you look at what Jen Easterly at DHS CISA talked about, especially back in 2023, which I completely agree with, is that especially Jen Easterly was driving the notion that we as customers and we as those that, that sell IT services and so forth must demand higher quality software, that's written by the manufacturer. It's at what point in time are we gonna say enough is enough? We need our software to work. Okay, we're human. mistakes are gonna be made in development and so forth, but we're patching constantly, and we're patching everything from software to what we would call hardware devices, to our vehicles, to our phones, and, especially in the day of these large language models and their ability to, look through code, which is, typically English and based on these mathematical axioms and so forth In my opinion, and I'm not a developer. The days of writing sloppy code should be over now. Okay? So it'll be interesting to watch the DBIR, 24/7 and stuff come down to see if the rate of this patch management and so forth goes down. Okay, why aren't people patching? the people that I talk to day in and day out, hundreds of people, a year, fantastic people, beautiful people, intelligent people, they really, care about what they do, but they're, just so overwhelmed and wearing so many different hats that maybe patch management slips to kind of the bottom of the priority list. It's "Oh, we'll get around to it when we can." that's what my gut tells me. And, just really quick, Andy, I am aware of organizations, I'm very close to one of them, that has 80,000 endpoints, and they patch diligently day in and day out. I've seen their reports. I kind of used to be associated with that organization in a past career. But they have two people that are dedicated just to patching, but they're able to, 80,000 endpoints and how many devices. It can be done, but it's really, I think, a logistical human, we have so many other things to do that maybe it just falls to the bottom of the list.
Andy:Yeah. So just a, capa- I mean, we all suffer from capacity problems-
Dean:Absolutely.
Andy:sometimes, right?
Dean:Absolutely.
Andy:So I get ya. It's, can be a little bit overwhelming.
Dean:Yeah. And that's why these outsourcing of services and stuff are, so far, are so important- because maybe if you don't have people that you can dedicate to patch management, maybe there's ways that organizations can help you out with that.
Andy:Ya know it occurs to me that there's another sort of subset of all of the companies out there, that have another struggle with patching, which is you've got to take systems down-
Dean:Absolutely.
Andy:to patch things, and not everybody can just do that at a whim.
Dean:Thank you for bringing that up.
Andy:Not everybody can do that even on a schedule.
Dean:Yes, sir.
Andy:Yeah. you take your critical, mission-critical environments, your hospitals. your financial institutions, it's really hard-
Dean:Absolutely.
Andy:to find just a time to do it-
Dean:Absolutely… Andy: and get everything So talk just a little bit about that, and I mean, how do they, deal with that? And Brandi and I were, chatting last week. I came from the service provider industry from way back, and they have, in some of their systems, they have this concept of in-service upgrades. Yes, And containerization has given us a lot of that capability.
Andy:Is that… Are we making progress there-
Dean:I think so.
Andy:for those critical environments? Where's, the path look like?
Dean:and that's right. Containerization, the modularization. Boy, that was a mouthful.
Andy:Say it again. That was fun.
Dean:Where's my Monster energy drink?
It's 8:30 in the morning, folks. Give me a little bit. But anyway, yeah, the making software more modular where you can, shim out a piece that needs to be updated, fixed, tweaked, or- and shim that back in while still have it operating is one way to do it. Having worked in the financial sector, it's like, why have one mainframe when you can have two? You know what I mean? And we'll take this one down, and this one will take over, operate, as a HA pair, active-passive, or whatever. That's one way you can patch. But what does that do, Andy? That doubles the cost of your hardware expenditure whatever. I mean, so like it comes down to an expense thing. Again, I'm always trying to contextualize the whole conversation of information security in terms of risk management. Okay, so you gotta look at, okay, what is the risk of not patching this thing? Okay, maybe I have to patch it. Maybe I have to bring a machine down. Maybe as a result of that, I have a green zone or a window that people expect, patches to happen or a service to be offline for a couple hours or so. And the business, depending on what it is, maybe you just have to bring that system down for an hour or two while you patch. Okay, that… Can't bring a credit card system down. You can't bring a medical device or whatever system down. So it's not, there's different ways to skin a cat depending on what your scenario is. But, just let me leave you with this, Andy. In terms of risk management, I think now we have entered a time where, in addition to what you said, Andy, is that if I patch something, is it gonna break something? And from a political standpoint, is that then gonna make, all my employees mad and, the, board and, the, C-suite and stuff like that, if I patch something and it breaks something? And the answer to that is, is there a probability, is there a "probability" of that? Yeah, absolutely. Okay? If I don't patch it, then what's the risk? Okay? And then you kinda have to balance that out. And, my knee-jerk reaction today is, is if it's a critical risk, patch that thing, patch it fast. And what I mean by fast is 24 hours, 36 hours. I wouldn't even go two days. I mean, if it's critical, if it's zero day, patch it-- Might it break something? Are you gonna make some people mad? Yeah, but they're gonna thank you when you don't get hacked. I mean, sorry for the aggressive, blatant language there. But then if it's a, high, if it's a medium and a low, then maybe you can take a little bit more time. CISA has a known vulnerability database out there online that you can Google, that'll tell you what flaws are out there and what, are actively, have active exploits out there and breaches happening and so forth. Take a look at that. You need to be able to patch those things like yesterday, and you need a software solution to help you do all of this. It's just impossible to do it manually.
Andy:Yeah. Very good. So matter of prioritizing et cetera.
Dean:Yes, sir.
Andy:Is it realistic, or even necessary to patch everything? You mentioned the organization that has, like, dedicated a lot of diligence. Do they patch everything?
Dean:Again, I'll keep this in real terms, right?'Cause we're all here about being brutally honest and so forth. Will everything always be patched? Absolutely not. Is the goal to do it that way? Of course. But that critical stuff, the high stuff, the zero-day stuff, that has to be done. And if we have a CISO or any types of those people, CIO, listening to the podcast today, please, you need to see reports maybe twice a month, maybe once a month, as to what vulnerabilities are in your environment, what are critical high and so forth, and what's been patched and what hasn't. And, in a very compassionate, sympathetic way, you really need to be on whoever is responsible for that stuff to make sure that it that it is being done. And, that's one of those fundamentals, that need to be day in, done day in and day out as perfectly as possible, like sleeping well, hydrating well, like eating well, like exercising well. That is an absolute fundamental. Because if you have flawed software out there, it's gonna, like having a bad night's sleep or whatnot. If you have fla- flawed software in your environment, it is just gonna trickle down. It just affects so many other things in a domino effect way inside organizations.
Andy:Just kind of become a part of a lifestyle basically to stay up with things.
Dean:Absolutely.
Andy:So prioritize. There are resources, DBIR, CISA, with their vulnerabilities done. Known vulnerabilities. So use those resources, make a priority list. Get the critical ones done.
Dean:Absolutely. Yeah. Absolutely. Yeah. Great topic.
Brandi:Before we transition, into this next section, which, can you quickly… So it, it- strikes me odd that we have not developed something that can automatically patch systems. Like some sort of service that can patch systems. You, talked a little bit about, and again, not a sales pitch by any means, but, like, are there resources available to offload that part of your organization to help you focus on other things? Can you quickly cover that before we transition into- does it exist?
Dean:Absolutely.
Brandi:Is it… Okay.
Dean:Yeah yeah. There's a few tools that I would say are kinda, kind of enterprise grade, that you could really, put them in place and sleep well at night. High Point can obviously help you out with those. There's, kind of a couple different ways to, skin a skin a cat, but definitely, yeah, the software is a piece of that, the proper configuration of it, the monitoring, the, reporting, the, conversation prioritization, the green zones for patching and best practices and so forth. It can absolutely be done. Has it been prioritized throughout the industry in the past? Probably not. Will it be prioritized now as a result of this report and all of the marketing that's gonna come out in 2026? Absolutely. But yes-
Brandi:Thank you.
Dean:The short answer is yes.
Brandi:I just wanted to… Okay. I just, I'm like, I feel like we're a little more advanced, there should be something. But- okay, so something caught my eye in here about ransomware, and I- we're all, we're not a stranger to ransomware, right? But it said that ransomware had gone up, but payments had gone down, and I wanna read a little excerpt here, and it said-
Dean:Yeah, yeah.
Brandi:"Ransomware grew again 48%"- "of all breaches, up from 44%." Not a big jump, but enough- from the previous year. So it says, "However, ransomware payments had, have continued to decline amongst the data set, as 69% of ransomware victims didn't pay." And then they go into what the median, I think it was like 139,000 versus 150 from the prior year. So can you talk… again, that kind of leads us into our next section. Why do you think that is?
Dean:I think the super interesting thing, if you can read between the math there, is what was that? 69% didn't pay? Didn't pay.
Brandi:Yeah.
Dean:Right. So how many do pay? 30%. You know, it used to be more like 40% of people pay. So the, a lot of people ask,"Do people ever pay their ransom?" Oh, yeah, absolutely. And again, that's a business decision, a risk management decision. Do we want our business back online now? So then do we risk paying the ransom? And again, we're, you're gonna hear stuff here that you've never heard before, and yeah, people absolutely pay their ransom. Do they get access to their data back? I'd say most of the time, absolutely. But yeah, more and more people are not paying the ransom. ransom, requests are going down. I think there's a couple reasons there. Usually when ransomware happens, a ransomware negotiator will get involved from an insurance company usually, or a forensics incident response team, and they're very good at talking the bad actor down from whatever the initial number is. We're gonna talk it down 20%, okay, 30%. So they're gonna, they're gonna talk that down. I think the, other reason of people just flat out not paying it at all is that organizations, I think especially over the last three years, have gotten more resilient or, maybe that's the right word, robust, capable of being able to recover their environments quickly. So having proper backup in place, immutable storage has been absolutely key. I know this isn't supposed to be a salesy thing, but, the, endpoint solution that we provide has kind of a special capability to have an immutable snapshot, if you will, on the endpoint itself so that if it gets ransomed, you can click a button and that machine will come back like that. So if you have the proper back-office components in place to bring your virtualization environment back, and then also the, proper software and configuration and so forth on the endpoint, you can bring those back very rapidly as well. So i- if you have those in place, the, realistic ability to bring an environment back from a significant ransomware, incident, I mean, it can happen quite rapidly, and perhaps that's why people aren't paying the ransom.
Andy:Interesting.
Dean:Yeah.
Andy:I love that word, immutable.
Brandi:Yeah.
Dean:Yeah. Right.
Andy:It's like, like Brandi's love for Coco, my cat, it's immutable.
Brandi:You're not even using that in the right context.
Dean:yeah.
Andy:Well, whatever.
Brandi:Right. He's not using it.
Andy:All right.
Dean:Yeah yeah…
Brandi:is he?
Andy:Okay. Okay. Well, i'll go study up.
Brandi:Maybe you are.
Andy:Maybe I am. Okay. Okay. All right. So let's switch topics one- … once again. Brandi loves Coco.
Brandi:Sorry to everyone who loves cats. There's, nothing wrong with cats. Just do not put that narrative out there, okay?
Andy:Thank you. So you hear… Anytime you talk to, somebody about protecting your cyberspace-
Dean:Yeah
Andy:there's this concept of reducing the attack surface.
Dean:Exactly.
Andy:give them something less to target right? For the bad actors. At the same time, companies are moving more and more things to third parties, to the cloud. Aren't we simultaneously increasing our attack surface by doing that? So I wanted to dig into that just a little bit. And again, it's the, statistics are very similar-
Dean:Yeah… Andy: in that third party space, So ya know, like almost a quarter of their known vulnerabilities never really get fully remediated. Yes.
Andy:Huge increase inin the attack vectors in that third party space, so 60%, I think, year over year increase there. And again, almost half of the breaches have some element of third-party involvement somewhere within the attack. I, it's fascinating to me 'cause it feels like we're talking out of both sides of our mouth here.
Dean:No, I know, yeah, absolutely. Again, a former employer financial institute, it… We had a third-party risk management program Where, we as an organization, not only do we provide services, but we receive services for, from third parties, and we had agreements with them to actually physically go out and audit their environments, because we wanted to make sure that their security operations were sound before we would partner with them. And, a lot of this happens on a contractual level."Okay, hey, I'm gonna, contract you to provide a service for me." And, as a customer, you can absolutely mandate, negotiate, whatever it may be, proof of that service provider having their information security program, risk management program to a level that it needs to be and there are standard ways to do that. SOC is probably the most popular way of doing it, SOC 1, SOC 2, SIG and so forth. You can go out there and maybe do a little bit of auditing on your own if you have, folks that have the ability to do that. But yeah, ironically, we talk about patch management. A big thing for me, again, is identity. A lot of times we allow third-party consultants into our environments in order to do work, and best practices is that access should only be allowed just in time, only for a certain amount of time, and that consultant should only have access to whatever he or she needs during that engagement. Maybe it's a three, four, five-hour thing, maybe it's a two-day thing, but then once that engagement is done, that access, that access should be taken away, in my opinion. So that comes down to identity, authentication, authorization Just in time, only for a certain amount of time, only when you need it. Basically that consultant that's coming into your environment should abide by the same standards that your own internal employees have. And, believe it or not, just an example, you may, outsource a service to a service provider, and then you may change a few years down the road, but you still might maintain those, accounts from that, that former service provider within your identity environment. Remote access might be left open, this, that, or the other thing. So yeah, that's definitely an aspect worth thinking about. And as we've heard our leadership, our- not only addition to you- the, our CEOs and so forth, that is the major factor on their mind is how do we keep High Point Network secure in order to keep any downstream, well, and upstream too, activity that we do contained in such a way that we never become a risk in that in that equation.
Andy:And every company should wake up every morning with that thought in mind, right?
Dean:Absolutely.
Andy:How do we protect ourselves and are the people that are connected with us, companies that are connected with us safe?
Dean:Absolutely. Absolutely.
Andy:I'm curious about the… 'Cause this 60% increase in threats in this space is a big number. Is that just a function of this growth with people moving services and moving software out, or is there something else at play there? What's causing this big surge in that particular threat landscape?
Dean:I think you're right, Andy. I think organizations are outsourcing services to people like ourselves, whether it be security services, professional services, whatever it may be, just because, IT, human resources, it's hard to find people, they're expensive, and so forth and so on. So I think that's a big part of it as well. Just the, what do I wanna say? The philosophy of IT, of so many things becoming as a service as opposed to, doing it yourself, right? Well, email, for example. Pretty soon you're not even gonna be able to buy Exchange Server on-prem any longer. I speak to a lot of companies that have ERP CRM systems, whether that be financial, higher ed, medical or whatnot, like you're not running Epic on-prem anymore. You're gonna run Epic in the cloud. You're not gonna run, Jack Henry or whatever, AS400 on-prem anymore. You're gonna run it in the cloud as a service. So I think you hit the nail on the head there, Andy- Yeah. Is that so many things are becoming as a service.
Andy:With… Before we transition into the- another topic here, but what can companies do considering this whole expansion of this, third-party involvement in our environments? What should companies be thinking about or preparing for just to address that and take care?
Dean:Yeah, like what do you mean address it or take care? Can you tell me more?
Andy:Just, I mean, yeah. What should you consider if you're considering, "Hey, I'm gonna take all of my stuff and I'm gonna move it out into the cloud, or out into a service provider, out into a third party"? What do you… what should you do along with just making that decision to protect yourself?
Dean:Yeah. Kinda let me go down a path and then interrupt me and let me know if I'm going the wrong direction or so. When it comes to security your biggest point of leverage in deciding on a service or contracting a service is this really goes into the legal realm. Your protection is gonna be whatever is said on your piece of paper. This is where the grounds are set as to who's responsible for what the boundaries are, if things were to occur, what happens, at that point. It gets into, liability, indemnification, so forth and so on. Another interesting one that I saw real world with a customer of ours is that they had a bunch of data, let's just say over here in this cloud repository, and they really needed that data to feed another service in somebody else's cloud, and there was a steep transaction fee to move it out of one cloud or one service into the other. So not only the network bandwidth, I mean, we traditionally paid for that, in these services as well, but now people really wanna… People wanna make things sticky. Is that kind of the sales term or whatever, whether it's a car salesperson or whatever, they wanna make some. So the way they make it sticky is that once you have your stuff, your data, your applications or whatever in a certain cloud or a certain service or whatnot… this gets down to an ethics thing. They sometimes wanna make it difficult for you to get out of that and into something else. And I'm proud to say, especially our SMART team, our professional services team, is very aware as we evaluate and choose people that we partner with, whether it be email security, endpoint, SOC, whatnot, firewall, we are very cognizant not to pick sticky solutions, because we want our customers to have the flexibility to change as the industry evolves. And then for selfish reasons, at High Point Networks, we want to be able to pivot to the latest and greatest technologies, especially where it adds the most value and ba- We want to have the freedom to do that, and if we are in a sticky situation with our partners, that hinders our ability to be flexible and nimble. We're very cognizant about that. That's a great question.
Andy:Makes a lot of sense. So be thoughtful, be thorough- read the fine print,
Dean:Yes.
Brandi:Yeah. I like it.
Dean:Yes. Like, IT and legal should be like this. Yeah.
Andy:Okay.
Dean:Cause if information security is risk management, then, and you bring into regulatory compliance and all that other stuff, and okay. Anyway, sorry to interrupt.
Brandi:Yeah, no. I just- quick. I'm gonna… I want our listeners to hang on. I know we're going over time. We've got a couple more points that I want us to drive home, so thank you for staying with us, and if you could just stay with us just a little bit longer. This episode's gonna be maybe just a little bit longer than normal, but as we kinda wrap up- kind of into our, last topic, we've not… I don't think we've had an episode yet where we haven't talked about AI. And obviously-
Andy:Not yet. Not yet, and not this one either.
Brandi:I don't think we have, and we're not gonna make any exceptions here, but-
Dean:this could be its own one-hour talk,
Brandi:I think it's interesting because as much as we're using AI as users, and we're finding it very convenient for our work lives, well, the hackers are also doing the same thing. And so can you just touch on, how do we fight this? I mean, is it… What tactics are we supposed to use? if they're using AI, and we're u- are we using it against each other? Like, tell me a little bit about that as we kinda drive it, drive the episode kinda home here.
Dean:You have to fight AI with AI. There's no other way, period, full stop. Okay? Like, seriously. And here's what's going on in real time, and in-- A lot of people don't know about this, but I think in the beginning of April, the Anthropic folks came out with a large language model called Mythos. And the… I think the primary reason of that, circle back to the beginning of our conversation, was to look through code and to find vulnerabilities so that those could be fixed and patched and whatnot, and here we are and we're off into this new era where we don't have to patch enough. Okay, so they build this large language model in-house in especially software that they can see the source code of. They let this large language model just tear loose through software. And there's only been-- I've been doing this for, like, 30 years, in security specifically for probably 20. There's only been a few times in my career where I've sat back and went This is one of those. Mythos. Okay. The most secured operating system probably ever developed, and I think most of the audience would agree with this, is Berkeley BSD, the Berkeley system distribution of Unix, has been bulletproof for, like, 25 years. Mythos found a 25-year-old vulnerability in BSD that's active today. Okay? It found tens of thousands of other zero-days out there that are active today that just haven't been-
Andy:Haven't been exploited… Dean: haven't been disclosed. Okay.
Dean:Right?'Cause the government and everybody is like, whoa, whoa. Okay? So what Anthropic has done is they've invited, let's call it the big dogs like Oracle and IBM and Microsoft and I'm sure Palo Alto and, some of these others, SentinelOne, CrowdStrike, whoever, you know, the big players in the tech space to have, and, Eli Lilly and Citi and you, you get the point, the government, access to Mythos to get ahead of this before Mythos is intentionally released or accidentally released or maybe, DeepSeek or somebody else invents their own model with the same type of capability to get out there ahead of time to start patching things. And when I used to sit on the customer side of the camera, one thing that I absolutely hated was listening to… going to a conference and listening to a seminar that was fear-based.
Andy:Yeah.
Dean:Absolutely hated it. But what I need to bring forth is just especially, Q3, Q4 2026, Q1 2027, we're gonna see an onslaught of zero-days as a result of these LLMs finding exploits in software like nothing we've ever seen before. So how do we fight that? Again, very proud of our, managed services, our smart team, that we're very intentional that our patch management platform are plugging into these LLMs. Mimecast, our email platform, is now plugging into Anthropic. SentinelOne, I think, is plugging in or is going to plug into Anthropic as well, who's the creator of Mythos, right? So these services, if they are plugging into what's kind of taking shape, and I know we're running long, I'm sorry folks, is that there's gonna be this abstraction layer in the security world that are run by these large language models, right? That could come from Anthropic, it could come from Palantir, who's, largely military-based. But like, your email security is gonna plug into that, your firewall is gonna plug into that, your endpoint and patch management is gonna plug into a singular or maybe multiple, but an abstraction layer of AI, and everybody's gonna have that, and that's largely gonna be how we fight AI with AI. And again, I'm, I know this isn't a salesy thing, but I'm just very proud of our smart services team to have the forethought to ensure that the products that we offer are already plugging into these LLMs. And it's… This is just happening. Like the Mimecast thing I think was just released like two weeks ago, how they're plugging into to the Anthropic backend.
Andy:Yeah. Very cool.
Dean:So yeah.
Andy:Well- All right. I think we're gonna wrap it up.
Brandi:Yeah, let's do that.
Andy:But I'm gonna wrap it up with a call to action-
Brandi:Okay.
Andy:for the audience. The call to action is you can go download the DBIR for free. It's a little bit overwhelming, but again, it's actually a fairly easy read because of the way it's very well-written. But there's a section for industry, and if nothing else, go find your particular industry in there and read through the recommendations. What are they finding as the biggest threat vectors? What are they finding as the biggest types of attacks for your particular industry? And that's maybe a way to start prioritizing and go deal with those things first.
Brandi:Page 80 and 81- and 81 if you would like to. I mean, there's a little bit. There-
Andy:Thank you very much.
Brandi:There's some information more, but that's kind of the overview. I just wanted to find it for people-
Andy:Yes, thank you very much for doing that.
Brandi:-so it'd be very easy for them to do it. Dean, thank you for being here. Yeah. Thank you for being just my co-partner in unpacking this for so many years.
Dean:Oh, this was beautiful. Yeah.
Brandi:I genuinely appreciate your insight and your time, and I know other people do, too. Again, folks, I know we went long. Thank you to everyone listening for hanging in there with us. I Promise you, this report is worth it, and speaking from the heart here, from someone who's very non-technical, it was very easy for me to read. And if it's easy for me to read, I guarantee you can read it, too. And if business owners, people who don't even … if you're not even in IT, I would highly encourage you to download it and just kind of read through it. Even if you just don't get past the introduction, there's some really, really good takeaways there. Dean, thank you for being here. Andy, as always, thank you. For everyone out there, if you wanna hear more from Get to the Point, please hit that Subscribe button. Follow us on social media. Hit our website. You wanna hear something, let us know. We'd love to interact with you. We'd love to learn about what challenges you are facing. Take us home. And thanks for joining us for this bonus episode- There you go.
Andy:of Get to the Point around DBIR, and remember, we're always here to help you get to the point. Have a great day. Thanks for joining us.