94. How one unsecured printer can take down 11,000 devices (with Jim LaRoe, Symphion, Inc.)

Hello everyone and welcome to another episode of the Security Podcast of Silicon Valley. I'm your host, Jon McLachlan, and I am joined today with a very special guest, Jim LaRoe, the CEO and founder of Symphion. Welcome to the show, Jim. Thanks for having me, Jon. So would you like to share with our audience what is Symphion? Sure, sure. What do you guys do?

Hello, we're Dallas, Texas-based, we've been in business since 1999, we're currently the world leader in print fleet cybersecurity, protecting the printer endpoints across the United States predominantly. We're protecting print fleets that have over 30,000 printers in them for large healthcare systems down to print fleets with 300. It's a big gap in cybersecurity, so we thought that it would be important for your audience to hear some about that.

No, thank you so much for joining us and giving that nice, succinct summary of the type of cybersecurity that you guys think about and you guys tackle head on. And you mentioned you've been doing this since 1999. Yes. That's a hot minute. Well, we started with the CMDB, you know, you got a technical audience, right? So we had an alpha customer here in the Metroplex that needed what they described as a configuration management database, which they anecdotally, they had an incident where somebody took down a server for maintenance and it was really integral to their credit card processing worldwide.

So they couldn't process credit cards for about four hours on a Saturday, two weeks before Christmas. So they needed something to put everybody on the same page for, you know, what infrastructure map to which application. So we built them a CMDB with all the intellectual property rights to it, and then we moved out from there with all sorts of scanning techniques that we developed to do agentless scanning and fill that up and keep it filled. And then we got into the printers in 2015.

We launched a managed CMDB service. Okay. So we manufacture the software and we deploy the people to operate it remotely. So that really went over very big with the large IT outsourcers to have reporting responsibilities to their customers, especially in healthcare. You know, they have to keep track of all the assets through their lifecycle and their configurations and their versions that you got all that forward. One of the big printer manufacturers said, Hey, can you come sell that to our customers?

And we got into this alternative universe of the printer endpoint and how it's grown for, you know, almost 40 years outside of IT and IS. And it's really a forgotten endpoint from a cybersecurity standpoint. And it has all sorts of issues with it from a protection standpoint that don't correlate to its brethren, PCs and servers and other network element type endpoints. So that's how we kind of got to that space. And then we developed some software that will control the settings across all the makes, models, brands, ages, firmware versions of printers, because they're IoT devices with disparate operating systems and different manufacturers hidden entry point API accesses with their own software.

So we built the software and put it in a managed service to deliver a whole program of cybersecurity cyber hygiene, basically for that endpoint. Now, that's really interesting. I've always thought of like endpoint security in my mind just instantly goes into like laptops, employee laptops, contractor laptops. How do we and how do we manage like interns, printers, though, in the startup space, maybe sometimes get thrown into that category of like good problems to have.

What's your ICP? Do you notice like a lot of highly regulated industries have strong security requirements around their printer endpoints? That's a great question. One of the, you know, complacency is the enemy of cybersecurity, right? Across all the industries, 20% of their endpoints are typically printers. Wow.

And 99% of those are unprotected, sitting at factory defaults with a published administrator password on the network, all the ports open. Then you've got 360, all it takes is one of them to compromise the enterprise. And there are a number of ways with the 360 degree threat landscape on each one of those. They receive, transmit, process, and store the most sensitive data of the enterprise. And they offer lateral movement from our Red Hat guys that are out there doing ethical work, ethical hacking, you know, they store credentials for ancillary systems like your email system and your file server system and your credential system.

And oftentimes at administrator godlike privilege level stored in the printer. So they, they're like a goldmine of data and access and lateral movement capability for the bad guys, you know, both internal and external. Wow. So I'm smelling things like a vulnerability lifecycle management remediation requirement creeping in here as well as virus detection and, and endpoint AV systems, like maybe even being scoped to printers or if I'm operating a large organization, we have several offices and each office has like physical printers as a security leader.

How should I be thinking about printers? It's a big question. Let's jump into that. So you've got some time here on your bucket. It's like, look. Oh yeah. 40 years of these devices growing out of analog that came from analog and it, then you've got the belief, everything's getting digitized away, right?

It's not really happening like that. I mean, they're tier one app support in hospital systems. You know, you can't process patients without the printers. They're supporting admissions, you know, discharge, the pharmacy, the labs, all the, all the stuff that's out there and, and its legacy, you know, built in. I mean, some of these systems have, we've got one that over 30,000 printers in it, you know, you know, 150,000 other IOT endpoints, that kind of stuff that's out there that it's really big.

It's been traditionally owned by supply chain and procurement. This endpoint has not by IT, like your PCs, your laptops, your other, what you would consider, you know, mainstream endpoints, right? IS has got their hands full. Information security. Yeah, they're, they're busy. Yeah. They're blamed for everything and responsible for everything and, you know, not sleeping at night and stuff.

And, and so this endpoint really is grown up in its own fiefdom outside of, of IT's purview and outside of information security. So it's kind of grown up where the manufacturers have competed with laying all these features on this camera and this paper sorter that are, you know, business enabling features like giant hard drive, FTP, fax, email, web, all sorts of servers built into it. All these ports and capabilities open and the security features available to harden them, but when they get placed on the network, they're not hardened.

So we start the program with basic blocking and tackling. How many do I have? We go into, we're on calls all day, every day. And it's like, you know, I've got 15,000 devices. I think, I don't know where they are, what they are. I don't have an accurate inventory. It needs to be maintained evergreen. We talked about IT asset life cycle management.

That's a challenge. Security configuration management, patching, you know, blocking, like basic blocking and tackling for cyber hygiene, certificate management, monitoring, remediation. All that's out there. And the thing that comes in that printers are really the top of Mount Everest of complexity for IoT internet of things devices. Okay. Because they've got 40 years runway of all this configurability and business enabling built-in solutions.

They're this sleeping dog over there that's lying in wait for something to happen. They have different, each manufacturer has a different OS for even in the same model sometimes, and they don't allow access to security settings or capabilities beyond their own software to manage them. So your security professional knows it's out there. Okay. How do I, and it hasn't been a budget line item because the whole, there's a $40 billion a year industry that manages the printers.

It's called managed print service industry. And it's, it's a big one and they supply the devices, the toner, the break-fix, paper, all the care and feeding of that print service. They don't have a line item for security of the devices. They haven't had a line item. So what the IS folks are charged with is they've got, and they usually are challenged with budget arguments and board proof and risk and how do you prioritize this risk?

And, you know, printers don't really oftentimes make it to the top of the list. So we've got some ways to help them with that, but it's 20% of their end points. So what we see a lot of them doing is running their vulnerability scanning software, like your Rapid7, Tenable, something like that. That's designed for the desktops against the printers, looking at the outward vulnerabilities and then saying, Mr. IT, Mr. CIO, go fix it.

And then they have issues of finding budget for doing that, where there has been none. And they've got sometimes arguments politically with the supply chain and procurement that's been running that for a while. So the first thing they need to do is find, you know, an owner for it that's willing to sponsor it, set a policy and then enforce it. So it's easier said than done, but that's kind of where we're at in that market. Wow. No, that's incredible.

It's just something that I don't think crosses a lot of people's minds, maybe until it's too late. And, you know, those smart devices, you can log into them. I'm sure they're just running like variants of, of some Unix based system. Yeah. You know, they, they have to stay online. That means like SSH is on there, who's going to take the time to strip down like all of those vulnerabilities.

And then a printer, you just think of it as like, Oh, it's that little thing that's over there, it sits there. And then like, as the zero days come out and as all of the other vulnerabilities come out, like there's that thing that's like, you never really update it, you never really touch it unless you have like a deliberate intentional program. It sounds like you help take care of a lot of that. So.

We, we take the lift, no operational lift. We'll do all the blocking and tackling the required to, and we do three year contracts per device pricing inclusive. So they can change the pricing out for the devices when they get new ones. It's huge value. We just designed the program to fit the gap. And the challenge is with the customer politically, I'll give you some examples. We were on a call with 15,000 printers in the print fleet.

They thought, you know, 15 to 16,000, that's a big difference, right? To not know where you have, what you're using and everything. And those guys, it was on with the CISO of the company and it's a big hospital system and our partner basically put the brakes on and said, Hey, we've got to have a security profile because our partner's trying to sell them a five year managed print service contract. It's millions of dollars. And they're, they're saying, we've got to have security.

How are you going to secure all these disparate brands and models and locations and how are you going to, you know, harden them, monitor and patch them, all the basic stuff that you need to do for cyber hygiene. How are you going to do that? They said, well, we're partners with Symphion and they're the world leader in this space. So they get us on the call and they're like, man, this is the best thing we we've had.

You know, it's, it's, it's fantastic. Well, then they start negotiating their management and they said, we're not starting anything to get Symphion straight. So then they start negotiating their contract through supply chain and procurement, the GPO, the group purchasing organization that's in charge of that red lines, the security out and the CISO has no juice on that because the supply chain has owned it. So, you know, they're coming back around, but it's, uh, the whole managed print service industry is selling cost elimination in the print service because of the perception of digitization and then you've got the whole printer manufacturers.

Their job is to move their factory and that includes move their devices and their toner and the things they manufacture, right? Right. You've got those and they build in features to do that and sell the features, but they don't enact themselves, enable themselves.

So they have to be constantly, we've got other examples where they've been hacked through a printer, you know, big system, 11,000 devices hacked through a printer. We love you Symphion. We want to go with you where we're going to wait two years for a managed print service contract to be negotiated to include you in on that before we do a single thing, so yeah, and it's really, you know, this is for your audience, your IS audience, it's a quick win.

I mean, think about it. You've got 20% and we can give you published tax. I mean, these devices are set to phone home back to the manufacturer on the network most of the time for updates and things like, when would you ever do that with a good shot? You're not going to allow the unmonitored communications off your network by a product manufacturer, unless it's sanctioned and you, you, you rule that. Right.

We've had others where they love the whole program, but they can only do passwords, only inventory and passwords components of it. So it's very clearly the forgotten endpoint. And this is where IOT is headed. I said, it's the Mount Everest, other IOT devices, you know, you've got, we're doing cameras, we're doing power supplies, things like that, that are all hackable and entry points into the network out there as well. You know, it's what can they do?

They can make the company aware of it, establish controls, a policy, and then enforce it. Sure, sure, sure. And there's a business case to be made, right? If you have like PHI, if you have classified information, if you have like, I could imagine all sorts of things, anything that's not basically a totally air gapped space, you have risk, right? So.

It's all that way though. 10 years ago, there were highly published hacks where they're hacktivists that went out there and they found like one of them found 800,000 unprotected printers in the United States and sent out some antisemitic stuff to all the universities across the country to 150,000 of them to print. You know, you can print on the printer, you can hack it and you're on the network. And then there was another one where Cyber News did a pick 28,000 of them and printed out how to protect your printer manuals on that.

And that's 10 years ago. Think about it now. I mean, this is, they're looking for weak spots. They didn't even need AI back then. And now it's off the chain and it's kind of like, you know, I told one guy the other day on a show, it's like, look, it's like putting gasoline on the raging fire already because you've got these vulnerabilities sitting there that are wide open, you know, with the published administrator password on a lot of them on the network based upon the model.

We're on the protect side, you know, so we don't talk about hacking the device or anything like that, but ethical hackers do the job. I mean, they, they've got it. They're like, man, if I want to fail somebody, I go after the printers every time. Yeah. Yeah. Yeah.

I know it's real. AI is just going to make everything happen that was going to happen anyway, is going to happen much more quickly. I agree. So that increases the risk, that increases the cost of, you know, these breaches and it's just going to happen much more quickly now too. Yes. But that's, that's why the risk is going to go up.

I'm curious though, what's been your proudest day as an entrepreneur? No, we're still looking forward to the proudest days. You know, every day we have successes and we have challenges, you know, from an entrepreneurial standpoint, you've got all sorts of different challenges every day that arise and you build process, you stay with the process, you adapt the process, you empower, you hire really good, smart people and empower them to do their work. I mean, all those things, you know, you still have challenges, but. Of course, of course.

Are you guys entirely bootstrapped? No, we're, we're making money, man. And we've been a business 25 years. We're a very profitable company. I mean, no outside investment? Did you guys take outside investment? We got with an accelerator down in Austin called Capital Factory a few years back and worked with them a little bit, but the terms were not right for the investment community to dive in.

We talked to some of the OEM manufacturers, the folks out there, cause it's in their industry, you know, but they're, they have their own politics of software that they develop and things like that. And that's been a few years. That was a good experience though. Capital Factory out of Austin. Yeah.

Entrepreneurial activities just in general. They're just, they're tough. They're really gritty. And there's lots of really high highs and there's lots of really low lows and, and like incubators and accelerators, those are all like great ways to just sort of ground ourselves, focus on the right problems as entrepreneurs. You know, if it was easy, like everyone would do it, right. And it wouldn't be, it'd be a big deal, but I think it is a big deal.

One of the best things we got out of them, John, was they introduced us to the Small Business Innovation Research Award. The SBIR? Yeah. Yeah. We won. That's perfect. Did you guys go for one of those?

Yeah, we won. We won two of them. Congratulations. That's amazing. The CISO for one of the armed forces was going to take us to stage three immediately. And then the CTO is our sponsor for that armed forces, that armed force, and he retired and then a new one came in and had a different approach that they wanted to take, and I'm not sure they've done anything yet, but you know, it's still, we still have the SBIRs, one for Print Fleet Cyber Security as a service and the other, you know, it's the same platform for IoT devices to IoT information as a server or cybersecurity as a service.

And it's a comprehensive program just like that. So we have to adapt our technology and process to the multiple layers of confidentiality in the government for them to be able to adopt it. So that was the SBIR for us, but we, yeah, we won two of them, man. So we still have those, and that was a great introduction from the incubator there that we got, we got dialed into the federal government a little bit.

Excellent. Amazing. Amazing. What did you do before you were an entrepreneur? Lawyer. Trial lawyer. Trial lawyer.

Wow. So I bet you're, you're just brutal with those negotiations. Oh, I don't know about that. I'm a, I'm an engineer by training. You're an engineer at heart. Yeah. Yeah. I engineered first and then went to the dark side.

Yeah. I see. I have lots of friends that did that, that, you know, the computer science and like being good with like logic cuts over to law really well. I guess, man, I don't know. It's, you know, it's a challenge. I mean, figuring out the human piece of it, you know, the complacency piece and cybersecurity.

You know, we see this giant gap and it's like, it's, it's, it's huge. And it's like, you know, we we've gotten the price down where it's all inclusive and affordable. And, and, you know, we've got some just are like, depends on their maturity. I guess, you know, some are just like, yeah, we've got to have it now. Let's go. And others are like, are you serious? There's no risk there or something, even though it's 20% of your end points.

And we can, we launched two new services. You're putting a press release out this week. One is an enterprise assessment. So the ones that have the hard case board member that can't believe that our printers are at risk, you know, we do electronic assessment, process assessment, give them a board ready report in plain English that shows them the risk, you know, scoring for how bad it is. That sounds like a great starting point.

Like just like measure before you cut sort of thing. Yeah. It's, we, we will fail everybody. I mean, it's, it's just. Do you, so do you have like a red team member like in the house that helps with some of that risk assessment? No, we don't do that because we're, we're, you know, we, we know what, we know what should be placed in the protection bucket, right?

We know that these it's a, it's a 20 point assessment. 10 points are electronic on a 500 device swath of the print fleet. And we'll, we'll take it soup to nuts from everything from like hardening of the passwords internal to the device, the hardening encryption of the hard drive, the USB port access for walk-up access to the devices, they all have that on them, you know, for the Sony type hack and it, you know, and password hardening, you know, all the configuration ports, things like that. And we'll, we'll develop that against our model.

And then we look at the process too, because when they're adding it, you know, they call it the, the IMACD process, the install, you know, move around device, add, delete process, you know, change the devices, what's their process. However, they're recording it. The big problem that these big fleets have is they have newly added devices that aren't configured or patched or under the purview of the program. So our program, you know, we investigate that process, how they're doing it now. And, you know, look at their CMDB, how they're maintaining that, the things like that, how are they enforcing, like a big deal in the industry, you know, you got personal behavior, like, you know, clicking on an email or something that we all know about, right.

In the print industry, the human behavior is when somebody works on a device, they reset it back to factory. So they could have the best configuration on the planet earth. And a technician who's been trained in doing this for even five, 10 years, they're going to reset it back to factory defaults after they work on it.

And how long does it take you to discover that? We discover our solution, we discovered it within hours and we have a standing change order remediate at the same day. So it's like, you know, how do you know that you've got a newly discovered device, our software discovers device on subnet within an hour. So it's like, we look at the change in the devices, the change in the configuration of the devices, we investigate that and give them a report because those things make them vulnerable, right?

They make them at risk, they increase their risk. We score it, give them a report, go to work. You can build some consensus like that. And then the other offering we have to address that complacency is we've got a light version, which is inventory called evergreen inventory, which is life cycle management of the devices, which with printers is really challenging because. They swap them in and out. They're not in a data center, like a server is with system administrators or anything like that.

They're not PCs like users assigned to them or laptops or something like that, that can, can see it. You know, they're, they're, they're swapped out and that device may be unconfigured, you know, it's sitting on the network and they don't know about it or, you know, they've got a spare, they added or something like that because the network drop doesn't communicate with the security group, we mesh all that together to, to give them that sort of information.

So we've got evergreen inventory and password management. So everybody understands passwords, you know, I mean, it's even though it's a, it's an administrator level password that's usually set out there like 0123456 published on the internet at default, you know, harden the password, full password management, settings for timeout, lockout, all that kind of stuff that is not being done. So we got them at a lighter price point on that to try to stimulate the complacency movement.

Yeah. I'm curious. I, I don't know on the top of my head, but is there like an ISO standard or any sort of prescriptive security standard that, that covers all of these types of devices and that like is, is something that some of these larger organizations try to achieve and then they have to come in and get an auditor and they have to use Symphion to help manage like this huge influx of printers and random end points on their devices or on, on their networks?

You know, yes and no. Okay. Yes and no. Okay. So NIST is, you know, let, let's start with the CVEs, what you were talking about earlier, you know, the scanning and vulnerabilities, they don't self report that much, and there's a dearth of, of CVEs on the printers. It's just what the printer manufacturers decide they're going to do, right?

It's not like the competitive environment that other end points have, National Vulnerability Database or anything like that, or SCAP type scanning. And NIST came out in 2015 with a, with an IR, I think it's 8023 IR. It was a standard just for replication devices. Okay. And they, they subsumed that into the current NIST without really referencing the printer specifically. So it's an overall basic cyber hygiene approach to, to cybersecurity.

I mean, so we're, we know we, we're standards-based program. We've got NIST, we've got the DISA STIG for the government built into it. You know, there's a STIG on it too. So, you know, that's, that's pretty solid guidance that we're basing that on. There are others out there, but man, it's, this is blocking and tackling. I mean, it's just like, inventory, okay. Passwords, shut down the unused ports and protocols and communications, you know, is this, is it secured communic- is it, are certificates updated and involved and stored, you know, cause we're, we're narrowing the time limit on certificates now because they've got to be changed.

I mean, are they being patched? Okay. And firmware in the printer space is a little, is a lot different because the firmware is not, you know, they got the readme file and the firmware to document it, but it's really not copiously documented cause it could be something about the camera, the, the operation of the sorter or the, the OS, or it can have security updates, maybe.

So, and people tend to hang on to their printers for a long time past the time when they're making firmware for them too. You know, they've got a lot of devices out there that are unsupported. I mean, think about your IS, you know, audience, I mean, unpatched, unsupported end of life devices sitting out there with no users, no, no systems looking at it, no DLP, no nothing, and they don't know whether it's communicating off the network or they're not segmented.

They're right there inside your most like trusted inner space. Yeah. And they are trusted endpoints because they're trusted to communicate with your email system. Somebody scans something to email it, scan it to file it, your file server system, your credentials, your LDAP system, it's got to communicate to that. So who's, who's looking at that? Where are you going to find those printer security experts?

It's a daunting task that gets pushed down in priorities because it's not sexy like AI or anything like that. We've seen the hacks across the board on the printers. Nobody's talking about root cause now, man. So it's like, I can't lay statistics about how, how likely am I to get hacked through my printer? I just, I can't do it. It's, you know, root cause is not published anymore.

It's the lawyers hide it for a couple of years. I'm exaggerating, of course, but it's not really at the forefront. You don't put it in a press release unless you're blaming somebody for it. You know? Right, right, right. Yeah. I get you. I hear you.

And it's interesting. It's like, these are businesses, right? So. Yeah. Given as a security professional, you're, you're part of the business and you have to connect business success to your security programs that you're building. And it's, it's really intriguing for me to hear about all of these things. And I'm sure it is for all of our listeners too, because I, I think it's one of these pieces that, you know, when we put our, just our security hats on, forget about the business for a second, like the security hat can go on.

You're only as good or as secure as your weakest link. And, and it's these things like printers, like we'll just kind of sneak in there. Someone like with all of the great intention of the world, like, Oh, we need to be able to print out like all of this patient information or whatever, like even for a smaller, like private practice, a dental office or something. And then boom, there it is.

That's your end as a security hole. Yeah. Supply chain too, John, because you know, the big push like a DOD right now and other like in the financial industry is supply chain, you got your lawyers, you got your accountants, you got everybody in the confidential information supply chain, not just the vendors, like the HVAC vendor at Target or something like that, but you've got all the vendors and it's all the way into the supply chain and everybody uses printers.

So, so let me ask you, if we fast forward into the future a little bit, I'll let you decide how far into the future you'd like to go, what does success look like? Just going forward. You're already the world leader in helping secure all of these. We want to be the de facto choice for everybody. We want it to be the first name that they think of when they think of printer security. And you know, it's, it's man, it's like ball in the ocean.

We have to make people aware of it. I mean, even you, you're a security podcast professional and your audience is the top information security people around, okay, and it's an alternate universe to you. So, you know, we're having, we're having to go and talk a ton to raise this word, articles, you know, a whole lot of effort to get the word out about it. And if they're not being digitized, they are to a certain extent, but in many, the volumes are up in, in the print, but it's not just that, that's tip of the iceberg, the other IoT devices, think about the cameras, how many IP cameras do you have on your network?

You know, they have a, an administrator password that needs to be hardened. And they communicate via as old arcane SNMP versions that are unhardenable. They have, you know, firmware that has to be updated. Those are things. And that's the number of Becker's healthcare, the, the big, you know, pre-article for, for healthcare.

They said the number one and two IoT endpoints getting hacked in healthcare systems are the cameras and the printers, you know, and then you've got all sorts of, you know, with the proliferation of wireless, you've got all sorts of endpoints that are coming on the network that have to be protected. I mean, it's a gimme. It's, it's not an exotic where I've got to have something sniffing the traffic on the network to identify something or anything, let's just use the built-in features, each manufacturer has incredible features built into the devices to protect them, they're just not being used and they have to be programmatically enabled.

It takes work to set that stuff up. You got to do some work. Yeah. It's a little bit of work. You got to maintain your security operations, your security programs. And it's cost effective too, John.

Nobody's going to do anything unless it's, unless it's a cost effective approach. And it's, I submit that, that it's a very quick win. It's an affordable, quick, no operational lift win for the IS professionals to, to get behind. No, I love it. And I, and I love that there's incredibly smart people and dedicated folks like yourself, like thinking through and grappling with these, as you put it, like less sexy problems.

It's not the latest and greatest AI thing, but it's, it's important. I bet people don't even think about it when we go to the doctor's office, when we're calling up our, our broker, if we still have one of those, like there are printers in those offices and those are just as much part of the cybersecurity ecosystem as the laptops that have access to all sorts of incredible systems in them, so absolutely.

You know, we make the analogy all the time that, you know, you've got, if you, your printer's not in the data center, but it's servers that are comply, you know, comprised of all these server class capabilities in the hard drive, that would be something that you would want to protect physically in your data center. You know, with all the technologies to monitor its communications and system administrators assigned to it and care and feeding that you would have with your servers that you don't, and it's sitting out in the middle of your floor with walk-up access to it, and it's got all these capabilities, so it's like, you know, and, and we're really the, the voice in the industry because the manufacturers, you know, they're selling their devices, they're selling features and the, the print, managed print industry, the big industry is driving costs out of it.

And security is, you know, if you put it in terms of the cost of the risk, it's nothing, right, you know, because the risk is incredible for a ransom or a hack or, you know, notifying people that you, you know, the lawsuits, the regulatory violations. Just look at GDPR, just look at CCPA, like you steal private information, it's expensive to recover from that.

And they don't know what they've got, you know, I mean, look at your, just look at a, like, you know, we first got into it, it's like, Hey man, can you connect to my SIEM, you know, security incident event management system, you know, and we started talking to IBM about QRadar and some of the others, and it's like, you know, the logs, we, we, we turn logging on, but the logs are filled on a printer with non-security events, you know, just tons of non-security events that are like, my tray is full or empty. It's not a security thing that you need in your SIEM. My door is open or, you know, and it's just a ton of non, non-actionable events.

And then what are you going to do? Yep. Am I going to sort through that log file and find that event, you know, and then send a ticket to the ticket, you know, the help desk, who's going to get some service vendor to manage, you know, to go out in a truck roll to the device and do something about it, you know, what's the time limit on that, man. You know what I mean? It's like with us, we're monitoring it.

We see it happen. We remediate it back, standing change control. So it's like, you know, the, the idea is, look, let's put at least speed bumps in for what's going on with the AI. You know, I mean, let's, let's put, we can't do without the printers. They're essential, you know, they're, they're numerous, they're risky, you know, we can't, can't just ignore them, you know, continue to ignore them. It's just going to be our downfall to do that.

So, you know, I'd give a big shout out to the print industry to, you know, look, I mean, let's get beyond brand a little bit and let's talk about this and with customers. Unify that. Yes. Very good. Very good. Um, no, I really appreciate all of that. That's a, it's a good perspective.

I threw a lot at you there, Jon. I'm sorry. It's a, no, no, no, nothing to be sorry about. Like, it's good. It's good. I'm super curious, you know, with everything that you've seen and everything that you've built and all of the success that you've like, you've worked really hard towards and the amazing future that you see in front of you as well.

If you could go back in time and meet your younger self, would you? And would you have any advice for yourself? You know, I've got four children, Jon. So I give them all that advice. I have two sons, two daughters. Maybe get on this risk sooner, you know, but it's, it's got to marinate. I mean, it's, it's just like anything else. We had to go through everything that we went through to get to this point.

So that's a great question. I don't know. I have to think about that and get back to you for next time or something. Yeah. You know what? Like, I think you answered it really beautifully. The journey is what matters. That's a good point.

I mean, it's, it really, you know, we're the sum of our experiences, right? It's like, everybody's focused on new this, latest technology, this latest technology, that, especially out where you are, right? I mean, especially here in Silicon Valley. Yeah. You're, you're in Texas, so. It's really like the Truman quote, right? The only thing new in the world is the history you don't already know.

So it's like, it's absolutely true. I mean, there's, you know, a ton of history with this particular end point. And it's, it's not new that it's a risk. It's been a risk for a long time. And, you know, we learned from the sum of our history and innovate with that. So it's like, I see this as no different from that. I mean, hopefully we learn. We're hesitant to go hard on the risk.

You know, everybody does that selling fear, uncertainty and doubt and it's risk. We said, look, we're going to step it up this year and start talking about the risk more because our partners are, they have different approaches to it and customers need to be aware of this and how easy it is to fix this. You can't eliminate the bad stuff, but you can sure mitigate it and with some basic steps. I love that.

I love how you just phrased that. Like it's so easy to fix this. It is. Quick quiz. That's a quick one. It's an easy, it's an easy button. Well, thank you so much, Jim. This has been amazing.

The CEO of Symphion, also the founder, right? Yes, sir. Yes. Yeah. Amazing. And thank you also to all of our listeners for tuning into another episode of the Security Podcast of Silicon Valley. I'm the host Jon McLachlan, and this has been a Y Security production.

Thank you. Huge. Thank you, Jim. Thank you.