LISTEN: I’m in With the ARCC Interview, Small Business Cybersecurity
Reg Harnish, CEO of OrbitalFire, recently sat down with Amanda Blanton, VP, Marketing and Communications at the Adirondack Regional Chamber of Commerce, to discuss cybersecurity and how small businesses need to think about it as a foundational part of business.
Originally aired on Hits 95.9, 98.5 WCKM, and 93 WSC The Legend, listen to the full interview HERE.
Read the transcript:
I’m In with the ARCC is brought to you by StoredTech, your technology, our passion, and Keena, your local HR professionals. And now here’s your host for I’m In with the ARCC, Amanda Blanton. Welcome to I’m In with the ARCC.
Amanda Blanton Thanks for joining us today. I’m your host, Amanda Blanton, Vice President of Marketing and Communications for the Adirondack Regional Chamber of Commerce. And today my guest is Reg Harnish. He is the CEO of OrbitalFire Cybersecurity.
Reg, welcome to the show. How are you doing?
Reg Harnish I’m good. Thanks for having me.
Amanda Blanton Absolutely. New year, it’s 2024. Lots of things are going on. People are making New Year’s resolutions. Some of them have probably already broken their New Year’s resolutions.
And one of the things that you want people to be thinking about this year and every year is cybersecurity, right?
Reg Harnish Well, yeah, and every year. And every day, really, I guess I kind of feel like we don’t want it to end up like a resolution, which, as you say, tends to get forgotten and disposed of, but rather a lifestyle change.
Amanda Blanton It is. Yeah. So we are here to open people’s minds up to it, teach them about why it’s important and all the fun things.
Reg Harnish Okay. Sounds challenging, but okay. I’m up for it.
Amanda Blanton It’s something you do every day, right? You live and breathe it.
Reg Harnish We do. We really take an educational approach to cybersecurity.
We know that, well, a couple of things. I think small businesses certainly have been late to the game. Cybersecurity is confusing.
And the industry has done them no favors, small businesses. And so a big part of our mission and job is to try and take all these complex problems and solutions and translate them and distill them down into things that make sense for smaller organizations.
Because honestly, it’s a lot of nonsense in our industry. And for small businesses, they’re challenged with figuring out, how do I take cybersecurity and turn it into something of value for my business?
Amanda Blanton Absolutely. Absolutely. And there’s something that I hear often, you know, in speaking with other professionals that deal with cybersecurity or sometimes in some amazing trainings that I’ve been taking from OrbitalFire, is that it’s not a matter of if a cybersecurity threat will happen, but when.
Right? Everyone is susceptible to it. Small businesses, nonprofits, medium-sized businesses, and large corporations. It doesn’t matter, right?
Reg Harnish It doesn’t. We don’t like the term, you know, it’s not a matter of if, it’s when. You know, we think people are already scared and we don’t need to scare them anymore.
We kind of feel like for small businesses, it’s a personal decision, you know, it’s much more emotional and connected to the people that are there because you don’t have 10,000 people in a bureaucracy. But for us, it’s really more about, let’s have a conversation, give you enough tools so you can make an informed decision and really sort of make it part of your culture, make it part of your strategy because it really, we’re at a point now where cybersecurity is getting in the way of small businesses doing things that they understand, like selling their product or service, getting insurance, keeping their best customer. You know, I think back 10-15 years when I kind of got into cyber and, you know, it’s akin to voodoo, no one really understood how to do it, or how to do it well.
And it applied even less to smaller organizations, like the entire trillion-dollar cybersecurity industry. They’re focused on the Fortune 1,000 period.
Amanda Blanton Okay.
Reg Harnish There’s nothing out there for small businesses. It’s changing a little bit, but I think only because now small businesses are getting to the point where like, oh, this cyber thing is really sort of a pain. And if I don’t do something, I can’t even bid on that next RFP or I’m not going to keep my best customer because they’re sending me questionnaires that I can’t answer.
I can’t get insurance too. So it’s, it’s becoming more mainstream for them and they understand it in a way that they can translate it into value for their business.
Amanda Blanton Yeah, absolutely. Um, you wrote a great article too recently, right? About committing to cybersecurity in 2024.
Reg Harnish Right. And it’s kind of how we started the show today – don’t make it a New Year’s resolution, make it your thing, right? This is it. So absolutely.
Even if you start by doing one sit-up or push-up a day, you can stick to that. Well, in two months, you’re probably willing to do two pushups and three pushups, but it really is a lifestyle change. Cyber is not something that’s done once and put away. There’s no real checkbox.
It’s a continuous, never-ending pursuit. You know, it’s a journey. It’s not a destination.
Amanda Blanton Absolutely. So do you have some recommendations for how businesses can understand how the cybersecurity can contribute to their actual mission, right? Like making it a part of their operations essentially, right? Like what are some recommendations you have?
Reg Harnish Well, you, you kind of hit on the main one, which is a commit to it. Recognize that cyber related issues, they’re not going anywhere. Right. They’re only going to become more frequent, more severe, more relevant to small organizations.
And so I think it’s really about at the business level, at the strategy level, recognize that if you want to continue to be a viable business, compete in your industry, minimize disruption and loss and reputational, all of these things, it’s going to take a commitment. You know, it’s, it’s, it’s hard work.
Amanda Blanton Sure.
Reg Harnish The good side of that is there’s not really a lot of rocket science in our business.
It mostly is pushups. Okay. You know, there’s no, uh, you know, no blue pills, no, uh, you know, fancy chemicals, no ab toners.
There’s really no magic. So in some ways it becomes very simple, but we know that that commitment is very difficult. And that’s it.
Amanda Blanton It’s not a one and done, right?
Reg Harnish It’s not a set it and forget it.
Amanda Blanton This is a change to how you operate essentially.
Reg Harnish It really is. Yeah. The second would be to really define as a business, how much cybersecurity makes sense for you.
And we call it risk tolerance. I try to avoid nerdy terms, uh, but your risk tolerance will really drive how fast and how far do you go.
And again, that’s a business decision. Yeah. You know, uh, most of my customers, they’re, they’re not the Pentagon.
Amanda Blanton Right.
Reg Harnish The Chinese are not after my customers, at least not yet today. Sure.
And that decision will really help you guide all future decisions because it gives you a sense of the intensity, the pace, uh, the investment that you’re willing to make. And it’s different for every business. If you’re in financial services or you’re a hedge fund manager, uh, that’s different than if you own a landscaping firm or you’re a manufacturer who makes, you know, titanium ball bearings for the F-35.
So every business is different and it is a personal decision, but understanding risk tolerance and really how important is cyber to you, that will help you, you know, sort of guide the vision for the program going forward.
That’s number two. And again, I feel like it’s just a conversation with leaders.
It doesn’t require any real knowledge of cybersecurity. You don’t need any expertise. You probably don’t even need a provider or a partner.
You can sit down with your leadership team and your ownership and say, what does this look like for us? You know what I mean?
So, the first two steps are very easy and very hard at the same time, and then we get into, you know, some of the actual practices, the nuts and bolts of it. And, and the first nut would be what we call a risk assessment, a nerdy term, but basically you look at what stuff do you have that’s worth protecting?
It’s usually almost always data. Obviously, reputation, money, those are in there as well, but it’s data. I mean, money is just data these days. Reputation is honestly just data. It’s a Google search away. Everything’s on a computer. Everything’s a one and a zero.
So, you got to say, okay, of the things that I have, what, what things threaten these and how vulnerable am I to those? Kind of like it gets a little more complicated from there, but you come out with this, what we call a set of risks or a risk register, which is in priority order, how vulnerable and exploitable am I in these different areas.
And it could be very general terms like my technology. I don’t have good process. My people aren’t well trained and their security behaviors are, are inadequate.
And once you come up with that prioritized list, now you’ve got marching orders. You’ve got what we call a cybersecurity roadmap, which is what am I doing over the next 12 months? Who’s doing it? When am I doing it? How much am I doing it? So that risk assessment is really fundamental. We encourage organizations to do that on an annual basis.
Unless your business is really static and nothing’s changing, enough changes over 12 months where you want to continue to refresh that. The findings from a risk assessment have a shelf life and they expire.
So that risk assessment really is sort of your plan. That’s the best way to do it. Now it’s not easy, and generally speaking, you’re going to need someone who has a bit of expertise in that.
The value of it is almost incalculable.
Amanda Blanton Yeah. Yeah, absolutely. That totally makes sense. And my brain is spinning as you’re saying all these things, like even if you had a changeover with staff, that’s enough of a change in your business for you to maybe reevaluate, right? Your risk assessment potentially. I mean, things change all the time.
Reg Harnish Oh, it could be anything. You acquire a competitor, you stand up a brand new application.
Amanda Blanton You change your data processing system.
Reg Harnish Yes, a new data processing system. You get a big new customer or the regulatory environment changes on you. True.
If you’re offering healthcare, manufacturing, financial services in particular. So it could be a lot of different things, but you kind of want to have the pulse of that. So, you know, when it’s time, I would say small businesses could probably go 18 months because they’re not as fluid as a large organization most times, but you want to ensure that you’re working on the right things.
Amanda Blanton Okay. Good. Good.
Reg Harnish That really requires an assessment of your risks.
Amanda Blanton Yeah, absolutely. Now, OrbitalFire typically works with smaller businesses, correct? Small to medium size.
Reg Harnish Well, not typically, exclusively. That’s our mission — I spent 15 years in enterprise cybersecurity. I didn’t give it a lot of thought, but certainly we had customers or prospects come to us, small ones. And you get to the point where it’s like, we got nothing for you.
And you can’t afford us. And so, you know, that happens enough, you kind of recognize that there’s a hole here. And what became interesting four years ago when this idea behind bringing cyber to small businesses came up, you know, did some market analysis, looked around, ran the numbers, and it turns out that 99.87% of all businesses in this country are small.
So, the trillion-dollar cybersecurity industry focuses on 0.13% of the problem.
Amanda Blanton That’s wild.
Reg Harnish And then we’re sitting around wondering, why aren’t we making more progress? Well, if you round the problem to the nearest whole number, it’s a hundred percent.
We’ve literally ignored the entire problem. So that was exciting for me.
Well, right. And, you know, not just because there’s a huge addressable market, but also because, you know, felt like we could really make a difference here.
You know, one of the advantages that small businesses have is that they’re small. And so you can actually make a meaningful difference in an organization. It’s not like working with Walmart or GE or Boeing, where honestly, no matter how much work you do, you’re never going to make a huge difference.
With that many people and that many processes. Too much surface area, too much complexity, too much change. It’s kind of like the Golden Gate Bridge, where they say where they start painting at one end, and by the time they get to the other end, they got to start over because there’s too, there’s just too much weathering and things like that.
Amanda Blanton That’s incredible. Those statistics are staggering.
I had no idea. Wow. So once you realize that, you’re like, I got to do something about this.
And OrbitalFire was born. Wow.
Reg Harnish And, you know, we certainly made our share of mistakes and, you know, a little bit of arrogance coming out of the gate just because, you know, I had been successful in cyber for many years. And you had experience too, right? Yeah. But as it turns out, it’s cybersecurity for small businesses is far different than I expected it to be.
I think, you know, we’ve gotten to a point where we really understand it and we have some things, some practices that we can, you know, implement with small organizations where it really changes the business and it improves their resiliency, it improves their defensibility at an affordable rate, you know, in a way that almost everyone can afford. But it definitely took some trial and error because there is a lot of complexity.
And honestly, I knew nothing about small business when I got into it. Honestly, I probably still know nothing about small business.
Amanda Blanton But you’re learning, Reg. You’re learning.
Reg Harnish Yeah, we really are. We’re committed to it.
And every prospect that becomes a customer feels good to us, not just because it helps us as a business, it helps them as a business, but it’s, we’re starting to chip away at this problem. Because I think in an accelerating way, small organizations, while they’re late to the game, the visibility to the problem is accelerating.
Amanda Blanton Sure. Absolutely. Exponentially.
Reg Harnish Yeah. And so it might only be like 0.1% of 0.1% today that are meaningfully pursuing cybersecurity, but that like triples every day or every week. So it’s exciting.
I feel like we’re in a good position having been doing this for almost four years now. And I feel like when there’s critical mass looking for these kinds of solutions, we’re going to be the first people there. Excellent.
Amanda Blanton Excellent. Love it. Love it. All right. We got to take a quick break. And we’re back. Thanks again for listening to I’m In with the ARCC.
My guest today is Reg Harnish, CEO of OrbitalFire Cybersecurity, presenting some really interesting statistics and just really enjoyed kind of a little backstory too about how OrbitalFire was created, which I meant to ask you, but we just naturally organically got there. So we’re vibing here. Yeah.
Reg Harnish It’s good stuff. And I’ll admit it wasn’t actually my idea. Someone brought it to me.
Amanda Blanton There’s more to the story. Okay.
Reg Harnish At first, I was like, eh, no thanks. But I agreed to kind of go look at the problem and see if it was, you know, if we could make a viable business out of it.
Amanda Blanton Yeah, because you have to be successful too.
Reg Harnish Yeah. Yeah, of course. And, but I got excited about it really quickly.
Amanda Blanton That’s incredible. Something I want to go back to, which you mentioned early in the show and I love it is not, it’s not your job to instill fear in businesses, right? Like the, the, the threat of a cybersecurity attack or whatever you want to call it is real, but what is OrbitalFire doing to not make it so scary for businesses?
Reg Harnish We don’t want to scare anyone, but we also don’t want to come off like the rest of the industry, which is, you know, pounding their fist on the table saying you must do this, you must do that. That’s not how cybersecurity is supposed to work.
Our job is to help organizations figure out what their options are. Ideally get them through some kind of an assessment so that we have a standard to compare their existing status to.
Amanda Blanton Oh, okay.
Reg Harnish We identify gaps and weaknesses and vulnerabilities and things like that. But then our job is to educate them in a way that they can understand. So no jargon, no nerd speak, no, no nonsense, no flux capacitors, and then help them make an informed decision about what they feel like.
And the way I describe it is we are like the secret service. And if it were up to the secret service, the president would never leave the Oval Office, but that’s not practical. That’s not how the presidency works.
They got to get out and shake babies and kiss hands. And so our job is to say, okay, if that’s what you want to do, here are your options, and no matter what you select, we’re going to do our best. So if you want to drive a truck through Baghdad, we’re going to figure out the best way to do that.
Now, if you are completely risk intolerant and you don’t want to leave the Oval Office, we’re fine with that too. So we’re counselors and therapists and educators, and we really take a different approach and similar to fear tactics and hysteria and things like that, we’re also not an aggressive sales organization. So we really, we’re not beating people’s door down.
Amanda Blanton Right. Right.
Reg Harnish You know why? Because we really know that if a decision maker isn’t ready, nothing we say is going to change their mind.
Amanda Blanton Thank you, Reg. Thank you. That’s sales 101, right? Is it?
You just, you got to listen to what they want and when they are ready, they are ready. Don’t, don’t shove it down their throat. Right?
Reg Harnish Yeah. We have prospects that become customers and ours sometimes. Sure. But it’s only because we’re willing to say, Hey, listen, sounds like you may not be ready for this if, and when you ever become, let’s get back together because I think we’re your best option.
Wonderful. We can really help you. But yeah, we don’t, we don’t try to change minds.
Amanda Blanton Yeah. Good. And it goes back to your original mission really is to help small businesses help that underserved market with their cybersecurity.
Reg Harnish Yeah. Serving the underserved. That’s kind of our mission.
And you know, it is frustrating at times because often we care more than our prospects do or even customers do sometimes, you know, but I think, again, part of being mission driven is that we have to get over ourselves in those situations and kind of get on with the business of finding someone that is ready, you know, and we’ve had to separate from customers. Honestly, it’s not something we like doing, but if a customer with enough risk isn’t willing to do some of the things that we recommend, and again, we’re only encouraging and recommending, we never mandate.
Amanda Blanton Sure. Sure.
Reg Harnish If they aren’t willing and ready and capable of doing some of the basics, they become a risk to us too. Cause, you know, the first time a customer of ours ends up a headline and we’re attached to them, you know, that’s going to be really problematic for us.
So, we, we really try to, you know, stick with organizations that are committed. And have some sense of how secure they want to be.
Amanda Blanton Yeah. Yeah. And I love also the education piece, right? And that is, that’s the part that kind of takes the fear away.
The knowledge is power. And I mentioned your trainings earlier in the show, which the chamber tries very hard to stay on top of because they are monthly, but they’re great. They’re virtual trainings. They’re videos. They’re interactive.
And I’ve learned so much about what to look for, especially in your email box.
Right. Because we’re also susceptible to getting those spam emails or phishing emails where you’re like, Hmm, this doesn’t look quite right. And I feel like I’m getting really diligent.
I feel proud of myself, you know?
Reg Harnish That’s really what we’re after because while we feel like we’ve done a very good job of, of making security training absorbable by small businesses, small drip monthly might usually take two to four minutes.
Amanda Blanton Not long at all.
Reg Harnish And it’s about behavioral change. So while we do use these monthly, you know, trainings and testings and things like that, we don’t really care if it’s a training video or a hamster wheel.
Our, our job and our goal really is to change security behaviors because honestly, before you ever got a training from us, you probably already had the skills to identify a phishing email.
Amanda Blanton Sure.
Reg Harnish You probably did. Uh, just like most people do.
What you didn’t have perhaps is the willingness to take the 2.2 seconds it requires to apply those skills. Yep. That’s where the behavioral change comes in and that’s very difficult.
Giving people skills. I mean, most folks are computer literate these days, certainly at our customers, but they’re in a hurry. Yes.
Amanda Blanton They don’t like their boss. It’s Monday. Yep.
Reg Harnish They’re tired, whatever it is. Right. It’s Christmas time and they’re getting tons of Amazon messages.
So they are in a hurry. And so it’s much harder to convince someone or to train and instill a habit in someone under those conditions. And that’s what it is.
Amanda Blanton Right. And I find myself using those skills even in my personal life too. Right.
Yeah. How many emails do I have? So many. I got, I got the one that’s necessarily for junk.
Amanda Blanton The one I give out to everybody that asks for it. I got my regular, but I still have to go through them and I still have to pick those out and then text messages too. Right.
It, you know, it’s, yeah, it’s evolving. Oh, good God. UPS texts me every day about some package that I, that couldn’t be delivered.
And I’m like, this is not real. So, you know, you block them, you report them, you do all the things. And things are getting, you know, the adversary is getting smarter.
Reg Harnish They’re sophisticated. So very commonly, a text message to a brand new employee in the accounting department about buying gift cards because they’re smart enough to be scraping LinkedIn and they’ve already got everyone’s phone number and email address.
You know, I think for us, you know, we say, we feel like we’re doing better in cybersecurity, but the problem is the bad guy’s getting better faster. Yes. So the gap between where we should be and where we are is widening still.
I think we’ll catch up at some point, but again, it’s going to require a commitment from critical mass, small businesses and everyone else. Yeah. Everyone get on board basically.
Amanda Blanton Right. One last question before we round out the show here. This is a growing industry, right? Cybersecurity, IT professionals.
So, what would you say to these kids nowadays that are like, what should I do with my life? Maybe I’m interested in this. What kind of advice could you give them to pursue it?
Reg Harnish Well, let me put it this way. Most kids that go to school for cybersecurity or IT, they’re, they’re passionate about these solutions.
Amanda Blanton Okay.
Reg Harnish It doesn’t matter what it is. Sure. And for us, we’re really looking for someone who’s more passionate about the problem.
Amanda Blanton Ooh. Okay.
Reg Harnish Because over time, the way we treat risk is going to be different and it’s changed dramatically even over the last 20 years.
I, when I got back into cybersecurity and so we want someone who is ferociously pursuing, you know, the serving the underserved part. That’s, that’s the key.
And, and because if you get religious about technology, which honestly, our industry is full of religious zealots that just love their X platform or they’re this or they’re that, and that can be counterproductive because a lot of time solving cybersecurity risks is really nothing more than hard work. There’s nothing fancy about a pushup.
Amanda Blanton Got it.
Reg Harnish If you want to get in shape, it’s a pretty great way to do it. Um, so I would say, you know, for kids who are looking or are potentially interested in a career in cybersecurity, you got to get passionate about the problem.
Amanda Blanton Okay. Get involved for the right reasons. Right.
Reg Harnish Absolutely.
Amanda Blanton Okay. Great advice, Reg.
Reg Harnish I appreciate it. Thank you.
Amanda Blanton So last question. How can we learn more about OrbitalFire? How can we get in touch with your team if we’re interested in working with you guys?
Reg Harnish If you’re a small business you could really be anywhere, but we have densities, certainly in upstate New York, California, North Carolina, but upstate New York, email@example.com. We’ll get you to the right people. We’d love to have a conversation about how we can help in an affordable way.
If you are a potential employee, firstname.lastname@example.org, we’re always looking for people. We’ve got a couple of positions open now, but also, you know, these kids, I mean, we, we run internship programs year round. We’re not really tied to semesters.
If you’re a partner, email@example.com because we partner with MSPs and IT providers who are, you know, they’re in a tough spot right now too. They’re getting dragged into cyber. They’re not really cybersecurity experts, but their customers are demanding cyber solutions.
Amanda Blanton And you can complement what they do.
Reg Harnish Yeah. We’ll make you look good and we’ll pay you along the way.
Amanda Blanton Okay. So, a couple of different audiences there.
Reg Harnish We’d love to hear from everyone.
Amanda Blanton And we appreciate your time today. Awesome. Reg, thank you so much.
I, you know, I never think I know everything about cybersecurity, and I loved your approach today. I think we did a really good job of talking about it in a different way. And I appreciate you for bringing your knowledge and your different mindset today.
Reg Harnish Thank you. Yeah, absolutely. I appreciate it.
Amanda Blanton Awesome. Well, thanks again for being on the show today and everyone make sure you tune in next week.