Today, Kenneth Grossberger from Elite Investigations joins the team at CyberSound to discuss ways you can minimize reputational risk, the importance of physical and cybersecurity training, and practices to ensure safe risk management in the workplace.
Tangible and Intangible Enterprise Risk
This is CyberSound. Your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl and Steven Maresca.
Jason Pufahl 00:10
Welcome to CyberSound. I’m your host, Jason Pufahl. Joining me today in the studio is Steve Maresca, Matt Fusaro, as always. Hey, guys.
Matt Fusaro 00:20
How are you?
Hey.
Jason Pufahl 00:22
And joining remotely is Kenn Grossberger. He’s the Vice President and Chief Consultant at Elite Investigations. He’s got a PhD, and he is part of Elite, which is a security company located in Yonkers, New York. Welcome, Kenn.
Kenneth Grossberger 00:39
Thank you. Hi.
Jason Pufahl 00:40
So today we’re actually going to talk a little bit about an area that we probably don’t cover a lot, as we chat internally here: more risk management, I think, outside of the cyber space, maybe a little bit more into the physical space, which I think can mesh with you. That’s your area of expertise. So I’d like you to maybe spend a minute introducing that concept a little bit, and we’ll segue from there.
Kenneth Grossberger 01:09
Yes, thank you very much for having me. Yes. Physical risk assessments, physical risk, security, basically, are all-encompassing; we talk about enterprise security risk management. And as a general practitioner in the field, I obviously rely on the expertise of folks like yourselves, subject matter experts who have in-depth knowledge and experience to see things others might not. And obviously, what we’re attempting to do is catch problems while they’re small, keep them less expensive, and eliminate if possible and mitigate as necessary, but basically, to make sure that we are taking care of our clients and making sure they’re safe.
Jason Pufahl 01:55
So you know, the partnership between Vancord and Elite is really beneficial for clients on both sides, right? We don’t bring a real deep background in doing sort of physical plant assessments, right; through some of the regulatory requirements, we might do a cursory review, but our expertise is definitely in that cybersecurity space, the cyber risk management. I think, you know, the ability for you to utilize us when you’ve got some issues like that, and reciprocally for us to actually lean on you, has been great so far. I think people have probably heard us talk enough about the cyber side. Describe what a physical security assessment might look like from your perspective, and how those engagements often go.
Kenneth Grossberger 02:45
Physical risk assessment, threat assessment, there’s a difference. One might be more safety, one might be more physical risk. It isn’t just a check-the-box kind of exercise, although we use checklists. We’re looking to make sure, first of all, that we’re subscribing to the needs of the client, what they’re requesting. We generally like to take a comprehensive look, even if the risk is fairly narrow. To give an example: there’s a physical breach in security, there are people entering a facility that shouldn’t be, or there are folks getting injured, or there’s just a general kind of assessment where we’re looking in a comprehensive way at everything that might happen. Brand risk, reputation risk, safety risk, and of course, cyber risk. And if we come across things where we need to go deeper, it behooves us professionally and ethically to bring in legitimate experts, legitimate subject matter folks like yourselves, to make sure that we get it right. And again, we live in a very complex world, things are fast changing, one cannot know everything. And the need for particular expertise is real, relevant, and of course, timely.
Jason Pufahl 04:04
So you’re actually talking about a couple of things in there that we probably should cover, right? The idea of reputational risk. Certainly we talk about that as it relates to website defacements, or incident response and some of the potential notification fallout there. What is reputation? What kinds of things impact reputation that you see on a regular basis?
Kenneth Grossberger 04:32
Well, we’re talking about damage done and how that’s measured. Usually, it’s subjective, but we deal with a lot of major companies, a lot of major brands, as you do, and they’re very concerned about their public perception. And if something happens, or people are, you know, getting injured or something like that, something is occurring. There are losses of some kind, whether it’s loss prevention or some sort of damage being done. Obviously, it’s difficult to recover a brand in that nature. And given the amount of investment that these large companies and these well-known companies have put into their names and their goodwill, they depend on us as the experts to come in and help them offset whatever damage has been done, and to put it in the rearview mirror as fast as possible. And again, if we see something in your world, we are going to certainly bring you in to make sure that the client’s reputation is intact, and if there was an issue, that it’s recovered and that it doesn’t happen again.
Matt Fusaro 05:40
Yeah, I feel like, especially today, reputation is so fragile with a lot of companies. If you do anything wrong, I’d say it’s on social media, it’s in the news, this information gets spread so quickly, so protecting reputations is probably a lot more important than ever.
Jason Pufahl 05:55
I mean, it’s an interesting point, right? Because for sure, a single customer can spread a lot of information really quickly nowadays, which they couldn’t before.
Matt Fusaro 06:07
Do you find, Kenn, that your reputation is driving a lot of the requests that you get, or, you know, what’s your main driver that people come to you for?
Kenneth Grossberger 06:15
Yeah, definitely reputation is one of the keys. Even if they have an internal loss, something happens, they don’t want it to go public. That requires a very confidential type of investigation, or a CMS assessment: find out what’s wrong and fix it fast. Obviously, confidentiality is key in our industry. And we’ve got to make sure that the client is taken care of. Again, large companies, major names that everyone knows, even names that people don’t know, you know, you’ve done it before. Commercial office buildings, real estate companies, law firms, they’re very, very concerned that somehow there’s a public perception that is not so good. You can kill a market, and as was suggested before, news travels incredibly quickly. And bad news travels the fastest.
Steven Maresca 07:03
So what are some common risks that you encounter? Like, you know, common denominators that you experience if there are some hot button items that you can share?
Kenneth Grossberger 07:16
Yeah, a lot of it has to do with personnel and folks doing things they shouldn’t be doing. A typical one: someone accuses somebody of sexual harassment. True or not true, the damage is done. Usually it’s a career ender. And nobody wants to be on the wrong end of a courtroom on this stuff. So our job is to go in and make sure that we can understand what the issues were, and help offset. Other kinds of things, just in terms of pure physical risk, are again entry control, failure to follow the rules, safety stuff, things like that. One injury, one break-in, one kind of a loss can really build its way into quite a difficult situation for a client. On your end, if you’ve got folks, even things like stealing laptops, somebody breaching security in their programs, hacking, things of this nature, you can roll up a reputation in a hurry, as you know. And that’s where we come in, and you come in, to make sure that the client has a sense that this problem can be solved as quickly and as quietly as possible.
Steven Maresca 08:29
I heard you mention loss prevention in passing earlier. In the context where you’re using it, is that really loss of goods, intellectual property, you know, tangibles associated with the business, and, you know, its actual sales to its customer base? Where does that land?
Kenneth Grossberger 08:48
Well, the answer is, yes. It’s all of that. We think of loss prevention primarily in terms of retail, things just stolen. They talk about shrinkage, which is defined as the difference between inventory and what got sold; something happened. It got stolen, it got broken, some inventory miscalculation, something like that. But in the broadest sense, loss prevention is part of loss control, which is anything that might occur that, I think, broadly defines the client’s risk, and our involvement in making sure that risk is properly mitigated or offset completely.
Jason Pufahl 09:23
Do you find that you get involved in any way in, say, insurance policy reviews or anything like that as part of risk mitigation?
Kenneth Grossberger 09:32
Yes, somehow we become insurance experts along the way.
Jason Pufahl 09:36
Yeah, us too.
Kenneth Grossberger 09:40
So you know what happens if you see something deep in a contract: some offset was in there, and somebody tried to make the policy rating a little cheaper, let’s eliminate this, let’s eliminate that. And then sure enough, an event occurs where you’ve got that exclusion staring you in the face, and then it’s pure risk, because it’s the client against the world. There’s no transferring the risk to the insurance company. So we do that. It’s part of what we do. And again, as we do with you, if we feel we have questions, we certainly will reach out for an expert.
Steven Maresca 10:12
I’m curious. In cyber insurance, at least, the presence of a prior incident has a tendency to make carriers more likely and willing to engage, because it means that corrective action has occurred. Do you find that that is a similar pattern in your world, or not quite the case?
Kenneth Grossberger 10:33
Yeah, as you know, insurance ratings are quite complex; underwriters have to take everything into account. It depends on what they’re using, a three-year averaging method on losses; they’re looking at loss runs all the time. But you’ve got a point in terms of knowing that the risk has already been somehow corrected or offset; that would account for part of it. But as you know, in insurance, if a pattern has developed, or there’s, you know, a large hit over the past three to five years, that’s going to affect other ratings negatively. But then again, as you say, we can come back and say, yeah, but we did something about it, and the probability of that particular event occurring again is very minimal. Therefore, you know, maybe we put the rating back in good standing for the client.
Jason Pufahl 11:21
So I want to return to the question that I briefly alluded to at the beginning. You know, we just recently recorded a podcast where we talked about security fundamentals, and really tried to have a discussion about, you know, the things that every single business should be doing to enhance their security program. Many of the things that we talked about were free elements, really, really basic things. From your perspective, is there anything that you feel every business should do to reduce their risk? Right, you know, low cost, maybe low effort, but things that you see missed regularly that cause problems?
Kenneth Grossberger 12:02
Yeah, certainly a number of things. Number one, have some sort of security and safety policy or program. Easy to do: security and awareness. If you see something, say something. Have places to go for the information, an email box, some place where folks can say, I have some concern. Make sure that security and safety training are part of any new hire package. Have quarterly or semi-annual reviews, periodic reviews. In terms of pure safety, make sure that people are aware of their means of egress, that you have evac drills at least once a year, periodically enough. All kinds of awareness, I think, are critical. Your security and safety plan isn’t something that should be sitting in the bottom of a drawer; it should be readily available, and I think periodically reviewed. So if security and safety risks become part of the corporate mission, the company mission, the organization mission, there is a far better chance of something not happening, or of initiating mitigation steps before the consequences become disastrous.
Jason Pufahl 13:09
So you know, it’s interesting that you mention security awareness, or sorry, just awareness training, right? Having people who understand the requirements of a business, understand what’s expected of them, understand where to stand to identify, and really, they don’t have to be complicated things. So much of this ultimately does come down to communicating to employees the things that are expected of them, or the potential risks that a company might be concerned about. It’s exactly the same on the cybersecurity side; there’s no difference there at all.
Kenneth Grossberger 13:43
Yeah, I mean, simple things. So cybersecurity training: knowing what emails to open up and not, what attachments not to open up, knowing when you’ve been hacked. I mean, some folks just blindly move forward and open up things, and next thing you know, yeah, then, of course, they really do need you, because we’ve got a big problem, right?
Steven Maresca 14:05
So, you know, we tend to fall into a storytelling mode occasionally to share some things that are helpful for our customers. And I’m wondering if there’s any, you know, sufficiently generic but still helpful story that you can share that would exemplify your business, something that really, really communicates core competency and what you can deliver.
Kenneth Grossberger 14:27
Yeah, let me give you one, an institutional one. We do a lot of work for religious organizations. And one is, let’s just say, a soup kitchen. And the issue there is that they want folks to come in. And very often, the folks that are coming in are the folks that you would normally defend against, so you’re violating every precept of access control, because you don’t have access control; you have folks coming. And so what we do then, of course, is, first of all, you have to be always conscious, as you are, of the client’s budget and culture. Those are two of the variables that are going to drive decision-making in terms of whether or not to spend on security and what to spend on. So in those cases, and in this one particular instance, we had to actually embed one of our officers on an undercover basis to make sure that if something happened, someone was ready to press. We didn’t want a police uniform, we didn’t want an overt presence, because that might have, you know, taken a different tack with their culture. Another quick story: we also defend a lot of large malls. And in this one particular case, there was a funky valve in their fire safety system. And this thing used to go off; if it read low pressure, the system considered that a bad condition, and it set off the entire alarm system for an entire mall. Now, we couldn’t tell people to just, you know, ignore it. We had to evacuate the entire mall, 5,000 shoppers and 600 staff. Obviously, in that particular case, we said, you know, we’d better bring in some folks that know what to do with fire safety systems and fix it; this is not something you can ignore. In that particular case, we were worried less about budget and more about just the look for the mall. You don’t want to be in a mall where the alarms are going off and the strobes are blinking. That’s not a fun day at the store.
Jason Pufahl 16:42
I personally really appreciate the story about the soup kitchen, because I think it does demonstrate just how important it is to really understand your clients, right. And risk prevention is different for every business. And I think the tolerance or the needs are going to be different. So understanding that and building programs that make sense for individual clients was certainly important to us, and I think it’s helpful for people to recognize that it’s not a one-size-fits-all practice, right?
Kenneth Grossberger 17:09
Not at all. As you know, in your work, you’ve got to customize your solutions. Your client has to have confidence in your reputation, that you can help them, that you truly are interested in what’s going on, and that you are going to get to the right solution at the right time and within their means, and that there is going to be a positive outcome. And in the future, they can rely on you to come back, just in case, or even just for a tune-up, for whatever services are required, to make sure that things don’t happen.
Jason Pufahl 17:29
Yeah, and I think I hear a phone going off. So maybe you’re getting a client reaching out now with a potential problem, right?
Kenneth Grossberger 17:56
Somebody needs cybersecurity.
Jason Pufahl 17:59
So on that note, though, I think, you know, we always want to end by letting our listeners know that if they wanted to talk a little bit more about just generalized risk management, either on the, you know, cyber side, or, you know, say the more traditional business risk or physical risk side, reach out to us on LinkedIn at Vancord, or on Twitter at Vancordsecurity, and we can keep talking. If we get some inquiries, Kenn, we’re happy to have you back, and we can kind of keep the conversation going a bit. Any last thoughts before we adjourn?
Kenneth Grossberger 18:35
Just an overall comment. I’ve been in the industry over 40 years; you all have your own lengthy experience. And it’s not just the amount of information, it’s our ability to digest and translate that into positive action for clients, because we’ve seen these transactions not hundreds, but thousands of times. And the ability to bring that expertise and that experience to assist clients, I think, goes beyond the profit motive. It gives us a personal sense of satisfaction that we are helping our clients in a very positive way. So there’s a professional satisfaction, I think, that means as much to us as the dollars and cents.
Jason Pufahl 19:15
I mean, that’s a sentiment that we can certainly appreciate, you know, and share. So I think that’s a great way to close. And on that note, we hope that folks got value out of this slightly different perspective from what we normally bring. So if anybody has any questions, as always, feel free to reach out to us and we can keep the conversation going. But again, thanks for joining. We appreciate your time today.
Jason Pufahl 19:41
Thanks for listening, everybody.
Stay vigilant, stay resilient. This has been CyberSound.