OUR AMERICAN SECURITY

Fortifying Businesses Against Uncertainty: Strategic Resilience with BRaaSS LLC

March 21, 2024 Sponsored by BRaaSS LLC Season 3 Episode 3

Join us for an eye-opening discussion with the specialists from BRaaSS (Business Resilience as a Security Service) LLC, where you'll uncover the secrets to fortifying your business against the unexpected. In a landscape where threats loom on every horizon, we navigate the complexities of operational resilience and strategic crisis management, ensuring that your company is protected and primed to prosper in the face of adversity. BRaaSS LLC’s 'as a service' model melds rigorous audits with collaborative federal agency tactics, offering a shield tailored to your vulnerabilities.
 
 BRaaSS LLC's experts craft crisis strategy plans that are nothing short of bespoke armor in today's volatile business battleground. We look at the art of strategic alignment and threat preparedness, tackling cyber threats, geopolitical turbulence, and ever-changing regulatory landscapes. Sectors like healthcare, defense, and manufacturing within critical infrastructure receive specialized attention as BRaaSS LLC prioritizes threats and conjures robust plans that predict, preempt, and protect. Discover how their Crisis Strategy Plan and Business Impact Threat Evaluation become the compass guiding organizations through the storm.
 
 Finally, our conversation illuminates BRaaSS LLC's advanced threat management protocols—an approach as intricate and vital as the human anatomy. We explore how intelligence serves as the brain of the operation, with vigilance as the eyes and ears scan for danger. Unveil the benefits of fostering a security-centric culture and the efficacy of red team testing in validating the strength of your defenses. BRaaSS LLC supports and elevates your existing incident response teams, empowering them with actionable intelligence for precise, strategic decision-making in times of crisis.

Our American Security is brought to you by BRaaSS
Business Resilience as a Service

Learn How to Improve the Operational Security of Your Employees with BRaaSS

If you have any questions for the OAS team, please contact oas-podcast@braass.io

Connect with us on LinkedIn
https://www.linkedin.com/company/braass-consulting/

Connect with us on Twitter
https://twitter.com/OAMSECURITY

Visit our Sponsors (our) BRaaSS Website
https://www.braass.io/

BRaaSS Pricing Plans
https://www.braass.io/consulting-plans

Speaker 1:

Welcome to Our American Security. I'm your host, Bobby L Shepherd. Our American Security is brought to you by BRaaSS LLC. BRaaSS, Business Resilience as a Security Service, is a new and innovative consulting firm which provides world-class intelligence, monitoring and analysis on emerging threats specific to your organization and its priority areas of concern. Your BRaaSS subscription will provide monthly or quarterly audits for operational security, physical security and cyber security, as well as liaison with federal agencies and help C-suite executives to strategize and plan for crisis events. So welcome to another episode of Our American Security.

Speaker 1:

Today, we're going to do things a little bit differently. Our sponsor, BRaaSS, Business Resilience as a Security Service, is, full disclosure, our company too, and so I didn't want to keep saying we were sponsored by BRaaSS and not really have anyone know what the heck BRaaSS was, is and so forth, and, in particular, it is one of our I think it could be one of our best weapons to protect companies in this country and maybe around the world. And so, without bias, you know, I just want to you know, really truthfully, honestly talk more about what BRaaSS is, how we arrived at the name, the capabilities, and we're going to probably kind of do more or less a deep dive into the capabilities and what's it all for, you know, business resilience as a security service. We all know that companies have to be resilient nowadays with multiple threats coming at them at the same time, and we want to be the company to pioneer, you know, being able to do that for these companies out here, enterprise companies and eventually, hopefully small to mid-size businesses as well. All right, so hopefully you enjoy it. It's quite interesting, I think. Hopefully it'll be interesting for you as well. Thank you.

Speaker 1:

You know I've been in counterterrorism and counterintelligence and what I've seen over the years is that, like commercial, private industry companies trying to hire guys and girls that are like me, you know, basically come from a deep history of, you know, working in counterterrorism and counterintelligence as analysts, as a corporation specialist and so forth, and I kind of was a little taken aback about five, six years ago. What is what's going on? I mean it's I know they all, everybody has the have, you know, they have cyber security, they have, you know, threat intelligence analysts, and it's okay, that's, that's normal, you know. But a lot of companies started hiring more. Hey, you know, we're looking for folks with CT and CI backgrounds and folks who deal with crisis management on a regular basis for the country. So I was kind of like huh, and then I started digging into some of what the job descriptions would say and the job descriptions would say basically things that basically are looking for creating a department within their organization that basically gave them early warning about threats and help them figure out, you know, priorities of how to deal with threats and stay resilient and help with their business continuity policies and such so and so.

Speaker 1:

That hit me, you know, and I thought, man, you know there's there's probably somewhat of an industry gap out there where you know, instead of like bringing in, you know, like run is the a crap shoot. You know bringing in some, some guy, a girl with a great background and then saying, hey, you're VP, you know, get this job done, help us anticipate threats. I thought why not create a business that you know brings the best minds, some of the best TTPs, tactics, techniques and procedures that we've used over, you know, 30 years or more or just in general within the industry and and have an outlier, a sentry capability for these organizations where you know we're set up as a partner, but not necessarily inside the business, but knowing about what the client needs as far as being able to protect the business. And so that's that's really what BRaaSS is about, because we know what we go in and we do what's called a crisis strategy plan and we understand the critical impact areas of what the company needs and what's going on within the critical impact, meaning that, like there's a critical impact area, that means that basically there is, there's some kind of catastrophe or some kind of threat is kind of damaged through cyber or geopolitical or there or natural disaster. We understand, like, what part of the company could be damaged to such an extent that it could basically put it in the dirt, you know, in the drain, or at least you know, put it back, put the organization back on the hill. So much where the financial loss or the employee retention, you know, just goes, goes down the drain, you know.

Speaker 1:

So that's generally what BRaaSS is about and what it means and I'm going to cover this early. I know Jay said he's going to touch on this, but I figure something talking about it is business resilience as a security service. So you know what they mean is that you know everybody say, oh, that's a cute little thing. Everybody uses this as a service. As a service, you know, I saw some letter day and LinkedIn. You know, surprise, they said resilience as a secure, as a service.

Speaker 1:

So BRaaSS meaning business resilience, meaning that we're here to make your company resilient, help your company become more resilient, but we're using a security service to do it, and "as a" meaning that it's built in the SaaS model, right, it's built in the SaaS model. So you can go to our website and see basically two subscription plans. We have a threat advisory plan and a threat management plan that basically encompasses everything from a dedicated intelligence analyst to a BRaaSS consultant, to multiple capabilities within that one subscription tier. And then you know that's in its more, that the first one is more of an advisory. The second one is a full up management plan where we are literally, you know, strategic, you know, during the strategy, advising, doing the analysis, the collection, and we're managing the threat as it comes in in multiple forms. You can go and take a look at that if you have the opportunity.

Speaker 1:

So, but today what we're going to do, like I said earlier, is that we're going to go through and just talk about it and talk a little bit about some of the things I pulled us on with ChatGPT actually like a query ChatGPT and say, hey, what pain points with a CEO and the chief risk officer you know probably most talk about or ask about in enterprise, you know, business organization, and it spit out some cool things, some things that that we could potentially address in a couple of things we can address, but we'll actually talk about all of that, so let's go ahead and get started on that. So, Jay, thanks for patiently letting me get through that. So, man, you got any questions about what I just spoke about?

Speaker 2:

Yeah, first thing I want to say is you know very good for our listeners to listen to that introduction that you gave to just kind of give them an idea about who we are and what we're trying to do to change what's actually going on in the industry, particularly in cybersecurity, so yeah, so the first question I'm going to ask you is going to basically be categorized under strategic alignment. So you being the CEO and founder, so how will BRaaSS, the services, align with the overall business strategy and objectives, especially regarding growth and market expansion?

Speaker 1:

Growth and market expansion. Freaking ChatGPT. No, that's cool, though. Growth and market expansion. Alright. Well, okay, so during speaking. Alright, so strategic alignment is very important.

Speaker 1:

Alright, now we don't deal with market expansion in BRaaSS. That is something that we were not worried. We're not thinking about growth or market expansion, but we are thinking very heavily about strategic alignment and what those objectives are for the organization as it pertains to threat in resiliency and business continuity in crisis management in particular. So BRaaSS's main focus is basically working with a new client, and we're working with a new client is developing out their crisis strategy plan as it aligns with protecting the overall organization from threats coming from cyber, geopolitical risk and third party vendors.

Speaker 1:

Secondarily, we look at regulatory issues, but primarily only those regulatory issues that affect you from a foreign exit and for, like, a foreign nexus.

Speaker 1:

They're like basically say, for instance, China has changed, is constantly changing its policy, to say, basically, in order to work in China, you have to you know, pretty much give up the ship on all your proprietary information if you want to use it in that country.

Speaker 1:

You know, that's something I'm paraphrasing, of course, but that's generally something that recently came up on a regulatory aspect you basically, you know, have to, you know, allow them to see what your, some of your information is, that that, honestly, can come across as proprietary. That's something that we want to help our clients be aware of and inform them in some of our deliverables that we put out the geopolitical risk, you know, as you know, that that covers in part cyber, but mostly we're looking at, you know, natural disasters, climate change, social disruptions, wars. You know military conflicts that may be within the regions in which the organization your organization, client organization may be operating, and so we look at all those from how it aligns strategically with the organization as it pertains to its critical impact areas, those areas that are within the organization, the client organization is management.

Speaker 2:

So how does BRaaSS identify and prioritize cyber security risk that could significantly impact business operations?

Speaker 1:

All right, like once again, cyber security risk is just one part of what we look at, for the organization is super important. I know this is like it's not sexy, scary, but it's definitely one of the bigger big bad wolves of what companies have to look, look out for. But, like I said, it's like I said it's one of like four things we take a look at as a primary. But BRaaSS basically looks at the entire scope of cyber security threats to those that are in our target market. So, like our target markets you know we're speaking for right now didn't get into this but our target market, we generally look at healthcare industry, the healthcare industry enterprise companies, enterprise organizations in the healthcare industry, defense industry companies, which I spent a lot of time in as as a, as a CDC, as a cleared defense contractor, and also manufacturing companies, which you know we move into supply chain in organization, like that. So we, those are our main target markets that we delve into and we will be expanding those as we grow. Right now, overall, just just to just to give you an overview, I mean we we're pretty much looking at what we call critical infrastructure companies, these, and we prioritize the threat by the level of danger, and the prolific nature of the threat. So, you know, we, one of our folks on our team, good dude named Emilio, he's one of our, right now, he's just an advisor and also, of course, Jay, who's another cyber expert.

Speaker 1:

You know, we basically will take a look at number one, the critical impact areas. That's based on the CSP, the crisis strategy plan, which is our, our cornerstone, our foundation, and we basically say, okay, well, this is what we determine, per what the client says, per what we discovered, per where everything went through the crisis, just as an aside, a crisis strategy plan can take anywhere between three to six months to complete, dependent on the size of the organization, and it could be ongoing. So, like we should get all the primary areas of the CSP completed. I'm not gonna go through each area, but, but, depending on how bad or how good it is or how well organized it is, you know, if it takes a shorter amount of time, you know, but generally speaking, three, two shouldn't be no more than nine months, and even then we have something called the business impact threat evaluation. That's basically what we take out. That's the first thing we take out as, as far as being able to, so we can get to work immediately with, with protocol two, which is the, the collection, the monitoring, the collection of threats, you know, going towards organization, so that that part of it, that business threat evaluation, business Good evaluation portion, is where we pull that out of the CSP. But, like I said, the CSP should should already be shortly quantify what those critical impact areas are.

Speaker 1:

We, we take a look at it, so we take these are our partners, such as Jay Anderson and my buddy Emilio, and we say, okay, you know the danger, what are the biggest threats to these, these critical impact areas? What, what malware, what APTs, what, what have, what has, what has in the past already hit the organization or just hit the industry, you know. And so then we say, okay, then we look at that and then we look at the prolific nature of it. How often, how easily are these, these malware, these, these executables, so forth, are our how, how, how frequently are they deployed, you know? So basically, we start, we try to get a probability of score of like.

Speaker 1:

Okay, these are typically this company I hit, that company I hit is used all the time. It's, it's already in the forums as part of the, the, the dark web and everybody knows how to access it, and then, and then from there, we prioritize the intelligence of it. So we create what we call a priority intelligence requirement. Yeah right, basically something that we use in the past. We didn't corroborate the information with the critical impact areas and then we continue to collect, analyze and prepare the organization to prevent and/or mitigate that potential threat.

Speaker 2:

Yeah, that was good. That was a pretty thorough answer there and I'm sure that the audience out there really appreciates those details. So I have another question for you is going to fall in the category of compliance and regulations. So, can BRaaSS guide navigating the complex landscape of cybersecurity regulations across all the different markets out there and to make sure that compliance is maintained?

Speaker 1:

Uh, short answer: no. So so basically, no, we're not, that's not. BRaaSS primarily doesn't look deeply into compliance as it pertains to what the government will care about overall. Okay, because if we're looking at compliance, then we're looking at the government and that means that what we're looking at pretty much is a, is a, is a threat, but it's a, it's, it's a policy threat or it's a it could cripple your organization financially and if you that bad of organization that could cripple you, you know, to end your company, then that's crazy.

Speaker 1:

Because here's the thing you know, yes, super important, but what we care about this this is a regular regulation in general is not if it doesn't have a foreign nexus is more of a policy. And what are we considered like a CISO duty that, although important, doesn't constitute an unseen or unpredictable threat, and that's and that's for what BRaaSS is made for, made to combat. We're made to combat a unseen and unpredictable threat and to be able to prepare the organization to be adaptable and to prepare the organization to be proactive against those unseen and unpredictable threats and then be able to properly prepare, the prepare for those threats that we do know about. But that does not fall into the category of you know regulatory compliance, that is that's passed down by the government that may be changing. You know we're. We're I mean for all intents and purposes we're kind of like a low grade snake eater.

Speaker 2:

You know so you know.

Speaker 1:

So we're going to. We're basically actually, you know, we're looking for the bad guys and figuring out a way to make sure your organization is ready to both mitigate, prevent and or prepare, prepare to combat that bad boy. That's where we are and, and you know, to me it's like a, you know, regulatory that's that's lawyers, that that's that's CISOs, that's that's policy that we want to be messing around with. So no, Okay.

Speaker 2:

So again, thank you for that answer. So I have another question for you. It's going to fall in the category of incident response. So what is BRaaSS's approach to incident response and how can BRaaSS help to minimize the impact of cyber incidents or breaches?

Speaker 1:

Okay, well, BRaaSS will support the client's incumbent incident response and cyber teams, you know. So we basically work with them. You know pretty much what we use is pretty, what we call the second and fourth protocols, that a BRaaSS threat management framework. All right, you know, like I said, the protocols we use, like four, four protocols within within the BRaaSS protocol, and it's a threat management framework that is organized to first have, like the brain, which is the crisis strategy, and then have the eyes, which basically eyes and ears, which is going to be the, the collection and the analysis of intelligence based on what the brain tells it, you know. And then we move into the lesser, secondary parts, but more but still very important, which is dealing with creating a security culture with the workforce and making sure they are OPSEC friendly, the workforce, and making sure they are well educated and security awareness and in what the company client specifically cares about when it comes down to security awareness. And then the fourth is red test and basically making sure that you know things that come down from the CSP. The brain is actually in what we find actively fine for with our active monitoring and collection and analysis is also being quantified through red testing, quarterly red testing, and so that's a big part of what we do. And so because we do these things for the organization the cybersecurity team, incident response team, the client organization, you know, basically we will share what we've learned about threat through our monitoring and analysis as it relates specifically to the critical impact areas and and, of course, the brassie, as I said before.

Speaker 1:

You know, one thing we were proud to do, like I said before, is align right. We want to align with the company's incumbent capabilities and security and we don't want to take them over. I want to be clear about that. You know, we don't want to take over what the company is already working on, what they've already invested in, so forth. What we want to do is be able to enhance their capability. So, incident response team, we already have basically methodologies of how they be able to, how they handle incident.

Speaker 1:

Part of what we do in the CSP is that we basically go through an audit or audit Wednesday audit, you know, in a friendly way but basically go through and try to understand what your capabilities and what your capabilities and competencies are already, and then we basically enhance those capabilities in capabilities and competencies by what we do, which is basically look for the threats that are coming in from external, outside, and by enhancing your internal capabilities through your, through your, through your personnel. And so once you have, once, when, what that? What's that going to do for you? Right, that's what that. What that is going to do for you is allow for your incident response team to be able to have knowledge ahead of time of what the threats are. They're going to be able to communicate with our dedicated intelligence analyst, our BRaaSS consultant, and be able to apply that information to when there is a breach.

Speaker 1:

Number one the CSP and information we we worked out in the CSP knew that it's that it was the potential potential for that, for that to happen was going to happen, and then already have mechanisms in place and response times that we worked out together prior to that threat actually hitting. And so what that's going to do is is is increased as a response time for any kind of incident that occurs. It's going to probably give the incident response team a foreknowledge of what to do prior to it happening, instead of them figuring out on the fly, because generally incident response team, you know they go by whatever train protocols they have and they teach them how to do it correctly, but very, very rarely and you can correct me if I'm wrong, Jay, but very rarely, you know do they really have, you know, knowledge of what the actual threat was is always happens after the attack, not actually before.

Speaker 2:

Right, it's typically more reactive.

Speaker 1:

And so we've already worked with the cyber security team in their incident response team and we've given them you know, we give them, you know, monthly intelligence reports, intelligence bulletin reports, anything that comes in new, as well as what we should have discussed with the CISO and assist or discuss with their team the things that came out of the CSP, and so overall it's going to enhance the capability of the of the incumbent cyber security incident response team. That's really what comes. I'm sorry that kind of came out kind of slow and broken, but it just took me a while to kind of get wrap my brain around exactly. You know how it was going to work without me looking at notes or something.

Speaker 1:

Anyway that works out, but yeah, that's exactly how it works.

Speaker 2:

Yeah, okay, that's good. So one other question I'm going to have you, at least under this particular role, is going to be on what every single CEO is typically concerned with, and that's return on investments. So how does BRaaSS demonstrate the return on investments for security services, particularly when it comes to reducing financial risk and losses?

Speaker 1:

Okay. So BRaaSS is built to be a long-term service, so working as a partner in what I like to call a proactive sentry to the organization, we basically are built to incrementally improve and fortify the security posture and ability of the company and organization to anticipate threats. The ROI, the return on investment, will be realized likely within six months, because one basically in six months you should be getting updated, basically intelligence reports that deal specifically with critical impact areas. A lot of times intelligence and I'm not trying to talk down on any kind of threat intelligence team out there or anything like that but a lot of times a threat intelligence team basically is just responding to what's coming in on whatever database or wherever they're using, but it's not usually correlated directly to the critical impact areas of the business. So, yes, this could be a threat, but a lot of Intel analysts aren't highly familiarized with what really keeps the business going. And that's where we're different.

Speaker 1:

Our Intel analysts are intimately involved in what makes the client organization function and what will make the client organization fail, and that right there is a huge ROI when it comes to building an intelligence capability and apparatus that's going to be able to give you early warning or actionable Intel that's going to be able to help you defend off, mitigate or prevent an attack.

Speaker 1:

And so, like I said before, in six months you should basically see some big differences on why and it's going to be particularly that's going to be seen in reports and how we phrase the reports and how it's going to actually appeal and how people feel good about it.

Speaker 1:

It's actually going to be something that makes a difference, but dramatically, dramatically in 24 months, by the level of you should see a lot of ROI, by the level of preparedness for threats that actually have occurred, the security awareness of the employees through the training and the red test that we conduct on a quarterly basis. And, as a bonus a huge bonus the executives to C-suite will have firsthand access to threats facing the company presently and in the future through our BRaaSS chatbot, which is a part of our AI threat engine. We want to talk too much about that. I want to give the whole chip wave, but basically we're working on a machine learning chatbot that will be able to help clients anticipate threats, client-specific threats to the organization, from a predictive analysis perspective. So there's a lot that can come out of that for us ROI.

Speaker 2:

So yeah, yeah, that's great. That sounds pretty good there. So I only have a couple more questions for you, but this is actually going to be from a perspective of a chief risk officer. So the first category that I'm going to be asking the question is going to deal with risk assessment methodology. So what methodologies does BRaaSS use for assessing cybersecurity risk and how can they be tailored to the specific industry and risk profile?

Speaker 1:

Yeah, we kind of went over that earlier. But so the thing is, there's a couple of methodologies that are out there that people I think it's one for resilience in particular it's like a 300 ISO or something like that. Well, the thing is, our experience comes from saving the country. I mean, seriously, it comes from capabilities that we've used for 50 years, starting with OSS, moving to Central Intelligence Agency and then going from there. But, in particular, I use the company uses intelligence. Basically, we use the intelligence cycle as our basis for our method for being able to determine, assess cybersecurity risk and this risk in general.

Speaker 1:

Cybersecurity, once again, once again. Yes, cybersecurity. This is a ChatGPT, spit this out. We know cybersecurity is the big bad wolf of what's out there attacking, but you've got to consider the geopolitical risk, the supply chain security possibilities and natural disasters and climate change. All those are factors that we put into our AI threat engine to assess and provide a predictive analysis of what's going to happen to these companies. And that's just one. That's just four factors that we use.

Speaker 1:

Now what we do so to actually assess the methodology. In a nutshell I mean this is kind of just trying to keep it specific, direct so we establish a priority intelligence requirement, basically priority requirements, based on our CSP, the crisis strategy plan, which provides a business impact threat evaluation. We use that business impact threat value threat evaluation, that's like we do that in about a month's time. It takes about less than a month, about a month, so we can get to work right away, less than 30 days. So we use that business impact threat evaluation to establish those requirements, those pros, priority requirements, all right. Second, we use requirements, those requirements, those priority intelligence requirements, to collect relevant information from multiple sources and databases that are client specific. Now, yeah, I keep saying client specific. Now you know it's not a, you know the client is, we can say, industry specific, but we do try to tailor it back to develop a nexus, a nexus for that specific client. So, if that client has businesses in Ireland, has businesses in Ukraine, has businesses in Israel which is not impossible, has businesses all over the world, what is the threat nexus to that company from a geopolitical, from a cyber, from a supply chain my God, from a supply chain perspective, if that's what's going on right, and so we want to. So we look at that. We basically use those requirements to collect relevant information from multiple sources and databases that are client specific. Then we, or BRaaSS, actually moving to, we analyze that data to ferret out threats to the client, both current and emerging, so we collect that information.
Okay, basically, there's a war in Ukraine, there's ongoing conflicts in Gaza and Israel and we happen to have a company there, or there happens to be a supply chain issue there because of the ongoing war, in barricades and the navies and whatever else is going there, and so we evaluate that and we ferret out threats to the client and what they may have to look at and then we go right.

Speaker 1:

Then, then intel analysts. Once the intel analyst gets information, which is something that's, you know, I'm going to talk about a little bit, is that they get the consultant. The intel analyst and the consultant are two separate personnel. There's only two people, three people, three people to really operate per client in the BRaaSS infrastructure. That is the leader. That's going to be me or one of my partners, and then there is the dedicated analyst and then there's the BRaaSS consultant. That's what pays the fee. That fee, all right, that you will see when you check out the monthly fee, all right. And then the capabilities that go along with that subscription as well.

Speaker 1:

Now, once that analyst finds this information, analyzes that information, hey, you know they have a huge problem over here in you know the Mediterranean, because the supply chain, their size supply chain, runs straight through there, based on our prior CSP, right once, straight through here and there's no way they can get that information. They know where they're gonna get there in time. You know there's no way they're gonna be able to make that. That delivery, therefore one of their critical impact areas is gonna be affected. Okay, and then that analyst will grab the consultant. All right, that consultant will relay that information to the client and that consultant, if they have to, will be taking the trip over to Israel and using those 30, 80 hours within that particular advisory subscription.

Speaker 1:

It goes higher once you go to the threat management fund and in and do what they can per what the client wants, done in particular for that opportunity, because now we're looking at at this point we're looking at a wartime, we're not looking at just business stuff, right, you know we're looking at a situation where we need some sort of intel-ish, you know, diplomatic slash business operator, you know, over there doing things for way, so there may be a team that goes over that but that. But that BRaaSS consultant may be part of that team, because then we have a direct line back to that dedicated intel analyst that's gonna be feeding that information and being able to one keep them safe, keep the organization operators say whoever's over to save to freedom data that we've already worked on and giving them potential avenues of decision for those leaders, because that's what, that's what the CSP does. The CSP gives them potential avenues of decision based in a crisis management requirement, based on a crisis management situation. For the foremost part, all right and that, and that consultant is going to be to convey that information to the leaders and actually potentially, potentially implement that information as well, and so that that's a big part of what we do. So fine, and then finally, you know it once, that's all part of it.

Speaker 1:

We evaluate the data quantified and use a red team to educate the client workforce as well. That's part of that's part of the actual methodology that's just going to low detail side profile. But the but the final part of that process, final part of that methodology, is to evaluate the data, quantify it to use in a routine to educate the client workforce, and then we disseminate that data to both the client in multiple forms, as well as our AI to the engine. So, yeah, that's that's. That's pretty much our methodology. It kind of went off on a tangent, but yeah, so that's that's it. That's that's. That's that's how we do it. Questions on that one Jane.

Speaker 2:

No, that was pretty good explanation. I think it was pretty, pretty clear to me and I hope it's pretty clear to our audience out there who's listening intently. So I have only just one more question for you, and it's kind of a big topic, this particular category of third-party risk, because that has been, you know, kind of one of the issues that has plagued many companies you know, including, you know, within the last several years, Target was a victim of a breach through third-party risk. So what I want to ask you is, with this reliance on having third-party vendors and you know that's increasing these risks, just how does BRaaSS assist in managing and mitigating third-party cybersecurity risk?

Speaker 1:

Well, what we try to do during the CSP. If, depending on, depending on your subscription, I mean that's because that's part of we do we do a level of that in what we call part of the CSP. In part of CSP, we do what we call vendor mapping. All right, we really have to know what regions, in what companies with third-party companies, are being utilized as as part of the critical impact areas that the company faced, the critical impact areas of the company. So we don't need to know every single vendor that the company works for, like you know they got something set up for, you know desktop slack or something. But you know we just need to worry about those vendors that are in the supply chain, in the supply partners, supply chain, that basically could affect their critical impact areas, thus affect the function in the integrity of their organization. And so we map those vendors, meaning we basically we map them literally, we look at, we say okay, what, where is this? You know where is this company, how is it utilized, where is it in relation to the assets of the client organization? And then from there, we you know, we let me, from our experience we look at it from a CI perspective, a counterintelligence perspective. You know how is this company or vendor threatening the company potentially? You know, and this is the thing that you know, this is the undercut one thing of a country. This is the behind the scenes thing. You know, this is not something that you know. No one wants to have a hostile, adversarial relationship with me vendor, third-party vendor I mean.

Speaker 1:

But a lot of times you don't even communicate with third-party vendor.

Speaker 1:

You know they just, you know this is like you know, unless they really is part of your critical impact area where they're literally you're, you know they're, they happen to ship, they happen to happen to ship things over to you or they are your partner, you know, you know the rec partner. So in those, those particular vendors, we really we really scrutinized. But we do look. We look at them and say, hey, what is the intent? You know what is the capability of this organization and who are they associating with outside of the client organization that we support, and so we look at those, that information and no one go too much into the proprietary way we do it. But the bottom line is we make sure, we tried to make sure that there isn't any obvious threats to the organization that we support and we put them on our our list of monitoring. As far as intel and how we look at intel from, from the BRaaSS way, you know, far as they can show that there's no threats to the organization, the client organization. Yep.

Speaker 2:

But that was great, Bob. We really appreciate those explanations to those questions I just asked you. So I'm sure our audience is going to appreciate it as well. So I'm hoping that, after you know you answering very thoroughly these questions that you know, it kind of answers a lot, a lot of the questions that our viewers may have had in their mind, or listeners at that, you know, any case. So yet I think that was great. And you know, you and me, I even have much better understanding, you know, and I'm with you on this whole thing myself. So you know, I don't really have anything else to add except that you know I'm hoping that our listeners have a much better understanding of who BRaaSS is and what it is do we actually bring to the table as it pertains to risk. You know our methodologies and and all the other services that we can provide. So that's really all I have, Bob, so I'm going to turn it over to you at this time.

Speaker 1:

All right, thanks. Thank you, moderate net man, and you know digging a little bit into the humans questions for us, but yeah, so, like I said, this is one of the unusual, you know, I would say podcast that we do most of podcast or not. Going to be explanation about one of our sponsors. It's going to be put, but it's. But it's relevant to what's going on in today's world and BRaaSS, in particular, is relevant to being able to keep keep businesses safe, secure in their integrity and their capabilities and resilience in intact.

Speaker 1:

And so you know we're in and I didn't want to. You know, asshole too, I didn't want to keep saying you know this podcast is brought to you by BRaaSS. You know I'm trying to give you a quick, or you know, understanding, but hey, so now you can actually find a BRaaSS episode and there it is. But yeah, I appreciate the time. J. Thank you again and hey, by the way, in the show notes, if you have any questions and any more curiosity, the link to the BRaaSS website and any information pertaining to it will be in the show notes and that's all. So appreciate it and we will be back next week with some, some real deal explanation of how to put foot to ask some. That's a real new explanation how to take care of the bad guys. Anyway, thank you and we will talk to you soon.

Speaker 2:

Take care, folks, I.

BRaaSS Business Resilience Introduction and Strategy
Strategic Alignment and Threat Preparedness
Enhancing Security Through Advanced Threat Management
Cybersecurity Risk Assessment Methodology