Bridging the Cybersecurity Knowledge Gap for Consumers

How MSPs Can Make Cyber Concepts Tangible

Here’s a big “Thank You” to Matt Fisch for inviting me to appear on the FortMesa MSP Cyber Roundtable in celebration of July 4th!

Over 300 people registered to watch this webinar.

This was our first opportunity to talk publicly about our newest product — Cyber Fortune Cookies™.

Video of the webinar is above, but if you’d rather read than watch, here’s a handy transcript:

Matt Fisch

Thank you for joining us and we will be getting started in about a minute. Hello, everyone. Thanks for joining us on another episode of the MSP Cyber Roundtable.

We’re actually joining you a couple of weeks ahead of the July 4th holiday. We’re pre-recording. Sorry, guys, you’re at home or at your barbecues and you’re scrolling through social media and you’re seeing this and we are also doing the same thing.

However, I’m really excited that we had the opportunity to bring Anthony Collette from Loistava on today. He’s doing something really, really interesting and neat in our industry, which is he’s bringing physical education products into the cybersecurity awareness space. We’ll get more into that in a few minutes.

But Anthony, I’m trying to set up the perfect July 4th holiday for myself. So tell me where and what are you going to be enjoying? I guess it’s today, right now. Where do you anticipate you’re going to be? Are you going to be at a barbecue? Are you going to be on the beach? Where are you?

Anthony Collette

Well, we’re going to be on a lake for sure. We’re here on Lake Washington. We’ll probably go to a local town called Kirkland that has this awesome lakeside park. It’s a great place.

And on holidays there’s always great events there. So there’ll be a great event there to attend.

Matt Fisch

Is there a food you’re looking forward to at this time of the year?

Anthony Collette

A food? Well, nothing beats a burger. An outdoor grilled burger is always a great thing.

Matt Fisch

Are you the person at the grill or are you like just like asking for the order and having it served up to you? You know, I’ve done both. I like to grill. 

Anthony Collette

It’s kind of fun. It’s sort of like a caveman kind of activity. You can grill. It’s kind of fun. Either way is fine. But there’s got to be burgers and there’s got to be some potato salad in there somewhere.

Matt Fisch

So I’m actually I presume most people watching don’t know this about me. I’m a lacto-ovo vegetarian, which means I don’t eat hamburgers. However, I love manning the grill.

And, you know, if I’m at a barbecue, I’m just magnetically attracted to it. I’m the first guy there, turning on the propane, cleaning, getting everything cleaned up. And then people are handing me slabs of meat and I’m cooking it up.

And I have no idea when this stuff’s done because I don’t actually eat it. But I like the grill station. Yeah. 

All right. Well, so we’re going to get into Topic of the Day later. But let’s talk a little bit about Anthony Collette and the story that brought you to this Loistava vehicle you’re in right now. So I understand you’ve had some exposure to physical products for a while. So tell me about what brought you here to this space. Your journey.

Anthony Collette

So 10 years ago, in the summer of 2014, we went out to see a movie.

There was a preview for an upcoming movie. And it had Benedict Cumberbatch in it. And he’s kind of cool. 

And this movie was called The Imitation Game. I had never heard of it. It was about these spinning gadgets and wires and code breaking at Bletchley Park and all that stuff.

And I had never heard of any of that. But it all looked really cool. So after that movie preview, I started looking into, what is that? What is that whole Bletchley Park, code breaking stuff? What were those spinning gadgets? And that led me into the historical aspect of cybersecurity. That was really very interesting.

And my partner in this endeavor develops consumer products on an enormous scale. Physical consumer products, private label products for large retail organizations like Dillard’s, JCPenney, Nordstrom, that sort of thing. There’s this laser focus on “who is the customer?” and “what do they need?” and “what do they want?” And “how do we create a product for them that meets their needs?”

I’ve been hearing those stories from the front lines of consumer product development for 18 years now. It was this combination of things. We looked around the world at what was happening. It seemed obvious to us that cybersecurity was going to be one of the core issues of our era. Five years ago it was bad. There were a lot of hacks and problems going on, but we felt it would get worse, and it has gotten worse. We also noticed that there was this gap between what the cybersecurity folks understood and talked about amongst themselves, and how that message was getting out to ordinary consumers. And we thought, well, one of the ways to bridge that gap would be to use physical products.

We’ve always used physical teaching tools in learning environments to help learners understand unfamiliar concepts, we’ve always done that. And even now, with all the digital tools that are available to us, you’ll still find physical teaching tools in learning environments everywhere from kindergarten up through medical school. Even in medical schools, there are still physical models of joints and hearts and skeletons and all this kind of stuff, because those physical tools help people understand concepts that aren’t familiar.

It’s that combination of things, what can we make that’s physical, that helps people understand, that makes a connection? And how do we focus on the end user?

Matt Fisch

So, yeah, I mean, that’s, you know, I’ve got a sneak preview, of course, but I remember the first conversation we had where I was thinking, well, how do we make this physical, right? I understand scale models of a knee, like visually, how do you do that with cybersecurity? I’m thinking like back in the day, you know, cybersecurity bugs were actually physical bugs in the machine, but clearly that’s not something you can package up and sell. So what would this look like? We’ll get into more of that in a minute. Tell me more about what led you to that point in your career or your life where that was an interesting project you wanted to take on.

You landed with, you had some knowledge of what it takes to bring a physical item and put it in people’s hands and make it tactile, so it could be learning, but how did you arrive there?

Anthony Collette

All of this cybersecurity advice that’s being given to consumers, it all seemed to us to be kind of fuzzy and not very pointed. Our goal should be to find the best cybersecurity advice and transform it into physical reality.

We looked around and wondered, not, “What does Uncle Vinny think?” But what do responsible, well-respected organizations, what is their advice? We looked at what 1Password is telling consumers, which is kind of interesting.

Matt Fisch

Let’s not pop that bubble yet.

This specific advice, I think it makes sense to drill down when we get, so we’re going to go into lecture in a moment. I’m going to be talking about boring cyber risk stuff, but then we’re going to come back out. And I definitely want to go into, we’ve got a few different products that you guys came up with that are going to be either available in the next few weeks or in a few months.

But let’s, let’s go into, let’s go into lecture today. We’re going to be talking about cyber risk.

So generally, and before we get into the larger topic of the day about how people can actually impact cyber, cyber risk at the personal level, it’s really important to even define what, what is cyber risk. And, you know, just on its, on its most basic essential level, cyber risk is a type of risk, right? So when we look at what’s risk, it’s exposure to loss, a bad thing that’s happening, right? A bad thing that could potentially happen. And that possibility is actually really important because risk is actually statistical.

You know, when you have risk, that doesn’t mean the bad thing’s necessarily going to definitely happen tomorrow. It means it could happen now or tomorrow or next year. There’s some amount of chance of that happening.

And then when that happens, there’s some amount of chance that it will either be a little bit bad or very, very bad. And, you know, how bad really depends on what type of risk, what are, how much of a loss, who did it affect? In general, when we talk about risk in cyber risk, we’re talking about risks that impact cyber technical systems. But organizations have all sorts of risks, many of which could be associated with cyber, some of which aren’t always associated with cyber, but are, but have a cyber angle to them.

And I just want to talk about those because when we’re thinking about cyber risk, if we’re not thinking about all of these things, we’re not really performing the mental exercise to put us in a place where we can anticipate a cyber risk. So there’s I think asset risk is the thing that’s most closely associated with cyber. The idea that an attacker is going to break in and they’re going to like break a device, they’re going to put cryptoware on it, they’re going to ransom you.

Right? They’re breaking and they’re impacting a specific asset. I want to stretch that definition a little bit, because while I think physical assets are something people are familiar with, there’s also data assets.

There’s people assets. There’s lists of things that an organization has that can be inventoried so that you could say, oh, yeah, this is a user account that’s safe or not safe. This is a PC that’s safe or not safe. 

It has important company data on it or it doesn’t. Right. So that’s assets. 

But there’s also political or regulatory risk that’s oftentimes associated with cyber. So I’m talking about things like in the case of regulatory risk, I think people are familiar with, oh, you need to be HIPAA compliant in the healthcare industry. Right. 

You might need to be GDPR compliant if you’re in the marketing industry. But there’s also political risks and, increasingly in this world, political fallout anywhere in the world can have an impact on cyber technical systems in your house, in your company. 

Right. And then, of course, there’s legal risks. So you might think about either contractual or liability issues related to a failure of cybersecurity.

If there’s a failure of cybersecurity, am I legally going to be in trouble? Is my organization going to be at risk? Is there going to be a liability associated with, oh, there was an incident. And now I’m responsible for damages. And then operational risks, which is the thing I learned earliest in my career about cyber technical. If there’s a cyber technical failure, is your organization even going to be able to operate? If the printers go down and you’re a company that ships physical products, that actually means you can’t ship anymore.

If you can’t put the shipping labels on, you can’t ship. And in some organizations, if you’re not shipping for an hour, you’ve lost a bunch of money and you will never get that money back. Because there’s a limit to how much you can ship in a day. 

Right. And if you take too long to deliver an order, it’s gone. So operational risks are important. 

And then, of course, there’s the competitive risks. If you’re not effective at cybersecurity or communicating your cyber compliance or cyber safety with your organization, are you going to lose out on business to a competitor that’s much better than that? I think these are all the things we normally associate with cyber. But there’s some other things, too. 

There’s systemic risks. And this is the one that really keeps me up at night. I worry that our industry is not doing what it needs to keep the world safe and that we’re not going to get, the people aren’t going to take this seriously enough until there’s a large correlated loss event that affects the whole world or a whole country.

And I’m thinking the things that I’m scared of are these cyber events that are as impactful or even more impactful than, for example, COVID. Right. There are potential modes of cyber failure that could stop our transportation systems, they could stop our electrical grids and make it really difficult to recover.

So those things, those are systemic risks I worry about. Of course, there’s also financial risks, like someone could actually steal money out of your account. Right. 

We could go further down that list. But I think that I’ve made, I’ve emphasized that there’s lots of different risks that are associated with cyber that go a little bit beyond, hey, my account could get hacked. Right.

Now, when you’ve identified those risks, then you can have a conversation. You can start thinking, how am I going to deal with that? Right. So to have that conversation, you do need to frame that theoretical and talk about it. 

So in terms of an asset risk, as an example, our data has been destroyed. Our business operations are stopped. Right. 

That’s a potential thing that could really happen.

Legal risk. You could be the subject of a lawsuit. Right.

Operational risk. I brought up that if the printers are offline, competitive risk, you know, you’re losing that business to a competitor. 

These are things that need to be in a conversation about cyber risk. When someone’s talking about cyber risk, they’re talking about preventing cyber losses at the organizational level. If you’re not talking about all of these things, you’re not really internalizing at an organizational level what cyber damages can really look like.

And then, of course, what do you do about cyber risk? What is risk management? This is sort of the technical answer is you can do these five different things. You can either avoid risk by, as an example, retiring an asset, removing admin privileges or simply not engaging in a business activity that’s risky. Right.

You can reduce risk. And this is the thing that I think our technical infrastructure partners are most familiar with, which is buy a security upgrade, buy a thing that makes you safer. It’s not always the most cost effective thing because there’s a diminishing returns ability to buy your way to safety. 

Right. At a certain point, you can’t buy any more security, yet you’re still not going to be 100 percent safe.

You can transfer risk. So this is we’re talking about insurance. Right. 

Insurance is one way to transfer risk. You call up an insurance company and you say, hey, I’d like to buy some cyber insurance. And they say, OK, if this bad thing happens, we’ll pay out the five million dollars. 

And you say, OK, that’s great. It only cost me five thousand dollars. That sounds like a thousand to one return on the potential thing that could happen.

It’s complicated, though. You can’t always transfer your risk, all of your risk. There are some things insurance companies won’t insure. 

There are other things that you might think you are covered. But if you didn’t have those coverages right or you told your insurer, hey, we’re doing this really great cyber security stuff. Turns out you weren’t so great at it. 

Your cyber insurer may deny your claim. So you can’t 100% transfer your risk.

There is one other way to transfer risk. 

And our service provider partners should really be aware of this, which is you can transfer or outsource a business activity to another organization. And the reason I want to draw attention to this is many of the people watching here are service providers and your clients are actually transferring their risk to you. And you need to treat it that way. 

They’re transferring risk to you. So are you effectively now managing that risk that they’ve transferred to you?

And then there’s one more here that I think is underutilized, and I want to take a moment to stop here. Let’s take a breather. 

So you can accept the risk. And by accept the risk, I mean, you talk about the risk. Hey, orders might stop. 

We might be offline for up to 18 hours. Right. You can talk to your stakeholders about that. 

And it could be decided that, you know what, we don’t want a whole other set of infrastructure that would make everything redundant. We’re just going to accept that risk. We’re going to document. I accept the risk. We’re going to make the decision not to invest. And I want to contrast this from ignore, OK? When someone doesn’t invest because they don’t exercise a decision making process, that’s ignoring risk. It’s not defensible in court. It’s not defensible in arbitration.

One could argue it’s unethical or immoral to just ignore problems, right, to just pretend they don’t exist. Accepting risk is not the same thing. Accepting risk is becoming informed, documenting a decision. 

And as a service provider, it’s really important to sit down with your clients. And for any risk that you can’t avoid, reduce or transfer, take those ignored risks and move them into accepted risks. And if your client doesn’t want to accept that risk, the answer is not ignore it. 

The answer should be avoid, reduce or transfer. So have those conversations. So anyway, that’s a big what is risk? What is risk management? What is cyber risk? How do we frame it? How do we do something about it? Wanted to have that basic conversation today.

And with that, that’s the end of my lecture here. Anthony, I know you’re in this consumer cybersecurity angle or taking that personal angle to cybersecurity. And it’s true, actually, you might be unaware of this, but I consider and most of my peers in the industry consider about two thirds of cybersecurity to be people.

And what people do or don’t do. And I’m talking about individual people like every person in the organization, but also the people that are tasked with security responsibilities. 

There’s a set of things you should be doing or not doing. And being aware of that or being knowledgeable, that is really important. And I think in our industry, you may be unaware of this part, but there’s been a big drive the last 10 years to push cyber awareness out. And I would argue we’re not doing a very effective job at it, because at this point, we’ve done things like we send fake phishing emails to people to see if they click on them. But that doesn’t really necessarily lead to the type of awareness that, for example, your products address. 

Or for the types of things I just went over about, hey, your organization should be thinking about how this can affect you and you should be making an informed decision on what you’re going to do about it. 

Right. Which is also a type of cybersecurity knowledge, even knowing that there’s a process. Right. 

To arrive at a decision is something that people don’t know enough about. Now, you’ve decided and we were getting into it right before the lecture to address a couple of these that you talked about. You didn’t use the word, but I’m thinking tangible. 

Anthony Collette

Right.

Matt Fisch

There are cybersecurity concepts that are intangible and you wanted to make them tangible. 

Anthony Collette

Exactly. 

Matt Fisch

So I think before we get into the specific products, you’ve got some physical products and your team’s had some experience. Are we allowed to talk about some of these experience brand names? Is that something? So tell us about some of these experiences that happened before today. 

Anthony Collette

My partner is a consumer product developer. He’s got 25, 30 years of experience developing private label consumer products on an enormous scale. We’re talking about developing consumer products that sell $100M a year.

Or the second project he did for JCPenney, those were consumer sales of $400M a year. He grew both of those product programs about 20 percent to get to that point. Currently, he develops physical consumer products for Pokémon. 

This is not the stuff you’re used to seeing from Pokémon. Pokémon is almost 30 years old. About eight years ago, they decided to experiment with creating physical consumer products that their fans would enjoy. This is not the games or the cards or the videos or anything like that. They experimented with that eight years ago, and about four years ago, they said, hey, we like this. Our fans like this. Let’s do more of this on a bigger scale. They started bringing in people from Big Retail who had experience doing that.

I’ll give you two examples of that. They said, why don’t we do a collab with the Van Gogh Museum? Now, on the surface of it, that sounds kind of crazy, right? What does Van Gogh, a post-impressionist Dutch painter, have to do with Pokémon? On the surface of it, there doesn’t seem to be much of a connection. But Pokémon did that collab with the Van Gogh Museum, and the Van Gogh fans and the Pokémon fans loved those products. 

They literally sold out in 35 minutes. The people loved that.

Also, another example would be that making physical products isn’t only just about, I want to make stuff to sell. 

Another example at Pokémon or any company of that age, when your original fans become adults and they have kids of their own, the question comes up, how do we empower our now adult fans to share their love of the company or the products or the characters with their own kids? How do we do that? That was a challenge. And one of the responses to that was, well, where are parents and kids together and there’s a good, happy vibe? Hey, in the kitchen when they’re baking cookies or brownies. So the groups at Pokémon developed Pokémon-themed cooking utensils, spatulas and other things so that they could use that in the kitchen while they’re having a good time. 

So it’s not just, let’s make stuff and sell it. It’s what is a strategic goal we have? What are we trying to do? Can a physical product help do that? So yeah, there’s a couple examples there. 

Matt Fisch

Now, we’re going to come back to that food angle in a minute, but your go-to-market for these physical products, which we are going to introduce in a moment, I think is with recognition of the fact that people don’t go to the toy aisle and say, let me see what cybersecurity product my 12-year-old may enjoy or my 8-year-old may enjoy for their birthday present. 

That’s not what we’re imagining here. Basically, cybersecurity is medicine, right? And that’s how it’s delivered right now. And I think this is where our audience, I think, might be really excited, which is that we work with hundreds of service providers that they’re visiting client sites, they’re having client meetings, and they want to leave behind this impression that they are going to keep their clients safe for cybersecurity.

But the dual side of that is that the clients actually need to do some things on their own as well. So there’s a potential really interesting intersection between you wanting to take these cybersecurity products into the physical world, and the service providers wanting to leave behind a mark in the physical world, right? And I think that one of the ideas that you’ve been talking about is, hey, booth swag is boring, right? And it could be less boring and could be way more practical. And so we’re going to talk about some swag ideas. 

But I think that for our service providers, I think this is also the type of stuff that you could leave behind with your clients.

Anthony Collette

Oh, absolutely. For sure. 

Matt Fisch

Well, we’ve got a few products here that are in various stages of development. So should we start with the fortune cookies? These are launching, you said, the target’s around August 1? So Cyber Fortune Cookies™, people can go out to the website CyberFortuneCookies.com and sign up to wait?

Not quite yet. We’re doing the wait list in July. 

Anthony Collette

Certainly, we’ll be able to do that by then. 

Matt Fisch

So sometime later this month, you’ll be able to go out to the website. You’ll be able to, of course, be informed when these are ready to buy. And then you should probably do that quickly because hopefully they’re all going to sell out fast, right?

Anthony Collette

We’ll have to reorder more.

I spent a lot of time talking to cyber vendors at conferences here in Seattle. 

And they had a lot of the same concerns: that people were tired of the same old swag. They wondered how do we stand out from the other vendors that are here? Everyone looks the same here in the Vendor Hall. Does anybody really need another imprinted pen? Half of this stuff winds up in a landfill anyway. 

There were a lot of concerns they had.

Matt Fisch

So what’s inside the fortune cookie? You open it up and what?

Anthony Collette

Right. Inside the fortune cookie is a cyber-themed fortune. There’s something related to cybersecurity inside each cookie.

Matt Fisch

Are they bad or are they good?

Anthony Collette

No, they’re good. We’ll keep it positive, right? Thinking about the vendors who are there at a cyber event, we’ll touch on things like password hygiene, we’ll hit the basics, using a password manager, that sort of thing. For the cyber conferences, we might look at specifics, we might want to touch on non-human identity issues because that’s becoming another area of real concern. We’ll finalize 10 or 12 of these cyber fortunes that randomly appear in the cookies.

That’s what we’ll do for the cyber conferences. And then we’ll have another version that’s less technical, that’s meant more for general business use or for exhibitors at a non-cyber conference or for a security awareness event. There will be a Technical Version and then The Basics kind of batch.

Matt Fisch

Well, I’m looking forward to those becoming available. So we’ll make sure to get the word out when those are available. But you’ve got some other interesting products coming down the pike here too. 

Actually, before we move on, you’ve got normal fortune cookies, but then you said something about there’s an extra large fortune cookie.

Anthony Collette

The folks who manufacture these awesome cookies, we’ve got some samples from them. 

They also produce an enormous giant fortune cookie. So there will be one or more GIANT Cyber Fortune Cookies™ with a foot-long cyber fortune inside. These things, they’re huge, they weigh a pound.

And the idea is that for part of this campaign, the vendor could raffle off one of these GIANT Cyber Fortune Cookies™, which would be kind of fun. It’ll be there. It’s kind of fun to look at. 

I don’t know how many adults would really want a giant fortune cookie, but I think most of the adults would look at that and think, my kids would love that if I brought that home. So that’s how we’re targeting that.

Matt Fisch

All right. I’m going to move on to the next one here. Now, this is in development, right? You’re seeking a partner that really wants to bring this to market with you. So you’ve manufactured these dice. Insert brand name here. So tell us about what the intent here is.

Anthony Collette

Most normal folks encounter cybersecurity in the identification or the authorization area, right? It’s about passwords, that’s where most ordinary folks encounter cybersecurity. 

Our goal was to look for the best advice and to transform it into physical reality. We looked at what 1Password is telling consumers on their website. Basically, 1Password says, our password manager makes all these different styles of passwords. 

We’ve ranked them for you from the crappiest style, all the way to the best style, the strongest one. We looked at what 1Password is telling consumers was the strongest kind of password. And we made a physical model of that which actually works.

If you roll these 14 large dice together, you get exactly that kind of password that 1Password says is the strongest one. What’s important about that? Consumers really respond well to hyperbole — biggest, strongest, fastest, smallest. 

These kinds of statements, they simply resonate with consumers. We had that in mind as we produced this. This is what a consumer could use, or it could be in a learning environment to show people, this is what a password manager will do for you.

This is the physical version of a password generator. Yeah, so that’s what that is. That’s CASTALOT® Dice.

Matt Fisch

The symbols make sense to me. Help me understand, are there actually 26 sides on these letter dice?

Anthony Collette

There’s 26 sides on the letter dice. There’s 30 sides on the number dice, because it’s numbers (0 – 9) times those three sets of numbers. 

And there’s 32 sides on the special character dice, because there’s roughly 32 special characters on a standard US keyboard, that are special characters. We looked into password research, and it turns out a lot of ordinary people aren’t even sure what a special character is. Is it punctuation? Is it not? Can I use this? Can I use that? Basically, all the special characters you can use are on those special character dice. 

As long as the website accepts them, you can use them. That is how to turn password advice into something physical, into physical reality.

Matt Fisch

I would love to leave that behind with clients, even if they don’t carry these around in their pocket to generate passwords. I think the experience of seeing what a random password really looks like, would be, most people have not used random password generators, they may have used the Suggest a Password button, in which case they forget about the whole experience. 

They didn’t even see the password, because it just gets filled in. But I think very few people have had the experience of toggling all the dials on a random password generator and clicking Generate and really experiencing that. So this is a neat thing that could live in an office.

Anthony Collette

In a learning environment, if students or learners were using that, that’s going to create some conversations. They’re going to ask some questions about that, like, why is this the strongest kind of password? Or, you don’t expect me to memorize this, do you?

Matt Fisch

So you’re seeking sponsors for this product right now and go-to-market in a few months, right? 

Anthony Collette

Right, exactly.

Matt Fisch

All right. Anything else you want to share about the – these are the CASTALOT® Dice, right? 

Anthony Collette

CASTALOT® Dice, yes. We have design patents on these dice all over the world. We have trademarks for them also.

Matt Fisch

Great. All right. We got at least one more here.

So GhentWare, which, as I understand it, there was some existing guidance out there. Is that right, from the Electronic Frontier Foundation? Or do you work with them? Tell me about this kit and what it does and where it came from.

Anthony Collette

Diceware is a system to create passphrases composed of random words. It’s a way to pick random words to create a very strong passphrase that you would use to unlock your devices or to lock down your password manager. It’s been around for about 25 years. 

We looked at it some years ago and thought, it’s just not ready. You couldn’t make a consumer product out of it in the form it was. But there have been some changes to it.

There was a lot of research done at the University of Ghent in Belgium. And then the Electronic Frontier Foundation took that research and turned it into a new word list. And with the new word list, we felt that Diceware was something that could be packaged as a consumer product. 

So the Electronic Frontier Foundation tells people, download this 65-page book and print it out at home. That’s problematic for a lot of people. We felt, what if we made a completely self-contained kit? It’s a stand-up pouch with a printed book. 

The word list is inside in a book form. There are worksheets. You don’t have to use worksheets if you’re familiar with it, but maybe the first time around you could use them.

And there are five dice. These are standard dice, six-sided dice that are what Diceware has been standardized on for a long time. Our goal with this was to create a freestanding, completely together product that could be simply handed to someone. 

You’re not asking anybody to download anything. There it is. One interesting dynamic with Diceware is that in the past year, the government of Australia is now telling all of its citizens, go to the Electronic Frontier Foundation website and use Diceware. 

Passwords are passé. Don’t use passwords anymore. Do this. 

It’s interesting that a country like Australia is telling all their people to do that. We post about that once a month on LinkedIn and tell people about it.

Matt Fisch

It’s funny. The people I know in Australia love to rag on their own government and complain about some of these cyber topics. But as a North American, I look at what they’re doing there. They’re actually doing some really cool stuff across the cyber spectrum.

You may not be aware of it. They’ve got this Essential Eight thing. They’ve got an information security manual that’s really quite in-depth compared to what most nations publish. 

And they keep it up to date every month. So really, they’re leading there. By the way, I use phrase-based passwords. 

And I don’t use dice to generate them. But I’m a big proponent of this. And I teach everyone to use this. 

People look at the passwords I type in. They’re like, oh, that looks really long. It’s like 30 characters. 

And I’m like, well, it’s not that complicated. Because it’s a series of words. And words are way easier to remember than random letters and numbers and symbols.

And I use a process called a memory palace to store my passwords. And you may or may not be aware of this. 

But human visual memory is actually much stronger than the type of memory you use to memorize passwords and words. And so you can use that visual memory in a space inside your head to store passwords or a whole book of passwords, which is pretty neat. So anyway, this one’s available for branding, too. Is that right?

Anthony Collette

Right. The idea is we would work with most likely a larger cybersecurity company and co-brand these products and bring them to market that way.

Matt Fisch

Yeah. So that’s exciting as well. But this is available today, right? You can order this on your website?

Anthony Collette

GhentWare is not available as a consumer product yet.

Matt Fisch

Okay. Okay. And then I understand you have a bunch of awareness stickers that are also available on your website. So I’ll endorse those as well.

Well, I’m just really interested in your process. I mean, these things all make sense. 

But if you had asked me, how do you take cybersecurity and turn it into a physical product, I would probably be scratching my head for half an hour.

Anthony Collette

You know, early on, we had a conversation with a general manager of a VC fund that only invests in cybersecurity software companies. He knew that we weren’t doing software, but he wanted to talk to us anyway. And he said, our industry is kind of young. We don’t have physical products that really do anything yet.

So if you guys can think of something that’s physical, but actually works, our portfolio companies would use them for a variety of different reasons. We would use them to onboard new employees and tell them, we’re really concerned for your online safety. 

Here’s a product to help with that. Oh, and by the way, you don’t want to use your same credentials here at work that you use at home. You want to keep those separate.

He felt it was a good point in time to have that conversation with a new employee as you’re onboarding them and giving them something physical. And for the sales folks to give to potential clients or existing clients. He rattled off a number of use cases and we said, “Thanks, Roger. That’s great.”

We took that list and put it in a pinned article that we have there on LinkedIn. There are quite a variety of uses for these products.

We heard from cyber vendors at conferences that they really wanted something new and different.

Matt Fisch

Well, I can’t wait for the Cyber Fortune Cookies™ because those are coming first, of course. 

Anthony Collette

And they taste great.

Matt Fisch

I go to a lot of cyber conferences too, and most of the swag is horrible. There’s been, of course, the stick-on camera covers that were popular over the last five or 10 years. Although these days they’ve become so popular that my laptop has one built in now and that’s becoming increasingly common.

Anthony Collette

Lots of socks, right? You see socks at every conference.

Matt Fisch

Yeah. Well, I don’t know the cyber angle of the socks, but they definitely keep my feet warm.

There’s connectors to keep your charging ports safe when you’re charging your mobile phone in public. I’ve seen those, but I’m really excited to see these come to market and also whatever you come up with next, Anthony. So please keep us updated. What else do you want to share? We got a few minutes here. What actually needs to happen to take some of this stuff to market? I mean, you’ve got to find your sponsors. But then what? Right. You’ve got to come up with a brand concept or? Right. 

Anthony Collette

In the world of physical products, it’s a little bit different in that the designers of the products are generally not the heroes. It’s always the product that’s the hero. 

Do you know who designed your car? No. Most people don’t know who designed their house. So, it’s the product that’s the hero.

Each one of these products will have its own personality, its own look and feel. They’ll all come from us, but the idea is that each product will be its own little hero.

And what else can I say about that? We look forward to this – Cyber Fortune Cookies™ project is almost completely done. That will be available August 1st. We’ll most likely launch that here in the Seattle area at a cyber conference.

So pretty soon we’ll be able to tell stories about cyber vendors who used our products and how our products help the cyber vendors exhibit at conferences. One of the big issues we heard from them was they really wanted to stand out and they wanted to make a nice, warm connection with people and attract people to their booth.

Matt Fisch

Well, I’m looking forward to all that stuff.

So next week, we’re actually meeting with the Tech Degenerates on the MSP Cybersecurity Roundtable. This is on Friday, July 19th. Don Sizer and Henry Trim are coming to talk to us about how they’re working with their group on the CompTIA Cybersecurity Trustmark and getting their service providers and vendors compliant with it.

So I’m excited to talk about that. We’re also going to talk a little bit about some vulnerability management basics. But as always, come check us out on the website, on our YouTube, @FortMesa, like us on LinkedIn. 

And I will see you guys next time.

Anthony Collette

Well, thanks, Matt. I really appreciate it.

Matt Fisch

All right. Thank you.
