AI in Insider Risk and Cybersecurity with Michael Crouse

Protecting Your Digital Fort: Michael Crouse of Everfox on Insider Risk and Security Innovations

Episode Overview

Episode Topic:

Welcome to an insightful episode of PayPod. We get into the critical subject of AI in insider risk and cybersecurity with Michael Crouse, the director of Enterprise User and Data Protection at Everfox. Crouse shares his extensive experience in cybersecurity, focusing on the often-overlooked aspect of insider risk. The conversation explores how AI is revolutionizing the way companies address and mitigate risks from within their organizations. Michael explains the importance of understanding employee behavior and implementing effective insider risk solutions. As technology evolves, so do the threats, making it imperative to stay ahead with innovative approaches.

Lessons You’ll Learn:

Listeners will gain valuable insights into the intersection of AI in insider risk and cybersecurity. Michael Crouse discusses the significance of focusing on insider risk rather than just external threats. You’ll learn about the advanced tools and strategies Everfox employs to protect sensitive data and ensure compliance with regulations. Michael emphasizes the importance of visibility and understanding the root causes of insider threats. This episode highlights the need for a holistic approach to cybersecurity, incorporating behavioral analysis and AI to create robust defense mechanisms.

About Our Guest:

Michael Crouse is a seasoned cybersecurity expert with a wealth of experience in both government and commercial sectors. As the director of Enterprise User and Data Protection at Everfox, he specializes in high-assurance defense-grade solutions. Michael’s background includes working with the Department of Defense and the intelligence community, giving him unique insights into the challenges and complexities of cybersecurity. His passion for safeguarding national interests and his innovative approach to insider risk make him a leading voice in the industry. Michael’s expertise in AI in insider risk and cybersecurity is invaluable for organizations aiming to protect their data and assets.

Topics Covered:

This episode covers a wide range of topics centered around AI in insider risk and cybersecurity. Michael Crouse explains how Everfox uses AI to analyze and mitigate insider threats, ensuring that sensitive data remains secure. The discussion includes the importance of understanding employee behavior, the role of compliance regulations, and the challenges posed by evolving technologies. Michael also touches on the psychological aspects of cybersecurity, highlighting the need for a multidisciplinary approach. Listeners will also hear about the differences in cybersecurity strategies between government entities and commercial organizations, and how lessons from one can benefit the other.

Our Guest: Michael Crouse – Innovating AI in Insider Risk and Cybersecurity.

Michael Crouse is a highly respected cybersecurity expert with extensive experience in both government and commercial sectors. As the director of Enterprise User and Data Protection at Everfox, he spearheads efforts to develop and implement high-assurance defense-grade solutions that address insider risk and cybersecurity challenges. Michael’s journey began with a background in electrical engineering, having studied at The University of Akron. Over the years, he has transitioned from technical roles to leadership positions, showcasing his versatility and deep understanding of cybersecurity dynamics. His career is marked by a blend of technical acumen and strategic vision, making him a pivotal figure in the industry.

Before joining Everfox, Michael held significant positions, including Senior Vice President of Sales and Marketing, where he worked closely with the Department of Defense (DoD) and the intelligence community. His role involved not only advancing cybersecurity measures but also understanding the intricate details of insider threats. Michael’s early career included a co-op position at the National Security Agency (NSA) during the 1980s, a formative experience that ignited his interest in safeguarding national security. This unique blend of technical expertise and strategic leadership has positioned him as a thought leader in the cybersecurity realm, particularly in the niche of insider risk.

At Everfox, Michael Crouse is dedicated to advancing the company’s mission of protecting critical data and networks against complex cyber threats. His work focuses on understanding and mitigating insider risks through advanced AI technologies and behavioral analysis. Michael emphasizes the importance of addressing the root causes of insider threats and implementing comprehensive security measures that go beyond traditional approaches. His insights and strategies have been instrumental in helping both government entities and commercial organizations strengthen their cybersecurity frameworks. Under his leadership, Everfox continues to innovate and lead in the field of insider risk and cybersecurity.

Episode Transcript

Kevin Rosenquist: Hey, welcome to PayPod, where we bring you conversations with the trailblazers shaping the future of payments and fintech. My name is Kevin Rosenquist. Thanks for listening. Today I’m chatting with Michael Crouse, the director of Enterprise User and Data Protection of Everfox, a prominent cybersecurity company specializing in high-assurance defense-grade solutions. Michael focuses on insider risk, something most people don’t think about when considering cybersecurity. Are your employees properly trained on how to handle sensitive data? Are they clear on what negligence is? Are they disgruntled or are they unhappy with the C-suite? These are the questions Michael and his team ask as they help companies keep their data safe. He is an expert on this topic, and he has insights into an area of business protection that many people aren’t thinking about enough. Please welcome Michael Crouse. So you play a pivotal role with Everfox. You’re helping protect against cyber attacks. You implement insider risk solutions. And if being knee-deep in cybersecurity during the rise of AI wasn’t hard enough, you work heavily with government entities as well, which we all know can be very challenging. I guess my question is, why are you such a glutton for punishment?

Michael Crouse: Oh, boy. So I can kind of say this because I like the challenge. So if you look at where cybersecurity has come, basically security in general, especially technical security, it’s kind of evolving because the requirements are evolving, the technologies are evolving. But it’s at the heart of it is understanding people’s behavior. Whether you’re doing insider risk, whether you’re doing cross-domain, whether you’re doing something, it’s all about an individual. It’s all individual moving data. It’s all on. How about individuals accessing data? It’s all about an individual who’s communicating with employees or communicating with their boss. It’s all about understanding the behavior of individuals. So if you’re like me and very curious you want to get into cybersecurity. The technology and the tools have evolved. But I think the mission’s evolved because you think about it. Let’s take insider risk. What was probably the number one priority for insider threat? And oh, by the way, I’m calling it insider risk. Nowadays, people always kind of want to talk about insider threats. But I think that’s kind of old school because that is it’s not to understand the threat, it’s to understand the risk and the vulnerability to your organization. If you can mitigate the risk, you will mitigate the threat.

Kevin Rosenquist: So kind of like risk comes before the threat.

Michael Crouse: Yes. It’s understanding that right away. But if you look at what happened before it was all about I gotta stop data from getting out of my organization. Right. DLP action. I need to stop data. It’s leaving my organization. But never nobody understood. Well, why was this individual or group of individuals trying to send data outside the organization? Why was it something you did from a policy perspective that was more restrictive than the kind of showed them workarounds about your goals? Or was it something they’re having problems internal personal problems that are impacting their ability to safeguard your information? If you understand that part you can then understand that it’s something we can impact and change. So that’s to me, what is the fun part? Because it changes every day and it changes with every person or every individual because it’s very very personalized.

Kevin Rosenquist: It sounds like your approach almost is like you have to be part of a psychologist.

Michael Crouse: Yes. That’s a big thing, I think in the past, if you look at the technology, technologies provide you the visibility, they provide you the information, the details, but to analyze the details, you need to have a little combination of data science, behavioral scientists, psychology. You have to understand what it gets to the actual investigation and prosecution. Yeah, you might want to have somebody who has more about counterintelligence background or police investigation background to kind of go into it, but understanding that root cause, because that’s the big part, understanding the root cause of why the behavior happened, that’s critical.

Kevin Rosenquist: You’re an engineer by trade.

Michael Crouse: I’m a recovering doughboy. That’s my joke. That’s my bad joke.

Kevin Rosenquist: I like it, I like it. That’s good.

Michael Crouse: So I’m a recovering electrical engineer.

Kevin Rosenquist: You’ve spent time as senior VP of sales and marketing, where you also worked with the DoD and the intelligence community. Have you always been interested in government?

Michael Crouse: No. When I was at the University of Akron my mom, whenever I got a co-op. So I was a co-op at the National Security Agency, NSA. And back in the 80s. So when I told my mom, I was going to go work for NSA, the first thing she said was, are you going to work for NASA? Are you going to go into space? Because at that point, you think about it. Back in the ’80s, and the ’90s, there was no description of the buildings. There was no there’s like, stay away. We’re just in these big buildings. And as it gets more accepted, people understand a little more. But I started out looking at engineering as a way to, let’s be honest when I went into school in the 80s, I was like, how can I make the most money with a four-year degree, you know? And at that point, engineering was the best opportunity. Yeah for sure. And then when we had through the co-op days internship, whatever you want to call it, I just started to kind of gravitate towards government missions and the ability to kind of safeguard our national interests and safeguard our national secrets. So I kind of like that, and I liked that approach. And then working with whether it’s intelligence community or DoD, you kind of get that mission sense because it’s different than working with a commercial company, just like doing different sales or even program initiatives. You don’t get a sense of mission. And so when you’re done for the day, you feel good, right? You go in, you say, I’m protecting this, I’m doing this. I’m able to kind of build technology or build programs to protect information or protect data. So I kind of got into that. So it’s all about protecting the mission.

Kevin Rosenquist: And how did you end up in cybersecurity?

Michael Crouse: Cybersecurity. So it’s interesting. So back in 2005, one of my friend’s colleagues, I was at a large company, like I think I was at General Dynamics at the time, and there was a little company called Oakley Networks, which was, by the way, the predecessor of Everfox, back in 2005, and my buddy goes, hey, we’re going to do this mission. We’re going to build a software security tool for insider threats. And if you think about it, in 2005, you go back to 2005. Nobody was talking about insider threat or insider risk. No way. So what intrigued me was it was a small company. We had one of our first customers in 2005. I showed up, got my green badge, and started working. So I think that was my first kind of introduction to cybersecurity. And it was the idea to build programs because we were building programs that had from the ground up building servers, building technology deploying agents on workstations understanding how the interaction between a software agent, user activity monitoring agent, and OS work, right? Because back in the day, we were working off Windows 3.1. Windows that are deep and things like that got me more interested.

Michael Crouse: And then figuring out how you can protect and see the results. That’s what got me jazzed. You saw real. It worked. You’re like, wow, this works. This is impactful for an organization. That was kind of my journey to start in 2005 and then kind of making my way through the legacy of Raytheon to Forcepoint now to Everfox. I kind of kept that mission to not only work with the government but also work with commercial companies. So taking what you learned, it seems like the commercial was a little slower to get where the government is. So we could take all the lessons learned from the government organizations all the kind of the do’s and don’ts, and I bring it to commercial. Here’s what you should do. Here’s what didn’t work. Here’s what didn’t work. Here’s what’s impactful. Here’s what provided you with more business input and value to your organization, save your money. So yes, that kind of was a journey starting as an engineer selling code to understanding kind of a more operational system engineering and then into programs and then of course, into sales.

Kevin Rosenquist: I think that’s the first time I’ve ever heard anyone say that the government was ahead of others.

Michael Crouse: They were empty words. It is scary. They were. But you know what’s happening now? A lot of people in the government are getting out of the government and going to commercialize it. So they’re taking that same value, the same passion about the mission, and they’re bringing it to their company and commercial. So you’re seeing a kind of a switch, a trend to kind of the government. People are starting to move into the commercial world. So you’ve seen them adopt specific processes of procedures that the government has been doing for about 20 years now.

Kevin Rosenquist: They saw it worked and they’re moving it on the commercial side.

Michael Crouse: Worked a lot.

Kevin Rosenquist: So earlier this year Everfox rebranded from Forcepoint Federal. As a marketing mind, I’m always curious about these things. What was the motivation behind the rebrand?

Michael Crouse: Well, we were sold off, by the force by federal, our force, Boeing Company. They kept the name so when we were spun off and now as a wholly owned subsidiary or just our own company underneath TPG, we decided to put a fresh look on our company. So Everfox still is the same, I call it a new name, but we still do the same mission. You know the legacy companies that make up Everfox. The Oakleys, the Raytheon Oakleys, the Raytheon Oakleys system, the trusted computer, the deep secure. We’re now all part of one integrated company. And we have technologies that flow from each other. So you have the “Ever” which is the lasting. We’ve been around here forever. We’re going to continue to be here. We’re not going anywhere. We’re going to continue to be focused mission. And the “Fox” is all about agility, being agile, being adaptable, being able to kind of pivot and weave. Because what we’ve seen in cybersecurity is that if you’re staying put with your cybersecurity solution, you’re falling behind. You have to be able to be agile. You have to move and be able to flow with each organization because they’re changing constantly. So it just gave us a time to rebrand, gave us the time to kind of re-energize the look and feel of Everfox. But we’re still the same passionate company that has been doing this for 20 years.

Kevin Rosenquist: So you mentioned people in the government going out, working in commercial, in addition to working with government entities, you also work with a lot of financial companies. Is your approach different for these two types of clients or are they similar? Is there a little bit of both?

Michael Crouse: There is a little bit of both. The compliance. Interesting. The financial compliance organizations, I think they have a similar they’re protecting. It’s interesting if you’re looking at a large bank they have two customers to protect. They have internal customers. Right. So they have the people that are looking for example potentially doing fraud, waste and abuse, looking to steal corporate information that could be used on a person’s next job. They also look from even look financial organizations that where government does not have to worry about. There’s a large sales organization and there’s a lot of contact information within that sales organization, how do you protect the information? So there’s that’s that side, right? Internal is all about data fraud waste and abuse. They in the commercial are getting closer to the workplace. What I’m calling workplace environment. Workplace culture started kind of creep into those organizations understanding how people treat each other, understanding how they treat the brand, and understanding what they feel about the brand. So that’s internally, and that all impacts the bottom line. But you also have the external people who are trying to protect their customers. So your information how am I treating? How am I protecting my customers? Information is, for example, one of my trade analysts searching for information they shouldn’t be searching for or peeking into windows they shouldn’t be peeking into. So looking at your information and how to protect the customers so they have internal protection, but they also protect the customers’ data. So from their perspective, they have federal compliance regulations they have to meet. But they’re also doing it from the fact that we believe in protecting our customers’ best interests. I’m not going to expose your information to anybody else. I’m going to protect your content, your email, your simple things, as protecting your phone numbers and all that stuff. 
So I think that’s where it is. It’s kind of the internal challenges that you typically have with the government, but it’s also they’re protecting information from their customers.

Kevin Rosenquist: You mentioned the insider risk. Insider threat. When it comes to cybersecurity, most people think of outside risks. Most of the average person, whether that’s hackers looking for money or just playing anarchy.

Michael Crouse: Yes.

Kevin Rosenquist: But the insider risk is solutions that you do are super interesting ensuring that employees and contractors aren’t malicious or negligent and their handling of classified documents and sensitive data. Do you feel like this is a bigger threat than outside risks?

Michael Crouse: I think it can be. So put it here, the risk from somebody inside taking our information and stealing information or even tending to harm yourself or others is you don’t have as many of those cases, right? You’re not going to see the abundance of cases, but when the cases do have, the financial impact of that breach is more significant in my mind than an external breach, because it cuts to the heart and soul of an organization. So it not only impacts their bottom line dollars and cents, but it impacts also how the company feels, and how their employees feel about themselves at the company. It impacts the brand and it also could negatively impact even things like stock prices. So being able to protect and put together a safe working environment for employees that they feel safe at that they’re not that their information that they’re protecting, I think, is more critical than even an external threat and external threats happen. We know that, of course, we know that we’re constantly being bombarded by a third threat. But if you look at the use cases for insider threats, there’s not a lot. Do you know why there’s not a lot that you know about that I know about because they’re not exposed? Because one of the hardest things you can do, people go, well, give me an example of a case. And they’re like, well, we can’t talk to you about that. Everybody knows external threats because it’s always publicized. There’s sharing information across whether it’s a government to the DIB, the DIB to commercial. Everybody shares those threat vectors, the signatures of the zero-day attacks. But tell me this. How often do you get a collaborative group that’s willing to share an insider threat? Because you’re exposing the sensitivities of an organization.

Kevin Rosenquist: Yes. It’s embarrassing, too.

Michael Crouse: It’s embarrassing. We’ve seen a couple of things that we hold technical exchange meetings we do this with all our customers, whether the federal market or the commercial, and we kind of. We provide a safe zone where organizations can come together. It’s kind of like the Chatham House Rule, and that they talk about what they’re doing well, what they’re not doing well. Breaches they’ve had internally, breaches they’ve had that within an organization and how they mitigated those breaches and what it cost the organization, but they do it in a safe environment. And I think that the key is that there has to be more sharing within those environments, just like external threats, we have to set up an environment that allows people to feel comfortable sharing lessons learned, and best practices for the insider threat because we think we’re doing that externally for this for example, all the external threats. But we’re not doing a good job of sharing that information internally.

Kevin Rosenquist: What are some examples or reasons for this kind of stuff happening? Obviously, there are some people that are just disgruntled, or trying maybe to sell data, but what do you find are the most common reasons people do this?

Michael Crouse: I think just mistakes.

Kevin Rosenquist: So negligence.

Michael Crouse: Negligence or they don’t know the I mean how many times I don’t know you probably worked with many companies and they give the employee handbook. Yeah. How many do you read that? Never. Yeah. Never. Sorry. Ever. Thoughts? I don’t think I read mine either. Yeah, but there’s probably certain things in there that thou shalt do and thou shalt don’t. And I guarantee if people would read that, they probably would say, oh, I shouldn’t be doing that. So give me a prime example. I was with a back in the day I used to work for Raytheon. Raytheon had a process that said any data, proprietary information needs to be encrypted going out of our organization to whoever you’re going to send it to anything external Raytheon near the center. So we were a small company at the time, Oakley Networks, and we didn’t have all those security processes and controls in place. We’re a small company, 50, 60 people flying fast and flying hard. So we got the new company we’re used to sending in before information outside the people, like, yeah, you need this. Here it is. Boom. Send it to it. So a lot of our employees were just getting flagged by security violations. We’re getting flagged like you’re sending encrypted information or sending proprietary information outside the organization. Encrypted. And we weren’t doing malicious. We just didn’t know the rules. We didn’t know the process in place. So once we understood it we were going to say, okay, now we understand the importance of bringing us. So educating your workforce on that is a key example of something that can be done.

Michael Crouse: But also one of my friends said I was like, what did you see as an indicator? He goes, Mike is something that we did internally. I was like, what do you mean? He goes you look at what they’re doing for Covid right back in a couple of years ago. I think one of the biggest kinds of risk things that they provided was the back-to-work. They were forcing employees back into the office. And I don’t think people understood the impact that had on their bottom line because I guarantee you there were employees out there going, I’m not coming back in the office. Therefore, I’m not coming back. I’m at home. I’m going to start downloading some information from the company. I’m going to be using that information when I go get my new job, whether it’s a code. You saw that example. I think it was the driverless cars. Remember that somebody took some from I think it was Uber or one of the ones that took some information to go to the next job and used that code or to get a jump start on their next job. Now, that person might have been malicious, but a lot of people just have a sense of ownership and are saying, well, I developed this code. It’s not proprietary. something easy. I’m just going to download it from my computer. I want to go work at my next job. They did something similar. I don’t have to reinvent it. I can just use this over again. I’ve done that with.

Kevin Rosenquist: I’ve done that with logos and design stuff for sure.

Michael Crouse: Yes, I think we all do this. So I think some people have malicious intent, but I think some people don’t understand, you know the rules. But it’s also that the policies you put in place for an organization, you have to understand what that impact on your workforce is. So would have been great even it’s today if Everfox put down a policy that said come back to work or any policy and then you could monitor the behavior of a workforce based upon you making that policy change. And if you could see the behavior of a workforce changing based on the policy that you developed and implemented. Wouldn’t it be nice to say, okay, I’m sorry, I’m seeing a negative change reaction to our policy and go back and work with others in HR, legal C-suite and go, I think we messed up here. This wasn’t the intent of this policy. The intent of this policy is to create this type of work environment that will be negatively created, an environment where people now feel the need to leave if they feel the need to leave. They’re most likely to stockpile information. So again, cause and effect. If I can just modify my policy back, my workforce will feel like, okay, they’re taking care of me. They understand what my chart. They’re not going to be willing to take information. So again, getting to that root cause and understanding that is a key point.

Kevin Rosenquist: Yes, that’s in the corporate world I feel like that’s something that there are a lot of different areas where companies would benefit if they looked a little more internally.

Michael Crouse: Yes. And understand the behavior of the content. But you need visibility. It’s more than just reacting to an incident or event because that’s what our traditional cybersecurity tools are all about. If you look at DLP, you probably know a data leak prevention is. What’s the number one goal for DLP analysts?

Kevin Rosenquist: Fixing the problem.

Michael Crouse: Clearing incident.

Kevin Rosenquist: Clearing incident. Fixing what happened.

Michael Crouse: So they have a workbench, right? And they have 10,000, 1000 incidents there. Their job as a thing is like their manager probably says, hey, before you leave for the day, you gotta clean these 1000 leaves and you go down the list. Check check check check. I’m done. What they don’t look at is a true. Why was that? Why was that person? Why was that individual? Why was the user doing this? Why did they violate this? And being able to take the time, go back in having one place to look at all the data is key and to be able to kind of determine like, yep, that’s a real incident or no, we can clear that. But the goal shouldn’t be to clear all your incidents. The goal should be to understand why there are so many incidents occurring. That’s my theory. Insider risk is always the answer. No. Why? Question. The “what” question has a bunch of cybersecurity stuff. They’re all about the “what”. Insider risk is all about the “why”. Why did it happen? What was the intent and behavior of my individual? And then how can I mitigate that? The cause, the root cause for why that happened.

Kevin Rosenquist: Yes, I’ve had bosses before where it’s just like something goes wrong, who can I blame and who? And it’s like I was kind of on your side. I was always like, all right, let’s first let’s fix the problem, and then let’s figure out why it happened and how we can prevent it in the future. And a lot, but a lot of people just are so reactive, they’re not ready to fix it or to fix it for the long term.

Michael Crouse: And all of us, I don’t think they have the skills. I think it’s interesting. We’re having this conversation. I was talking to somebody the other day and they were talking because I asked him point blank, do you have any psychologists or any social behaviors on your program? And they said no. So we get those from HR. Well, and I have a question and I’m thinking to myself, ah, I was like, I know it’s we’re so tech-heavy. You know everybody. It’s about the tech, the next widget that comes out, you know, the next cool thing, AI, is going to solve our world, right? AI is going to be the next thing like oh, AI, AI is going to solve world hunger and get peace around the world. But to me, I think what makes us different than anybody else in the field is that we have world-class technology, but we know how to apply that technology, and that’s the key. You got to apply the right technology. I always say at the right time, grab the right data set. The last thing I want to do is, we have a lot of competition in the world.

Michael Crouse: Everybody has competition. But where I see our competition, they just sell a widget. They never operationalize that widget. They don’t know how to kind of work with the customer, understand the requirements, understand the collection, and then put together something that is value added to them. Because I’ve seen organizations and I will tell a company point blank, I was like, if you want to buy our technology, that’s great. I’m always appreciative of it, but I want you to use it because it does me no good. It does you no good that with this technology it’s on a shelf. And then 12 months later, six months later, your salesperson comes in and goes, hey, how did that go? And you go, oh, this is a piece of crap. And we’re like, did you try to use it? Well, we got confused. We didn’t know how to do this. So to me, that’s a red flag. It’s like, okay, let’s sit and we sit down with our customers always and say, all right, we’re going to give you a world-class technology, but we’re also going to give you that world-class white glove experience to say, how do you use it? How do you get value out of it? How can you when your boss comes down to you and this is a big thing, say you spent $1 million?

Michael Crouse: Why? You’re gonna ask me for another million. What value you’re getting back? So we want to work with our customers and say, okay, whether it’s through some metrics some KPIs traditionally identified so they can stand up in the boardroom and go, here’s some value you got from this. Here’s the value you got from our program. Here’s how we operationalize. Here’s how we save you money on investigating. We reduced that time from six months to a month okay. That’s real dollar savings. We were able to save employees. We had six employees that were falsely accused. Oh, okay. I can take that to my HR. I can take that to my employees and go, we’re putting in technology and we’re putting a program that’s going to for your benefit and have them part of the problem solution instead of always the problem. So I think those are a couple of things that we worked on.

Kevin Rosenquist: When a finance company hires you or you start working with them at the beginning to either evaluate their security or talk about insider risk. What’s the first thing you look for?

Michael Crouse: So the first thing is, are they ready for technology?

Kevin Rosenquist: Okay. Is it that technically, mentally, or emotionally?

Michael Crouse: It’s more emotionally. And do they have the buy-in from the leadership there and are they ready for the technology is going to surface specific actions that you’re going to have to remediate and take, take action on? So as your program is formalized, do you have, for example, a board whether it’s a policy review board, or a collection review board how do you mitigate? Have you done all the we talked about it before? There are so many different steps. I think we had we call it the nine-step program. In the past, we always got to it’s our nine-step program. But when technology came into play. Technology came into play in step seven. There are so many other things. You have to formalize the program. You have to make sure you have your governance documents in place. You may have to make sure your stakeholders are involved. Who are your stakeholders? Is your C-suite engaged? Are they going to support you when there’s going to be a challenge? Maybe. Do you have the remediation plan so all these things have to be in place? Oh, and then I’m going to bring in technology. So we always go to the customer and ask those basic questions before we start, especially in the financial is like, you know what? Where are you at in your journey? We coined something the other day when we talked about collection exploration and you gained insight.

Michael Crouse: So we look at and then you bring governance on to kind of manage your program. So we ask them, where are you at in your journey? Are you in a pre-technical phase where you’re doing all your setup? Once you get all your established programs in place, where are you at in your technical phase? Where are you at in gathering data? Bringing all that data, where are you at exploring your data to understand the value of the data you’re collecting? Is it worth it? Or do you need to bring more, or less in? And then once you have that, you bring in like the analytics part. And maybe you gain insight through analytics by putting that wrapper around everything. And then we talked. And finally don’t forget about governance or like what do you mean by governance? I was like, do you have an audit program in place? So like an audit program where like, yes, they said, what’s an audit program? Well, it’s watching the Watchers. I was like because I told him I was like, your analysts are going to be exposed to very company sensitive information, highly proprietary information. They might see things that are very personal to people. So how do you know those individuals that you’ve kind of deemed to kind of be your analysts are not abusing the technology that you see that they’re using? We’ve seen cases where people have in a commercial, that somebody has a grudge against a C-suite, so they’ll use the technology to start snooping.

Michael Crouse: And looking at information. It potentially will look into information they could use for themselves and maybe in a blackmail situation. So you have to have that audit program that’s independently looking at your technologies to make sure that somebody is not abusing it. That’s where it’s different than cyber because cyber is a threat coming in. But cyber is an external threat, APTs, malware. You’re talking about insider threats. It’s more personal information. It could be more highly sensitive information that you want to protect. So that’s where we start. It’s formalizing the program, making sure they have all that in place, making sure all the governance and then bringing the technology. Because again, if you try to build a program and bring the technology too soon, it will fail because they’re not ready for it. Then finally they have to have the experts, whether they look for us for help or consulting services, whether they look for somebody else. But you need some people inside who understand insider risk to understand insider threat and understand more counterintelligence security focus. Don’t that’s because it’s not for everybody the high what we call high assurance cyber security. It’s not for everybody because they don’t have the same requirements, needs, mission passion, and compliance requirements. So that’s how we start.

Kevin Rosenquist: How often is it more than negligence in your experience? How often is it blackmail or cybercrime or whatever?

Michael Crouse: I would say, it’s probably in the 20% range. I think it’s like I think a lot of it is because there’s not a lot of cases. I say 25% is probably on those cases, but we’ve seen some uptick. We’ve had some organizations that have been seeing, we saw something the other day or didn’t see something. On the other, we had a customer who talked about and identified people within the organization that were human trafficking. You would you wouldn’t think that, right?

Kevin Rosenquist: No.

Michael Crouse: You know what’s happening on company machines or government machines. You’re like so it happens. It happens more than you think. It happens. But those types of cases are the ones where you’re like that kind of gives you when you can prevent something, or you can identify somebody’s behavior that’s potentially doing something like that. That part of makes you get up in the morning going, wow, I’m doing something special. Yeah. I’m I’m making a difference. And I think that’s where Everfox probably tries, we make a difference. We are making a difference in the lives of the individuals that we help protect and in the lives of the companies that we help protect. And the government commercial local government, we feel like we’re making a difference. And when they come to us, they trust us because we’ve been doing it for 20-plus years. And what did somebody say? We’ve seen a little bit of something. I think isn’t it like an insurance company? We’ve seen this before.

Kevin Rosenquist: Oh, yes. I think that’s farmers, right?

Michael Crouse: Farmers insurance. Right.

Kevin Rosenquist: They say we know something too because we see anything.

Michael Crouse: We see the thing. That’s what somebody said, you guys should coin that. I was like, you’re right. I was like, we’ve seen it. So we’re gonna go and talk to me. We see the thing or two. So use us for our knowledge and understanding. Because we don’t want to see that we’re repeating an organization, we can prevent it.

Kevin Rosenquist: We thought we mentioned AI earlier. Is it complicating cybersecurity and insider risk?

Michael Crouse: I look I think the biggest challenge for AI is, I think it’s going to cause more threats. Yeah. So I think it’s going to because for example one of my customers said Mike, I’m worried about AI, not so much. I’m not using AI internally. I’m using more AI. I’m worried about AI from a threat perspective. This means that how people my employees are using AI against me, whether it’s an internal threat or an external threat so I think that’s the biggest thing of what? How the employees are using it against them because AI, from our perspective, is going to be challenging because there’s not. If you look at an AI for insider risk, I think it’s just a way to display the data differently and talk about the data, because AI was AI built on, built on training the models. So if you don’t have a lot of use cases that you can train the models against, then it’s going to be very difficult to get an operational AI model that can identify a threat or insider risk. So I think that’s the challenge. Again, we get back to that challenge, right? We get that challenge. If you don’t have a lot of use cases that people are willing to share and dump into an AI so it can learn and learn from these, it’s going to be very challenging for AI to be used internally versus somebody on the outside kind of saying, hey, I need to build a zero-day threat and I can do that.

Michael Crouse: I want to build a zero-day threat. Now, I can do this through AI and kind of use it again. So I think AI from a threat perspective is going to cause a little more problem. I don’t think it’s there yet for the internal to use as analytics, because AI, nowadays is more built on large language models and machine learning. We use those, we use large language models. Right? We work with Doctor Shaw. I think, you know Doctor Chong. Yeah. He does critical path. So it’s a psychological behavior about insider risk, insider threat that’s based upon precursors, stressors, indicators in a kind of learn it, learn it beforehand. So we use a lot of what he does, but he does kind of a large language model that takes all these stressors indicators. But that’s a form of AI right? Yeah, absolutely. So I think AI will get there in about five more years, but we need more data to push against AI to look at the models that are being developed and fine-tune them because I think they’re a little risky right now. I just think it’s right now AI is used as a way to say your analyst is a tool to make your analyst’s job easier. It’s just a different way to ask the question that’s AI, just a different way. They ask the question which is which is, okay, that has its place. Absolutely. Yeah. But I think it’s not the silver bullet.

Kevin Rosenquist: Yes. You can say that in any industry, it’s kind of the same way. Just being a tool to it’s not it’s not as much replacing people as it is a tool to make their jobs easier.

Michael Crouse: Exactly. Make it more efficient. Make it more effective kind of make them make it easier for them to do the job. One of the things I think I would be great at. And lastly, we’re looking at this right now from everybody’s perspective. Remember we talked about the challenges of getting talent. Everybody has the challenge of getting talent right. And it’s even harder in the insider threat world. Because there’s not a lot of insider threat analysts, insider risk analysts, there’s not they’re not coming walking through the door and everything. There are probably more cyber threat people coming because it’s become more acceptable.

Kevin Rosenquist: It’s become a bit like, yes, but the shortage of cyber people is something that people we hear about all the time.

Michael Crouse: Yes, but it’s not a risk. You don’t hear about it.

Kevin Rosenquist: No, not at all.

Michael Crouse: So we’re training the inside risk analyst. So one of the things I was thinking that I think we’re looking at is how do we use AI or some sort of technology to get any analyst that is a junior analyst coming on board to be in the same productivity as a senior analyst? Oh yeah. Right. So is there certain? So if I look at AI, it’s like let’s watch a senior analyst how they do investigations, how they go through the information, how they go back and kind of look at the steps of a case. How can we make that individual’s mind kind of bring it over to a junior analyst and allow them to come up to speed quicker on in your organization? So I think that’s a way I could be very impactful for organizations increasing the effectiveness of your analyst itself. From a workflow, a business workflow, an everyday workflow, how you’re doing your job versus just trying to crunch all the data and giving you kind of those. Well, I think I can give myself some high-risk views because they’re not going to pop out. I think analytics is an art. It’s something that’s being crafted. We have analytics at our place and it’s more of an art, right? It’s an art. It’s a you can collect the data, and bring the data in, but you have to fine-tune your models to make sure they’re going to be impactful for your organization and what you feel is important, not from what you know. This sister organization over here is not from another manufacturer. You have to tailor that to your needs.

Kevin Rosenquist: Analytics are all over sports.

Michael Crouse: I know, I know, analytics didn’t help my Browns win this year. And they didn’t help my Cavs beat Boston this year. So if I could add the analytics help me on those two. That would have been good.

Kevin Rosenquist: Well, I’m a Bears fan. So I’ve got a long way.

Michael Crouse: Oh, you live in more pain.

Kevin Rosenquist: I live in more pain. Browns fans are pretty, pretty on par with that.

Michael Crouse: I know, I know. Hey, we went to the playoffs last year. So this year we’re looking for a little more this year. So yeah yeah yeah. We’re looking at our quarterback and staying healthy all year.

Kevin Rosenquist: Yes, that’d be nice. So that’d be nice. To wrap things up, for smaller financial and fintech companies given the advancement of technology like we’ve been talking about maybe some of these smaller places might have handled stuff in-house, or something. Are you finding that the risks are getting to a point because of technology that even with insider risks, smaller companies and companies that might not have been as focused on these threats are now becoming more focused on these threats?

Michael Crouse: I think so, exactly. I’ll give you a good example. I just got a request the other day from a small defense, industrial-based customer. They have like ten people, 20 people, and they’re asking things about how can I utilize technology from our perspective to protect our interests. Like 20 people. And you would think yourself like, no way they’re going to bring technology in there. But they’re asking that now. So you have these very small, even medium-sized organizations that are now getting on board with that because they’re they understand that the impacts they make to National and their company needs to be protected. And despite they can have as much personal touch as they for every employee, they might know each person by first name. I think they’re feeling the need to have that level of visibility across their workforce. Now, what I see in also too, is I think a couple of things that’s going to be interesting to see what plays out. You have SaaS, right? You have SaaS platforms, and then you have the on-premise or even potentially even a virtual environment. I think you’re going to see more organizations kind of potentially go away from one of the SaaS because of the co-mingling of data of SaaS. Is it the ownership of the data? I think we’re seeing right now organizations that don’t want to have kind of their data sitting with a, with a SaaS operator, and they have access to the data, whether it’s the back end.

Michael Crouse: So I see that shift where people are going to work. You can still have it in the cloud. You can put it in a private cloud or a public cloud, but you have access to your data. It’s your system, it’s your data. It’s not a SaaS. And then you can tailor it because the one size fits all within a SaaS environment, which says you build one policy. For many, it’s not impactful because each organization has a similar modification or tweaking of whatever models they want to do, whether it’s analytics or a collection model module. So I think that shift we’re seeing is that organizations say they think it’s important enough to kind of invest their money. Because what security does security cost money? Security does not cost money. So being able to invest that is we’re seeing that shift and taking the budgets that are available is to kind of make that happen, either whether a 20-person company or a 200,000-person company. So I’m seeing that shift that they think it’s important enough if they’re working, especially with any kind of local, state, or federal government. But even those organizations at a small, small federal financial compliance organization, they’re going to be monitored.

Kevin Rosenquist: Yes. How many times do you hear, have you heard oh, we’re too small? No one’s gonna, nothing’s gonna happen to us.

Michael Crouse: But we gotta make it more cost-effective. We gotta we gotta do our part. So the vendors of the world, they Everfox of the world’s thought leaders of the world. We gotta do our part. We have to give them solutions that are more cost-effective, that allow them to enable them. So we need to enable them. And we need to make technology simpler, more effective, more efficient, easier to use, easier to configure. Drop it in the Amazon Marketplace, and drop it on your computer. Boom. You’re done. You’re up in a couple of hours. You have a system up. You can monitor people. So I think technology is going in that direction to make it easier, simpler to use and configure it so they get more value so they’re not spending small organization, not spending. They don’t have the budget to spend millions. England’s. So that’s what we’re trying to do. So that’s our goal. We want to make it easier and simpler, but we also want to make it more effective.

Kevin Rosenquist: I think that’s a great goal.

Michael Crouse: Yes, we’ll get there.

Kevin Rosenquist: Well, Michael with Everfox, thank you so much for joining me. I enjoyed our conversation.

Michael Crouse: Thanks. Appreciate you having me. And good luck Bears this year. I hope you got rid of me. So I’m a big Ohio State football grad or fan. So you got rid of Justin Fields. I hated to see you do that. So hopefully you don’t regret that.

Kevin Rosenquist: I hope so, too. I was when we drafted Justin Fields. Me and my infant at the time, my son, was jumping up and down in my living room, so I was pretty excited about him, and I’m pretty sad to see that it didn’t work out. But maybe the change of scenery will be good for him.

Michael Crouse: Yes. He’s going to my hated Steelers.

Kevin Rosenquist: That’s right. Of course.

Michael Crouse: Yes, that’s even worse than Nebraska. Even worse than embarrassment I got to root for him on the Steelers. And that won’t happen. Sorry, Justin.

Kevin Rosenquist: That’s like him going to the Packers for us.

Michael Crouse: Oh, yes. That’s true. That’s like Aaron Rodgers came out and went to the play for the Bears.

Kevin Rosenquist: Yes, that would be, exactly. Well, thank you, Michael. Have a great day and I appreciate you being on.

Michael Crouse: All right, Kevin. Take care, man.