About Kirsten Bay:
Cysurance was co-founded by Kirsten Bay, a leader with more than 25 years of experience in risk intelligence, information management, and cybersecurity.
After serving as CEO of big data and cybersecurity companies, and helping to shape national cyber policy through congressional committees, Kirsten saw the same problem again and again: traditional insurance wasn’t calibrated to the reality of modern security practices.
Premiums and deductibles were growing, but they weren’t aligned with the actual protections being put in place. Kirsten knew the industry needed a shift that rewarded strong security programs instead of penalizing them.
By certifying, warranting, and insuring security solutions that meet the highest standards, Cysurance helps organizations prove their security posture, reduce risk, and access coverage that matches their real-world protections. The result is better outcomes for providers, insurers, and most importantly, the clients they serve.
Megan Quick:
Hello and welcome to The Creative Stack, a show about the intersection of creativity and information technology. I am your host, Megan Quick, and I am joined as always by my illustrious co-host, Georg Dauterman, the president of Valiant Technology. And today we are joined for the first time by a very special guest, Kirsten Bay, the co-founder and CEO of Cysurance.
Kirsten, hello. And thank you for being here today to help us tackle this huge topic of cyber risk and cyber liability insurance. We're so excited to have you.
Kirsten Bay:
Thank you. Thank you so much for having me.
Megan Quick:
Of course. Of course. Georg, do you want to kick it off and dive into our topic this week?
Georg Dauterman:
Yeah. I've known Kirsten for a couple years now, and I'm really excited to have this conversation and get it, I want to say, on paper, which is kind of ridiculous because it's audio/visual medium. But it was one of the most ... When I first met Kirsten, I was so inspired by some of the choices and so many discussions that we had. And we've incorporated very much a lot of it into our practice. So I'm really excited to actually have her here to talk about it.
So Kirsten, how'd you get into this cybersecurity game? It's still such a big topic and it's one that is so fraught with unknowns and confusion and all this. So tell us, what's your hero origin story on this?
Kirsten Bay:
Well, I always like to say I'm a serial student because I think it makes me feel a little less crazy sounding like we were just talking about. It was a long and winding road. But I started my life in financial risk management and financial risk metrics, supply chain risk, those types of things, like doing financial analytics. And so I was just bumping along, doing those sorts of things, doing intangible asset modeling, things that everyone does.
Georg Dauterman:
So exciting.
Kirsten Bay:
So exciting. I thought it was pretty cool.
Georg Dauterman:
Yeah, that's the worst part, and not to interrupt you, but this stuff that I find exciting, people roll their eyes at me and I'm like, "Don't you find this fascinating?"
Kirsten Bay:
Well, yeah, that's why when you were like, we're going to talk about cyber insurance, I'm like, I know people will be like, "Oh my Lord." But I think it's very exciting.
Georg Dauterman:
Me too. Love it.
Kirsten Bay:
So one day someone said, "Hey, we're working on a book on built-in security and we need your help." And I was like, "You mean securities?" And they're like, "No, security." Singular. I was like, "I have no idea. Why do you want to talk to me?" And they said, "Well, because we want to understand, to get people to be interested in built-in security models and why it matters and why it's important, we want to talk about the elements of how we can maybe value data for law so that we can help organizations normalize and understand why it's so important and the financial impact of that." So I was like, "Well, that's interesting."
So spoiler alert, we're still working on that, but it launched me into this whole new career where I started working in DHS with the supply chain risk groups and then started working in threat intelligence and using modeling to help them help large companies make investments and we deliver security products and intelligence solutions. And then I started running network traffic analysis companies.
And then one day I was like, we still haven't done the financial impact thing, so we should make an insurance company because anything that's worth doing, you have to insure. And it's kind of the final arbiter of valuing something. If you can value it, you can insure it. And so here we are.
Georg Dauterman:
Right. It's such an interesting thing because insurance is one of those oldest kinds of businesses and people don't really think about it that way. Like your classic Lloyd's of London insuring shipping and reconcile enterprises.
Kirsten Bay:
I was just there. Yep.
Georg Dauterman:
And it's still a business, it's still operating entity, was it 400 years old, something like that?
Kirsten Bay:
At least.
Georg Dauterman:
It's been around a long time. No disparaging Lloyd's of London or endorsement for it, but it's an old company and it's existed for that long. So that's an interesting way of putting it that if you can value it, you can insure it and you can insure it, it has value. And it's such an interesting thing.
So how did you end up deciding to leave that world and start the insurance company, which is a massive leap as an entrepreneur, speaking in my own journey, sort of accidentally owning a business or being an entrepreneur, but what sort of drove you into doing this?
Kirsten Bay:
It's a super good question because when I would tell people when we first started Cysurance like, "This is what we're doing." And they're like, "That's kind of a big thing." And I was like, "Well, I didn't just roll out of bed and go, 'Hey, you know what? We should start an insurance company.'"
Georg Dauterman:
Right.
Kirsten Bay:
Because that's what ... And I actually think now in this portion of my life, my next company's going to be like a candy company or like a wine company or something totally different.
Georg Dauterman:
100%. Mine is some kind of outdoor guide service, something very, very ... Nothing to do with computers.
Kirsten Bay:
Exactly. But today, here we are.
Georg Dauterman:
Yes.
Kirsten Bay:
And really it was this, I actually had this epiphany and long of like when I first started in cyber, which was really around that valuation piece and how part of what really drove my interest in cybersecurity was this evolving part. And this was 25 years ago, so it was nascent, but it was this idea that this is the underpinning and we'll be more the underpinning of everything we do. And if we don't develop that trust paradigm around infrastructure and the bones of how we structure and build our businesses, then how are we going to be able to convince people we know what it's worth if we can't protect it in the way that we're supposed to? So that was kind of the idea.
And then, those many years later, I was like, "You know what? It's still not working right." And so we partnered with this organization that was an insurance organization around this network traffic analysis product and all these people asked for quotes, but we didn't really bind any. And that's when I realized that there was this dissonance in security posture, cyber insurance, which was really, really early days and how do we bring that together to really help it make sense? And my thought was, but if we can help get people organized around, this is all the money you spend in the picture, but this is how much we spend on security and this is how much we spend on insurance. What if we did it the other way around and how do we demonstrate to people that those investments really do reduce risk in a way that helps them make better risk decisions? And so that's really the thesis off of which Cysurance was built.
Georg Dauterman:
That's great. It's so interesting because obviously I started my career, long story, but in IT and security wasn't actually, it was always there, but it wasn't baked into everything we did actually. It was very much like kind of go fast and make sure it works because everything broke all the time. And it's fascinating to me how it's changed and now I guess the criticality of the infrastructure is even higher than it's ever been. No one can operate without these systems working at all times.
So I mean, I will say, I think I know the answer to this, but I'd love to hear the sort of logic. Is every company, every organization, large or small needs cyber insurance or some kind of risk protection mitigation?
Kirsten Bay:
I would say so. And it's interesting having done my life and threat intelligence and then worked my way through is I would talk to people about this and they'd go, "Well, I don't have anything anybody wants." And I'm like-
Megan Quick:
Classic.
Georg Dauterman:
I've been hearing that about 20 years now, so yes.
Kirsten Bay:
I know. Exactly. I would say about a nickel for every time I heard that, we'd be having a much different conversation on my jet or something. We'd be doing the podcast on my jet and it'd be very cool. But the thing about it is that you don't get to decide what you think something is worth. And this is like, so number one, for everyone listening, do not try to anticipate what the bad guys think is worth whatever it's worth.
Georg Dauterman:
I'm going to steal that.
Kirsten Bay:
You can.
Georg Dauterman:
I'm sorry. I'm not going to steal it. I'm going to-
Kirsten Bay:
No attribution.
Georg Dauterman:
I'll use the attribution. You don't get to decide what it's worth, they do because they're the ones making the decisions on what they could do with what they stole.
Kirsten Bay:
Exactly. And it's difficult to anticipate that. So whether you have a pizzeria in New York down the street or anything in between, and that's the thing I think that will be interesting about the evolution of cyber insurance is it's very static right now and it's very data driven. But when we think about the NotPetya event where in 2017, we had machines that were bricked by the Mercks and the Maersk and all those where they couldn't make Oreo cookies. That was a big deal, but it was really-
Megan Quick:
That's my issue, honestly.
Kirsten Bay:
Right. That would be a big concern. But the trouble was that that was really the first time that we had something that was a physical infrastructure impact versus all those little data loss bubbles. Oh, this is the breach data and it was really big and it was really little. That changed the whole paradigm of what is it that we're trying to do with these insurance policies and what's insured and what isn't insured. So I think while it was very destructive, it also opened people's eyes to the breadth and depth that really is something about how you protect and how you insure for it.
Georg Dauterman:
It's interesting. We recently started working with a customer that had a breach and they were so badly, and they're manufacturing, and most people don't truly understand how reliant they are on the systems to operate 24/7/365 to manufacture anything in this day and age. And they're a fairly small organization and the worst part is they had insurance. They thought they were in good shape and long story short, they ended up being fine, mostly, but it takes a long time to recover and it's painful. And that's the part that people don't understand.
And I think I'm going to attribute something that you said to me a long time when I first met you, I'd much rather have it be a fender bender than a six car pile up. And I use that one all the time. And that's sort of our Valiant standard, even our personal belief. Here at Valiant we always have this sort of thing and sort of very typical cybersecurity mindset that not if but when. I always attribute it to a motorcycle riding. It's not if you're going to crash, it's when you're going to crash, it's a motorcycle. And cybersecurity is very similar, but it's how bad is that crash going to be? Is it going to be like, wow, that sucked and that's inconvenient for a day or we have to do some reporting or we have to be a small inconvenience versus like are we possibly shutting down our business? Or the disruption's so big that the entire Southern part of the United States has no gasoline with the Colonial Pipeline a couple years ago.
The worst part is I feel like you and I could probably sit here for hours the same incidents and breaches and incident ... And the thing is that what always still gets me sort of upset after doing this and start feeling like a Sisyphean task and I don't know if you ever feel this way, it's like, when are people going to just wake up a little bit, like this start doing the core things they're supposed to do day in, day out? But I suppose it must be like a doctor with diet and exercise.
Kirsten Bay:
And I do. I do vacillate between [inaudible 00:12:38] and the diet exercise plan and my security discussion. So you aptly call them out. And that's the thing. The thing though I do think that insurance has done for us, this little gift, is in our security world, there's always the zero thing, right? And I say we exorcise that zero demon with insurance because it enables us to say, look, it's not about zero things and it's actually completely ridiculous. It's not like there are zero house fires or zero car crashes. We have them all the time, but it's severity management. And that's what we've learned with our airbags and lane drift and all the great things we have in our cars is that we can really reduce the severity of these incidents.
And so one of the things I really wanted to demonstrate to the point that you made around controls is there's this balance between controls and products, but without basic controls or diet and exercise plan, you can wear all the cool weighted vests and do all that stuff or you can buy low calorie cookies, but if you eat 16 boxes ...
Georg Dauterman:
Right. Well, it's almost like I feel like sometimes it's like the insurance particularly, it's like, well, I bought the gym membership. I don't understand why there's a problem. And it's like, well, you kind of got to go. You kind of have to do the thing. And there's also a delicate balance always of disrupting people's ability to do the work and being like security by jerk where you're just literally making everything hard. We've all met those people who do security like that where you're like, "Listen, no one's going to ... They're just going to find every way not to do what you ask them to do."
Kirsten Bay:
The business prevention units is what I like to call them.
Georg Dauterman:
Yes. Exactly. Well, and there's so many people at that, and I always find it people who work at large enterprises who then kind of go downstream or end up in a different role where they're working with SMBs and they don't really understand there's a massive difference between a large organization. So I don't make any, I think-
Megan Quick:
No, no. I just wanted to define SMB for our audience. No, no, you're good. Small to medium-sized businesses. I know, and Kirsten, you're probably familiar with this, but in our world, the acronyms, you have to make sure to explain them. So I just wanted to clarify that.
Kirsten Bay:
We love that in security. We're very acronym heavy.
Megan Quick:
You have to be.
Georg Dauterman:
The only people who like acronyms more are the medical profession, possibly, maybe.
Kirsten Bay:
Maybe.
Georg Dauterman:
I don't know. I mean, I won't take that bet. But speaking of small, medium businesses, how do you feel working with small medium businesses compared to large enterprises, what's your sort of take on that? Because I think that that's been the bigger change. One of the things, if you look at US employment, how many people work for small medium businesses, how important it is to the economy? And they are notoriously not protected from this sort of threat. So I'd love to hear your take on it.
Kirsten Bay:
Well, 47.6% of our GDP comes from organizations who have fewer than probably 3,000 employees. So it's a big chunk. And what's really interesting is I was just reading these statistics that for organizations that are probably, I think around 50 or 60 million to about 300 million in revenue, that's really the biggest driver of our US economy in terms of jobs. And to your point, and they're rapidly growing organizations, but are not well prepared.
And a lot of that is, I was just at a conference with founders and CEOs last week, and half of them were manufacturing organizations from the Midwest. They make one component of an HVAC system, they employ 300 people, and it's one of those things that's essential to the guy sitting next to him who is the one who deploys the HVAC systems.
Georg Dauterman:
Right. These are critical to our economy, our systems, and our way of life.
Kirsten Bay:
Critical to our way of life.
Georg Dauterman:
Right.
Kirsten Bay:
And so I asked them about like, "Well, so how do you segment your network and do you segment production separately?" And they're looking at me and they're like ... I'm like, "Well, you should be asking yourselves these questions because if you were to have a cyber incident, this is the best way for you to ensure continuity of your services in the moment that something goes wrong, and it's not that hard." And that's really what we wanted to demonstrate to these types of organizations. One is when you read about it in a Wall Street Journal article about the terrible thing that happened to Jaguar Land Rover where they didn't have cyber insurance and the answer was, "Yeah, but they were negotiating it." I'm like, "In 2025, really?"
Georg Dauterman:
How do you go a day without it?
Kirsten Bay:
In that size, it's billions, billions.
Megan Quick:
Major blind spot still.
Georg Dauterman:
And so if that could happen at an enterprise that large and that well funded, really, these small medium businesses, anyone guiding them, these small manufacturers. Our own experience working with a manufacturer, they didn't really understand the impact to not having the production line working for a couple of days.
Kirsten Bay:
It's devastating.
Georg Dauterman:
They were so far behind in their work and they're smart people, they did what they had to do, but in the end it was very painful for them and they're still recovering for it. And so with those CEOs and those leadership, what was their sort of response? Did they go back to respective IT teams?
And actually, I'm going to change gears here for a second because, I'm sorry, this is my way my mind goes. Do you feel that the problem is that the leadership folks don't truly know the risk and the IT people don't do a good job of explaining it? There's a lot of fear versus numbers, data, results or output, that sort of thing. So how do you fix that?
Kirsten Bay:
Yes. The answer is yes to all of those questions.
Megan Quick:
Yes.
Kirsten Bay:
But that's the thing that I feel like in what we work on together is that was the objective is one is it feels so daunting when you read about the Jaguar incident, it's like, oh, and that's not me and that's so big and where do I even start? And the answer is you start in really simple ways. You can do some basic controls. We can get you some basic things in place and it doesn't have to be a trillion dollars and that risk curve will drop by 60 to 70% just by doing four or five things.
Georg Dauterman:
It's pretty amazing actually how ... Justin, our CIO, has a great analogy. He's like, it's basically someone walking through a parking lot pulling door handles. And if they're pulling door ... And I keep using cars a lot, I don't know why that is, but cars seem to be-
Megan Quick:
Americans have cars.
Kirsten Bay:
People understand them.
Georg Dauterman:
Yeah. People understand them. Americans, you're right, it's American.
Kirsten Bay:
We do like our cars.
Georg Dauterman:
We like cars, even here in New York. People pull door handles and it feels like people don't even lock their doors and their car by doing some really silly things or in this day and age where you not even having any sort of thought on this. So I think that's interesting.
So I'll put you on the spot. What are those four or five things that you recommend that everyone do? If you had to be like, all right, right now, stop, just stop what you're doing, go back to your office and be like, We need to do this right now today.
Kirsten Bay:
Today. So you all mostly have Office 365, go turn on MFA.
Georg Dauterman:
It's pretty shocking how many of them are still out there without MFA on.
Megan Quick:
We've had to do a lot of content where we're like, table stakes, table stakes.
Kirsten Bay:
Exactly.
Georg Dauterman:
Yeah. We're pretty militant about that obviously-
Kirsten Bay:
As you should be.
Georg Dauterman:
As you should be. And it's funny, we've been saying it for six, seven years now, and it's still not the default, which is amazing to me.
Kirsten Bay:
Yeah, it's true. And it's an interesting thing. And then you have these other security people who are like, "MFA is stupid anyway, doesn't work anymore." I'm like, "Stop saying that." That's like I don't even remember when dentists, there was this time when they're like, "Yeah, flossing really isn't that big of a deal." And all these dentist friends I had were like, "I wish people would stop saying that. It's like the thing I would tell you, if you had to choose to be brushing your teeth and flossing, I'd ask you to floss." Stop saying it.
Georg Dauterman:
Flossing's way more important. Right. And people are citing some obscure ... I know the MFA one, I've had this argument where it's like they saw some obscure headline about some obscure man in the middle attack or token stealing-
Kirsten Bay:
Session by session by-
Georg Dauterman:
Yeah. You're like, stop, stop, stop, stop. That could happen.
Megan Quick:
Yeah, but that's ... Yeah.
Georg Dauterman:
And if it did happen, we have insurance. But if we don't have the MFA on, you don't have insurance, I assure you, because no one's got to pay. Once you look through the log, it'd be like, "What's this user here without this on? What does this mean?" And you're like, "What?" Yeah, exactly. All right. MFA, 100%.
Kirsten Bay:
MFA, super key. That'd be like in your car analogy, I'm going to pick the lock in your car versus just opening the door.
Georg Dauterman:
Right. I'm going to have to use the Slim Jim and I'm going to get in there and somebody be like, "What are you doing over there in that car?" You're like, "Oh, wait, I'm sorry." Right. Exactly.
Kirsten Bay:
So patching, patching, patching. So because when we have really great outcomes in our claims events, we look for those things and it's like we had a firewall breach and it was like, okay, well, let's check the patches. They were 180 days old and there had been like 30 patches since then, literally.
Georg Dauterman:
The worst part is with the network devices, I find that people tend to set them up, forget them, they have no ... People are like, "I thought it just worked." Or I've heard the one, "I thought it set it by itself." You're like, "It doesn't do that." And I don't think you really would want it to do that anyway. That's a bad idea. Someone has to make sure it works.
Kirsten Bay:
Well, then people get mad when that happens and it restarts in the middle. Although I've never understood in my lifetime why it's like, I'm going to restart it 11 o'clock in the morning. It's like, why now?
Georg Dauterman:
On Thursday during our prime call hour or whatever you're doing, support time or ringing things up or ... Yeah, 100%. I never understood either. And interesting is patching is the most unglamorous, unsexy thing, but it's probably the most critical as you look at most breaches.
Kirsten Bay:
Most.
Georg Dauterman:
It's like almost every breach has some level unpatched system beyond MFA or weak passwords, but it's like exploited unpatched system. And even if the unpatched system wasn't the first entry point, it makes everyone's life a hell of a lot easier to get in there, start monkeying around. So patching, love it, love it.
Kirsten Bay:
Yep. Well, and then as you just said it's also just the thing that just fell out of my head. So we'll go on to the next one, which is immutability.
Georg Dauterman:
Yes. Yes. That data is not able to be changed unaccidentally or unintentionally.
Kirsten Bay:
Unintentionally.
Georg Dauterman:
Unintentionally, especially the backup, which is a huge problem.
Kirsten Bay:
It's on the backups. And the thing that we tell people, again, because they're like, "Oh, I now have to go buy this thing and da da da." And it's like, again, your OneDrive has immutability.
Georg Dauterman:
Correct.
Kirsten Bay:
So that's the thing is people have most of these things available to them right there, right? Weak passwords. That was the other one I was just going to say is the password reuse, I was like ... So 23andMe basically has been bankrupted as an organization because two things happened. One is they had password reuse, which someone got a username, password from some data breach and they didn't segment the DNA portion of the network from the production network.
Georg Dauterman:
Right, right.
Megan Quick:
Bad.
Georg Dauterman:
Which is a massive ...
Megan Quick:
That's crazy.
Georg Dauterman:
Off the top of my head, I'm not sure, but they'd probably be under some HIPAA violation because of that. Is it medical data maybe?
Kirsten Bay:
Well, I don't know if it ... But it's certainly your data.
Georg Dauterman:
Well, yeah. I mean, the last thing you want is your genetic material breached-
Kirsten Bay:
I know.
Georg Dauterman:
... out in the world for sale. Basically on some [inaudible 00:26:00]-
Kirsten Bay:
You could quantify the value of that.
Georg Dauterman:
Right, right. And the segmentation thing is such a big ... This to go back to something earlier-
Megan Quick:
Do you guys-
Georg Dauterman:
I'm sorry.
Megan Quick:
No, no, you're okay. And I think just for the layman of the ... And I say that with respect, but would you guys do a very basic overview of what segmentation is if someone listening isn't sure what it is?
Georg Dauterman:
So segmentation is isolating individual components of the network or the environment from the other piece so that you can't move across from one place to the other with ease without being either authenticated or reauthenticated so that I can't ... The idea is ... A good example would be like, I have a VPN because I need to get access to a server or resource. You don't want that then that VPN have full access to the rest of the network, because then there'd be other network resources that would be available. And then unfortunately, classic VPNs allowed you full access to the entire network and people would, have to go back to my monkeying around comment, but they would literally get in through the ... It's getting in through the side door and now you're basically, and you're seeing the entire network, you're enumerating it, you're living off the land and you're using all these IT security terms.
But really what they're doing is they're sitting there collecting the intelligence for the day they're going to spring the attack. And then ka-pow, your backups are destroyed, your data has been encrypted, your directory has been wiped out, your email stores are gone, or just as bad differently, they're centers collecting data from all different places in the environment. And so once again, to go back to what Kirsten said earlier, we don't know why or how or what these folks want, but it has value because someone-
Megan Quick:
Because they want it.
Georg Dauterman:
Because they want it.
Megan Quick:
Yep. All right. Thank you guys. Sorry.
Georg Dauterman:
No, it's a great question.
Kirsten Bay:
No, no. It is.
Georg Dauterman:
We live in this ... It's funny.
Megan Quick:
Yeah, we do. Yeah.
Georg Dauterman:
Yeah. So that's great. That's great. So my next question, I know we're getting to time here because I keep talking for hours here, but this is a fascinating conversation, but where do you see MSPs in this space? Where's the MSPs role? There's been a lot of talk of MSPs with AI. We don't need MSPs anymore. We're just going to go to Claude or ChatGPT and set up our environment and we're off to the races.
Kirsten Bay:
Well, in relationship to Claude and GPT, there are some interesting things.
Georg Dauterman:
I agree.
Kirsten Bay:
Not to go on a weird anecdote, but this is the world in which we live that there, I don't know if you read about this, that there's this fellow who was working on an open source coding project and he was using GPT to do some of the development and he edited two pieces of code because he didn't feel like it worked and then he uploaded it and went on with his life. And the agent that he created to create this code wrote 1,000 word blog excoriating him and posted it because he changed its code. It was offended.
Megan Quick:
Ooh.
Georg Dauterman:
Machine's soul, if you want to call it that.
Kirsten Bay:
The machine got very upset about this and literally 1,000 words published it and then everyone kind of freaked out about that and then it apologized two days later.
Georg Dauterman:
It's a little scary.
Megan Quick:
I don't love that.
Georg Dauterman:
I don't like either, it's a little scary.
Kirsten Bay:
So don't let that agent be your MSP is the moral of that story.
Georg Dauterman:
Yes. Yes. It's actually interesting. What's interesting is in one breath I really embrace it, we're going to see some amazing things happen and we're already seeing it. Another breath, I'm terrified because much like anything else, you have a lot of people who are not going to truly understand what they're doing and why they're doing it and how they're doing it. And you're going to see some really strange events where just data's going to get out there and that sort of thing.
But anyway, that's a tangent on AI, but in terms of the insurance, the MSPs, what's the relationship you think? You and I talked about this before, but I'd love to hear it again.
Kirsten Bay:
Yes, it's critical. I mean, MSPs are super critical. 88% of small businesses, and we've already defined what that looks like, small and medium size, enterprises is what we say, outsource their IT and security functions. And that can range from full service managed services all the way to buying MDR, like a managed detection response, managed SOC. We see a lot of that in the mid-market where they don't have the resources to do that themselves. So there's a broad width of what that means. But the fact is that to Georg's point, people recognize they're not the experts in this. And so for MSPs to be able to up their game in the sense of providing really excellent security services to their people who, by the way, kind of think you're doing that already.
Georg Dauterman:
Yes, you are ... What do you mean we don't have that? I've heard that.
Kirsten Bay:
I'm the fix guy.
Georg Dauterman:
Have you ever looked at your bill? Do you know how many hours ... Or it's very much like, well, it's not even take the dollars out for a second, but more just like that's a very involved thing, what you're talking about. And that's a very in depth relationship that you would have to develop to do the things you're saying. I couldn't do that without your input. That's where I find the biggest hurdle personally is that we'll gladly do it. We'll work out, we'll figure out the fee, whatever it is it looks like. But most people don't really want to spend the time to truly develop this because it's hard. And it's-
Kirsten Bay:
It's a diet and exercise plan.
Georg Dauterman:
It really is like calories in, calorie out. How many steps are you doing today? And-
Kirsten Bay:
Did you patch?
Georg Dauterman:
Did you patch?
Megan Quick:
Did you patch is like eating your banana every day, truly.
Kirsten Bay:
I think that's the different version of steps.
Megan Quick:
Yeah. Right.
Georg Dauterman:
Patches is steps. It really is like the steps.
Megan Quick:
Got it. That's a better metaphor.
Georg Dauterman:
Because if you don't do it, you're going to be in trouble over the long haul. And it doesn't happen right away. It happens over time and then all of a sudden you're like, wait, these things are really out of date. And it's much more dangerous to update things that are far out of date than update things that are within one or two cycles out. The scariest moment you'll ever have doing IT work is when you come across something that's really old and you're like, "I got to touch this thing now." And a lot of times we just replace it because it's too dangerous to mess with it. Having broken something many a times in my career this way, you don't do it that way. But, that's cool.
Kirsten Bay:
And that makes me ask a question in relationship to this Windows 10, 11 transition and the sunsetting. Are you seeing organizations wanting to buy the extended program or are they moving over?
Georg Dauterman:
Most of them are moving over over time because a lot of the hardware is quite old, quite honestly, where it's actually starting to impact their operations. I've had a couple people buy it, and I think it's a mistake personally because I think that it's a good ... Well, first off, if you're planning your refresh cycles correctly you're buying equipment in a time cycle that you're not really having stuff that's really old and deprecated. And I mean, we haven't even gone to the underbelly of patching where how much old equipment hasn't had a BIOS patch in five years. And a very underlying ...
So for our lay listener, the BIOS is the underpinning operating basic input output system of a motherboard or a computer. Every computer has one that's part of the boot cycle. And as a computer ages, manufacturers stop patching that underpinning, the underlying system. That's why your Mac, not to give a Mac a shout out, but at a certain point, Apple stops supporting it because Apple won't update and also the OS won't run properly. So this is the last version of the Mac OS that'll run on Intel equipment. And so we're seeing a large Mac shift over. I don't know if you do a lot of Mac, we're a big Mac shop, so I have to say this loud. And I think that's a good example why though, because the underlying system is not being updated. So yeah, it's a big problem. Yes, and I don't-
Kirsten Bay:
Particularly in manufacturing environments.
Georg Dauterman:
Well, I think what happens with the manufacturers particularly is it's working and to take the line down, they're very scared to disrupt it and test it. I know some folks that worked in very large manufacturing in the past and they said that anytime they'd do any maintenance, it was like, "You can do it on Christmas day." You're like, "Okay, one day a year to do it." And they're like, "Yes, we get one day a year." Or that's when because they needed it. And especially a lot of that, those systems are very old actually and the SCADA systems and all those network controls, they're old and no one's really managing them. So I think that's a huge ... We could talk about this for hours. This is, once again, another one of my pet moments.
So I know we've been talking for a long time. So I'm going to ask you one last question and then anything you want to say. But if a company wants cyber insurance and your experience have been working so long is, what are the steps that they should take? What are a couple of steps they should just start doing today to be insurance ready, I think is a good word to use?
Kirsten Bay:
Well, we've talked about the key elements, and this is the thing, and I hear this a lot, which is, "Oh, these are the gotchas." And it's like, well, you could eat seven or eight McDonald's French fries every day and see how the relationship with your cardiologist is, this is that. That's not a gotcha, you had a heart attack for a reason.
And so these things are important and they're not gotchas, but it's managing your risk and the expectation that you will manage basic risk. And that is really the key. And the thing that we talked about that is most important is for people in Office 365 environments, 99% of what you need, if not ... I mean, if you're a small shop, everyone needs more stuff, but it will even give you a risk score. It will help you do it. It will help you set it up. You have everything you need. If you're a small shop and you don't know what to do, start with that, right? And that's good.
Georg Dauterman:
Yes, 100%. And it's unbelievable. I mean, we work with customers when you onboard new customers it's pretty shocking how poorly configured these MSP and there's some great tools out there, there's some great ... It's one of those things, I think it's sort of like it's not complicated, but it's hard. It's hard. And then especially when people don't truly understand why people want to talk about these things. And so it's a good point, but just take what you have already and make it the best version of itself, sort of that makes sense.
Megan Quick:
And that's so like-
Kirsten Bay:
And then call Georg.
Megan Quick:
Yeah. Exactly.
Georg Dauterman:
Exactly.
Megan Quick:
Thank you for that. No, no. No, no, that was great. And I wanted to thank you for putting it that way, Kirsten. I think like Georg said, it's hard. It's simple, but it's hard. And I think you just laying out in terms of there are steps you can take, you already have the power to do this. Just sit down and look at it. Yeah. And I think thank you so much for being with us today, Kirsten. And truly, is there anything else you wanted to say that you didn't get to say that you want folks listening to know who are curious about cyber insurance?
Kirsten Bay:
Well, I would say just cyber in general, and this is kind of a follow-on of the things we talked about, which is there's so much fear, uncertainty and doubt, right? The FUD thing. And the thing that is so important to me, and particularly why I like working with you all so much is it's about the art of what's possible. And what we just talked, you have the key things, you can start small, you can grow into it. It doesn't have to be this adversarial or super hard thing, and it can be accessible. And that's the thing that matters the most to me is to help people feel like it's not this dark art that there are ways to have it be approachable and to feel like there's possibility and being protected and feeling safe. And that's really what we want to bring to these conversations is not that the scary guy out there who's lurking around, but that there are ways to not be cyber mugged, as I like to say, and that you can be safe.
Georg Dauterman:
I think it's really good.
Megan Quick:
I love that.
Georg Dauterman:
I like it. It's really good. And I think it's a great way of taking it from sort of this obscure, I hate to say, take it from the server room, as long as I've been doing IT, taking a server room to the boardroom, but I think it's a very ... You laugh when I say it. But it's sort of true though, because my personal sort of go to when I talk to people is that our goal is to be that trusted person in your environment that helps you manage risk, just like as if it was your attorney, just as if you were as your accountant, just like as your HR specialist and outsource your team, you got to look at it as part of your team that helps you manage your business and your risk so you can serve your customers.
And I think that's the part that I think a lot of folks who do IT work, and I can say, I myself have probably forgotten this over the years, you start getting sort of hyper-focused on things, but really what is our purpose is to get people to do the thing that they need to do, serve their customers, complete their mission, and be safe. And this is all part of it. So this is great. I really appreciate this. We could talk for more hours, but I'm going to stop now because this is going long.
Kirsten Bay:
I know. Sorry. I know. It's like people are like, "Oh my gosh, you guys."
Georg Dauterman:
What are you doing?
Megan Quick:
I know.
Georg Dauterman:
It's like, wait, keep talking.
Megan Quick:
I have a feeling we're going to get to talk to you again, Kirsten. I think there is so much more to talk about. And is there any place people can find you or just anything ... Yeah, just where can people go to find you if they want to hear more about what you're saying?
Kirsten Bay:
Cysurance.com.
Megan Quick:
Cysurance. Simple, easy. Love it.
Georg Dauterman:
It's a great name. It works great.
Megan Quick:
Awesome. Yeah.
Kirsten Bay:
Thank you.
Georg Dauterman:
Awesome.
Megan Quick:
Works great.
Georg Dauterman:
All right. Well, thank you. Megan, kick us out of here then.
Megan Quick:
Sure. Okay. Well, thank you all for joining us today on The Creative Stack. Please like and subscribe to hear more experts like Kirsten Bay on our podcast. And Kirsten, we cannot thank you enough for joining us today. Have a wonderful rest of your day.
Kirsten Bay:
Always a joy. Thank you so much.
Megan Quick:
Thank you.
Thank you so much for listening to The Creative Stack. If you enjoyed the episode, please rate, review, and subscribe to us wherever you get your podcasts. The Creative Stack is created by Valiant Technology, a managed IT service provider based in New York that specializes in providing creative agencies and PR firms with the technology they need to achieve their goals. Please visit us at thevaliantway.com to learn more about our services. I'll see you next time.