
Today we will be listening to a talk delivered by Jared Kner. Jared Kner is the co-founder of Blacksmith InfoSec, where he helps MSPs and SMBs build audit-ready security programs without enterprise budgets. He has been building secure software for more than 25 years. For the past 15 years, he's led software and cybersecurity at Silicon Valley startups, primarily in govtech, health tech, and fintech. So, welcome Jared Kner, and please, a round of applause for his talk on security on a shoestring budget.

>> All right. Thanks everyone, and thanks for that introduction. I can kind of skip this slide here, so I'll really just jump right into it, because there's a lot to cover if you're going to try to build a security program on essentially a zero budget, right? And that's really what the talk is today. So if you are reading this and seeing yourself reflected in this quote, this may not be the talk you're looking for. And that's okay. I am going to try to be as inclusive as possible today and cover all aspects of a security program. At the same time, I only have 30 minutes, so I'm going to try to rattle through this fairly quickly. But if your budget for security is a billion dollars, 100 million, even a million dollars, you may not get a whole lot out of this. Really, this is designed for those startups and small businesses that are starting their security program on day one. They know that they are either going to have customer requirements to be compliant with SOC 2 at some time in the future, or at least be building secure software and things like that, or that they are eventually going to be regulated by some government entity, whether it's HIPAA, CMMC, things like that. Right? So the goal here is to help you figure out, on day one, how do you get that security program off the ground? Or, if you're like me at my last 10 startups, coming into an organization that already had software that was already in production, that was already collecting Social Security numbers and PHI, and had no security program and was not doing things the right way: how do you start bringing that into the fold so that you can start doing things the right way and protect your customer data and protect your business along the way? So for a lot of you this is going to be old hat, and I apologize for any rehash that you will hear along the way, where you already know this. That's okay. My goal here today is to give you at least one thing that you can take away to your organization that is actionable, so that you can start doing it tomorrow.

So, a little preface here. I gave this talk for the first time six years ago at BSides San Francisco. A lot of things have changed along the way; I'm going to talk about some of those. One thing that has not changed is my imposter syndrome. So I appreciate all of you being out here today and supporting me, but I am a little bit nervous. So you're going to hear me stumble along the way here, and that's okay. We're going to get through this together. But I do want to talk about some of the things that are new in the last six years since I gave this talk last.

The first one is phishing-resistant MFA and passkeys, right? WebAuthn was released in 2019. So technically, in February 2020 when I gave this talk, WebAuthn did exist, but passkeys have really become ubiquitous and are being adopted pretty widely right now. It used to be recommending folks buy YubiKeys or something like that for their staff. Now you can get that right on your computer, and it makes your life a lot easier, and it makes for a much more seamless and frictionless approach to MFA for your users. So, huge fan of phishing-resistant MFA and passkeys.

Next up, supply chain has really become the default attack vector. So if you are not thinking about third-party risk management and your supply chain as an attack vector, you are missing a beat here. I really would encourage you to, and we'll get into third-party risk management a little bit later, but supply chain really has to be one of your primary areas where you're thinking about security.

One of the great things that's happened along the way is that cloud security tooling has gotten a lot better and it's become democratized. Also, as we've seen new entrants come into the space, cloud security posture management tools have become much more ubiquitous, and that's brought prices down. It used to be, for companies like mine, it was almost impossible to get a cloud security posture management tool that was actually affordable, or they wouldn't even sell to me because of minimums in terms of number of seats. One of the things that's great about how ubiquitous it's become is that now I can not only buy it directly, but I can buy it at a price that makes sense for me.

DMARC six years ago was relatively optional. It's still, I think you can argue, a little bit optional, because a lot of email providers are still allowing p=none to come through, but they're at least nominally requiring DMARC. So if you're not doing SPF and DKIM records, there's a good chance that your emails are getting lost. And then I think one of my favorite pieces: NIST added Govern to their Cybersecurity Framework 2.0 a couple of years ago, and that's been a huge thing. I feel like there might be something I'm missing here. Oh yes, AI. AI is everywhere. So you probably have heard of this AI thing. I'm sure it's a passing fad, but it is the thing that's out there. And don't worry, I'm not going to spend a lot of time talking about AI today.

So, let's talk about security. What we're talking about today is not building a set of tools, it's building a security program. And so, a couple of caveats before I really get into this. First of all, I'm fluent in AWS. I've been using AWS for 15 years, so I'm going to use the language of AWS. That is not to say that Azure or GCP are bad services. They are wonderful platforms as a service; I just don't know them as well. So I'm going to ask you all to code switch for me and translate in your head to the platform that you like. I will also say I will talk about a couple of tools today. The goal here is not to endorse any one specific tool. There are some excellent ones out there, but I would encourage you to do your research, Google it, find the alternative that might work for you. So any tools that I talk about, this is not an endorsement of those tools. And with that out of the way, we can dive right into this.

So, how do you start a security program? It really starts with planning. For me, that is starting with a security framework, whether that's the NIST Cybersecurity Framework or CIS, and both of those are excellent choices, but picking something that you're going to align your security program to, so that as you build it, you have a framework and an umbrella to put everything under. It really gives you that roadmap to sort things out. This is where I like CSF, because it provides that really overarching umbrella. But if you really don't know what you're doing, starting with something like CIS, where you can build IG1, IG2, IG3 and get a much more opinionated approach, can be a very valuable way to get things off the ground.

From that security framework, one of the first things that almost every security framework is going to ask you to do is write policies. Now, you can go out to ChatGPT and have it write security policies for you, and they will be 90 to 95% correct, and they might even be good enough for what you're doing. If you are thinking about compliance in the future, you might want to do something a little bit more than ChatGPT or Gemini or one of those AI platforms, and get something that is going to be a little bit more robust and guarantee that you're aligned with this compliance initiative that you need to go towards. But if you're just worried about getting something off the ground, those AI tools are actually a great place to get started.

With these security policies, you need to have an owner. In the language of Procter & Gamble and some of the large enterprises, this is the one throat to choke. Who owns that policy, so that when things go wrong, that's the person who needs to take care of it? But more importantly, when you need an exception to the policy, who is allowed to approve that exception? And when we talk about ownership, if you have too few owners or too many owners, you essentially have zero ownership. So the idea is to have a single person that is responsible for any given portion of your security program. There's going to be one person who owns the whole thing, and then one person for each policy, with the idea that if you're not doing that, there's something that's going to be missed in the cracks. If nobody owns it, guess what? Nothing happens. And if two people own it: "Wait, you're not doing it? Shoot." We're falling through the cracks there also. So make sure you have a single owner for any given thing that you're doing.

One way you can do that is to put security in people's job descriptions. This is actually something that I learned from BSides, I don't know, seven or eight years ago now. I've been coming a long time. But putting security in everybody's job descriptions, right? If your marketing team knows that they need to secure customer data in your CRM, if your legal team knows that they are responsible for the contracts, if your financial team knows that they are responsible for securing your bank account and the finances, if everybody understands what aspect of security they own on day one of their employment, they are going to do the right thing by default. But also you can put that into their annual review and bonus them accordingly. When compensation is tied to the outcomes that you want, it makes for a lot better process.

And then we get into threat modeling. This is particularly true for application security, but at the end of the day, threat modeling... again, a talk that I heard at BSides, I don't know, three or four years ago, somebody made the analogy that security really hasn't changed in 10,000 years. 10,000 years ago, I had something you wanted. You wanted to take it from me. My job was to stand out in front of my cave with a club and keep you away from it. And if I had a bigger club, I was going to protect my things. And if you had a bigger club, you probably were going to take it from me. And the same thing is kind of true today, right? If I don't understand what it is that I want to protect, and don't understand how to protect that, there's no way that I can possibly stop you from getting it. So threat modeling is really just that exercise. Call it risk mitigation, call it whatever you want, but the idea is: how do you figure out what it is that you're protecting and make sure that that's getting protected effectively? Then of course we've got to throw some song lyrics into this.

All right, next up I want to talk about education. Education does not need to be buying a platform. In fact, on day one, education could be just running your staff through PowerPoints and things like that. There are free tools out there that will help you with this. PagerDuty, at sudo.pagerduty.com, has some PowerPoint templates that you can go ahead and download. They're free. There's one for everybody, there's one for developers, it's anything you need. They're a little bit dated; I think the last update was like 2021. So they're a little bit dated, but it's a great place to start if you're looking for ways to educate your staff without having to spend any money. CISA has great tools. YouTube is a great source of educational videos. So if you ever want to see what a social engineering attack looks like, if you ever want to see what phishing looks like, YouTube is a great place to go. But really, most importantly, bring this home. Anytime you can tell a story about security that will bring this home for your staff, you'll make your life better. So one of the stories I like to tell is my poor brother-in-law. At the time he was teaching in a middle school, and he and the rest of the staff learned the hard way to make sure that AirDrop was locked down, because one of his students broke up with his girlfriend, or the girlfriend broke up with him. He got mad and AirDropped, to everybody who had open AirDrop, topless pictures of a 14-year-old girl. Suboptimal experience for everybody involved, right? But when you can bring these things home, and when you can educate your staff on why it's important to be secure and how to secure not just at work but at home also, it makes those lessons much more relevant, and they will do the right thing not just with your stuff at work but also with their bank accounts along the way. So please do educate your staff.

All right, this is kind of a big topic with identity and access management. I'll try not to belabor this too much. The one I want to hammer on the most here is the principle of least privilege. I think everybody's heard of this before, but the idea here is give people the minimal amount of access that they need to do their job and nothing more. And that's true whether it's a human, whether it's an AI agent, whether it's anything else. The more you can constrain this, the better. Now, we just talked about 14-year-old girls. How many of you have tried to take a cell phone away from a 14-year-old girl? It's not easy, right? The same thing is true when you start to try to take permissions away from your staff members. So it's much easier if you can start your security program, or start your credentials, with the minimum amount of things that they need on day one of their job and then build up from there. It's a lot easier to give something to somebody than it is to take it away from them. So please think about that principle of least privilege early and often. Every time you're buying a new set of software or anything else, start with it scoped as small as possible and then build up from there. That will save you a lot of heartache over time.

I talked about phishing-resistant MFA, so I don't want to blabber about that one too much. Along those lines, though, are short-lived credentials. The shorter your credentials are, the less room there is if somebody steals one of your bearer tokens. So having those credentials be short-lived will make your life a lot easier. Again, if you're building an application, there's a fine balance that you have to make between "how do I make this not annoying for my users, where every time they click a button they have to log back into my platform" versus keeping them secure. So you're going to have to find that balance, and there's no one silver bullet that says, "Oh, it must be 11.7 seconds or 32 minutes." You have to find the number that works for you and for your customers.

SSO and SCIM. These are a hot-button topic for me. There's still a lot of vendors out there that want to be, I'll call it, SMB friendly, that force an SSO and SCIM tax onto you and make you move into an enterprise plan in order to get single sign-on or SCIM integrations. Please, if you have the opportunity to get single sign-on and SCIM, turn those on, and force single sign-on wherever you can, and force MFA wherever you can. You're not going to be able to do that everywhere when you're on a shoestring budget, because you're just not going to be able to afford all the enterprise tooling that you want to have, but do it wherever you can.

SSH and RDP. I have a love-hate relationship with being able to log in. As a developer, I love to be able to get in and tinker and understand exactly what's happening on a box. But at the end of the day, I want my boxes to be ephemeral. If I can make things completely ephemeral, then I don't even need to have SSH access. And so if I can just start building from day one without SSH at all, then I'm going to make my life a lot easier in the long run, because, again, I don't have to take something away from somebody, and I don't have to worry about break-glass accounts to get in for SSH. The great thing is a lot of, or all of, the cloud providers now have some form of session management. In AWS it's SSM, where I can actually get the equivalent of SSH to get into a box if I absolutely have to. But every keystroke is logged when I do that. And it's doing it without having to expose port 22 to the internet, and it's doing it credentialed, and it's doing it in a way that is much more safe and secure than just doing raw SSH. So think about, if you need to do SSH at all, how you're going to secure it, and ideally avoid it entirely.

Every ZTNA and SASE vendor out there will tell you VPN is dead. I say long live the VPN. At the end of the day, we talked about third-party risk management; we'll get into that again, actually, specifically here. Make sure you're paying attention to who your VPN provider is. A lot of the ZTNA and SASE solutions out there are very expensive. VPN is actually really affordable, especially if you're doing something like AWS VPN, where it's based on consumption and you're paying cents per hour for that connection. And so, again, the more you can limit the scope, bring things down, constrain access and your attack surface, the better off you're going to be. And then, as you can afford ZTNA and SASE solutions and focus more on zero trust and making sure that all of your devices are configured properly with your conditional access policies, you can move in that direction later. But start with something, because something is better than nothing.
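The SSH point above (no port 22 open to the internet; use SSM or a VPN instead) is the kind of thing you can check for free on a recurring basis. The following is an added example, not code from the talk or from AWS: it walks a list of security-group ingress permissions in the same field shape the EC2 API returns (`GroupId`, `IpPermissions`, `IpProtocol`, `FromPort`/`ToPort`, `IpRanges`/`Ipv6Ranges`) and flags any rule that lets SSH or RDP in from `0.0.0.0/0` or `::/0`. The two security groups at the bottom are constructed sample data, so the script runs offline; in practice you would feed it the output of `describe_security_groups`.

```python
"""Audit security-group ingress rules for SSH/RDP exposed to the internet.

Added example, not from the talk. Runs over constructed rule dicts shaped
like the fields of an AWS EC2 security group ingress permission. Makes no
AWS API calls; the SAMPLE_GROUPS below are constructed.
"""
from dataclasses import dataclass

# Remote-administration ports the talk says should never face the internet
# (use SSM session management or a VPN instead).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    group_id: str
    service: str
    port: int
    cidr: str


def _rule_covers_port(rule: dict, port: int) -> bool:
    """True if an ingress permission allows TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                       # "all traffic" rule: every port
        return True
    if proto not in ("tcp", "6"):           # UDP/ICMP rules cannot carry SSH/RDP
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def world_open_cidrs(rule: dict) -> list[str]:
    """All CIDRs on the rule that mean 'anyone on the internet' (v4 or v6)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def audit_security_groups(groups: list[dict]) -> list[Finding]:
    """Return one Finding per (group, admin port, world CIDR) exposure."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            for cidr in world_open_cidrs(rule):
                for port, service in ADMIN_PORTS.items():
                    if _rule_covers_port(rule, port):
                        findings.append(Finding(group["GroupId"], service, port, cidr))
    return findings


# Constructed sample data: a clean web-tier group and a leaky bastion group.
SAMPLE_GROUPS = [
    {   # Web tier: 443 from anywhere is expected; SSH only from one office /32.
        "GroupId": "sg-web-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        ],
    },
    {   # Legacy bastion: SSH open to the world on v4 and v6, and a wide
        # port range that happens to include RDP.
        "GroupId": "sg-bastion-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f.group_id}: {f.service} (tcp/{f.port}) reachable from {f.cidr}")
```

The wide port range on the bastion group is the case people miss when they grep for `22` and `3389` by eye; checking containment rather than equality catches it, as does treating an `IpProtocol` of `-1` as covering every port.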
How many of you have had staff members send you a Slack message with credentials, passwords, things like that? Yeah, too many hands going up right now. Get a password manager. They are not that expensive. I think 1Password has a $20 a month plan for up to 10 users or something like that. There are password managers out there that you can very easily afford even on a shoestring budget. Do it. Share your passwords securely. Again, whether it's 1Password or something else, go out and find the tool that you like the best, that works for you. Get a credential vault. Find ways so you're not having to do this on your own.

And then last but not least, and this is one that almost everybody forgets: do your user audits. Whether it's quarterly or annually, at some cadence, go through all of your systems and figure out who still has access, because I guarantee you there is somebody in there, the ghosts in the system, that still has access that you aren't aware of. I saw this; I had a friend about a year ago who ended up in a lawsuit because they had managed to offboard an employee but hadn't offboarded that employee from their AI notetaker. And all of a sudden, their former employee was still getting emailed. They had signed up with their personal email and were still getting emailed meeting summaries that included executive meeting minutes from that AI note taker. So make sure you are doing your user audits so you don't give yourself a lot of heartache. It's simple, it takes very little time, and it's something that you can do for free very quickly.

All right, who's heard the phrase "it's always DNS," right? Yeah. I should have seen every hand go up here. DNS things. We talked about DMARC earlier. It's really no longer optional. All the major email providers are requiring it today. Get your SPF and DKIM records up. Again, the sooner you get those into place, the better. Don't just do p=none. At least get quarantine, if not reject. But as you are building this out and starting from the ground up, guess what? Every time you add a new email provider, if you've already got it set to quarantine or reject, you're going to know immediately when things aren't working. So you can add that additional provider in and be very thoughtful about it. And that also helps prevent some of the shadow IT where marketing goes off and buys a new tool and starts emailing people without you knowing about it. So you can make yourself a lot happier by doing some of the right things on day one. DNSSEC, prohibiting transfer of your DNS, things like that, also very important.

Get your security headers. securityheaders.com is a great way to check your security headers and make sure you have your Content Security Policy in place, and that you are ensuring HTTPS everywhere. These are very simple things that you can do. And again, building up your Content Security Policy is going to save you a lot of heartache compared to if you've been running something in production for 10 years, and it's, "All right, which things am I pulling from? Uh-oh." And now all of a sudden, I'm breaking software. Again, if you're building it up, then as soon as something hits your staging environment or your test environment, you're going to very quickly find out that you need to allowlist another domain. Building up is a lot easier than tearing down.

All right. How many of you love third-party risk management and reading SOC 2 and ISO reports? Yeah, everybody. Every hand goes up right away. Those SOC 2 reports, they have never lied to you, right? I've seen the SOC 2 reports that are scoped down to a single machine in a server closet that is not even remotely close to the entire company. So you do need to read your SOC 2 reports. It is not enough to just say, "Oh, you've got a SOC 2. Great, you pass." You need to actually read those SOC 2 reports. Figure out whether the services you want are in scope. Otherwise, you are going to be in a world of hurt later on. Again, your suppliers are your biggest weakness, because of course you're taking care of your own internal, your first-party, security risks yourself. 100% of you are doing that. I see lots of heads nodding. Everybody's feeling very confident about their security programs. Excellent. But you really do need to be thinking about those external reports. SOC 2 Guild, at s2gild.org, has a great rubric. So if you've never read a SOC 2 report or don't know how to read one effectively, s2gild.org is a great place to go and learn how to read a SOC 2 report. I don't have enough time to go into all the reasons why that's important, and there are some things that they need to add to that. So I've got some pull requests pending for them. I haven't put them up yet, but there's some stuff that I'm going to be advocating for. It's an open source project to help increase trust within SOC 2 reports.

But from that, you also need to probe a little bit more, right? If it's your t-shirt vendor, you probably don't need to worry about their SOC 2 report, or too much about their security program. But if it's your janitor, guess what? You still need to worry about how they're going to secure things, because there are physical controls that you need to think about. If it's your software vendors, what sort of data are they going to be accessing of yours? How do you make sure that you are securing it, or that they are keeping your stuff secure, and that you can trust what they're doing? And so build those security questionnaires, and that doesn't mean send out a SIG or a SIG Lite. Those are hundreds of questions. Nobody's going to fill those out, or fill them out accurately. What you want to do instead, if you can, is get it down to 10, 15, 20 questions that are very pointed about the things that you care about the most. And really, even if you can spend the extra 10 minutes to customize it based on what's in their SOC 2 report and things like that, you're going to do yourself a world of good, because if you get a security questionnaire and it's only got 10 questions in it, you're going to spend a lot more time making sure that the answers are correct than just saying yes or no. And please, for the love of God, stop asking yes/no questions on your security questionnaires. Ask questions that are meaningful and that elicit some sort of give and take.

All right, because we're in Silicon Valley, I'm going to talk about some apps. The OWASP Top 10, first released, I think, in 2003. It really has not changed much since then, and that is a depressing fact, right? The same things are coming up over and over again. And guess what? For all you vibe coders out there, that OWASP Top 10 is based on the same open source packages that are training the LLMs. And so if you're thinking, "Oh, don't worry, I'm going to vibe code my way into security," you're probably introducing the same sets of bugs. And it's baffling to me that there have been 20 years of SQL injection at the top of the list, and now prompt injection is at the top of the list, because people have not learned to sanitize their input. So think about your OWASP Top 10, use the ZAP proxy to go and test yourself and check for those things. There are free tools out there like ZAP, Burp Suite, things like that, that will help you test your code.

Do code reviews. This is a great time to be alive if you're a developer. You don't need to have a technical co-founder who can review your code. You can get AI to do that. It's not perfect. It's not a true replacement for a human review, but it is an awesome way to accelerate yourself until you get that second developer in house, to be able to build something meaningful and have some level of assurance that the code that you're writing is good. Software component analysis, whether it's Dependabot or Snyk or one of the other many SCA tools that are out there. It's a good way to, again, look at that supply chain. GitHub gives you an SBOM out of the box, so make sure you're using that and understand where to find that. It's there.
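"Understand where to find the SBOM" is only useful if you then do something with it. The following is an added example, not code from the talk, GitHub or any SCA vendor: it parses a CycloneDX-style JSON SBOM (the same `components` / `purl` shape GitHub's dependency-graph export uses), splits each package URL into ecosystem, name and version, and matches the result against a small advisory list using a "fixed in" version. Both the SBOM and the advisories are constructed; the package names and advisory IDs are placeholders, not real vulnerabilities, and the version comparison is a simple numeric one rather than full semver.

```python
"""Check the components in a CycloneDX-style SBOM against an advisory list.

Added example, not from the talk or any SCA tool. SAMPLE_SBOM and
SAMPLE_ADVISORIES are constructed; the package names and advisory IDs are
placeholders and do not refer to real vulnerabilities.
"""
import json

# Constructed SBOM in the CycloneDX JSON shape.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-json-parser", "version": "1.2.3",
         "purl": "pkg:npm/example-json-parser@1.2.3"},
        {"type": "library", "name": "example-http", "version": "4.0.1",
         "purl": "pkg:npm/example-http@4.0.1"},
        {"type": "library", "name": "example-crypto", "version": "2.9.0",
         "purl": "pkg:pypi/example-crypto@2.9.0"},
    ],
})

# Constructed advisories: any installed version below "fixed_in" is affected.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "npm", "name": "example-json-parser", "fixed_in": "1.2.4"},
    {"id": "EXAMPLE-ADV-0002", "ecosystem": "npm", "name": "example-http", "fixed_in": "3.5.0"},
    {"id": "EXAMPLE-ADV-0003", "ecosystem": "pypi", "name": "example-crypto", "fixed_in": "3.0.0"},
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3) so tuples compare numerically.

    Only the digits of each dotted piece are kept ('3-beta' -> 3); good
    enough for the sample data, not a full semver implementation."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_purl(purl: str) -> tuple[str, str, str]:
    """Split 'pkg:npm/name@1.2.3' into (ecosystem, name, version).

    rpartition on '@' keeps scoped names such as '%40scope/name' intact.
    purl qualifiers ('?...') and subpaths ('#...') are not handled here."""
    body = purl.removeprefix("pkg:")
    ecosystem, _, rest = body.partition("/")
    name, _, version = rest.rpartition("@")
    return ecosystem, name, version


def sbom_components(sbom_json: str) -> list[tuple[str, str, str]]:
    """Return (ecosystem, name, version) for every component that has a purl."""
    doc = json.loads(sbom_json)
    return [parse_purl(c["purl"]) for c in doc.get("components", []) if "purl" in c]


def find_affected(sbom_json: str, advisories: list[dict]) -> list[dict]:
    """Match SBOM components against advisories; one record per hit."""
    hits = []
    for ecosystem, name, version in sbom_components(sbom_json):
        for adv in advisories:
            if (adv["ecosystem"] == ecosystem and adv["name"] == name
                    and parse_version(version) < parse_version(adv["fixed_in"])):
                hits.append({"advisory": adv["id"], "package": f"{ecosystem}/{name}",
                             "installed": version, "fixed_in": adv["fixed_in"]})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{hit['advisory']}: {hit['package']} {hit['installed']} "
              f"(fixed in {hit['fixed_in']})")
```

The useful habit is the shape of the loop, not the toy advisory list: generate the SBOM in CI, match it against a real advisory feed on every build, and fail the build on hits. That is what Dependabot or Snyk automate for you, and this shows what they are doing underneath.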
SAST is a little bit controversial, because there are tools like SonarQube that are free, that work, and, again, are better than nothing. There are AI-powered tools out there that, again, work and are better than nothing. But they're also going to give you a lot of false positives. And so, again, to the extent that you can bring SAST into your solution, even if it's just using SonarQube and AI tools like Claude Code, things like that that are free or cheap, please do that. You will find things that you didn't expect to find, and it's a great way to just improve your baseline.

And then intrusion detection and intrusion prevention. A lot of times people look at that and say, "Oh, it's got to be way out of reach." Actually, there are vendors in the AWS Marketplace that have between 1 cent and 6 cents an hour opportunities to put IDS onto your boxes and give yourself a little bit of additional peace of mind. Again, if you're paying 1 cent an hour for a service, it may not be the industry leader, but guess what is better than zero? One, right? So you've got to think about those ways to level up a little bit until you can afford the industry-leading solutions.
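The application-security section above makes the point that SQL injection has sat at the top of the OWASP list for twenty years because input keeps getting spliced into queries. The following is an added example, not code from the talk: the vulnerable lookup and its parameterized fix side by side, run against an in-memory SQLite table of constructed rows, so you can see why the fix is about query structure rather than "sanitizing" characters. The table, the rows and the inputs are all constructed.

```python
"""SQL injection: the twenty-year-old bug beside its fix.

Added example, not from the talk. Uses an in-memory SQLite table of
constructed customer rows; the lookup stands in for any 'find my record'
query an application might run on user-supplied input.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway table with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, plan) VALUES (?, ?)",
        [("alice@example.com", "pro"), ("bob@example.com", "free"), ("carol@example.com", "pro")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """The bug: user input becomes part of the SQL text, so the input can
    change the shape of the query instead of only the value compared."""
    query = f"SELECT id, email, plan FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """The fix: the driver sends the value separately from the SQL text,
    so whatever the string contains, it is only ever compared as data."""
    query = "SELECT id, email, plan FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Constructed input that happens to contain SQL syntax. A perfectly
# legitimate value with an apostrophe (O'Brien) breaks the vulnerable
# query too, which is the functional bug that often surfaces first.
TAUTOLOGY = "x' OR '1'='1"


def compare(email: str) -> dict:
    """Run both lookups on one input; report row counts (or the error)."""
    conn = make_db()
    try:
        vulnerable = len(lookup_vulnerable(conn, email))
    except sqlite3.Error as exc:            # malformed SQL built from the input
        vulnerable = f"error: {exc}"
    safe = len(lookup_parameterized(conn, email))
    return {"vulnerable_rows": vulnerable, "safe_rows": safe}


if __name__ == "__main__":
    print(compare("alice@example.com"))    # both lookups: exactly 1 row
    print(compare(TAUTOLOGY))              # vulnerable: all 3 rows; safe: 0
    print(compare("o'brien@example.com"))  # vulnerable: SQL error; safe: 0
```

The same mechanism is what makes the prompt-injection comparison in the talk apt: in both cases untrusted text is concatenated into something that is later interpreted, and the fix is to keep data and instructions in separate channels rather than to filter characters.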
ah logging and alerting. Um, I was I do a fair amount of consulting and and advising of other startups and I had a a client that I was talking to, this is about a year, year and a half ago, um, that could not figure out how to spell HIPPA, but was building a platform on top of an ERM um, or excuse me, an EMR. And uh, it worried me a little bit when I asked this question about what they were going to come back with, but I said, "All right, so uh, you don't have any PHI in your logs, do you?" and they very confidently answered, "No, I don't have any PHI in my logs."
That doesn't sound quite right here because you don't even know what HIPPA is. So, let me How do you know that? Oh, because we don't have any logs at all. Cool. So, how do you debug it when a user complains? Oh, we just SSH into the box and use a Rails console in production with patient health data. That ends now. It's Yep. So, uh centralized logging. Uh again, you want your boxes to be ephemeral. So if you can get away from SSH, if you can put your logs into the cloud, uh whether it's an ELK stack, if you want to do it yourself, uh or one of the many SIM vendors that are out there, Blumir, Data
Datadog. I mean, Datadog, Blumira, I think, has a pretty cheap option available. Datadog is like $2.50 per million logs per month. If you're a small startup, you're probably not generating much more than a million logs per month. So look for those centralized logging services that are going to make your life a lot easier as a developer. You know, again, you can go all the way to Splunk and some of the very big vendors out there and get the industry leader for SIEM, but you'll also be paying for that. Instead, you can focus on the cheaper solutions. Even if it's not a full SIEM solution, having that centralized logging will make your life a lot easier. But then, more importantly, put some alerting and paging around that, because just having the logs in place doesn't tell you anything if you don't know that there's a problem, right? So you have to understand when there are gremlins in there that you can do something with. So PagerDuty, Opsgenie, there are a bunch of tools that, if you have fewer than five developers, are free to use. Find those tools. Go ahead and put those into your stack.

All right, I've got five minutes left, so I'm going to try to rattle through some of this here real quickly. We used to call this antivirus; endpoint detection and response, EDR, however you want to call it today. There are excellent tools that are out there. It used to be, six years ago, you had to have a 100-seat minimum in order to buy a lot of these tools. Most of them now have made it much more commoditized and you can buy them off the shelf, even the next-gen AV products that are 50 bucks per month per user. So definitely put an EDR into your stack.

MDM and device management. Had a friend call me three months ago saying, "Hey, one of our employees' laptops got stolen." Great. You've got an MDM. Let's just go and remote wipe that device. While we're in here, let's just make sure that we understand what the exposure is. Oh, you haven't enforced full disk encryption. You haven't enforced screen lock. Awesome. Just having these tools in place does you no good if you are not configuring them properly. So take the time to configure these things properly. Hire an MSP or an MSSP to help you configure these things, even if it's just on an hourly basis to get things off the ground. You again will save yourself a lot of heartache along the way.

In that AWS ecosystem, you've got Security Hub, which includes Inspector and GuardDuty and other tools that will help you track your CloudTrail logs and other vulnerabilities. In order for you to understand what you've got in your, excuse me, you can't protect what you don't know about. So make sure you're keeping an asset inventory. Even if that's just an Excel spreadsheet, keeping that asset inventory, keeping a risk register, talking about the risks that matter to your organization is important. And then back up what matters, right? You don't need to back up everything on day one, although it would be nice. Ideally, you're following the 3-2-1 rule for backups. Again, that would be nice. But start somewhere. Get something backed up and focus on the things that matter the most to you. All right, so let's go thrift shopping a
little bit. You're already doing step one, which is coming to a show like BSides, which is a relatively inexpensive way of getting a lot of great security content. But even RSA: a quick Google search will find you free expo hall passes and keynote passes, so you can get some great content from RSA, but a lot of those talks will also be recorded and available online. Look for VARs, MSPs, MSSPs to help you with these things. If there's a tool that you want that you can't meet the license minimum for, ask them for their reseller program, because you can often find they'll even direct you into an MSP or MSSP that will sell you one or two licenses of a platform that otherwise would be a 100-seat minimum. Please do negotiate. Almost every vendor out there will negotiate with you, even if they have a credit card swipe type of transaction. You can get vendors to negotiate with you. And then looking for strict cost budgets, or budgets and budget alerts, will make your life a lot easier.

All right. So let's talk the money shot here. If you noticed, a lot of this stuff was time, because time is free, right? So documentation, education from YouTube and PagerDuty, free tools, whether it's open source or other things, third-party risk management, spreadsheets, a lot of these things can be done, quote unquote, for free because, we all know, like I said, time is free. But if you're keeping track, if you're doing 10 million logs a month at that $2.50 per million per month factor, you're talking about $300 a month for that. IDS, again, depending on how many instances you have, let's say it's 10 instances that you're running, two cents a month. EDR at $50 per year per employee for 10 employees. MDM, password manager, right? You're talking about an entire security program for less than $5,000 per year because you've done this on a shoestring.

All right. So if you're going to take one thing away from this talk: your security journey gets easier the earlier you start. So just start. The analogy I like to use here is the 401(k). If you start investing in your 401(k) or your retirement account when you're 22, you can put small amounts away and that amount will compound over time and help you out with retirement. But if you're waiting until you're 65, or, in the case of security, waiting until a customer says, "I need a SOC 2 report," you're going to spend a lot of money in order to get there. So whatever you do, just start now. Start small. Do something, because it will pay dividends over time. Thank you.

>> Thank you so much, Jared. And thank you for sharing your valuable insight on how to build out a security program on a budget. Thank you so much. So for Q&A, do you want to take one or two questions? I mean, we have one or two questions, a minute. If anybody wants to, I can pass down the microphone, or you can use bsides.org Q and A, the letter N and then the letter A.

>> And if not, I'll be at the escalators after this. So if you want to come ask questions or connect, a minute. Y
>> I must have nailed it. Okay. Well, yes, we don't have any questions.

>> Oh,

>> there's a question. Oh, okay. I'm running to you. Just making sure I don't trip.

>> All right, we're out of time.

>> Okay. Here we go.

>> First off, great talk. Really appreciate all the musical references.

>> Thank you.

>> Do you have any recommendations for a home lab security environment?

>> You know who does? Right here in the front row is Tom Lawrence or Matt Lee. These guys right here would be happy to talk about home lab for hours.

>> Hours.

>> Very cool. Thank you.

>> All right. Quickly, a second question.

>> I'm glad you can see, because I can't see anything from up here.

>> First off, you rock. All right. Say you're like a solo founder. You somehow magically get some kind of client. Oh my god. But they're like, "Hey, you should be SOC 2 compliant." You don't know what's going on, how to do it. You maybe got like a month to maybe kind of get there. What is the path in that month? What would you do, like, now, you know, to kind of get to a point where you're close enough?

>> So I'll tell you what I did seven years ago when I first encountered this. I was at a fintech, and Mastercard called and said, "We'd love to partner with you guys. We need to see your SOC 2 report." And I said, "I don't know what a SOC 2 report is, but I can show you my socks if you want. I don't know what feet pics have to do with security." But no, in all seriousness, what I did at the time was I said, "Look, you know, here's how we're aligning to the NIST Cybersecurity Framework." I basically walked them through our entire security program and spent an hour and a half on the phone with their security team, and they said, "Okay, it is clear that you understand what you're doing and why you're doing it. And so what we can do is put into the contract that on contract signature you will become SOC 2 certified within X amount of time." And that gave me an opportunity to get the revenue in first and then use that to power the cost of the audit and the tooling and all the other things that I needed to do to get there. But it was really because I had good fundamentals in place already and had already built that security program based on a framework that I had a really easy way of navigating that conversation.

>> Thank you. Cool.

>> All right. And I think I'm out of time here. So, like I said, if you have any other questions, I'll be happy to meet you out in the hallway. We can't stand right in the hallway, so I'll go to the foot of the escalators if you have any.

>> Thank you so much. And a round of applause for Jared. Thank you, Jared.