🎙 Develpreneur Podcast Episode

Building Better Developers, the Develpreneur Podcast, Season 20, Episode 744

In this episode, Christian Espinoza discusses the importance of integrating security into DevOps, the challenges of securing medical devices, and the need for awareness and education on cybersecurity. He also shares his experiences building and selling a business, and his goals for his new company, Blue Goat Cyber.

2024-02-16 • Season 20 • Episode 744 • Penetration Testing, DevOps, and Cybersecurity in Medical Devices • Podcast

Detailed Notes

Christian Espinoza, a cybersecurity expert, joins the podcast to discuss the importance of integrating security into DevOps. He shares his experiences building and selling a business, and his goals for his new company, Blue Goat Cyber. The conversation covers a range of topics, including the challenges of securing medical devices, the need for awareness and education on cybersecurity, and the role of compliance drivers in cybersecurity. Christian also shares his insights on the importance of balance between macro goals and micro moments, and how this balance can be applied to both personal and professional life.

Highlights

  • The importance of integrating security into DevOps
  • The challenges of securing medical devices
  • The need for awareness and education on cybersecurity
  • The role of compliance drivers in cybersecurity
  • The importance of balance between macro goals and micro moments

Key Takeaways

  • Integrating security into DevOps is crucial for organizations to stay ahead in the cybersecurity game.
  • Securing medical devices is a significant challenge, and requires a deep understanding of the technology and the industry.
  • Awareness and education on cybersecurity are essential for individuals and organizations to stay safe online.
  • Compliance drivers, such as HIPAA, play a significant role in cybersecurity, and organizations must be aware of their obligations.
  • Balance between macro goals and micro moments is essential for achieving success in both personal and professional life.

Practical Lessons

  • Integrate security into DevOps to stay ahead in the cybersecurity game.
  • Prioritize awareness and education on cybersecurity for individuals and organizations.
  • Focus on medical device security, as it is a significant challenge and requires a deep understanding of the technology and industry.
  • Be aware of compliance drivers, such as HIPAA, and ensure that organizations are meeting their obligations.
  • Maintain balance between macro goals and micro moments to achieve success in both personal and professional life.

Strong Lines

  • The integration of security into DevOps is crucial for organizations to stay ahead in the cybersecurity game.
  • Securing medical devices is a significant challenge, and requires a deep understanding of the technology and the industry.
  • Awareness and education on cybersecurity are essential for individuals and organizations to stay safe online.

Blog Post Angles

  • The importance of integrating security into DevOps: a discussion with Christian Espinoza
  • Securing medical devices: a challenge for organizations
  • The role of compliance drivers in cybersecurity: a discussion with Christian Espinoza
  • The importance of balance between macro goals and micro moments: a discussion with Christian Espinoza
  • The need for awareness and education on cybersecurity: a discussion with Christian Espinoza

Keywords

  • Cybersecurity
  • DevOps
  • Penetration Testing
  • Medical Device Security
  • Compliance Drivers
  • Balance between Macro Goals and Micro Moments

Transcript Text

Rob: Welcome to Building Better Developers, the Develpreneur Podcast, where we work on getting better step by step professionally and personally. Let's get started. Well, hello and welcome back. As always, this is Rob Broadhead, your host of the Develpreneur Podcast, wrapping up now season 20. Yeah, I added that little introduction because sometimes, you know, it has been a while since I've even mentioned my name. If you haven't seen it out there on the site, you can always check out develpreneur.com. There's all kinds of information there: content, blog posts, and of course links to our now substantial list of podcast episodes, topping well over 700 episodes. This one, the last one for season 20, is also going to be a wrap-up of a conversation with Christian Espinoza, and we are going to shift a little bit from his discussions about his business and starting that up and some of the lessons he's learned across the businesses he's built. And we're going to talk about penetration testing, we're going to talk about what that means and some of the things that you need to be aware of so that you can help ensure that your company, your organization, or just your personal stuff is safe. So let's get right back into our conversation with Christian.

Rob: You mentioned DevOps and DevSecOps. Do you see that the industry or the organizations that utilize that, particularly, I mean, DevOps but obviously it's DevSecOps as well, but really just that, the pipelines, continuous integration, continuous development, those kinds of things, do you see that it's easier for them maybe to build security into those systems and then make that part of it, or is that still just like anything else? Sometimes it's good and sometimes it's not so good.

Christian: I think in general it is easier, because they're used to getting the feedback from operations and from security and that continuous development and continuous integration.
Christian: So they're more agile and they're used to collaborating much more than maybe an older type of methodology that a different software development organization uses.

Rob: And that's sort of what I was hoping, and it feels like that is, because I'm mostly a developer as well, it feels like that's becoming more... it's almost like you see a gap in it. You see the process and somewhere in the back of your head you're like, oh, we need to think about security. So at some point you put that into that process and say, all right, we need to check that or validate it or make sure we've got the right code. Take the steps to secure it. So it's good to see and hopefully we'll continue, because I think there's becoming more awareness out there that software is out there, people get hacked, you see stuff in the news every day, somebody's gotten hacked. And so hopefully that's going to make it a little easier for people like yourself moving forward.

Christian: Yeah. And what I've also seen is we do a lot at Blue Goat Cyber, my company, with medical device manufacturers. So there's always typically a software development component to that. And the FDA mandates specific cybersecurity things are done. And whenever there's a compliance driver like that, like you can't sell your software or your product until it has been blessed by this organization like the FDA, people adhere to the cybersecurity rules. Unfortunately, when there's not a compliance driver, a lot of organizations kind of don't even think about cybersecurity. Like, well, nobody says we have to do it. So why should we do it? Because it's going to cost us more time. It's going to delay our project more. It's going to be more costly. So often they just ignore it unless there's a compliance driver.

Rob: Oh, that's true.
Rob: So is there a place that you would direct, if there's developers out there that want to learn more about it and make that part of their development, is there a place where you would point them to, to start to get that to be part of their awareness and on their radar?

Christian: I think OWASP, the Open Web Application Security Project, OWASP.org, is a good site. They have a lot of cheat sheets on how to develop your web app, for instance, to prevent like SQL injection attacks or XML injection attacks. And they'll tell you how to do that based on the language you're coding your application in. And it's not just for web apps. They have it for mobile and other things. But that's a good starting point to look at. Here's the common ways people break into your environment. And here's the common ways, via cheat sheet for each language you use, to prevent that from happening. So then you start thinking, oh, I should be coding this way if I'm accepting input from a web form, for instance. I should do input validation and bounds checking. And here's how to do it for this specific language, such as PHP or whatever it is.

Rob: Excellent. Yeah. And I've actually used OWASP in the past and gone out there for various things. Usually when it goes back to your earlier point, where there was some sort of analysis or some sort of security audit was going to come through or something. It's like, OK, well, we want to make sure that we've prepared what we can. Or sometimes it was the recommendations afterward. Let's go, hey, take a look at this site. Here's for this language. Go check these things out. This is what you need to do to clean up your code or secure your pieces. I do want to swing back a little bit, because you have a somewhat unique experience there in that you have built and sold a business. And then you went ahead and turned around and started another business.
Rob: What are maybe a couple of lessons learned, particularly now that you've done this once, you've built it and you sold it? What are some lessons maybe that you learned, going into the second one, that maybe changed your approach this time around?

Christian: Well, I hope I've learned the lessons. I paid a lot of dumb tax, as they say, with my first business. A couple of things I'm doing differently: in my first business, I didn't have clear messaging and I tried to do too many things. We did cybersecurity training, we did penetration testing, we did auditing, we did like a whole slew of things. And I realized that that's too much to try to do. So my new business, I've niched it down to medical device security and penetration testing, and the penetration testing is focused on health care. So I really need to sit down. And what I learned in my first company was I wasn't getting a lot of sales, a lot of traction, until I niched it down in my first company to medical device cybersecurity, because that's more of a blue ocean strategy. There's not a lot of people that are competing in medical device cybersecurity, because it's embedded systems. There's a lot of different requirements. There's a lot of things you have to know that's different than securing a web application. So when I niched that down in my first company and wrote blogs on it and got our website SEO, we were like in the top 10 if someone searched for medical device security. And then I started getting lots of leads. So it's kind of counterintuitive. As a business owner, at least starting out, or an entrepreneur, you think I need to offer my service to as many people as I can. But then your messaging gets watered down. It doesn't really resonate with anybody, versus I'm going to offer it specifically to medical device manufacturers. So I know what their pain points are. I can speak in a way that resonates with them and I will attract more of them.
Christian: And then once I get that area really dialed in, I can go after something else, but not try to do everything at once, which took me a while to figure out, because I always had this fear that, but what if I miss this big opportunity over here? What if this doesn't work? But niche it down. The blue ocean strategy is much better. And that's what I'm focused on in my new company. And I'm also leveraging all the systems and the sales funnels and the pipelines and the things I didn't understand when I first started my first business.

Rob: So did it allow you, in a sense, when you went to your second, to almost like rebrand yourself and say, OK, we had this infrastructure, we had these things that we did in the old business. Let's get a sort of a clean start and say, this is our niche. This is where we're going. And this is our message. And then you didn't have that weight of your various attempts in the prior organization.

Christian: That's 100 percent correct. Yeah, I'm aiming... I just really got the new company up and running like in, I don't know, the April time frame. So it hasn't been a year, but I'm aiming by the end of next year to be revenue-wise where I was after five years with my previous company. So I feel like... I thought about not starting a new cybersecurity company. But then I was talking to some fellow entrepreneurs and some friends of mine. They're like, you've already learned all this stuff. You could scale this one much faster. Why not capitalize on all the things you learned in the first company? So that was kind of like the impetus for starting this other company, because for a while I was going to go do more public speaking, do more real estate investing, and kind of like abandon cybersecurity altogether. But then I realized I've been in cybersecurity for like 30 years. Why shouldn't I try to tap into all my experience and shortcut the success of the next business?
Rob: Well, that actually brings us to another thing I do want to mention, because you've written another book, The In-Between: Life in the Micro. So what is that book about? Because it seems like you said you've got a couple of interests. So what is that one about? What is the topic there?

Christian: That book is, I would say, more of a focused memoir around living with intentionality in the moment. So one of the things that I realized in my life, after a lot of dumb tax in my personal life too, and broken relationships and challenges, is I tend to get hyper-focused on a macro goal. And sometimes I get so hyper-focused on like this big thing I want to accomplish that I have blinders on. And I kind of miss the things along the way, the micro moments as they call them, that might inform me that this goal I'm after is really not what I want to do. And I miss the moments where I realize I could add value to this moment and have a more fulfilling life. So it's about that balance of focusing on something you want, a goal you want to accomplish, but between where you are and that goal, living with some intentionality on all the moments that you can create and you can add value to. And that might help you along the way.

Rob: Yeah, I think that's an excellent point of view. I think that is that work-life balance people are trying to chase. They're trying to find out like, hey, you know, you see all the time people hit this big goal, that macro-level goal, and they get there and they realize, wow, this is not what I thought it was. And then they lost so much that they missed on that journey. And so there's all those, you know, those micro moments that they pass by because they were too focused on the future as opposed to, you know, living in the now and embracing what was there. And like you said, sort of like pouring into that and getting more value out of those micro moments. Yeah.
Christian: And that's, I mean, that's what this book, The In-Between, is about. My first book, The Smartest Person in the Room, I felt like was more of a how-to. This book is more of like, this is what I did. And hopefully someone can learn from that and have some takeaways. It's where I feel like I've horribly messed things up in the in-between. And I ignored a relationship and it went south because I was so focused on something. And it's where I got things right. There's been times in my life where somehow I stepped into the moment and did the right thing, you know, so it's about both.

Rob: Well, it's good to have a little bit of that. It's like to have, you know, that balance, so it's not all negative stuff and it's not all... because that's life. You know, sometimes we stall around, we get it right and sometimes we get it wrong. And, you know, it's finding... taking the lessons out of those and also enjoying the moments that we get where we have those successes.

Christian: Yeah, 100 percent.

Rob: So as you've gone through this, you've spent this time, you've built a company, you've got another company. You talked a little about your revenue goals and that. But what is really your... where do you see yourself going with this, with Blue Goat, with this new organization, this new company? What is the goal with that? When you said, hey, I'm done, sort of shut the door on that old business, now I'm opening the door on this new one, where do you see yourself going with that? What are your goals with that?

Christian: My goals are to scale the business as quickly as possible, but also not have service suffer or anything as we're scaling it. So I'm looking at potentially getting venture capital for Blue Goat. In my first company, I funded it all myself. So I'm looking to scale up, but I want to keep an eye on what makes this unique, which is we don't sell products.
Christian: I know a lot of people in cybersecurity companies have a product they're selling. We want to become an organization's trusted advisor and not oversell them, not undersell them, but give them what they need to help them mature in cybersecurity. Because I think one of the challenges is a lot of cybersecurity organizations just try to sell the 100 percent solution. Whereas if you're a small business starting out, you may only be able to implement 10 of those, you know, 10 things out of 100, for instance. So it's important to keep in mind where somebody is on the cybersecurity maturity journey and provide a solution that aligns with that. And that's something I'm passionate about making sure we do. And I'm also passionate about making sure we secure medical devices, because there's been a lot of advances in health care. And I know we've seen a few cases of this where some of those advances have been rolled back a little bit because the medical devices have been compromised. And on average, there's 14 medical devices connected to a patient's bed. So that's a lot of ways an attacker can get in and increase the flow rate on a drug infusion pump and kill somebody, or whatever the vector is. So that to me is very tangible. And it's something, as we scale our company, I want to really go after that market. Because I feel like that's something I can get behind, because if someone steals your credit card information, it's like not that big a deal. But if someone hacks into your pacemaker and shocks you and kills you, it's a much bigger problem. Right. So that's why I'm a lot more passionate about that.

Rob: Now, that is something I don't think we see as much in the news. Is that something you see, that there are a lot of those attacks, or is it more about trying to get ahead of the game? Or is it something where this is now starting to become an issue, where those things are being taken advantage of?
Rob: And there are medical device attacks that are out there on a regular basis?

Christian: There are medical device attacks out there on a regular basis. There haven't been a lot that have created, fortunately, fatalities. There have been some. But I think as things are more interconnected, there's this whole movement in health care, the IoMT, the Internet of Medical Things, medical devices are becoming more connected to the hospital network so they can connect to an EMR and get patient data and insurance provider and all that. The vectors are increasing in a hospital, and hospitals are notoriously insecure because they're public areas where people walk in and out of them 24 hours a day. And medical devices are plugged into those environments. And we've done penetration tests at hospitals where we've been able to plant a device on the hospital network and then remotely get into everything, basically, including medical devices. So it's not too far-fetched for an attacker to do something like that. What we have seen quite a bit is the effect of ransomware on hospitals. And ransomware has resulted in patients dying. It's not a specific attack against a medical device. But if the hospital is hit with ransomware and they can't process... patients arrive in an ambulance and their systems are down, you know, that delay while they have to revert to a manual process can cause someone having a heart attack to die. So there's a lot of things to consider.

Rob: Yeah. So now is that where most of your customers are? You focus mostly with that, as it tends to be mostly in hospitals, or do you also go to like clinics and doctors, you know, doctors' offices and stuff like that as well, as far as your security focus?

Christian: Yeah, our focus is on medical device manufacturers. So they're the ones who have to secure the device. The hospitals purchase the medical devices, but they, you know, they don't usually patch or do anything; the medical device manufacturers do that.
Christian: So our focus is on medical device manufacturers and health care delivery organizations. It can be a hospital, it could be an ophthalmologist, it could be a dental office, anyone that falls under HIPAA requirements. And so, unfortunately, in the world of cybersecurity in different industries, people, as I kind of alluded to before, don't really care about cybersecurity unless there's a compliance driver. So if I am a small clinic with five doctors and I've got patient data, I have to comply with HIPAA. And a lot of organizations don't even know that. So we help them with the audit for HIPAA and with the technical assessment, which is typically a penetration test. So those are our main areas. And we've been focused on health care and medical device manufacturers for quite some time. I mean, quite some time with my previous company, that was our niche. And, you know, my same team has that experience with this company.

Rob: Excellent. So now, as people have been listening to you for the last little bit, they may be really interested in reaching out to you, either for the book or for security discussions or to get your company to come in and talk to the local hospital. What would be the best way for them to get a hold of you?

Christian: My personal website is christianespinoza.com, so if they want to talk to me about my book or something, or book me to speak. And then my company website is bluegoatcyber.com. And, you know, we can certainly have a discovery session, see if it's a fit and see if we can help.

Rob: Okay. Well, definitely. I will make sure there are links in the show notes. I want to thank you so much for your time and for joining us and sharing all of this. This is, as I said, I think everybody figured everybody's going to need some notes and paper and a notepad. And I think we have more than filled that up.
Rob: A lot of great things there for people to take a look at and maybe start their day working a little bit more, get that first step on getting their soft skills improved. So thank you so much and have yourself a good day.

Christian: Yeah. Thank you, Rob.

Rob: And that will wrap it up. I want to thank Christian for his time with us. It was a great conversation. There's just a lot of little nuggets that came out of that. As I said when we started this off, it was mostly going to be initially focused on security, and it's just one of these things that we see a lot. It's becoming more and more part of our business and our lives. But then we got a lot of great stories about how he got to the organization and some of his background that I think also can help those of us that are building an organization, building a company, doing our little side hustle, and just sort of thinking about where we want to go from an entrepreneurial point of view. This does wrap up season 20. We will be back next time around. We'll be going with episode one of season 21. Keep an eye out on develpreneur.com. Just stay here. You will get the next episode, whatever your podcatcher is; subscribe and you're ready to go. And we will come back and just continue doing the best we can to build better developers. So go out there and have yourself a great day, a great week, and we will talk to you next time. Thank you for listening to Building Better Developers, the Develpreneur Podcast. You can subscribe on Apple Podcasts, Stitcher, Amazon, anywhere that you can find podcasts. We are there. And remember, just a little bit of effort every day ends up adding into great momentum and great success.