
In this episode of Veteran Business Radio, Lee Kantor interviews Susan Rouse, Navy veteran and CEO of AG Grace, Inc., an IT managed services firm specializing in cybersecurity. Susan discusses the evolving cyber threats facing businesses, common misconceptions, and the importance of proactive risk assessments, continuous monitoring, and compliance with standards like NIST 800-171. She shares her journey from the Navy to cybersecurity, explains how AG Grace helps clients protect sensitive data, and emphasizes the need for ongoing employee education and strong security partnerships to safeguard organizations in today's digital landscape.

Susan Rouse is a highly accomplished professional with extensive experience in both the IT Services and Health Services industries.
With over 24 years in IT Services and 15 years in Health Services, she has a proven track record of directing a wide range of IT and security initiatives. Her expertise includes implementing secure network design, systems analysis, secure software development, and full lifecycle project management.
Susan is known for her ability to implement innovative security programs that drive awareness, decrease exposure, and strengthen organizations. She has hands-on experience leading all stages of system development efforts, including requirements definition, design, architecture, testing, and support. As a leader, Susan excels in coordinating and directing project-based efforts, managing, motivating, and leading project teams.
Her strategic approach includes developing the strategy, mission, scope, and objectives for the creation of information security and risk management programs. Susan holds several professional certifications and affiliations, including CISSP, CISM, and PMP, and memberships in ISSA, ISACA, (ISC)², FISSEA, and PMI.
Her core competencies are reflected in her extensive knowledge and experience in network and system security, cyber security, cyber intelligence, program management, and more.
Throughout her career, Susan has made significant contributions to various organizations, demonstrating her ability to manage complex programs, ensure compliance with legal and contractual requirements, oversee risk management processes, and develop and execute capture and strategy plans.
Her diverse roles and responsibilities have equipped her with a comprehensive understanding of the challenges and opportunities in both the public and private sectors.
In summary, Susan Rouse is a dedicated and skilled professional whose extensive experience and certifications make her a valuable asset to any organization. Her commitment to excellence, combined with her leadership and technical abilities, contributes to her reputation as an expert in her field.
Follow AG Grace on LinkedIn, Facebook and Instagram.
Episode Highlights
- Importance of cybersecurity for organizations, especially veteran-owned businesses
- Transition of a Navy veteran from healthcare and compliance to cybersecurity
- Common myths about cybersecurity and misconceptions regarding small business vulnerabilities
- Types of cyber adversaries: data thieves, disruptors, and ransomware attackers
- AG Grace’s approach to identifying and mitigating cybersecurity risks
- The necessity of continuous monitoring and proactive security measures
- Role of employee education and training in maintaining cybersecurity
- Specific security practices, including the use of virtual private networks (VPNs)
- Compliance with cybersecurity standards for federal government contractors
- The ethical obligation of organizations to protect sensitive data and maintain regulatory compliance
This transcript is machine transcribed by Sonix.
TRANSCRIPT
Intro: Broadcasting live from the Business RadioX studios in Atlanta, Georgia. It's time for Veterans Business Radio, brought to you by ATL Vets, providing the tools and support that help veteran-owned businesses thrive. For more information, go to ATLvets.org. Now here's your host.
Lee Kantor: Lee Kantor here. This episode of Veterans Business Radio is brought to you by ATL Vets, inspiring veterans to build their foundation for success and empowering them to become the backbone of society after the uniform. For more information, go to ATLvets.org. So excited to be talking to my guest today, Susan Rouse, CEO of AG Grace. Welcome.
Susan Rouse: Thank you for having me on your show. I really appreciate it and I am really excited about having the opportunity to talk to you today.
Lee Kantor: Well, let's get started with AG Grace. How are you serving folks?
Susan Rouse: How do we serve folks? So AG Grace is an IT managed services organization with a focus on cybersecurity. What we do is we help our customers and our potential customers understand where their security risks are, and then we help them alleviate or close those risks. That's what we do, and we love what we do.
Lee Kantor: So what's your backstory? How'd you get involved in this line of work?
Susan Rouse: So it's a long story, but I'm going to try to cut it really short. I started out in healthcare. I'm a Navy veteran, and while I was in the Navy, I was a corpsman. After getting out of the military, I transitioned into working for a government agency at the state of Maryland as a compliance officer. And I learned about the Health Insurance Portability and Accountability Act at that time while serving there. There was a portion of that law that required organizations to implement what they call the security rule, which meant that they had to actually go in and understand where their security risks were in their IT infrastructure and then close those risks. At the time, I just really got interested in it. I really loved what we were doing. I loved how we were making things better for the organization and protecting patient data, and I just really fell in love with IT security at that time. Since then, I pivoted my career so that I would always have the opportunity to help organizations, federal organizations and commercial companies, increase their security posture and protect their data and protect their intellectual property.
Lee Kantor: So what are some myths around cybersecurity? A lot of people talk about it. Not a lot of people, in my view, understand it, and maybe don't appreciate the cybersecurity risks that are happening every day for businesses of all sizes. But do you mind sharing a little bit about the lay of the land, what's happening in the world regarding cybersecurity for business owners?
Susan Rouse: So what's happening in the world is we generally have three different types of what I would call adversaries. We have the adversaries that just want to steal your data. We have the adversaries that want to interrupt your business operations. And we have the adversaries who want to take your data, hold it hostage, and make you pay to get it back, and that's called ransomware. A lot of companies, especially small companies, feel like they don't have a large footprint on the internet, and even if they have a website, sometimes they feel like they don't have a large footprint. And they think that because they're small, the likelihood that they will be targeted is diminished. But that's not necessarily true, right? If you have a web presence, if you have a network, and if your network isn't protected, then you are not protected. And adversaries will do whatever they can to infiltrate your environment, hold your data hostage, make you pay for it, or at a minimum cause severe damage and financial damage to you and your organization, a lot of times without you even knowing it. So I heard a person say once, you don't know what you don't know. And that really means that a lot of times companies have been attacked, or they have someone who has already infiltrated their organization, and they don't know. The reason that they don't know is because they don't have the infrastructure in place to be able to determine whether or not someone has infiltrated their organization and has started stealing their data. And if you've noticed, or if you've read about some of the instances where very large companies have finally realized that they have been attacked, number one, it takes them months and months and months before they even discover that they've been attacked. And sometimes those attackers or hackers have been in their organizations for years, or sometimes months, just stealing the data.
Lee Kantor: Now, maybe there's a misconception that hackers are these teenagers in the basement drinking Red Bull and eating Cheetos, doing this for fun. But a lot of times these are large organizations, and this is their job. They treat this like they go into work, they whiteboard, they come up with strategy. This is not just somebody winging it. It's very organized and it's very coordinated amongst multiple parties.
Susan Rouse: That is absolutely true. Organized crime organizations do it. Nation states do it. And then you do still sometimes have people that just want to play around and see if they can break in and steal someone's data. But it is very organized. It is very covert. And what I like to say is our adversaries are operating 24 hours a day, seven days a week, they're in different time zones all across the world, and they get paid to do it.
Lee Kantor: So how do you advise your clients in order to at least prevent some of the easy stuff? Because I'm sure there are different levels of treatment when you're working with clients. There's probably the low-hanging fruit, like, hey, let's not click on emails that look like this, versus, hey, maybe there's more security we have to put in the back end of the computer to protect ourselves from people doing some bad stuff. So how do you work with your clients to explain the variety of risks there are, as well as implementing preventative measures to protect them, sometimes from themselves?
Susan Rouse: Well, absolutely. So one of the things that we like to do with our customers and our potential clients is we offer a free initial risk assessment. With that assessment, we do use tools. We come in and we ask questions, we run our tools, and we show them through the reports from the tools where they're vulnerable. A lot of times people don't know that they're vulnerable. They don't realize they're vulnerable. So we show them where they're vulnerable, which is a surprise to some. They're like, oh, well, I didn't know. But we show them where they are vulnerable. And then after we have that discussion with them and show them where they're vulnerable, we give them some tips on the things they can do right now that aren't going to cost any money, or a lot of money, to alleviate or eliminate some of those vulnerabilities. Now, there are going to be some vulnerabilities where it's going to take a little bit of time, a little bit of effort, a little bit of expertise, and maybe a little bit more money than they were thinking about.
Susan Rouse: And I'm not saying break the bank, but at the end of the day, once they realize where they're vulnerable, we help walk them through how to decrease their footprint. And when I say footprint, I mean your vulnerability footprint: what the actual adversaries can see about your organization just from being outside of your organization. That's your digital footprint. So once we show them what their digital footprint is and where they're most vulnerable, we help them close those vulnerabilities. And then we continuously meet with them on a regular basis to make sure that they're still working on closing their vulnerabilities, and we do whatever we can to help them maintain that, because you have to implement your solutions to mitigate your posture. But at the end of the day, you have to always continuously monitor it and make sure that your security is functioning the way that it should and is continuing to protect you the way that you want to be protected.
Lee Kantor: Right. This isn't something where you just buy some software, put it in, and then you're done, right?
Susan Rouse: No. Absolutely not. Unfortunately, it is not like that, and some people think that it could be or it should be. The reason why is because, number one, technology changes all the time. Some of the solutions that you buy have to be managed and maintained. You have to maintain your licenses. And for every software product or hardware product, the vendors who build those tools have to maintain those tools and patch those tools, because adversaries are out there looking for weaknesses in those tools. They look for your firmware weaknesses, they look for hardware weaknesses, they look for software weaknesses. And if you're not constantly working with your vendors, getting those patches and applying those patches on a regular basis, then adversaries will take advantage of those weaknesses, because they do have a way to tell whether or not your software or your firmware is up to date. And that's called footprinting. So one of the things that adversaries do initially is establish a footprint of your organization. And when they find organizations that have out-of-date hardware, out-of-date software, out-of-date firmware, you are a prime candidate for them to infiltrate your environment, steal your data, steal your financial data, and do whatever it is that they need to do to harm your organization, either professionally or financially.
Lee Kantor: Now, when a company contacts you, is it typically because something bad has happened, or are some of them proactive in trying to get ahead of it before something bad happens? Both.
Susan Rouse: We prefer the proactive approach because it's much easier, and it helps us establish that relationship, because we know that they have a vested interest in protecting their information. When we have customers who think they've been attacked, or have been attacked, or have been victims of ransomware, it's usually because they've been victims of ransomware, and now they're realizing that something happened and we need to fix it. And they've already spent money. They spent money trying to get their data back.
Lee Kantor: You mentioned some of the organizations you work with, or some of the industries. Is there a niche that you find yourself working in a lot, that you've developed some specialized knowledge around?
Susan Rouse: So our primary customers are mostly federal government agencies, commercial corporations, healthcare organizations, small IT service firms, marketing firms and financial organizations. And, I'm sorry, also manufacturing firms.
Lee Kantor: So now, when you're working with those, what does the first conversation look like after they've gone through the security check to see where they're at, a baseline of where things stand? What happens next?
Susan Rouse: So after we have our initial consultation and we show them where they are at risk, the next thing that we discuss with them is how we prioritize and mitigate those risks. We talk about what are the easy things that you can do today that aren't going to cost you a lot of money but will significantly increase your security posture. And a lot of those things are really simple. One thing is a VPN. A lot of companies do not use VPNs or VPN technology, and they don't require their employees who may work outside of the organization to use a virtual private network. Well, when you use a virtual private network, that establishes a secure tunnel from wherever they are in the world to wherever your organization is, and now you're exchanging data using an encrypted tunnel. So the information is not going across the internet in the clear any longer; now it's cryptographically protected. So we start to talk about those different things they can do that are easy to implement, that they don't really have to have a full-time person on staff to do, and they don't really have to hire a managed services organization or a managed services provider to do. Just easy things that they can do right away to start that process of protecting their data. And then we sit and come up with a strategy and a plan, what in the government is called a plan of action and milestones.
Susan Rouse: So this is your plan of action, this is what we're going to tackle first, this is how we're going to tackle it, and this is the time frame in which we want to do it. And then we just work down the list and implement the specific recommended security requirements that they have in a timely manner, I'll put it that way. What you don't want to do is come up with a plan that's going to take them ten years to implement, because in that ten-year time frame, technology has changed and so many other things have changed. So you want to keep the momentum going and make sure that we've established a nice strategy in which we can close all of those vulnerabilities in as short a time frame as possible, and also give the organization time to catch up, communicate the changes to their employees, make sure their employees understand what they're doing and, I'm sorry, why they're doing it, and help them understand what their responsibility is regarding the implementation of these different changes that are going to occur within their environment. Now, sometimes security... go ahead. Sometimes it requires that people do things differently. And if they don't understand why they're doing these things differently, then people will have a tendency to circumvent. So we want to make sure that they're well trained and they understand exactly why we're doing this, what the impact is to the organization, and what the impact is to the organization if they don't follow the new security guidelines.
Lee Kantor: Now, you mentioned VPNs for organizations. Is that something that individuals should be taking advantage of as well, like if they're working out of their home a lot?
Susan Rouse: Oh, yes. Absolutely. I mean, most of us already use some type of antivirus solution, right? Like Norton. I think most of us have our computers and, especially if it's a new computer, it usually comes with a subscription for Norton or McAfee. So even Norton has its own virtual private network solution that you can just add on. You pay a couple of dollars a month to have it, or $50 a year, or however much it costs. But yes, as a private person, or as a person just working from home, it's easy to download a VPN solution and use it whenever you access the web, like when you're visiting any financial institution that you have, or anything medical. So if you're using the internet and you're using a username and password or whatever, you should be using a virtual private network.
Lee Kantor: Now, can you share a story where you were able to make a positive impact for one of your clients? You don't have to name the client, but maybe share the challenge they had and how you were able to help them overcome it.
Susan Rouse: So a lot of our customers come to us primarily because they do business with the federal government. And as a result of doing business with the federal government, in their contracts they are required to have certain security controls already in place. I don't know if you've heard of the NIST 800-171 requirements. The National Institute of Standards and Technology has written these guidelines that nonfederal entities are required to implement when they do business and contract with the federal government in order to protect data. So a lot of our customers come to us because they are federal government contractors, and they are required to implement those NIST 800-171 controls. It's a set of about 17 different controls that run the gamut from what we call access controls to auditing to configuration management. And there are also some physical security controls that they're required to implement. So one of the things that we really do initially is our initial risk assessment with them. We show them where they are as far as being in compliance with those regulations, and then we show them what they need to do to become compliant with those regulations.
Susan Rouse: And then we basically start from there implementing. We write policies and procedures for them. We help them determine which technology they need to use in order to meet the specific security requirement, and then we help them implement those security requirements. So, say, for instance, you have Microsoft Office 365 and you have to implement multi-factor authentication. Not everybody, but every organization usually has Microsoft Office 365 or some version of Microsoft in their environment, but they don't necessarily know how to go into Microsoft tools and configure them to turn on those security features. So those are some of the things that we do for them. We go in, we implement the control, we enable the security features, and then we help train. If they have a systems administrator, we help to train their staff on where to go and how to do certain things to make sure these security controls remain intact, and also how to do these things later on, after we leave, to make sure they stay up to regulations.
Lee Kantor: It must be such rewarding work to know the impact you’re making in all these organizations and keeping them safe and helping them sleep a little better at night.
Susan Rouse: Oh, it absolutely is rewarding. And one of the things that I like about it the most is that people really don't understand how vulnerable they really are. So we come in and we show them. And the other thing is people don't really know if they've ever been attacked. What we do is we help them discover, first of all, if they've ever been attacked, and some of our clients have been. Some of them, we do find out that they've been exploited, and they don't really know. Sometimes they can't even tell what's been taken. So it's very involved. But it is very rewarding, because at the end of the day, when we leave, we know that our customers are well protected. They're well educated, and they can reach out to us and ask us any questions afterwards. The follow-up work that we do with them is excellent. It's like we become their security partner.
Lee Kantor: Yeah.
Susan Rouse: I mean, I guess I would say maybe like a virtual security office, or whatever you might want to call it. But we become a part of the company, but we're not a part of the company.
Lee Kantor: Right. But you’re protecting them as if it was your company.
Susan Rouse: Oh, absolutely. Absolutely. As if it was our company. Because at the end of the day, organizations have a lot of data to protect. You have your employee data that needs to be protected, which is what we would call PII, or personally identifiable information. Sometimes you have employee health information, which we call PHI, which is your personal health information. You definitely have your financial data that needs to be protected. You have your intellectual property that needs to be protected. And then you also sometimes have your own customers' data within your environment. So you want to make sure that not only are you protecting your data, but you're protecting your customers' data as well, and you actually have an obligation to protect their data.
Lee Kantor: So if somebody wants to learn more, have more substantive conversation with you or somebody on the team, what’s the website? What’s the best way to connect?
Susan Rouse: So our website is WW Grace. Com. We are also available on LinkedIn. I have a LinkedIn page, AG Grace. Com, Susan Rouse. And also we do have on our website a contact us page where individuals can just fill out our contact us form and let us know what they're interested in learning about. All of our services are listed on our website, so whichever service they're interested in exploring with us: we have the free consultations, we have the free risk assessments, and we also have materials on our website like security newsletters, things like that.
Lee Kantor: Well, Susan, thank you so much for sharing your story today, doing such important work. And we appreciate you.
Susan Rouse: Well, Lee, thank you so much for having me. I definitely appreciate being a part of this exciting opportunity here with you. And maybe we'll get a chance to do it again later.
Lee Kantor: Sounds good. All right, this is Lee Kantor. We’ll see you all next time on Veterans Business Radio.