Outsmarting Cybercriminals in Finance With Brian Edelman
- Quik! News Team
- Oct 11
- 27 min read

Brian Edelman is the CEO of FCI, a firm that provides NIST-based endpoint and network cybersecurity and compliance solutions for heavily regulated industries. He founded the company in 1995 and has grown it into a managed security service provider specializing in cyber-regulated organizations. Brian is widely recognized as a cybersecurity expert and frequently speaks at industry conferences on topics like regulatory compliance and incident response. He holds a certificate in cybersecurity risk management from Harvard and serves as a Cybersecurity Technology Expert on the Forbes NY Council.
Here’s a glimpse of what you’ll learn:
[2:17] Brian Edelman discusses FCI and its role in protecting financial services firms
[2:54] Early days of cybersecurity threats compared to today’s state-sponsored attacks
[5:35] Why regulators and authorities can be scarier than cybercriminals
[7:23] Creative theft methods used by bad actors, including CVS debit card schemes
[13:22] Brian explains how broker-dealers have matured in cybersecurity practices
[17:02] FCI’s automation approach to secure endpoints and simplify compliance
[21:17] AI’s role in creating sophisticated cyberattacks and phishing emails
[27:15] Explanation of the Zero Trust model and its five pillars
[32:00] Why financial advisors must talk to clients about cyber risks
In this episode…
Cybercriminals are evolving, and the threats facing financial services have never been more severe. From stolen data sold on the dark web to AI-driven email scams that can drain accounts in days, the risks are escalating. How can firms protect sensitive client information while meeting strict regulatory requirements?
Brian Edelman, a cybersecurity expert in the financial services industry, explains how firms can strengthen their defenses. He emphasizes the importance of building trust with clients, adopting a zero-trust security model, and preparing with incident response drills. Brian highlights automation as a means to protect endpoints without overwhelming advisors, while warning that AI is making cyberattacks both faster and more sophisticated. His insights provide practical steps for organizations to safeguard data, finances, and reputation.
In this episode of The Customer Wins Podcast, Richard Walker interviews Brian Edelman, CEO of FCI, to discuss cybersecurity in financial services. Brian shares how automation simplifies compliance, why zero trust matters for firms, and how AI is reshaping cybercrime. He explores incident response preparedness, the role of regulators, and the growing responsibility of financial advisors to educate their clients about cyber risks.
Resources Mentioned in this episode
"Empowering Advisors With the Gift of Time With Rich Whalen" on The Customer Wins
"Cybersecurity Secrets for Financial Services With Paul Osterberg" on The Customer Wins
"[AI Series] Revolutionizing Financial Meetings With AI With Parker Ence" on The Customer Wins
"Redefining Client Discovery in Finance With Marla Sofer" on The Customer Wins
Quotable Moments:
“We provide cyber protection. We keep the information safe, and we keep their computers safe and secure.”
“If you don’t have the right logs, you can’t prove your innocence effectively.”
“Buying a product to solve the problem doesn’t solve the problem, because things change constantly.”
“With AI, you can tell it to write the email, build the program, and attack.”
“If it’s hard to do, it doesn’t get done, so security must be seamless.”
Action Steps:
Adopt a zero-trust security model: Relying on layered safeguards across users, devices, networks, and data reduces vulnerabilities and ensures only verified systems can access sensitive information.
Automate endpoint protection: Automation secures devices without requiring technical expertise from advisors or employees, keeping compliance effortless and minimizing human error.
Conduct regular incident response drills: Practicing how to react to breaches prepares teams for real-world threats and strengthens response times.
Turn on and monitor system logs: Logs provide the evidence needed to prove innocence when regulators get involved and reduce reputational risk.
Educate clients about cyber risks: Advisors who proactively discuss cybersecurity with clients protect both relationships and assets while building long-term trust.
Episode Transcript:
Intro: 00:02
Welcome to The Customer Wins podcast, where business leaders discuss their secrets and techniques for helping their customers succeed and, in turn, grow their business.
Richard Walker: 00:16
Hi, I'm Rich Walker, the host of The Customer Wins, where I talk to business leaders about how they help their customers win and how their focus on customer experience leads to growth. Today, I want to dedicate this episode to a friend and former guest on this show, Rich Whalen of Equity Services. I want to thank him for his support of my show. And also, I have some past guests that have been on here: Paul Osterberg of Security Basecamp, Parker of Jump, and Marla Sofer of Knomee. Today, I'm excited to speak with Brian Edelman, the CEO of FCI, and today's episode is brought to you by Quik!, the leader in enterprise forms processing.
When your business relies upon processing forms, don't waste your team's valuable time manually reviewing the forms. Instead, get Quik!. Using Quik!, you'll be able to generate completed forms and get back clean, context-rich data that reduces manual reviews to only one out of a thousand submissions. Visit QuickForms.com to get started. All right.
Brian Edelman is a nationally recognized cybersecurity expert specializing in the financial services industry. He's the CEO of FCI, a NIST-based managed security service provider. That's a mouthful, Brian, which he founded in 1995. FCI offers a comprehensive suite of endpoint and network cybersecurity and compliance solutions customized for financial services. One of Brian's areas of expertise is cybersecurity regulations and compliance at both the federal and state levels.
Brian is frequently asked to speak at major industry conferences and is consistently quoted in industry publications. And I'm excited to have him here today. Brian, welcome to The Customer Wins.
Brian Edelman: 01:56
I'm excited to be here. Thanks for having me.
Richard Walker: 01:59
Yeah, I'm glad that you could make this. So, for those who haven't heard my podcast before, I love to talk to business leaders about what they're doing to help their customers win, how they built and deliver a great customer experience, and the challenges to growing their own company. Brian, I want to understand your business a little bit better. How does your company help people?
Brian Edelman: 02:17
Well, we provide protection, which, being from New Jersey, is what we grew up doing. We provide cyber protection. We keep the information safe. We keep their computers safe, and we do our best to make sure that the bad actors don't get access to either data or money.
Richard Walker: 02:38
So reading your bio that you started your company in '95, I remember back then floppy disks were the threat, right? Transferring Trojan viruses and who knows what. What have you seen happen over these years that you've been doing this?
Brian Edelman: 02:54
I mean, I would tell you a lot has changed, but also not a lot has changed, right? So when you think about financial services and financial advice, and I did start my career as a financial advisor, actually a second-generation financial advisor, which is where my passion for the industry comes from, because growing up in this business, you realize what a great business it is, and it's a business of trust, right? So when you think about it, you're selling trust. You're selling trust in that you're going to help guide them in the right manner.
But at the same time, you know, one of the things that was important to me and why I entered into cyber, we were picking up such private information about our clients. You know, my mother and sister were my partners, and they really thought about financial advice as much more than just the numbers. Right? It was much, much more than that. So as a result, they were collecting a lot more than that.
We were collecting things on our clients that no one knew. And our marketplace was the ultra, ultra high net worth. So these were all famous people that you can imagine. Think of a famous person. I can give you some examples of our clients, but I won't.
But imagine that you're dealing with a billionaire and everybody wants information about them. And you know, the most intimate secrets, the most intimate data. So FCI really started at protecting that information and has transitioned to not just protecting that information, but also protecting the money, because that's the big change. So if you're asking what changed: back then, viruses and cyber were really a nuisance more than anything else. You remember the and it was like they wanted to get your contacts to send an email to someone else today.
Richard Walker: 05:22
Okay, I'm going to ask a question that I had never thought to ask before. Okay, scare the audience here. Can you scare the audience with bigger numbers and facts that we should really be concerned about with theft and access?
Brian Edelman: 05:35
Yeah, I mean, I certainly think that that part might be easy, but I'm going to tell you, the more scary thing, the more scary thing are the authorities and regulators that come in and start to ask you questions as to why you weren't doing what you were supposed to be doing. That gets pretty scary. And one of the things that is really scary and it's even scary for us, to be quite honest, you know, if there's an attack, if there's something that happens at a firm and it can happen to anybody, right? You click a link, you let a bad actor in, next thing you know, you're dealing with ransomware, extortion. You're dealing where they gain access to different systems.
But when the FBI comes in and we had a case, very interesting case where the bad actors gained access to service forms. So very relevant for this conversation. The firm, in the old days we used to have these rows and rows, if you remember, of filing cabinets. And in these filing cabinets, you had every form you ever could imagine with a client. And a couple years ago they had an initiative to make those forms digital.
So a firm went out and they followed what they were being told to do, otherwise they wouldn't have touched it. They got a shredding box. They took all those forms. They went exactly as they were instructed. Take those forms out.
Put them in the shredder, hire shredding company. They did everything right. Bad actor was able to get to those forms. And I can always explain how. And the next thing you know, lots of money and really pretty creative.
The bad actors went to a CVS, to a pharmacy. They bought one of those little cards.
Richard Walker: 07:17
Yeah.
Brian Edelman: 07:17
Cards, unbeknownst to me at the time, are actually bank routing numbers.
Richard Walker: 07:23
I didn't know that.
Brian Edelman: 07:23
They either did way. I mean, this is the point of the broadcast is to share some creative things that we see. So they did that. They submit withdrawal forms and a bunch of the financial institutions let that money go. Now here's what happened.
Richard Walker: 07:43
Wait, wait, are you saying they loaded debit cards from CVS with money out of people's accounts? Is that what was happening with the routing?
Brian Edelman: 07:50
Without question.
Richard Walker: 07:52
Wow.
Brian Edelman: 07:53
Right.
Richard Walker: 07:54
How do you get that back?
Brian Edelman: 07:55
You don't.
Richard Walker: 07:57
Wow.
Brian Edelman: 07:59
You don't. And that's really, you know, ultimately how you mitigate that risk is by having a plan. And we'll talk a little bit about the importance of having a cyber program and going through incident response and, you know, going through some drills like that, that's in the regulation that everybody needs to do. Fortunately for this client. And what's pretty scary about it is now the authorities, if you have enough money that's stolen.
The FBI comes in. And if you haven't dealt with the FBI before, you know, I'm going to tell you that there's some really great people there, and sometimes there's not so great people like anything else. And depending on who you have that comes in and your ability to put together an evidentiary package, just so you know, and so everybody knows you are number one suspect as a financial services firm. Number one. Of course you are.
Because yeah, right off the bat they're like, oh money was stolen. And then they start to look for the evidence that would say it wasn't your firm. It was a bad actor. So it's almost in that case, good to find that there was a bad act. But if you don't have the right logs and that's really what it comes down to when you see these regulatory requirements of financial services firms, advisors and why they're looking for these logs, it's because the logs are the most important part to prove the innocence of the financial advisor.
Richard Walker: 09:30
So give me sorry I just want to understand where does your company sit in this? Are you getting a call? A frantic call from a client who's been using your services. And they had this happen to them, or is it right?
Brian Edelman: 09:42
Okay, so we get involved in cyber, whether the cyber is electronic or not. If there's theft, we help our clients. In this particular case, this wasn't even done electronically. If I told you what happened was the shredding company was in financial ruins, they pretended to shred the documents because the client actually had a contract that said shred on site. They had a shredding bin that looked like the shredding bin that was theirs, but it wasn't.
They took those documents and sold them on the dark web to bad actors.
Richard Walker: 10:15
Wow. Did they go out of business for that?
Brian Edelman: 10:18
Our client?
Richard Walker: 10:20
No, no, I mean, the shredding company. Did they get sued?
Brian Edelman: 10:22
The shredding company did. The FBI came in and got all the money back.
Richard Walker: 10:27
Wow.
Brian Edelman: 10:28
And I'll tell you, it's a function of knowing the right thing to do. And that's the importance of the drills that are required. Incident response, knowing what to do. So we happen to be experts in incident response. We're experts in protecting the firm so they don't have to go through this.
But it can happen, right? That was following the rules. The firm did everything right. And here they are, number one suspect for millions and millions of dollars and even reputational risk.
Right? Think about this. Financial advisors are doing business with people that share their most intimate details. And what happens during that process? Your clients become your friends.
Richard Walker: 11:08
Right?
Brian Edelman: 11:09
So imagine what it looks like in your friend group when you and your firm are responsible for a financial loss. Significant financial loss like that. It's just, it's something that people just need to be aware of.
Richard Walker: 11:25
Well, and how long did it take for the money to get recovered? And how long were these customers without that money?
Brian Edelman: 11:33
In this particular case, this was a very good client who didn't question the actions that we told them to do. We had them contact every financial institution immediately and put a second factor. Again, not necessarily. It doesn't always have to be cyber.
So the second factor was any withdrawal request. Pass it by the firm. That's simple.
Richard Walker: 11:51
Yeah okay.
Brian Edelman: 11:52
Financial institutions did that. The FBI did an unbelievable job on the investigation. The financial institutions made all the clients whole in this particular case. Not a single client was harmed.
The firm, at that point, when they wondered what we did for them, now never wondered that ever again.
Richard Walker: 12:19
I'm sure.
Brian Edelman: 12:20
Which was great. And interestingly enough, the broker-dealer that was involved in it, they learned a lot of lessons because as where they were coming from was it had to be a cyber attack. And we're like, it's an investigation. So an active investigation with the FBI. Broker-dealers need to understand if there's an active investigation with the FBI, you got to follow what's being stated.
So that was kind of an interesting process to try to keep that broker-dealer from being targeted by the FBI because of the conflict that was taking place between the broker-dealer and the FBI. We were stuck in the middle of it, and I'm like, I don't want to be in the middle of it.
Richard Walker: 13:07
How forthright or how reluctant are customers like broker-dealers like this in being willing to share information with the FBI in a situation? Are they like pulled back and be careful? Or are they just like here's everything.
Brian Edelman: 13:22
There's been significant advancements. So what I will tell you is that the broker-dealers have matured considerably as it relates to cyber, which is a pleasure for us. Right. So where we were once seen, you know, as I mean, listen, you know, we've been doing it a long time. And if you're sitting at a broker-dealer and you're the security officer, our job is to, number one, protect the client information, protect the advisors, and to help the institution with challenges that they face right in that process, because to be a security officer of a financial institution is really challenging for a couple reasons.
And I'm a former financial advisor. So I can say that number one, on the enterprise side, that's easy, right? The enterprise is buying equipment. The enterprise is attaching that equipment to their enterprise systems. They can hire people to harden those systems.
They can add multifactor. They can do all that stuff. On the enterprise side, the biggest challenge is then, okay, you're supporting financial advisors. And I love financial advisors, but they're focused on helping clients. They're not technical usually.
Not saying usually they're becoming more technical, but they want to buy a computer. They want to load the software that they want to load in order to conduct business. And they want to take care of their clients. That's their primary concern. So there's a big disparity between those systems, right.
Who do they hire in order to help them to configure those systems? An easy example Office 365. You buy it from Microsoft out of the gate. It's not secure. You need somebody to secure it.
If I hire an IT firm, they just know how to get it to work. They don't really know how to secure it. And as advisory firms, they may not know the questions to ask. So you then look at the broker-dealers and say, hey guys. You know, we've seen a considerable amount of great work by the broker-dealers that are getting actively involved in the field side of the technology.
Just to be clear, I mean, broker-dealers for years have had secure infrastructure for the Home Office, for the main office. Right.
Richard Walker: 15:40
All their operations and trading is covered.
Brian Edelman: 15:42
But you're bringing on new advisors, you know, doing security assessments on new advisors. So you understand whether you're dealing with a secure firm or not, doing some research on the resources, the IT resources they're using. Is it a local guy? Is it a friend? Is it somebody that's part of the firm, you know, making sure that they're using secure systems?
Because at the end of the day, when you're part of a group like you are, when you're part of a broker-dealer, if any of the firms within that broker-dealer have an issue, it looks like all of the firms may have had an issue.
Richard Walker: 16:15
Yeah.
Brian Edelman: 16:16
So it's a real community thing.
Richard Walker: 16:18
So, you know, one of the things that you're surfacing here, but I'm going to bring up even more clear is that people have to go through a transition in how they treat their technology. In my own company, I'm CEO, I'm a technologist, I know a lot about security, etc. but I just want to buy the computer I want. I just want to use it the way I want. But since we adopted SOC two years ago, I have to follow protocol. So I can't just go get any software anymore.
I have to run it through my division. Who says yes, this is secure, it's compliant, blah blah blah and approve it or put it off in some system. But that part of transitioning your mindset is hard. How do you help your customers go through that? Or are they?
Do they have to anymore? Do they all get it?
Brian Edelman: 17:02
You have to go through that. And we just make it easy because what we sell is automation. We sell, you know, the concept of what we do was, look, my mother and sister are our advisors and they're not technicians. And for years, I had to make sure that their systems worked and I had to do it where ultimately it just was everything was just set right. Everything just works.
So what we do for our clients on the endpoint side is automation, right? We basically have automated everything to make sure that the computer they work on is secure, compliant, and most importantly for their perspective, it just works. They don't want to be told what computer to buy. We made it so that no matter what computer you buy: an Apple, great. You buy a Windows, great.
You buy a computer that works commercially and we take care of the rest. It's turnkey. And our automation does everything. So do you have to know how to put the screensaver on?
No. Do you have to know how to encrypt the computer? No. Do you have to know pretty much anything? Well, kind of.
You have to know that if you have an issue with cyber, you have a cyber team. And we make it so easy. You know, you just reach out to our team and our team knows what to do.
Richard Walker: 18:21
So it's different than just say, oh, we're going to buy Bitwarden and turn it on, or Bitdefender and turn that on or any number of tools, because you guys are a team behind the scenes. Who's going to take the call and walk people through this process, right?
Brian Edelman: 18:35
I'm right. And then you bring up a good point. You know, buying a product to solve the problem because it said, oh, you have to buy an antivirus doesn't solve the problem because, you know, like if I were giving investment advice, you know, it's not just giving investment advice. There's more to it. You know, things change, right?
That software may have worked last year but doesn't work this year. You know the configurations, like there's just a lot more to it than just putting something on and checking the box. Things have to be configured securely. You want people watching over it in your best interest. You want evidence.
You want evidence that it's there. I mean, think about the simplest part of what we do. Our system does an audit of the safeguards on the machine and presents that to the security officer, who has the responsibility to know your computer is secure. Now, our service says they have to look at it, no question. But as a managed service.
And you said before that it was a big mouthful. But we are a managed security service provider. And that simply means that we take on that responsibility to make sure all those settings are set right.
Richard Walker: 19:51
Yeah. So does this mean your kids have been safe at home this entire time, like you have your house wired properly? Yes.
Brian Edelman: 20:01
I have, and you bring up a very good point. And it's a differentiator when a financial advisor embraces the whole fiduciary responsibility. Right. One of the things that we do and we recommend, and we even have a piece that we can share with the audience around a family security officer, the FSO, if you think about it, in every family, you always have that tech guy that everybody calls because they just got the new. Yeah.
Richard Walker: 20:31
It's me. Yeah, I get it.
Brian Edelman: 20:33
So what happens with our approach with that is to say, okay, if every family has that then also take on some security responsibilities, right. Set an information security policy for the family.
Richard Walker: 20:47
Yeah.
Brian Edelman: 20:48
Everybody should have endpoint protection on their device. Great. Sign up for a great endpoint protection service. Make sure it's on each computer.
Richard Walker: 20:56
No, no, Brian, I just won't let my kids have devices. Right. That's simple for me.
Brian Edelman: 21:01
And but more importantly, make sure they know you're the one to call when they click that link. Because ultimately look at AI and we're going to again probably talk about it some more because I know AI is a big topic. And certainly.
Richard Walker: 21:15
It's my next question, actually I want to get into it.
Brian Edelman: 21:17
I'll give a little teaser on AI, but with AI out there, I'll give you the little piece, which is in the old days when you got an email from the Nigerian prince and there was spelling errors and it was really just not. It wasn't written well. It was pretty easy to spot, you know, somebody fell for it somewhere. Otherwise it wouldn't have been happening. Right?
So if they didn't get money, they wouldn't be sending those out. So somebody responded and is waiting for their inheritance from the prince.
Richard Walker: 21:45
Yep.
Brian Edelman: 21:46
You know, the funny thing would be if they actually received one and we're all laughing at it, but I don't think they are receiving one. AI I mean, the simplest form of AI and we're going to talk about AI, it sounds like in a second anyway, but just think I could take that old Nigerian prince email, run it through ChatGPT or one of the other AI copilots, put it through that and it would write a magnificent email. That anybody would fall for.
Richard Walker: 22:15
In every language around the world and more. Yeah I know, and in fact, really what my question about AI to you is how is it changing the landscape in your view. And I don't mean just the content creation. But literally, why can't ChatGPT do the hacking? Oh, no, no, we got ten minutes.
Maybe. So I just want to preview.
Brian Edelman: 22:36
AI is a wonderful tool. But there are risks associated to AI. You spoke about vendor due diligence, making sure the vendor you're using, the AI vendor when you give them access to your data. What what data are you giving them access to? Are you giving them access to your whole database?
Are you giving them access to a small subset? Do you have good protocols when you're talking to AI to make sure that you're not putting, for example, the whole account number? You can talk about account numbers, but give them pet names, like there's a whole series that should be coming out that tell people proper AI etiquette for things like, you know, the meeting, the AI that watch meeting and gives you instruction after. There's just good practice like that. But here's the thing with AI, the speed that AI can do things.
The inexpensive behavior of AI where I can tell it, hey, write me a program that somebody's going to click a link, and when I click the link, it's going to send my information to wherever you can tell this AI to build that program for you. You can tell AI write the email. You can tell AI you can tell, I mean the power and speed of AI. And I'll give you a quick AI story. Corporate email breaches are one of the most significant issues when it comes to financial advice and financial advisors.
They click on a link. They think they're downloading a document from a client. It's a bad link. They put their credentials to Office 365. They don't have multifactor turned on.
And at the same time that was all old news. Where the new news is AI can get into your mailbox and within seconds figure out who they're going to send an email to to steal money.
Richard Walker: 24:25
Yeah.
Brian Edelman: 24:25
If somebody is going to look for things like, hey, I'm trying to send you a wire. So we saw that take place. We saw an IT firm that helped a prospect of ours. They weren't even a client at the time. They became a client immediately because the AI, the IT team had no idea what to do.
They were just deer in the headlights. Right. So they called us in, and we were able to solve the issue. And a big part of that, thank God they had logging turned on. Microsoft doesn't have that on by default.
So if anybody remembers anything, validate that your Office 365 logging is indeed turned on. Because if that's not turned on, we can't help. We analyze those logs, we find where the bad actor is, we find the IP address. We find the email that the person clicked on. We find everything.
We find what the AI did. We find exactly what contacts they may have touched. We can find that stuff out as fast as they can, but it's so fast that literally when I tell you and how calculated it is, they know a day of the week that they have lead time, right? So they start to look Thursday afternoon because they think people's guard is down on Friday and they don't wake up till Monday.
Richard Walker: 25:36
Right.
Brian Edelman: 25:36
So the AI went into the mailbox. It found a client that was trying to send a check. The AI told the client not to send a check, made up a story about the firm's under audit. They would be better if they wired the money, and they sent them wiring instructions that the client followed through with on Friday.
Richard Walker: 26:01
Oh no.
Brian Edelman: 26:04
And called the validated on Monday.
Richard Walker: 26:06
Right? Too late.
Brian Edelman: 26:08
We got robbed on Monday.
Richard Walker: 26:10
Right.
Brian Edelman: 26:10
So the issue is speed people with AI, the power. You have more people that can do bad things. They can do it very quick. And as a result.
Richard Walker: 26:21
I think. Yeah, I think you just made the case for why nobody should keep email. I mean, email should be a zero inbox effectively, because all that history is there and I'm the worst offender. I've got way too much history in my email.
Brian Edelman: 26:35
There's something that CISA, which is our government agency that says what we should do to keep information safe. They came out and said, it's not that you shouldn't have anything in your inbox, but your inbox needs to be a zero trust inbox.
Richard Walker: 26:50
Yeah.
Brian Edelman: 26:50
So I want, you know, there's a document CISA created. It's called System Maturity Model 2.0. And it says, how do I make sure it's you and only you in your inbox. And that's exactly what we've been doing for our clients.
Richard Walker: 27:08
Oh that's great. So talk about zero trust. What does that actually translate to. What does that mean to the layperson.
Brian Edelman: 27:15
Zero trust. So there's different areas of security we've had all along. right? We've had endpoint security. So you can install antivirus on a computer.
That's endpoint protection. We can turn on encryption that that's endpoint safeguards. So we know that there's endpoint security. We know that there's user security. Right I can log into a website.
It sends me a code I can type the code in. So it now has a better knowledge that it's not just my username and password. There's now a third factor which is called multifactor. So that's helped with user security. Then they said okay, network security used to be that we all worked out of an office.
There was a firewall in the office. We go through the firewall and somehow we're safe that way. So that was network security. And then your cloud app security. That's where you used to sign up for Office 365.
And we thought it was safe. It turns out it needs to be configured safely. Office 365 is one of the most safe platforms, but naturally is not set safe. Just to be.
Richard Walker: 28:17
Right, you got to make sure you set the right settings.
Brian Edelman: 28:19
And then you have data in there. So like you said, your inbox is full, not empty. So that's the five pillars of zero trust. When each pillar is talking to the other and becomes a dependent on the other, you don't have a zero trust component. You have a zero-trust ecosystem.
So now let's look at this. I go to log in to Office 365. It's now set security because that has security assessment. I looked at my security score. Microsoft provides that to you.
Most people don't look at it, but it tells you if you're secure at 20% or 40% or 100%, it tells you how secure you are. I go and I make Office 365 secure. I go to log in. And what does it do? It multifactor me.
It buzzes my phone. I'm able to show. CISA also came out with a document for multifactor that says not all multifactor is safe. So there are... multifactor's safer than no multifactor.
Just to be clear of course.
Richard Walker: 29:21
Right.
Brian Edelman: 29:22
But not all multifactor is safe because of course the bad actors figure out how to hack it. So they were figuring out how to do things like push fatigue and all sorts of other things that are explained in that document. So two good reading documents for the audience: one, the Zero Trust Maturity Model 2.0. And the second one is the phishing-proof MFA. But imagine I logged into Office 365.
I said Office 365 with DLP, and DLP meaning data leakage protection. It means that the content and destination of information is controlled by the platform. I log in, I now know it's you. So let's just say you're logged in, you know it's you. But now it takes another look at the computer you're using and says, is that a known computer or is that a computer I don't know?
No, see, one of the big tests that the audience can test is: can I log in from a brand new computer? Because if I can, without talking to my security officer, then the security in our firm is deficient.
Richard Walker: 30:29
Yeah, that's a great test.
Brian Edelman: 30:30
So you should.
Richard Walker: 30:31
I mean, I can go buy a computer.
Brian Edelman: 30:33
Right? Well, if you go buy a computer and try to log in to your systems and see what systems you can get into, the ones you can get into are not part of your zero-trust ecosystem. Make sure that system doesn't have any information you want stolen. It's really that simple.
Richard Walker: 30:48
Yeah.
Brian Edelman: 30:49
So when you add all those things together, when the computer is a requirement to be protected, known and protected, when the user is using multifactor, when the system has been hardened and secured, when a network you're on. We have this great new networking. And there was an organization that was in financial services that had a great slogan. It basically said, you know, the best way to be secure is to come off the open internet. I happen to agree with that.
On the networking side, there's been significant advancements in that where we can take every computer off the open internet without the end user even knowing that that was done. Yeah, it's seamless, and that's really what it comes down to for me. If it's hard to do, it doesn't get done. So the idea of expecting advisors to configure a computer securely, that's really not what's there. So our passion is making it easy for the advisor to be on a secure, known and trusted computer.
Richard Walker: 31:52
Yeah, it's hard enough to remember all your MFA devices and codes and all the different paths. There's enough for us to worry about. So. Yeah.
Brian Edelman: 32:00
So let's think about the systems that should be on zero trust. Right. Password management. You just brought it up. Yeah.
There's a million passwords out there. So should we have passwords that are sitting in a pad on our desk? Probably safer than keeping them in a note area in your Outlook, which a lot of people do really Excel document where the whole firm sharing an Excel document that someone who leaves the firm could take and copy the whole thing out of. So, you know, these are things that become important for a firm to do. So securing passwords, securing endpoints, securing those systems, those critical systems, having methodology so that when money is being withdrawn, I mean, I like to, you know, kind of make a joke about how when I was in business with my mother and sister, we only accepted deposits.
We didn't let anybody go out. That's how we solved the problem, because you weren't allowed to take money out. I'm just kidding.
Richard Walker: 33:02
You're right.
Brian Edelman: 33:03
You know, at some point, clients want their money back. And they certainly don't want it in the hands of bad actors. That's why it's so important that advisers talk to their clients about cyber. They should be talking to their clients about cyber.
Richard Walker: 33:16
So, Brian, I have another question for you. I got to wrap this up, actually. And man, ever since I've known you, what, 20 plus years? I think you have always been such a giver of information. And you've done that on this show.
And I so appreciate that. So before I get to my last question, what is the best way for people to find you and connect with you?
Brian Edelman: 33:36
The best way to find me is to send an email to info at FCI cyber com. I have an exceptional team that will make sure if you're looking for me, they'll get in touch with me. If you're looking for somebody else on my team, also a great way to get in touch with us. So info at FCI cyber com.
Richard Walker: 33:56
Perfect. That's awesome. All right. So look, this is one of my favorite questions. And it's a total departure from everything we've been talking about.
Who has had the biggest impact on your leadership style and how you approach your role today?
Brian Edelman: 34:09
You know, it's hard for me to select one. I've had many mentors. I've been very blessed. I mean, I came into the business with an organization that really had a great mentorship so I could from my mother, who is my biggest mentor. But if I were thinking in terms of the industry, who's active, who's making a difference, it's a gentleman by Vincent Goyo, that is, he's a gentleman that, you know, I've been interacting with for a long time.
We have very complementary styles. I'm an entrepreneur. I'm a financial advisor style. I run my whole operation, similar to you would imagine a financial advisor does. And he's more corporate.
He's more he is very detail oriented where I'm more idea oriented. And it's been great working with Vincent. He has started a firm called Buckler, which is Buckler, is doing two things. One is it's giving back because you brought up vendor management before and Buckler does and makes it easier for financial services firms to be successful at getting security packages from vendors. So you may know that Buckler has an initiative to do that, but Buckler is making it.
You know, everything we do at FCI and everything Buckler does, which is consistent, is to help the security officers be the best security officers they can be, even if they haven't been trained and they know nothing. They've just taken on the role. They're brave enough to take on that role. They're excited about it. So I would say Vincent and I have been working together on that initiative to give back.
And I would say he has had a profound impact in what we're doing.
Richard Walker: 36:04
Brian, that speaks to me because I want to empower people to do their best work. And that's exactly what you said you're doing for the security officers. So thank you for everything that you're doing. Man, I hate to wrap this up because you and I could talk for a long time. You've got a lot more to share, but I have to give a huge thank you to Brian Edelman, CEO of FCI, for being on this episode of The Customer Wins.
Go check out Brian's website at FCI. And don't forget to check out Quik! at Quickforms.com, where we make processing forms easy. I hope you enjoyed this discussion. We'll click the like button, share this with someone and subscribe to our channels for future episodes of The Customer Wins. Brian, thank you so much for joining me today.
Brian Edelman: 36:45
It's my pleasure. Thanks for having.
Outro: 36:46
Thanks for listening to The Customer Wins podcast. We'll see you again next time, and be sure to click subscribe to get future episodes.
