
Cybersecurity Secrets for Financial Services With Paul Osterberg

Updated: Sep 23

Paul Osterberg

Paul Osterberg is the CEO and Managing Director of Security Basecamp, a company that helps financial services firms simplify cybersecurity and compliance while reducing risk. He has over 15,000 hours of experience building and leading information security programs and has completed more than 300 cybersecurity risk assessments. Previously, Paul held senior roles at AFAM Capital, National Financial Partners, and NFP Securities. He holds a degree in finance from the University of Minnesota and has completed further studies at Columbia University and the Wharton School.


Here’s a glimpse of what you’ll learn:


  • [2:11] Paul Osterberg discusses how Security Basecamp helps organizations regain confidence after a cybersecurity breach

  • [4:02] Common client concerns during cybersecurity reviews

  • [5:14] Why financial services firms are Security Basecamp’s frequent clients

  • [6:02] The most common security gaps

  • [7:18] Paul explores human versus automation in cyberattacks

  • [10:49] How AI could shift the balance between hackers and defenders

  • [13:45] Using AI tools like ChatGPT to enhance cybersecurity work

  • [15:16] Teaching kids safe habits in a digital world

  • [20:18] Growing risks of deepfakes and the need for safe words

  • [21:52] How breaches damage trust and client relationships

In this episode…


Many businesses struggle with growing cybersecurity risks, from weak passwords and unpatched systems to sophisticated AI-driven scams. These threats not only endanger company data but also erode customer trust when breaches occur. How can organizations strengthen defenses and safeguard their clients while staying ahead of evolving attacks?


Paul Osterberg, a cybersecurity leader with decades of experience, explains how companies can take practical steps to reduce vulnerabilities. He highlights the value of risk assessments and multifactor authentication, and the dangers of reusing credentials. Paul also emphasizes the human side of security, showing how training employees to think critically and “trust but verify” can prevent costly mistakes. His insights stress that technology and culture must work together to create resilient organizations.


In this episode of The Customer Wins, Richard Walker interviews Paul Osterberg, CEO and Managing Director of Security Basecamp, about building trust through cybersecurity. Paul shares how companies can reduce fear after breaches, why AI presents both risks and opportunities, and how cultivating better human behavior is as important as technical safeguards. He also delves into ransomware, client trust recovery, and the personal side of raising security-aware families.



Quotable Moments:


  • “The number one way we help people is thinking through, 'Where are my risks?'”

  • “Risk assessment really is similar to an annual physical from a doctor's perspective, just for cybersecurity.”

  • “A common issue we see with financial advisors would be not using complex passwords to access anything.”

  • “The incidents or breaches that we help manage are almost always perpetuated by humans, I believe.”

  • “The most common thing we see and it would be credential reuse, the lack of multifactor authentication.”


Action Steps:


  1. Conduct annual cybersecurity risk assessments: Regular evaluations reveal vulnerabilities early and keep systems resilient and compliant.

  2. Enforce strong passwords and multifactor authentication: Weak or reused credentials are a leading cause of breaches, but stronger logins prevent account fraud.

  3. Prioritize software patching and updates: Unpatched systems are prime targets for attackers, but updates reduce exposure to known vulnerabilities.

  4. Train employees on security-minded behavior: Cybersecurity often comes down to human choices, but awareness prevents costly mistakes like phishing exploits.

  5. Plan for incident recovery and insurance coverage: Breaches can still occur, but having backups and insurance ensures faster recovery and client trust.


Sponsor for this episode...


This is brought to you by Quik!


At Quik!, we provide forms automation and management solutions for companies seeking to maximize their potential productivity.


Using our FormXtract API, you can submit your completed forms and get clean, context-rich data that is 99.9% accurate.


Our vision is to become the leading forms automation company by making paperwork the easiest part of every transaction.


Meanwhile, our mission is to help the top firms in the financial industry raise their bottom line by streamlining the customer experience with automated, convenient solutions.


Go to www.quickforms.com to learn more, or contact us with questions at support@quikforms.com.


Episode Transcript:


Intro: 00:02 

Welcome to The Customer Wins podcast, where business leaders discuss their secrets and techniques for helping their customers succeed and, in turn, grow their business.


Richard Walker: 00:16

Hi, I'm Rich Walker, the host of The Customer Wins, where I talk to business leaders about how they help their customers win and how their focus on customer experience leads to growth. Some of my past guests have included Joshua B. Lee of StandOut Authority, Jeffrey Rusin of Advisor Tech Partners, and Parker Ence of Jump. Today, I'm speaking with Paul Osterberg of Security Basecamp, and today's episode is brought to you by Quik!, the leader in enterprise forms processing. When your business relies upon processing forms, don't waste your team's valuable time manually reviewing the forms. Instead, get Quik! using our FormXtract API.


Simply submit your completed forms and get back clean, context-rich data that reduces manual reviews to only one out of a thousand submissions. Visit quickforms.com to get started. Now, before I introduce today's guest, I want to give a big thank you to Jeff Reese, one of the first true supporters of Quik! way back in 2004, and who was instrumental in helping us go to the next level in our company's evolution. And he introduced me to Paul.


Paul Osterberg, managing director of Security Basecamp, exemplifies a commitment to safeguarding critical financial data and systems in a rapidly evolving digital landscape. Over the past decade, Paul has dedicated more than 20,000 hours to defending the integrity of diverse financial services firms as a fractional chief information security officer, or virtual CISO, to multiple financial service organizations. Paul, welcome to The Customer Wins.


Paul Osterberg: 01:50 

Hey, Rich, thanks for having me.


Richard Walker: 01:52

I am so excited to talk to you today. If you haven't heard this podcast before, I talk with business leaders about what they're doing to help their customers win, how they build and deliver a great customer experience, and the challenges to growing their own company. So, Paul, I want to understand your business a bit better.


How does your company help people?


Paul Osterberg: 02:11 

Well, you know, you know, all focused on cybersecurity. A lot of times we meet people in moments of fear. So reducing fear as it relates to maybe helping somebody with a breach or an incident. The number one way we help people is thinking through where are my risks? What threats and vulnerabilities does my organization have and how do I address them?


Richard Walker: 02:37 

So you're not just, hey, I've got a software product, you're actually going in and working with the organization one-on-one.


Paul Osterberg: 02:43

Yeah. The primary element of our business is service-oriented. We do have software under development, and we'll hear about that more in the future.


Richard Walker: 02:52

Okay. So what is it you actually do? I mean, are you actually doing active scans on their systems? Are you helping them make management decisions? What does your role entail?


Paul Osterberg: 03:02

Yeah. So it kind of depends upon the service that the organization has purchased. So if they've purchased the fractional CSO service, we're, you know, a senior leader on a part-time basis in the cybersecurity function in a company. The number one way companies start or engage with us is something called a risk assessment. So that involves taking people through a questionnaire, helping them understand what controls they do have in place, and whether or not they are compliant with regulation. Yes, we do scanning as well.


We call that electronic truth. It's kind of like drawing blood, you know, when you go to your annual physical. Risk assessment really is similar to an annual physical from a doctor's perspective. We're just doing it as it relates to cybersecurity and not your human health.


Richard Walker: 03:53

Okay, a lot of people hate getting that annual review because they're just totally afraid of what they're going to find out. So are your clients afraid of what they're going to find out?


Paul Osterberg: 04:02

Yes and no. I do think some clients shy away from going through the process, because sometimes it's like I'm being graded, right? You're going to give me an A, B or a C, and I want an A. So we tend to kind of have a private conversation as it relates to the first draft of a risk assessment with the owner, probably the person that's going to feel most graded. And then that's kind of an in-progress draft. Then we work with the organization to help them remediate those deficiencies.


And then we give them the A. So we want to make sure that we end up with healthy clients. And, you know, 95% of our risk assessment clients end up coming back to do another one either a year or two later and again and again and again. And some of them hire us as fractional CSOs.


Richard Walker: 05:01

Okay. How many of your customers are, maybe I should say, differently? I don't mean the actual number. Yeah. Are the majority of your customers financial service oriented, like wealth management firms or are they fintechs or are they something else?


Paul Osterberg: 05:14 

Yeah, the majority are in the financial services industry, either as independent broker-dealers, mutual fund companies, insurance companies, or financial services companies. We do then do work with fintechs as well, because another service we offer is the vendor due diligence process and the application penetration testing process. So that allows us to bump into and work with fintech companies as well. And we do do some business away from financial services as well because cybersecurity applies to anybody.


Richard Walker: 05:48 

Yeah. Is there is this inkling of a question I have, which is I don't know if it's a fair one, but is there something that is really, really common that everybody is missing when they call you? Like, is there like this? You always see this happen type of thing?


Paul Osterberg: 06:02 

Yeah, absolutely. That's a great question. You know, there are 5 to 7 key controls that just need to be in place that really help to kind of make you faster than the slowest bear. You know, so a common issue we see with financial advisors would be not using complex passwords to access or anything over the internet, reusing passwords, not using multi-factor authentication. So as it relates to a breach or an incident, I mean, it's really kind of basic.


Somebody ends up signing into somebody's email account and just reading their emails for some period of time. And that is the number one way. Then we see fraud happen because somebody, a bad actor, will pretend to be a financial advisor or one of their clients and then send in money for money movement, transaction or withdrawal. So that is probably the most common thing we see.


Richard Walker: 07:01 

Okay, I want to dispel what I think might be a myth. Okay. When you say somebody logging into somebody's email, is it really a human or is it bots and AI now? I mean, are there some guys sitting at a computer, got your password and go look at your email and read it, or is it automated?


Paul Osterberg: 07:18

Well, you know, I have not bumped into a situation yet where there's evidence that it was automated. I'm certain of the fact that automation will make and is making hacking easier. I mean, there are examples out there on the internet, for example, like it might be just automation to take a CVE or a vulnerability associated with software. I know Quik! has no CVEs, right? But oh sure we can.


Yeah. Common vulnerabilities. These vulnerabilities about software are published on the open internet for bad actors or good people to know, so I can go look up for common types of software like Adobe or WordPress. What are the vulnerabilities associated with them? I can then take those vulnerabilities and then plug them into some application, like Metasploit, which is used to attack an organization or to do what we call red teaming.


So both good and bad actors can be using a tool like Metasploit, which will take known vulnerabilities and allow me an exploit or a series of them that I can use to penetrate a network or a piece of software. So automation does play a role, but it is almost always the incidents or the breaches that we help manage are almost always perpetuated by humans, I believe.


Richard Walker: 08:43

Yeah. I don't know that everybody understands when you talk about CVEs. For example, if you have a Windows server, and I used to manage this a decade ago, you run a report in Windows Update and say, oh, here's all your vulnerabilities. And it would show you line by line what they are. Do you want to apply this security update and this one and this one and this one?


Yes. You know, thankfully Quik! is SOC 2 audited. And it seems like every single year there are more jumps we have to go over. There's more parameters we have to cover. Yeah.


So, you know, and we do our vulnerability tests and our penetration tests and we find these things. There's always something. It's crazy. This is a nonstop business.


Paul Osterberg: 09:23

It is. So I mean, you asked like the most common thing we see and it would be credential reuse, the lack of multi-factor authentication. The third thing would be lack of patching. Right. So running those scans that show you where am I vulnerable, and then deciding on what I'm going to patch.


And in not all cases, can you patch something? You know, you might have a piece of software. We're working with an agronomy company right now that has software in grain elevators and other places like that. Some things just can't be patched as easily. So the Windows 10 update that has many people kind of freaking out, the Windows movement away. End of life for Windows 10, I should say.


You know, a lot of people need to get off Windows 10, but in some cases, their software they're running can't move to a newer operating system, right? So we might need to take some other, you know, set of steps to secure something that can't not be fully made secure, like network segmentation. I don't want to get too geeky.


Richard Walker: 10:30

No, I don't mean to. Yeah, I don't mean to. I have two different paths I want to take with you. So first let's talk about artificial intelligence a little bit more.


Paul Osterberg: 10:39

Yep.


Richard Walker: 10:40 

Do you see AI posing a deeper threat in the security and cybersecurity, you know, hacks and attacks that are happening?


Paul Osterberg: 10:49 

I mean, yes and no. To the extent that there's a small to medium-sized business that is probably not leveraging AI or is not working with partners that are effectively using AI. In those cases, if the defenders are not properly leveraging AI or other concepts like zero trust, then I would think that bad actors will have a leg up in using artificial intelligence. I think, I think it, I think all, you know, everybody should be playing with and be intentional about how we are using AI and what risks it might expose us to.


Richard Walker: 11:33 

Do you see anybody trying to do your job with AI?


Paul Osterberg: 11:37 

Absolutely, absolutely. You know, I work. I'm a knowledge worker, right? A lot of what I do is helping people understand what risks do I face and how do I address them. I use, you know, things like ChatGPT, Grok, and other tools like AWS Nova, etc. on a daily basis.


And to the extent that I'm not, you know, I'm likely to become, well, for sure, much less effective for my clients or at some point, a dinosaur.


Richard Walker: 12:15

Yeah. But do you think people are trying to not hire you because they can just use AI to answer that question?


Paul Osterberg: 12:21

No. I mean, you know, this year, even though there's been some choppiness in the economy, we've grown more than we have in past years. You know, I have a relatively small team, but we are intentionally growing the firm. You know, we just showed up on the Schwab platform. You know, we're doing a lot of work with, you know, other platforms.


So I haven't noticed. I mean, we're getting more customers. Not less.


Richard Walker: 12:49 

So yeah.


Paul Osterberg: 12:50

But yeah, I'm sure some people are leveraging AI to do things like a vendor risk assessment that I could do for them.


Richard Walker: 13:00

Yeah.


Paul Osterberg: 13:01

But you have, you have you, how have you seen it impact your business?


Richard Walker: 13:04

Oh I embraced it from day one. I mean, I've been looking at this as an enabler for our business. So I don't have a scarcity mentality at all. No. But I'll look at it from another perspective.


You know, we hire professionals like lawyers and other people to do various things in our company. Lawyers are a good example because it's an expensive hourly rate. Yeah. And if I can have ChatGPT give me a lawyerly opinion of something that might save me an hour of work with that lawyer, not to mention the time it takes for them to turn around. Yeah, and so I'm willing to do that.


But am I willing to fire my attorney and not use them at all? Oh, God. No. I still need their help. And it's just that I want them to do sophisticated things, not trivial things.


Paul Osterberg: 13:45

Amen. Yes. Amen. Yeah. And I do think that has implications for how our younger knowledge workers are going to get trained, when a lot of the things that they were doing, like a new attorney.


Right. I can draft a legal brief as well. And complement it with other tools already available on the internet. So how is, you know, are we going to miss this opportunity of growing those sophisticated knowledge workers? Probably not.


 It'll just somehow change. I mean, we are just adaptive creatures.


Richard Walker: 14:22 

No. It is. It's a bunch of tools. I still think back to the 90s when Microsoft Excel and Word were starting to take root. And if you were still in Lotus and WordPerfect and you didn't migrate, you missed out.


Yeah. And it was just a different tool set. And it enabled different things that you could now do. So I think of AI a lot like that. It's a tool set.


All right. Let me ask you a totally different line of questions. I know I've known you. The reason I know you from Jeff Reese is because you and Jeff were both working at NFP Securities, one of our earliest customers. Yeah.


So I've run into it so many times. I've known you for a super long time. I know you're a father, so I want to ask you. I'm a father, too. I want to ask you a very different line of questions I normally ask.


Okay. But given your business background and cyber, how did you teach your kids to navigate this cyber world and secure them against the threats of online as they were going through their teenage years and growing up?


Paul Osterberg: 15:16 

Yeah, well, you know, a little bit less so than you would probably think. I mean, you know, making sure that they kept their phones up to date and patched, you know, you know, discussions of using multi-factor authentication, you know, but I think it was more just about good human behavior rather than a focus on cyber security more, you know, are you thinking through, you know, complex issues? How are you learning to think, right? And how are you learning to develop habits that involve questioning or, you know, goal-oriented thinking? So, I don't know, probably a little bit less as it relates to cybersecurity than you would think.


Richard Walker: 16:04 

But isn't cybersecurity about human behavior anyway? Yeah, I mean, there's the technical aspects, but I mean, I really think of the world in human behavior terms more than anything else.


Paul Osterberg: 16:16 

Yeah, yeah. Some of the best partners I work with, Aaron Spradlin, is a perfect example. At United Planners. He is always kind of, you know, thinking kind of deeply about technology oriented issues. And he and I have, you know, worked together for a long period of time.


And one of the first things Aaron really focused on, even though he was very technical, was culture and human oriented, kind of the human, the human side of cybersecurity. Are we training people to, you know, a really trivial example, but a very important one would be not click think before you click kind of thing. Are we training people to, gosh, you know, this is out of the normal, even things like slower computers or rebooting my computer on a weekly basis, you know, questioning, reporting something to the cybersecurity experts. I'm just not sure. Let me check with Paul and the team.


Yeah. Prioritizing risks. We don't necessarily have to address everything, but from a human perspective, from a business perspective, what are the right risks for us to mitigate? But yeah, so having processes that train people to be wise. A little wordy there.


Sorry.


Richard Walker: 17:41 

No, but in a lot of ways, it comes down to, you know, being street smart. Yeah. Because like you said, think before you click. Oh my gosh. Every day somebody is trying to pay me money.


There's a remittance. Go click this PDF and you'll get paid. Type of stuff. No. Don't do it.


But I think, you know, as we grow as humans and evolve, we're always learning as we go. And that's why I brought back the kids' perspective, because you're trying to train human behavior in your own kids, but in your profession, you're trying to train human behavior at the same time. And that's what I was thinking about. The corollary of the two.


Paul Osterberg: 18:18

Yeah. And, you know, trust but verify, you know, you know, I work in and around bad actors or thinking about how somebody might try to steal information or money from me. And I do need to kind of constantly challenge myself to, you know, the human is by and large, most humans are great people, right? You know, we want to serve other people. We want to make a difference in the lives of other people.


And the bad actors represent kind of a small percentage of, of folks, you know. So I didn't want to, I don't want my kids. I didn't want my kids. They're now young adults kind of growing up thinking that we just can't trust anybody. We can trust most, most everybody.


But be a bit wise.


Richard Walker: 19:04

Yeah, yeah. All right. Going back to your I was thinking about this with your business. Yeah. I lost my train of thought, to be honest.


Well.


Paul Osterberg: 19:18 

Yeah, I mean, I, you know, you know, we met 20 years ago. Gosh, it's just about 20 years ago. You know, I left NFP to really focus on raising my kids and all of a sudden started working on, you know, over the internet for over two decades. I mean, the pandemic was actually a little bit of a gift to me from a business perspective in that, you know, people became very comfortable just working, just like we are talking today. Yeah, I'm sitting out in central Minnesota and you are in.


Richard Walker: 19:49 

I'm in Austin where we met.


Paul Osterberg: 19:51

Yeah, yeah. Great town.


Richard Walker: 19:53

I moved to where you used to be.


Paul Osterberg: 19:55

Yeah. I love that place. Yeah.


Richard Walker: 19:57

I know what I was going to ask. I appreciate this because the train of thought was done. Should people have a safe word these days? Because AI is mimicking voice and spoofing phone numbers and, you know, trying to behave like your sister who's in trouble and sending money, that type of stuff. Do you advocate for that kind of idea?


Paul Osterberg: 20:18

I do, yeah, absolutely. And you know, something that scares me a bit is just, you know, AI's ability to create very realistic videos or AI to literally create you, you know, and we have this conversation. It's a pretty long conversation. So it'd be difficult. But there are examples where a CFO or a CEO was spoofed.


Their human form was literally the deepfake. And talking to somebody that could authorize the transfer of $25 million in Hong Kong. Right. And this is a true actual example where AI was used to create a Rich Walker to talk to Paul Osterberg and trick the person into thinking it was the CFO. So those sorts of things and the ability, especially in kind of this time, you know, where there's a lot of endorphin creating actions taking place over the internet to influence people, you know, freaks me out a little bit to think about the necessity for having a safe word that you would use to prove to me that you are Rich Walker, that would be the use of a safe word.


Richard Walker: 21:33

Yeah. No, that's a great point. So, you know, talking about that kind of totally negative outcome, losing $25 million or something because of a spoofed actor? Yeah. I want you to kind of talk about what a bad experience that a company has with a breach means to their customers.


What is a bad experience for the customer then?


Paul Osterberg: 21:52

Yeah. Well, you know, so a lot of the cybersecurity industry tends to sell or market talk about the extremes. So I want to be cautious of that. But you know some examples could include you know ransomware is one of the worst types of attack that a company can experience. So imagine hospital systems where ransomware locks up all of their equipment, and it makes it difficult for them to serve on their clients or literally even potentially save their clients.


There are examples of hospital systems being hit by ransomware and the financial services industry. Imagine you're a financial advisor who loses access to your. Let's say you have 25 people working in your advisory practice, and you lose access to all of your devices and all of the systems you use to serve clients for a period of 11 days. What impact would that have on your business, business interruption or not being able to serve them? Typically, in this independent financial advice space, we have redundant systems across many companies.


You know, I might custody my assets at Schwab and Fidelity or Pershing. So that serves as kind of a second layer of defense in some cases. But yeah, it's kind of important to not have. Well, it's important to make sure you have good backups so that you can restore all your systems within a short period of time.


Richard Walker: 23:20

Have you seen advisors lose clients over? I don't know, a data breach where the client's data was accessed. I mean, I have.


Paul Osterberg: 23:28

I have to go back to the most common example, right? Not making sure that it is difficult for somebody else to get into your email system. Right. So this is, I would say, 50% of the breaches that I see start there. And I've seen numerous financial advisors lose clients where money was transferred out of an account at company X or custodian Y.


And I mean, that's a terrible discussion to be having with your client. You know, I just the money was typically refunded, but oh my God, you're telling me via your, you know, my relationship with you, I money was taken out of one of my accounts. I've seen that over and over again.


Richard Walker: 24:13

How do you overcome that trust loss?


Paul Osterberg: 24:16 

Yeah. It is a lot about trust. And really the key thing is that the cool thing is that it doesn't take a whole lot of work to put the most primary defenses in place to prevent those sorts of things, but not in all cases can we prevent them. So we bought some insurance.


Richard Walker: 24:35

Yeah, I know a lot of what you're trying to do is, you know, secure the hatches, loss prevention, risk mitigation, etc. but from a consumer standpoint, like me as a consumer, you as a consumer, it seems like our data has been accessed over and over and over again by all the big companies. I don't want to name names, but we've heard them all in the news over the years. Do I have to care anymore? I mean, does it matter that somebody has my social status?


Paul Osterberg: 25:00

I mean, there is some truth to that, right? It's kind of like I remember my pastor at church told me once, you know, that, you know. Yeah. Don't worry about it. You know, I mean, people are going to learn some of our private, confidential information, and that's just the world we live in.


But, you know, when you have a child that goes off to college and their identity has been stolen. And in some way, shape or form, they might have been harmed or an account opened in their name. Yeah. I mean, we can prevent these things.


Richard Walker: 25:39

You know, when I was in college a long time ago in the 90s, and I was working at PaineWebber stock brokerage, and I'd been there for, I don't know, 4 or 5 months, I got a phone call. I'm like, who knows that I even work here? Number one. Yeah, it was American Express, and they were asking me how I'm going to pay my bill. And I'm like, you got the wrong guy.


And they verified my social status, my date of birth. And then I said, what's my address? And they gave a different address. So it was totally a fraud. But I was so shocked that back in that day, they were able to figure out where I worked and contact me.


I had no cell phone. It was bizarre, but I mean, I had my identity stolen way back then before most of the cybersecurity stuff was going on.


Paul Osterberg: 26:20 

Yeah, that I mean, that reminds me of some of the conversations we used to have 20 years ago about how your business was born. I mean, I think that's an interesting story, Rich. You've always had this mindset of, hey, there's a problem to be solved, you know? And you were working at PaineWebber and then elsewhere, I think. And then you created these Quik! forms to solve a lot of industry problems.


You know, if you'd have if you'd have taken the bait on that American Express thing, maybe you'd have become a cybersecurity consultant 20 years ago.


Richard Walker: 26:50

You never know. You never know. I know. It's funny how my path has meandered. I've always been an entrepreneur, but for me, it's about solving a problem.


That's what I love to do is solve problems for people. And I solved it for myself and everybody wanted it. So there was that. But yeah, the cybersecurity world is not as interesting to me personally because it is just well, first of all, it's vast. And I am part of the challenge, and this is part of the conversation about it for me if you're saying to a customer, I want to put you in a position to never have the loss, which is awesome.


What's the value of that? Because until you've had the loss, you don't know the value.


Paul Osterberg: 27:32

Yeah. What's the value of maintaining trust? You know, what's the value of maintaining data integrity? Like making sure that our data can't be spoofed. Changed.


You know, we want to seek the truth, you know, so it's a lot about, you know, allowing a person to make decisions to keep private what they want, to keep private. If you give me confidential information, I want to maintain your trust. I mean, so it comes back to those human things again, you know, trust, trust. I have faith in you. I feel secure working with you.


I want my future to be secure, you know, so some of these, it's just a different, different business function as it relates to important humans. So this is.


Richard Walker: 28:18 

This is what I love about it at the end of the day, you have a function that is dealing with human emotion. I mean, honestly, that's what you're coming back to. It's true. Trust and bonds that we have with the companies that we entrust money and information to our kids. Anything with.


Right. So that trust is a human thing and you can't just put a finite value on that. Because if it's lost, it's lost. You've lost the customer. Like there is no partway there.


When you've lost it.


Paul Osterberg: 28:48

Yeah. And it's about the employees too. You know, I can think of cases or clients. We've gotten through ransomware events, and, you know, you're dealing with a technology leader that their career was about making sure that their systems operated, that their systems came up in the morning when they were supposed to. And, you know, just that feeling in your heart, you know, it's like, oh my God, my systems are unavailable now. The thousands of other employees in my company are looking at me and saying, what did you do wrong? You know, so it's kind of like, hey, let's give that person a way to make sure that in that, oh, you know, oh, oh, no.


Good moment. How they recover. Yeah. So I feel active.


Richard Walker: 29:35

Yeah. So I feel like one of the corollaries between our businesses is that when it goes wrong, it goes really wrong. Like, customers really feel it when it goes right. That's just the way it should be. Like, it just should go right, so nobody cares.


Like they're not singing your praises because it went right. It's just. Yeah. It worked. Like I joked, nobody cares what brand form they used.


Just like you don't care what brand pencil you use. Yeah.


Paul Osterberg: 30:00

Yeah. I mean, chief compliance officers can relate to that comment. Chief technology officers can relate to that comment. Obviously CEOs, nobody wants to be in the news. And most of us, you know, kind of feel protected by obfuscation. There's just so many different people that might be attacked.


I'll never be attacked, and I'll never be that person in the news, you know?


Richard Walker: 30:21

Yeah, right.


Richard Walker: 30:23

Yeah. And that's easy. It's easy to say that when you haven't had it happen to you. I have never identity stolen from me. Do you know how they did it, by the way?


They somehow got my social from financial aid at school, and all they did was fill out a paper application for the American Express card and sent it to a fraternity address. The fraternities had opened mailboxes so anybody could find, you know, if you didn't get your mail, you put it on top for somebody else to get. So they just scan it and pull it, and then they don't have to live there or anything so trivial and simple. How they did it.


Paul Osterberg: 30:54

Yeah. It is. And you know, Kevin Mitnick, he's passed away now, but he was kind of known as one of the world's greatest hackers. A lot of his hacks were based on physical oriented things like dumpster diving or getting into companies as, you know, a janitor or something like that. Yeah.


Richard Walker: 31:16 

Yeah. Oh, man. Well, that tells you that the movies are real. All right, so we'll have to wrap this up. And I do have another question for you.


But before we go there, what's the best way for people to find and connect with you?


Paul Osterberg: 31:27

Yeah. Reach out. Look at our website securitybasecamp.com. Search for Paul Osterberg on LinkedIn. And you know come see us at conferences the cheap or Schwab or, you know, smart growth conference.


We're going to that in Ohio not too long from now. Yeah. securitybasecamp.com.


Richard Walker: 31:49

Nice. Awesome. All right. So here's my last question. And it's always one of my favorites.


So who has had the biggest impact on your leadership style and how you approach your role today?


Paul Osterberg: 32:00

Yeah. Well it isn't just one person. I mean, early in life, I mean, clearly my parents, I was also involved in numerous organizations growing up, leadership roles, even the Future Farmers of America. I never intended to be a farmer, but it was one of the best leadership organizations I'd ever been in. Did a lot of public speaking in high school. But long story short, then once I got into the career world, you know, it was a series of people at Deloitte and Touche.


I was a consultant at Deloitte. Pat Bechdel was my managing director there. And I ended up on an engagement at an English broker-dealer. And I met this young CEO named Jeff Montgomery. And then, I mean, we were both in our 30s.


And so that partner Pat Bechdel at Deloitte, and then Jeff, who I followed to Austin, Texas, at NFP Securities to run technology, and ultimately was offered the chief operating officer's role. But Jeff had a big impact on my career.


Richard Walker: 33:08 

Yeah, I remember Jeff, I didn't know him well, but that's awesome. And obviously enough to make you follow him. That's great.


Paul Osterberg: 33:14 

Yep. Yep.


Richard Walker: 33:16

Oh, man. All right, so I want to give a huge thank you to Paul Osterberg, managing director of Security Basecamp, for being on this episode of The Customer Wins. Go check out Paul's website at securitybasecamp.com, and don't forget to check out Quik! at Quickforms.com, where we make processing forms easier. I hope you enjoyed this discussion.


We'll click the like button, share this with someone, and subscribe to our channels for future episodes of The Customer Wins. Paul, I'm so glad to have you on today. Thanks for joining.


Paul Osterberg: 33:43 

Me. Thanks for having me, Rich. I really appreciate it. It's good to catch up, too, after a couple of decades. And I mean, we see each other throughout the year, but thanks.


Outro: 33:54 

Thanks for listening to The Customer Wins podcast. We'll see you again next time, and be sure to click subscribe to get future episodes.
