Interview with Robert Fitzgerald, Field CISO at Blue Mantis, a security-first business advisory firm headquartered in Portsmouth, New Hampshire.
Hi Rob. Thanks for chatting with me today. Can you tell me about your journey to your current position?
I actually fell into cybersecurity. In fact, I never thought I was going to be in technology. One of my early jobs was in technology sales, and then I worked in project management. I later landed a job in telecom that turned into an IT job and eventually turned to security. In 2001, I launched my first cybersecurity company, which I sold in 2013. After the sale, I worked with different companies to help implement cybersecurity strategies, eventually starting another company. In February 2023, I sold my second company to Green Pages. This past summer, we rebranded it as Blue Mantis, becoming a security-first business advisory firm that provides technology solutions to mid-market companies.
What makes Blue Mantis different from other cyber companies out there?
The interesting piece of Blue Mantis is that the organization itself is 35 years old. We started in the VAR space, actually selling computer components, and have grown over the years, following the continuing evolution of technology. Many of our employees have been here for 15 years or more, and we’ve built a reputation of being incredibly nice and supportive of our customers. We’re growing like crazy, both organically and through acquisition.
When we’re looking at acquisitions, we’re looking for technologists, engineers, and developers who can engage with customers on the front line. Not that that is their job, but it’s what we want: people on the team who our clients can feel comfortable with. We’re by no means the largest consulting firm, but we intend to take a very dominant role in the market with a security-first approach. We want our clients to be sure they have reasonable security in place to protect themselves. We help them design, build and implement, and even at times manage, the solutions they need to make sure their business can be successful.
What have been some of the greatest challenges in helping your clients with their security? What are you seeing out there?
I think there are a couple of things we’re seeing, in no prioritized order. I would say first that many of our clients are unable to see their own risks, so they tend to feel confident that their organizations are already secure enough. In reality, because we’re working with thousands of clients dealing with thousands of risks, we have a unique perspective into where the risks exist, I think. Second, another challenge is the number of vendors out there. It is overwhelming and having so many choices can make it difficult to identify needs and create budgets. Our company will come in as a team and help remediate an existing solution in place or help create a more impactful security posture using existing tools to complement what they have.
Third, there is a problem with CISOs getting the budgets they need, and I think that’s due to a lack of business education among technology executives. So we spend a lot of time educating them on how to better communicate with the CFO and their board of directors to identify risks and explain why there are financial needs around security protections. And finally, the biggest challenge we’re seeing right now is that there are not enough people to implement and maintain the tools they are buying.
What are some of the misconceptions your clients have about cybersecurity?
As I mentioned earlier, a lot of clients believe that, because they have tools in place, they are secure. What I point out is that the tools in place won’t matter if the policies and procedures don’t work or are outdated or are too complex. You need to align your policies to your hiring practices to meet the tools you want to use in your environment. Another big misnomer is that cybersecurity is expensive. I mean, the reality is, everything is expensive right now. But really, the lack of security and compliance is way more expensive. The final thing is around compliance. I don’t mean the traditional type of compliance like HIPAA because I have yet to see any organization go out of business due to their handling of their data security and privacy posture and compliance violations.
Instead, what I see from a compliance standpoint is contractual compliance coming into play, where a B2B vendor gets hit with ransomware. That impacts the revenue of their customer, another company, and leads to the ransomware victim company being sued for negligently disrupting the financial operations of their customer, because their customer has a fiduciary obligation to deliver results in the form of products or services and earnings to their own customers and shareholders. The ransomware victim will have to prove that they had taken reasonable steps for cybersecurity, and to be honest, that can be incredibly difficult to prove.
What is on the horizon with Blue Mantis?
At the moment, what I’m excited about is the new executives coming in and the number of executives who are moving into new roles. We have a really clear vision on where we want to go and who we want to be within the mid-market. To get there, we have a number of exciting partnerships that we’ll be announcing in 2024.
How do you track risks for your clients?
We have two partner platforms that we tend to lean very heavily on. One of them is called CyberSaint, who we’ve been working with for five or six years. What I like about them is that you’re able to not only identify and track risk, but also capture any progression of those risks. Another platform that we use is 6clicks, a newer AI-driven platform that we are seeing clients like using. But beyond the platforms, an important aspect to tracking risk is getting CFOs to understand not only what the risks are but also how their technology leadership is mitigating those risks, and then effectively communicating that information to the board and investors.
My last question for you is: what do you see happening in cybersecurity in the future? Where are we going and what will the challenges be?
I think one of the biggest challenges is getting over this hurdle of entry-level talent needing to have years of experience, or any experience whatsoever. I expect we’ll see companies with fewer than 3000 employees moving to a managed cybersecurity service over time because building and managing your own team and system is too involved. I also think there will be less scrutiny over vendors, with organizations no longer asking for vendor brand names and being more concerned about getting the security solution and results they need, regardless of product brand. There’s so much happening, and the attackers are getting faster and more savvy, that companies need to do more to react to the speed of cyberattacks, which currently is incredibly difficult for most organizations to manage themselves.
By Sue Poremba