Roku’s hacked data breach – will we never learn our lesson? | Guest Zarik Megerdichian

Show Notes

Zarik Megerdichian, the co-founder of personal privacy controller company Loop8, joins me in breaking down the recent Roku breach, which landed hackers a whopping 15,000 users' worth of vital data. Megerdichian and I discuss the failings of the current data collection and storage model while moving to a model in which biometrics is the primary identification method, coupled with a system of contacts who can vouch for you in the event that your device is lost or stolen. It’s another interesting approach to privacy and online identity in the age of the never-ending breach announcement parade.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

0:00 - Roku's data breach
1:54 - First, getting into computers
5:45 - Megerdichian's company goals
9:29 - What happened during the Roku data breach?
11:20 - The state of data collection
14:16 - Uneccesary online data collection
16:26 - Best data storage protection
17:56 - A change in data collection
20:49 - What does Loop8 do?
24:09 - Deincetivizing hackers
25:21 - Biometric account recovery
30:09 - How to work in the biometric data field
33:10 - Challenges of biometric data recovery work
34:46 - Skills gaps in biometric data field
36:59 - Megerdichian's favorite part of the work day
37:46 - Importance of cybersecurity mentorship
41:03 - Best cybersecurity career advice
43:33 - Learn more about Loop8 and Megerdichian
44:34 - Outro

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

Chapters

• 0:00: Cybersecurity Innovations
• 14:58: Data Collection and Security Concerns
• 25:51: Enhancing Security Through LoopAid
• 32:54: Navigating Challenges in Security Industry
• 40:25: Career Advice and Mentorship Tips

Transcript

Chris Sienko: 1:10

Okay. Today on CyberWork, zareek Meghadichian, co-founder of personal privacy controller company Loop8, joins me to break down the recent Roku breach, which landed hackers a whopping 15,000 user treasure chests filled with their vital data. Zareek and I discuss the failings of the current data collection and storage model, while moving to a model in which biometrics is the primary identification method, coupled with a system of contacts who can vouch for you in the event that your device is lost or stolen. It's another interesting approach to privacy and online identity in the age of the never-ending breach announcement parade, so I hope you'll keep it here for today's episode of Cyber Work. Hello and welcome to this week's episode of the Cyber Work podcast. My guests are a cross-section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends, the way those trends affect the work of infosec professionals, and leave you with some tips and advice for breaking in or moving up the ladder in the cybersecurity industry.

Chris Sienko: 2:10

My guest today, zarek Magradićian, is the founder and CEO of Loop8, a personal privacy controller designed to work for the masses. The passwordless system uses biometric identity verification, eliminating the forgot password routine while offering highly encrypted data storage and digital privacy. Zarek is a globally recognized entrepreneur and investor in crypto and technology and venture capitalism. Zarek has co-founded and held multiple technical positions at leading technology companies and is known for his vehement belief in the importance of giving back to the community. So today's episode we're going to be talking with Zareek about the recent Roku hack of data and just talk a little bit about the increasing commonness of data breaches and what we're going to do all about it. So again, thank you very much for joining me today, zarek, and welcome to CyberWork.

Zarik Megerdichian: 3:02

Thank you for having me, Chris.

Chris Sienko: 3:04

My pleasure. So, Zarek, to help our listeners get to know you a little better, I was wondering if you could tell us about when you first got interested in computers technology, cybersecurity. It seems like your tech focus goes way back, so what was the initial spark? What was the thing that got you interested in the first place?

Zarik Megerdichian: 3:21

Yeah, so I'm not your typical tech guy. Starting early on, I'm a graphic designer, got into the internet business in 1998, designing websites, and from that point I fell into a printing business which I use the technology in our advantage and I build the largest wholesale printer in North America. And then I started a high rise investment in, I want to say, 2017 or 18. And my focus was to be around tech people, startups and to fund them, and also I have a passion for mentorship, mentoring and coaching. So that was high-rise investments. Finally, in December of 2019, my daughter, my 14-year-old daughter hacks into my computer and that's how I got into cybersecurity. So that's how I started.

Chris Sienko: 4:24

Can you talk about that day? I mean, did she tell you that it was coming, or did you just suddenly get kind of a pop-up notification like, oh look, who's here.

Zarik Megerdichian: 4:33

So it's December of 2019. And we're in a holiday party. Look who's here. No, so. So it's it's December of 2019 and we're in a holiday party. It's loud, people are all speaking, there's a music and my daughter calls me and she asked me for our Netflix username and password. And I said honey, I can't think it's so loud over here, I'll give it to you.

Zarik Megerdichian: 4:51

Tomorrow and next day I go to her room and go like here's our username and password. She goes like oh, don't worry, I hacked your computer. I ran the computer, brought it up. I go like show me how. And then I realized how having a password is a problem and how, if someone gets their hands on my password, they have access to my computer. They have access to everything. So that's how Loop8 was born. Fast forward, three months later, covid hits us all and we're in a lockdown and I cannot think of anything else except how can we solve this password problem? Except how can we solve this password problem. Finally, I came up with an idea. I ran some tests, talked to some cybersecurity professionals and filed a patent in May and in July I registered LuPaid. And fast forward to today. Why am I telling you this story? Because we started kind of on a path of eliminating passwords and create a passwordless system and user authentication, which is a great subject for today's conversation as well.

Chris Sienko: 6:06

Yeah, I think so. Now I definitely will keep moving on to your career experience here, but I just have to ask again regarding the hack, do you remember what she did specifically? Did she like, do you like, like you say, like a password reset or something and then have access to your email to grab it, or do you, did she tell you?

Zarik Megerdichian: 6:23

It was simpler than that. My daughter is not a tech and a hacker kind of a thing, so she had access to my computer and because I was using Chrome, all of my passwords were already in Chrome and we have it today also. And if I have an access to your computer, I can see all of your passwords. And that's what we try to change. And she knew how to do it. She actually looked on social media, I guess, and figured that out, and that's how she got into my computer and took the username and password out.

Chris Sienko: 6:55

Interesting, okay, interesting, okay. Yeah, I mean, that's a pretty primal one, and I think a lot of people are probably running home to scrub their Chrome browser to make sure that there's nothing going on, or at least restrict its usage. So yeah, so yeah, I mean this is a very interesting development. So I guess my second question for you, I guess, is maybe a little bit different, but you know, certainly you've been striking out on your own path. Based on your LinkedIn experience, you know from the beginning. So you were the founder in 2001 of the company for over Inc and you remain there to this day, and you're the founder and inventor of.

Chris Sienko: 7:29

Was it a higher in set? Sign V I don't know how to pronounce that, I'm sorry. Yes, oh, I rise. Okay, got, is it Hire? And SignV I don't know how to pronounce that, I'm sorry. Hireize yes, oh, hireize. Okay, got it, got it. And then, of course, loop 8. So I mean, it seems like startups are kind of in your blood at the very least, even if security is kind of a newer development. Can you talk about some of the problems you are trying to fill in the space with each of these companies?

Zarik Megerdichian: 7:55

you were trying to fill in the space with each of these companies, sure, so when I got into printing obviously I always loved startups from a very early age, but when I got into printing, my philosophy is always how can I disrupt, how can I change things for better? How can I change things for better? So in early days I'm talking about 2001, things as simple as sending an artwork over the email or FTP didn't exist. It was something so new, and so I took the advantage of the technology background that I had. So I brought that into the printing industry and I just grew that business. And one thing that was very interesting, a side effect of that technology move was my business was in California and my customers were all locally in California, but the moment we opened the Internet, all of a sudden I had customers from New York, florida and everywhere else, and that opened up all the borders for us. That's the technology on that side and with High Rise, obviously it's a passion project. I wanted to surround myself with startups tech startups only and just learn from them and not give them the ropes. I was a 20 year CEO, run a company which is 1600 employees, 12 locations in the United States and Canada and and and I could teach them kind of how things to watch for, things not to do and best practices as well. So that's the high-rise part and LuPaid.

Zarik Megerdichian: 9:39

Obviously, my passion is passwords need to go. Passwords are going to go. Someone's going to change them and we built something that is passwordless. We built a community base and we also try to stay away from a subject of today's conversation, which is data collection. We don't collect your data. We collect some data. We collect only only your email and a phone number. That's it. We don't want to know your name, your gender, your address.

Chris Sienko: 10:10

Yeah, all the security question type data yeah.

Zarik Megerdichian: 10:13

Other things, and we built the technology that we don't even store your passwords or your encrypted vault, and that's very unique to us, because we build a community model that people that know you, they can vouch for you and your ID comes back. There is no passwords to be phished and that's what the loop aid is all about.

Chris Sienko: 10:39

Okay, Well, yeah, let's talk our topic then. As we said at the top of the show, I wanted to talk with you today about the recent Roku data breach. So from as early as January 4th until the reports that started coming in in mid-March, it sounds that hackers were able to infiltrate the streaming service Roku and get access to more than 15,000 Roku accounts, including passwords, stored credit cards though no, fortunately no social security numbers, full account numbers or date of birth, which, again, not sure why they would have those. Roku reported that the hackers obtained log information and tried to buy streaming subscription on stolen credit cards. So do we know more about the breach than that? Do we know about the group responsible? Or, like the attack path? And you know, I was going basically on a couple of press releases. I think that, basically, that Roku gave out but do you do we have a better sense of, like, the sort of technical aspects of this breach?

Zarik Megerdichian: 11:33

Unfortunately, the group is unknown and Roku is claiming credential stuffing. What that means for users is, when hackers are stealing data from some other company and they go to Roku and try that same username and password, chances are they get in. And that's what Roku claimed. However, just three days ago they had a new breach, which is 570,000 accounts were compromised, and they claim credential stuffing on those also. In my view, credential stuffing is someone else's problem. It's not ours. So it's very difficult to tell if the systems were compromised or what exactly happened. But that's as far as I know about this and I can get about this.

Chris Sienko: 12:30

Yeah, yeah, yeah, no, I think that's. You know. Maybe that would happen with a few, but the idea that you could, you know, grab 15,000, there's 15,000, you know duplicate passwords that could be credential stuff seems suspect, I suppose. Or you know whatever else there about the ubiquity of data breaches and the ubiquity of announcements about them at these days. I mean, obviously breaches at this point are sort of inevitable sooner or later, but with some data security and private practices we can do a little post-mortem on the event. So I want to talk about the type of data they collected.

Chris Sienko: 13:11

So Roku was happy to tell its attackers that the attackers quote didn't get any social security numbers or dates of birth, personal account numbers. You know the account numbers are neither here nor there but, like I said, I don't know why Roku needed social security numbers to provide user with their service. You know this is a question that comes up sometimes. We talk about things like you know. Again, like you said, you want the death of passwords, but also the death of the security question, especially as like a resetting mechanism when you lose your passwords. But you know, I don't know why Roku would need to know my birthday, because I don't recall getting any gifts or offers from them on my birthday. It's probably more likely an opportunity to do more selling to me, but I want to just talk to you, zarek, about the state of data collection and some of the things that could and should be changed across e-commerce. So what are some of the worst tendencies that you've seen of companies in terms of data collection and what are your recommendations of stopping this over-collection of data?

Zarik Megerdichian: 14:08

So, unfortunately, data is the new currency and companies are collecting this data and they're making that data available for their organization or they're selling it to data brokers. The bad news is it impacts the users and if their data protection is not to a par and they don't have solid systems, not to a par and they don't have a solid systems If they get breached and hackers now have access to user information, and that's a problematic thing. Social securities and data birds these are very private information and should not be ever asked. I think companies have to be saving information at the very limited level as long as they can function. I was playing a little game Candy Crush kind of like game that forced me to pop up saying I want your date of birth. I ignored and I couldn't continue. For some reason, they decided after a very long time that they should be in the business of collecting data. It's very difficult to manage those, considering how attackers can get into your database and compromise and sell it in an open market.

Chris Sienko: 15:26

Yeah, now I've had a previous guest on that, you know, assured me, or that we discussed the idea that this sort of what we called the Wild West era of data collection is starting to come to an end.

Chris Sienko: 15:38

You know, back in you know the early mid 2000s, I think, the sort of, you know, the way people thought about data collection was get everything, we'll decide what to do with it later. And so it was. You know, every form just had an abundance of. We'll ask about your birthday, we'll ask about your home address, we'll ask, you know, security questions, all this data you know, and we seem to be leaning toward the idea that regulations were coming that would sort of put this Wild West notion of data collection in excess to the end here. But I don't know if that's necessarily proving to be the case here now. I mean, you know, the fact that you know a game like this is telling has suddenly decided that it wants more data from you mid-game indicates that some people are like some companies are not going to go quietly into this good night. I mean, what are your, what are your thoughts on this? Are you seeing like an upswing in in sort of like the last minute, kind of like cash grab of of data collection there or absolutely, absolutely.

Zarik Megerdichian: 16:46

I've seen, uh, in few places that are they're collecting information that are absolutely unnecessary for them, and I think, at the end of the day, if I have an organization, I have to monetize. I have to make money. Sometimes selling ads is critical, but knowing the demographics of the users is gonna make me sell ads much more effectively. And now people are joining this kind of data game. In my view, web 3.0, which is the future of ours, it should be opt-in. Only Anyone who wants to get advertised. They can kind of opt-in and give their information. Everyone else should be staying out, but I think we're still ways away from getting there.

Chris Sienko: 17:36

Yeah, yeah, absolutely yeah. The idea of you know involuntary opt-in and then you have to voluntarily opt out and the hopes that we can flip that for whatever comes next is a good one. I hope I don't know what the about the you know the mechanism of Loop 8 here. Is there anything in the actual data security system around the data you know storage by Roku that you think could have been done better? You know, I mean, obviously the horse is out of the barn now, but are there methods of data storage coming in the future you think that might be able to render wholesale data grabs like this obsolete?

Zarik Megerdichian: 18:19

So unfortunately, no matter the encryption and layer of security, there will be always human error, and every company is as strong as all the connected links. Companies like Roku have third parties, maybe a shipping company, maybe a payment company. These are all third parties and if their security is not up to the standard, the hackers can come through that channel and attack any organization. So it's difficult. A lot of companies have been trying very hard to solve this issue, but the human error remains the biggest problem, because we make mistakes and hackers are banking on that.

Chris Sienko: 19:06

Yeah, yeah, and there's just, there's just not really a way, if you know, even if you briefly let someone in, like there's just no way to unlet them in at this point. It seems like once they're in, they're in. So, yeah, I mean, you know, this is maybe just a venting point I've had with a couple other guests, but I want to just kind of talk about it. Just seems like at this point in 2024, you know, every other week I'm getting a notification from you know, a utility company, a streaming service, my CPAP, my, you know, bank We've been breached, We've been breached, We've been breached, we've been breached, we've been breached. You know, and it's one thing to say, oh, your, your password got compromised, please change your account, your password that you can usually do that fast enough that nothing really happens.

Chris Sienko: 19:47

But we're hearing so much about, well, we got vital data from the users. I didn't really realize that, like my CPAP machine was giving out my home address and my social security number and you know, and then they all kind of it's all just kind of gets wiped over with like, hey, have a free year of credit monitoring on us and maybe freeze all your credit lines in the meantime. But you know. I mean, is this something that we're just finding ourselves getting used to, Because it just seems like it's really accelerated in the last couple of years and, you know, obviously a loss of trust is coming. Do you think that this is going to be a mechanism towards, you know, consumers not working with companies that are this sort of like flagrant in their data collection? Do you see like a sea change coming?

Zarik Megerdichian: 20:34

Well, it's unfortunate. We have to be careful not to let people get used to these breaches, because we lose sensitivity towards all of those things. We need the industry leaders, apple's, google's and Microsoft's and all the top players to get together and work on this data privacy issues. The bad news is Apple is really trying to create a security around their own ecosystem, google is Microsoft and until these guys get together, we're going to have these breaches. One of the biggest thing is we used to talk about MFA, two-factor authentication and the latest MGM attack, which was a seam swapping. They called and they stole the phone number and they bypassed the multi-factor authentication and they attacked the entire network. So something fundamental needs to change and I think this larger organization have to kind of get together and think of something other than firewalls we were building for four decades. We're building firewalls, we're building seams, we're building honeypots, all kinds of stuff but at the end, the users are humans and humans make mistakes.

Chris Sienko: 21:59

Yeah, now, at this point I was going to move over into the career aspect and career tips and so forth, but I want to. You've talked a little bit about Loop 8 and your sort of alternative to passwords, and this seems like the place here if you would like to tell us about the sort of mechanism of what Loop 8 does and how it sort of goes beyond passwords. As you said, there's a biometric aspect to it, but can you sort of walk our listeners through how it actually works?

Zarik Megerdichian: 22:27

Sure, so in Loop 8, my first goal was I don't want to collect data. I'm only going to collect data that I need to make sure I can empower the user. So we collect emails and phone numbers. Today we have a plan by before end of the year that we don't even collect phone numbers, only emails. The system works is also your username and your encrypted vault sits on your own personal drive. We kind of went to that route. You have an iCloud or you have a Google Drive, unlike 1Password or LastPass companies that collect all of your encrypted data and keep them on their server and they become a massive target for the attacks.

Zarik Megerdichian: 23:16

Lupin's system is a passwordless biometric and what we built, which is very unique to us, is called TrueAid. What you do is you designate eight people and all you need is three of the eight saying I know Chris and Chris's identity is going to get restored, entity is going to get restored, and that's what kind of how we built this technology, which is very user-centric. We build a cookie killer and a history cleaner. So when you're traveling through the websites, you don't want anyone to know where you went after you left their site. So the cookie killer is included, is part of our suite.

Zarik Megerdichian: 24:00

We build a safe which is very unusual encrypted safe for computers which only opens up with your biometrics. There is no password. In our world, there is no password, it's only biometrics. And we also have a dark web monitoring. So every time you're browsing through an internet, if you're going to Netflix, we can trigger saying hey, your username and password was compromised. Go ahead and change this to something that takes maybe two million years to be broken, instead of a simple first name and your date of birth and those kind of stuff. So that's our story of Lupe.

Chris Sienko: 24:41

Yeah, that's interesting. I feel like that was certainly something that other types of file sharing things got right in the mid-2000s in terms of making everything on each person's individual computer and obviously an attacker, obviously, if you're you know, you know an attacker can attack one person's vault and maybe they bypass that person's phone or whatever and are able to do some other things. But there's not. It really cuts down on that idea of like this treasure chest of 10s, of 1000s of sets of credentials. All you need is that one sort of attack space.

Chris Sienko: 25:19

Now, again, you know we talked about we use the metaphor of like remote you need is that one sort of attack space. Now, again, you know we talk about, we use the metaphor of like remote work versus an on-prem work, of being the difference between defending a castle versus defending a, you know, a village of tents, and so here you know, I think the opposite is true. You can only attack one person at a time like that. So am I getting that right, that you know that there's not that sort of like war chest at the beginning, at the center of your sort of file management?

Zarik Megerdichian: 25:43

That's. You nailed it, chris. That's absolutely the case. Our design was look at LastPass as a company 35 million users, bunch of encrypted files and they became a target, because imagine a bank that has $35 million in there. Now imagine a bank that has only $8 in there. That still can be targeted, but there is not a whole lot of incentives for hackers. That's what we're building. If they want to come after you, they have to find eight other people, break their keys it's all sharded and and then they get to you. Only that's one person. Yep, this it's not. So. That's our, that's our vision. That's our vision for the future as well.

Chris Sienko: 26:31

So, and uh, that's the difference in lupate and you talk about the, uh, the sort of recovery aspect of it, because I mean, mean, I know that obviously biometrics, you know is, is a very effective certainly every time I, you know, have my face in front of the phone here and it's doing the little doobly-doo thing and then suddenly I'm in, I'm in my bank or whatever, like, um, you know, I, I understand empirically why that that works. But like, if you lose your phone, if you lose your device, um, and you said you have sort of like eight connections that vouch for you, how does that work in terms of like, recovering yourself? Obviously, the whole thing is to get away from the whole security questions aspect and the whole, you know, reset my password with the IT department or whatever. So what, how does that work with regards to the, the sort of eight connections?

Zarik Megerdichian: 27:19

Sure. So the way it works is you only need three of the eight. The reason with eight? Because when you lose your phone, you have to recover as fast as possible. You can't wait, and if someone's on a plane going somewhere, you can't wait for them to land. So the way it works is when you sign up for LuPaid, you assign the people you trust could be family members, friends, siblings, anyone and what happens is in their app, they accept to be a recovery person and if you lose your phone, all you do is you get a new phone, you go back to LuPaid, we'll recognize you coming back by the phone number and email and we'll send the information to your true aid and all you need is three people saying yes, this is Chris, and your identity comes back.

Zarik Megerdichian: 28:14

So we're going back hundreds of years to a village. When people came into a village, they knew each other and we want to stay away from stealing your password. And and and that old cartoon I had, la times or it was new york times that no one knows on the internet. You're a dog. Two dogs are talking to each other, right, right, that's that 1996. Four decades later, we're still on that stage of no one knows, on the internet you're a dog, so we're trying to change that.

Chris Sienko: 28:49

Yeah. Now again, I just want to drill in a little more on the sort of mechanics of that. So when you get a new phone you put Loop 8 back on, you sort of say of say I lost, you know, I I lost access to this previously. And then you send out a notification and so like those eight people all get kind of like a notification on their phone or device saying chris wants you to vouch for him, will you do it, or whatever. And then you talk to them on the phone. They say yeah, it's me and I did. I asked for that. Is that the idea?

Zarik Megerdichian: 29:20

that's absolutely the idea, and one thing is, when we contact your, your users, we we actually send them a message saying do not say okay until you talk to chris right, yes, okay that's good, or someone else is not coming in pretending to be Chris and trying to recover Chris's identity and get in there.

Zarik Megerdichian: 29:44

So that's the message we're sending, and when they talk to you, you say, yeah, it's me. All they do is they push a button. We have an amazing test that we have done over here. It takes 10 seconds and your entire passwords. You have all the. Everything kind of gets recovered, okay. So so that's that's that's.

Zarik Megerdichian: 30:07

It goes back into your, your sort of vault, phone vault or your device vault and and one of the things that lupate does, which is different, and and my daughter's hack is a great example uh, right now, if you have access to my computer, if you can find a way to get into my computer, you can see all of my passwords in Chrome extension.

Zarik Megerdichian: 30:28

But with LoopAid, we created a tunnel with phone and Chrome and when you open the tunnel, which is just a face ID, your passwords are available for a limited time and the moment you close the tunnel, you hit lock, your passwords are back on your phone. They're not in your computer and they're protected by your face ID. So, very different approach. And the side effect of this, the cool side effect of this is I can walk to anyone's computer, borrow their computer, scan a QR code and all of my passwords will be available on their computer. I can do my work and lock. Everything is back on my phone. I walk away and they cannot access any one of my accounts. So it gives us a mobility, yeah.

Chris Sienko: 31:19

Yeah, love that. Well, okay, so I want to sort of divide my next question a little bit in half. So first, you know I wanted to ask you about your advice for people who want to get into this particular field of you know, for LoopAid or you know other things like that. If you have any advice on you know, the types of training or work or projects that you want to see on a person's resume to indicate that they would be a good fit for doing this kind of work. And then I guess my second part of that question that I didn't ask before is have there been any recent like challenges that your team, in terms of like implementation or you know an unexpected, uh, you know tech consequences around putting loop eight together that they were solving? Like, what are the kind of problems, uh, you know, that need to be solved to put this in place? And then, what kind of people, uh, do you think are good at doing that kind of work?

Zarik Megerdichian: 32:23

Okay, so first is anyone with a security background is a great candidate for a company like ours, because all of my co-founders and I have six of them. They're also security specialists, pen testers, cisos, and these guys are specialized in protecting data. Those are good type of candidates. But my favorite candidate is a person who thinks outside of the box. When I was starting this project, I met a lot of people in Silicon Valley area to get this project going and I could see people didn't really believe in this. So I called this project Project Impossible back in 2001,. Posted on LinkedIn saying I'm starting a project impossible because anyone I talked to they said it's impossible.

Zarik Megerdichian: 33:17

So having an open mind, getting into a new tech business, will get you in a different level. You're going to grow in the business, you're going to thrive and and you hopefully develop a technology that it's good for 2024 and beyond, and it's not one of those maintenance areas. So that's that's my recommendation. So that's my recommendation People can do. Pen testing is usually the best one I really like data privacy and data governance, working with lawyers. The cloud engineering is a big thing because we use Amazon or Google or Microsoft. They don't guarantee the security, so we have to be responsible for our own security, so that is very important. So that's what I recommend for new starters.

Chris Sienko: 34:20

Yeah, yeah, well, yeah, ok, so go back to my question again. Were there any particular and I'm not doing this as a way of like interrogating loop eight, but rather like I know that, for example, using a password manager or whatever, that certain websites will do certain security workarounds with them? You know your emails on one page and then your password gets asked on the next, and sometimes that makes things go a little wonky. Or you know they do certain things that if you're trying to, like you know, add a new, you know new password or whatever. Were there any kind of like implementation challenges with regards to the sort of websites that you were interfacing with or the sites that you were attempting to sort of move credentials through?

Zarik Megerdichian: 34:59

Yes, yes, we always have those, always have those and we're still fighting them today because lots of companies develop software in a different standard. Some of them are very, very organized and standards and some just name, password, fields, something else and and it's very difficult to detect those. So we definitely have that. Our team is identifying and fixing as we go forward. All major organizations are covered. I think we have 1,000, tested, 1,000 sites, but we still come across a lot of missed password that doesn't show up in the right place and we're still seeing those things and, as we see it, we document it for our quality assurance so we can add that to our list and correct the problem. So, yes, we do have some of those challenges.

Chris Sienko: 35:56

So you were mentioning that your six co-founders all have specializations. Do you have any thoughts on specialization in the industry specifically, and within that, are there any like big skills gaps that you're seeing amongst candidates who might be trying to work for you? Are there things that you think you know? Either people are not, you know, going wide enough in their knowledge or they're being too specialized, or they just don't understand. Maybe soft skills or other things Like. What are some of the blind spots that you've seen, if any?

Zarik Megerdichian: 36:29

Unfortunately, when it comes to the world of security, there are too many roles and too many systems, so finding a person that can come in and work on your security stack is difficult. So my advice for anyone who's interested in this is educate yourself. There's a lot of good information out there. Try to learn as much as possible, because any organization you get into you can learn on the job, but at the same time, you have to have some background. So that's the biggest issue right now, which is because the field is too large. My favorite functions I kind of briefly talked about is high-level architecture of security, testing is great, cloud engineering is good and data privacy. These are areas that I highly recommend for anyone who wants to get started into this field.

Chris Sienko: 37:26

Yeah, I think that's all fantastic. Advice and I think it's also always worth remembering is that if you have an even moderate level to medium high level of security knowledge whatever you're missing in it you're going to be able to get on the job fairly quickly, as long as you can sort of demonstrate that you understand the concepts and, like you said, across a sort of a wide spectrum of things. I imagine it's probably more appealing even if you're hiring someone you know in pen testing that they also have a rudimentary knowledge of cloud or a rudimentary knowledge of, like you say, architecture. There's this understanding that you're not going to like self silo too much.

Zarik Megerdichian: 38:08

Absolutely.

Chris Sienko: 38:09

Yeah, now, um, I want to ask you, of course, uh, you clearly uh love what you do Can you talk about your favorite part of the work that you do and what it is that makes you excited to keep pushing and learning every day?

Zarik Megerdichian: 38:21

Uh, it's. It's one of the greatest feeling, chris, to wake up every day and and think about I'm doing something that, hopefully, will change the way we do business we did, the way we work, the way we enjoy our, our digital life, which is now getting bigger and bigger. So, uh, so that's, that's the most exciting part about, uh, this business, uh, thinking outside of the box, doing the impossible projects, and then that's what gets me out of the bed every day. So that's the exciting part about doing something different.

Chris Sienko: 38:56

Love it Before we go here. I know we're getting close to the end, but you mentioned the importance of mentorship to you. Can you talk a bit about your history as a mentor or a mentee and why you think it's important for there to be a robust sort of mentor mentality in security?

Zarik Megerdichian: 39:15

Yeah. So when I was starting my business, I learned a lot of things the hard way and I wish that there was somebody there to help me kind of get there faster. That's why I always recommend find a good mentor. Look for a person that can shorten the distance from where you want to start and when you want to end by giving you guidance. So mentorship is huge. What I do with my startups that I mentor is I teach them not only today, when you're starting, think about the exit, how to structure your business so you can sell it one day hopefully. And those are some decisions that people don't know. They think, oh, we're going to sell one day. But having some guidance on early days is going to put you in the right direction and that's very critical. So I highly recommend find a person. If you're a startup, find a positive person too. So because a startup life is difficult, it's complicated and it's hard, but when you have good friends and positive friends, then the journey becomes much easier.

Chris Sienko: 40:25

Now can you talk about for someone you know, if you're kind of early, mid into your career, you know certain people might be of a mindset of like, well, I don't you know who would want me for a mentor. I don't you know, what do I know? Or whatever Like. Can you give me some indications of like, what indications you would, you know, know about yourself that say, okay, I'm, I'm a, I'm a worthy mentor? You know, I need to start looking for mentees Like what, what's, what's the sort of like, what, what's, what's the Rubicon that you cross? I guess.

Zarik Megerdichian: 40:55

So what I'm looking for is people with experience and and that's usually a person that's gone this this path and and they have experience and anything they can share with me that would be useful. One thing that I'm noticing with people that I mentor is I have two different types of people. One they don't listen. They think just by being in a room they may gain some wisdom. But listening is a key because what I'm sharing is an experience from my side. But what you do is you collect those information and you use them in your business models, which is could be very different business model, but overall, most of these rules are set for businesses. So, but that's usually surround yourself with people that have business experience, have success and and that's the type of advice you want to get Don't get it from a guy who never ran a business, because he may not know some of these things, challenges that you may be facing. So that's how I would say find the next mentor. Get yourself close to anyone who has experience and is willing to share with you.

Chris Sienko: 42:13

Yeah, Now, clearly you've had a very successful career and it's still going on, but can you tell our listeners what's the best piece of career advice you ever received? What's the?

Zarik Megerdichian: 42:25

best piece of career advice you ever received? Well, I think I just gave one of them, which is very, very important Surround yourself with positive people. That's one of the key points. My biggest advice that I received in my career that helped me a lot was delegating. As a human, we're very, very much I'll do it myself kind of. We do a lot of micromanagement, but last I had a good mentor. He said Zarek, last I checked, god only gave you two hands, and when you delegate, you can multiply that. But when you delegate, you can multiply that. And that's how I built an organization with 1,600 people in 12 states and Canada and I only had two hands. And that's the best advice I can give that we have a natural tendency to hold on to issues. By delegating, not only we're building a very good team, we're also expediting, we're going with a super fast speed towards our goal.

Chris Sienko: 43:35

Yeah, yeah, I think that's such a great piece of advice and so hard for people of a certain mindset to let go of that. The idea that, like, if I let someone else take part in the work, then they get to take part in the glory, you know, like I think there's, there's a part of that. If I do it all myself, then it was all me, you know, and I don't. I don't think that's ever feasible and I think it does. Like you said, I think it kind of narrows your, your possibility for success.

Zarik Megerdichian: 44:01

Yeah, absolutely, and, chris, I had because of the organization. I had countless managers and I was fortunate to be able to see good practices and bad practices. And I saw a person that would come in at 5 am and leave at 8 pm and was micromanaging everything and was always behind for two weeks and the team really didn't enjoy working with this person. And then I saw another person that would come in, had a team standing like soldiers and delegating the process and the best performance, and so that's a difference Delegate. Your life is easier, you work less and you reach your goal much faster.

Chris Sienko: 44:43

Yeah, love that. Okay, so one last question. You talked quite eloquently about the Loop 8 platform. If people want to learn more about it or how to check it out for themselves, where should they look online?

Zarik Megerdichian: 44:57

We are at loop8.ai, okay. However, we're still in a stealth mode. We are open, but we have a limited VIP invitation. We're doing a lot of user testing, but loop8.ai is where you can enter your email and we'll notify you in a month or so to start downloading.

Chris Sienko: 45:24

Nice and if people want to learn more about you.

Zarik Megerdichian: 45:30

Zarek, where should they look online? Are you on LinkedIn? Yes, I'm on LinkedIn, zarek Megadichian, I'm pretty active on LinkedIn, so you can message me on LinkedIn and usually that's the best place for me to get to know you.

Chris Sienko: 45:38

Our listeners are very LinkedIn oriented. I'm sure you'll be getting some connections after this episode.

Zarik Megerdichian: 45:43

Fantastic Looking forward to it.

Chris Sienko: 45:44

All right. Well, thank you so much for joining me today, Zarek, and for helping me to kind of lower my blood pressure about my Roku account.

Zarik Megerdichian: 45:52

I'm glad I could do that. Chris, Thank you for having me on.

Chris Sienko: 45:55

Absolutely. And as always, as we close off here, thank you to everyone who is watching and listening and writing into the podcast with their feedback. If you have any topics you'd like us to cover or guests you'd like to see on the show, feel free to drop them in the comments below. And, as always, before we go, please check out infosecinstitutecom slash free, where you can get a whole bunch of free and exclusive stuff for CyberWorks listeners. This includes our new security awareness training series, work Bites smartly scripted and hilariously active set of videos in which a very strange office staffed by a pirate, a zombie, an alien, a fairy princess, a vampire and others navigate their way through age-old struggles of yore. This is a great security awareness training tool and it's very funny. Go check out the trailer on our site. This is also still the best place to go for your free cybersecurity talent development ebook.

Chris Sienko: 46:41

You'll find our in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ics professional and more Quite. A few of those roles were talked about in today's episode. You want to know more about them? Go to infosecinstitutecom slash free and yes, the link is always in the description below. One last time before we go. Thank you so much to Zurich, magrideshian and Lupate, and thank you all for watching and listening Until next week. This is Chris Senko signing off, saying happy learning.