Mind the Gap: Cybersecurity as a Strategic Imperative for Your Business
The more we use technology, the more we’re exposed to potential cybersecurity attacks and breaches.
And let’s be honest, technology isn’t going anywhere.
If anything, it’s becoming a more important part of our lives and businesses, which exposes small and medium-sized business owners to more risk than ever before. And with this risk comes a need to tighten cybersecurity protocols and ensure they are protected from a potential attack.
To make that goal a reality for small businesses Greg Tomchick, spoke with us on a recent episode of the Stride to Freedom podcast. Greg is the CEO of Valor Cybersecurity and is on a mission to help any size business identify and manage potential risks.
His passion for cybersecurity didn’t just come out of the blue—it came from a very real and very costly cybersecurity breach.
While operating a software development firm, Greg and his team helped other companies manage their technologies—software, apps, websites, and everything else a business needs. But, at that time, he was not focused enough on protecting the things they were building.
Because of that, they were exposed to threats.
And, sure enough, Greg’s team suffered a devastating cybersecurity attack that impacted many of their clients and cost six figures to turn around. When seeking help, Greg couldn’t find any local companies that supported small businesses through cybersecurity breaches.
So, he set out to create one. Valor was born from the necessity of small companies to have support, knowledge, and expertise in the cybersecurity area.
Where to Start with Cybersecurity?
Many small businesses understand there are real threats out there, but the biggest question most have is—where do I even start?
Greg and his team at Valor always begin their engagement with a holistic cyber/economic risk assessment. This is the proactive side of cybersecurity because it evaluates potential risks and vulnerabilities. A risk assessment may look at:
- Product development lifecycle to ensure it’s secure from beginning concepts to the end product.
- Database protection through multi-factor login and access control.
- Business processes gaps where security threats can be exploited
- Potential areas of risk that can be adjusted and fixed
Then there’s the reactive side. If a cyber-attack does happen, what’s a business to do? Valor provides a 24/7 hotline service for their customers and can deploy experts to the worksite within 24 hours. They start right away to sift through information and figure out what happened. This allows them to quickly diagnose the issue and start to resolve it.
Every small business needs their proactive and reactive plan—cyber-attacks are too real of a threat to ignore it.
Cybersecurity to Save Money
If protecting private data is not enough of a motivation to prioritize cybersecurity, money definitely is.
In his own experience, a cyber-attack cost Greg six figures to fix and in the end, even that wasn’t enough to save his company. Cyber-attacks are terribly destructive, in terms of time, money, and resources.
There are two ways to save money by prioritizing cybersecurity in your small business:
- Avoiding costly cyber attacks through proactive security measures.
- Reducing cyber insurance premiums by demonstrating to insurance providers that your company is less of a liability to them is the other.
Valor helps clients both ways. The second is an interesting concept—Valor provides a comprehensive report for companies testifying that they’ve reduced their risk. This can then be brought to an insurance provider to negotiate lower rates, saving the business thousands of dollars in premiums.
There’s so much more in the world of cybersecurity. If you’re interested, listen to the full episode with Greg on the Stride to Freedom podcast. There we talk more about the differences between cybersecurity and IT, and how tools alone are not enough to solve a problem.
The Stride to Freedom podcast is hosted by Stride Services. Contact us today to learn more about our back-office accounting and CFO services, including stable and efficient bookkeeping, cash flow management, and actionable analytics for growth. You’ll enjoy this Podcast episode with Greg.
We are fortunate to have Greg available to spend time with us on this edition of Stride 2 Freedom. If there is a speaker you’d like us to interview, click here and let us know. Stay well. Stay safe. Stay healthy.
Show Notes and Links From Episode:
Greg Tomchick: LinkedIn
Greg Tomchick: Top 10 Takeaways
Greg Tomchick: email@example.com
Russell Benaroya: Hey, everyone, welcome back to another episode of the Stride 2 Freedom podcast. I am your host, Russell Benaroya. The Stride 2 Freedom podcast is designed to help business leaders get and stay in their genius zone.
What is your genius zone? Well, it’s that thing that you do or that place where you spend time that feels effortless for you, where you create the most value in your life and in your business.
What’s our genius zone at Stride? Our genius zone is helping business owners use data to make better business decisions, and we do that for IT services firms and agencies.
Okay, enough about us. I am excited to jump into the topic today and thrilled to welcome Greg Tomchick to the Stride 2 Freedom podcast. Hey, Greg.
Greg Tomchick: Hey. Good afternoon, Russell. Looking forward to the discussion. Thanks so much for the opportunity, and ultimately looking forward to bringing more leaders back to their genius zone through this discussion.
Russell Benaroya: Which I think we will definitely do. The more time we can allow for business owners to not spend time thinking about their cyber threats, the better. So, good segue.
Greg is the CEO of Valor Cybersecurity, a cyber services firm providing cyber threat assessment, compliance readiness, and incident response. He and his partner, Jeff White, founded the company as a result of what Greg will share, a very personal circumstance that he had with a cyber attack incident in a previous company. And I’m going to let him share that story.
I wanted to bring Greg on the call because cyber attacks are here, they’re not going away. And they do not just expose themselves at the highest level of enterprise. Small businesses are also facing threats, and they can be detrimental to growing and operating the business.
We have to be responsible for security. And as business owners, it’s pretty confusing what we’re supposed to do. So Greg is here to help us untangle that web and figure out a path forward. What do you say we jump in, Greg?
Greg Tomchick: Yeah, I’m all for it.
Russell Benaroya: You’re all in. Before we start on Valor, which is where I want to spend the majority of time, you were in the minor leagues for three years. You committed yourself full body to baseball. I’m curious to learn a little bit more about you through that commitment in that journey.
Greg Tomchick: Yes, sports was absolutely a huge cornerstone of who I am as a person. It helped me work on a lot of different areas of my life that I wouldn’t be able to work on otherwise, unless I was able to play a sport like baseball, where it’s all about failure at the end of the day.
I was able to, early on, focus on the mental aspects that you needed in order to get through the different obstacles that that sport had within it. So every level you moved up, you had to persevere and add skills or tools to your tool belt and use those to create value for your team and create value for the game.
It was one of those experiences that I wouldn’t do it any other way. I met some incredible people. It’s all about the team. I still have that mentality today. Just putting your body through the ultimate test really tests your mind at the end of the day.
When you train your mind right, you train your body in alignment with that. When you have a mission you’re going after, I think you can really accomplish anything. And that’s how I made my way to the minor leagues when I had no business being there.
I was told, as a young person, I wouldn’t make it out of high school because I would get injured because I was tall and had a whippy motion as a pitcher. And I made it there.
That was one of the reasons why because I had people along the journey that said, “You might not make it.” And that made me that much more informed in order to get there.
Russell Benaroya: I appreciate you sharing that. You then jumped into a new field or another field, which is that of entrepreneurship and building a business. Tell me about that transition and how ultimately, you created what’s Valor today.
Greg Tomchick: Yeah, it’s a great question, Russell. The company, I think, started many years before. When I was in college, I went to a school that was starting up an entrepreneurship academy. I wanted to be a part of that ecosystem.
I saw a gap that companies could not afford to develop: technology, software, web apps, websites, things that every business needed. We were able to serve all of the companies that were going through that entrepreneurship academy as well as some local businesses. But we were not focused on protecting what we were building.
We were very excited about building these technologies. We were incredibly passionate about making a great user experience, making them look great. But when it came down to it, we were not looking at protecting it. And that bit us in the butt in the end and put that company on fire, both internally and its clients.
Shortly after that, once I got done with the minor leagues, I went on a rampage and really tried to learn everything there was about cybersecurity so that I can make sure that that person beside me that’s running a business does not get put in the position that I was in. There are some very simple steps that they can take.
Russell Benaroya: Just so I understand, you had what sounds like a software development firm?
Greg Tomchick: Absolutely.
Russell Benaroya: Okay. You were building software for clients, many that were in this entrepreneur academy, and you suffered some kind of cyber attack?
Greg Tomchick: Absolutely. That was called a SQL injection, for the more technically-inclined folks out there. Basically, information connects to a database where that data is held. And when you have access to that database, you can change things up.
That changes what the website or application portrays on it. Somebody was able to get in there, wreak havoc. That impacted multiple of our clients which cost us money, cost us time to have to explain what happened, cost us resources that we had to expend not on doing client work but on putting out a fire that they had never dealt with before.
I wasn’t able to find anybody in my community here or from Virginia, one of the biggest navy bases, to help me put that fire out. So we had to do it ourselves.
Most of the organizations around here are really defense-focused so government-based and they didn’t help the small business around here put out a cyber fire when it happened. So I made it my mission to be that person, that when somebody has that, call me anytime. And I’ll help you work through it.
Russell Benaroya: Was the attack a targeted attack specifically on your business? Or did this come from some virus that was propagating broadly, and you just happened to click the wrong button?
Greg Tomchick: It’s a great question. I’ve investigated hundreds of incidents up to this point of other companies having cyber attacks. What we found out later was it was through a vendor that was doing quality assurance on our database.
Basically, somebody got into their organization which caused that person to what we call island hop into our organization and wreak havoc. And they saw that as a benefit.
We spent six figures to put out what I call the fire. And it was impactful, I learned from it. But it also gives me the ability to resonate when a board is having a cyber attack or if they want to actually proactively prepare and prevent that from taking place in their business.
Russell Benaroya: If Valor existed back then, and you had been working with Valor-
Greg Tomchick: Yeah, we would have searched cybersecurity locally and we would pop right out [inaudible 00:09:27].
Russell Benaroya: What would Valor have done either proactively or both proactively and reactively to mitigate that inevitable which is like, “Hey, this is likely going to happen at some level. There’s going to be some threat.” How would you have mitigated that as a partner for your previous company?
Greg Tomchick: I’ll start with the proactive side because I think that’s important for the audience here. If that company or myself would have come to Valor and said, “Hey, this is something I’m concerned about. I’ve seen it in the news. I’ve seen other companies have this happen. Where do I start?” I would have them do some type of risk assessment.
We would have gone through and said, “Okay, your main business is developing software. Let’s make sure we have a procedure.” A secure software development lifecycle procedure so we understand what our software development life cycle depends on to really get from concept to end result for the client and deliver it and be productive for them.
If we would have put together that process, we would have seen this gap which was, we were depending on somebody else for QA and not asking them how they were protecting our database on their end. Did they have multifactor? Did they have access control to make sure the right people were logging in?
I think it would have definitely started there. That would have probably teased this out. But some of the things we would have recommended are further configuration of the database to make sure only certain people were able to access it.
On the reactive side, we deploy now within about 12 hours. So if a company calls us, we basically have somebody that works the line 24/7, answers the line, triages what actually happened, what they suspect took place.
Then basically, we have the information to investigate within 12 hours when a cyber incident happens to a company. We start to sift through the information, figure out where it came from. So we would have been able to help probably save, I would say, weeks because we had to do it ourselves.
We had to research it on YouTube and Google and try to figure out, how do we get over this obstacle? Nobody we know has had this take place. Because we weren’t in DC. We were in a smaller area, smaller community.
We needed resources, we didn’t have them. And that’s the resource that Valor creates today for this community but also others throughout the US.
Russell Benaroya: You went on, I’ll use your words, a rampage, which sounds aggressive, to start Valor, to serve the community with both proactive and reactive services around cyber threats.
Maybe talk about what the scope of those services are today, the types of companies that you work with, and maybe the ideal circumstance for a client to come to you. And then what you probably often face is the less ideal circumstance with when they’re coming to you.
Greg Tomchick: Yeah, it’s a great question. I think, who do we serve? And then I’ll go into a little bit about the scope of what those services look like. We serve technology. So you think about a SaaS company, an IT-managed service company, companies that deal with technology.
We serve financial companies. So people that have financial transactions going back and forth. And then we serve defense contractors because that’s near and dear to our heart. That’s the industry that we really grew up in, around this area.
If you think about what we help people address, it really all comes down to most companies have a regulatory requirement around cybersecurity or they have to have cyber insurance.
If they don’t have that, they have customers asking them, “How are you protecting our data? How are you protecting our communications?” Things of that nature.
A lot of times it’s either a compliance requirement or they have a vendor ask them a question about cybersecurity or they’re actually concerned about, as their company is expanding so rapidly, “We really need to protect this proactively or something is going to go wrong. We’re going to miss something. There’s going to be a gap in our strategy. We need to do something about that.”
That’s really where the journey starts, to get somebody to take the first step. If you don’t take the first step, Russell, you’re never going to get 10 steps ahead.
I think that’s what more people need to do when it comes to cybersecurity. How do we deliver on that? So we have a free rapid cyber threat assessment where the company can answer 10 to 15 questions. We’ll give them recommendations based on that profile free of charge to get them to say, “Here’s what you should be doing. If you’re not doing that, here’s some things to consider.”
We offer a more comprehensive assessment for what we call our cyber threat assessment, which is a little bit more upgraded, where we actually go into the business, get a little bit more hands on, speak with the leaders of the organization to understand what’s important and what they really want to protect at the end of the day.
Then once we provide a report, we don’t provide tools. Our recommendations are not going to be a toolset that we offer and we get a commission off. We have a vendor agnostic assessment. So it could be everything from partnering with your IT service provider to putting in these pieces of equipment with these configurations, things of that nature. Or it could be drafted into an incident response plan.
We support all of those initiatives as what we call fractional CISO, virtual CISO. So it’s really everything that a chief information security officer would do as a security leader of a business. We provide those exact services for, as I mentioned, those industries, those communities, and organizations that are navigating those unique pain points from that standpoint.
Russell Benaroya: Why did you feel that the scope of services that Valor provides was or is the right scope of services to solve a need in the market that you perceived wasn’t being addressed by others?
Greg Tomchick: Yeah, it’s a great point. Cybersecurity as a formalized industry, as an industry that can serve into other businesses is still pretty young.
Early on in my career, after I got out of baseball, I went to work for a government contractor. And then I went to work for a company called Navigant in Washington, DC.
They were offering something called legal technology services. So it was, what are the lawyers doing in a case that is going to require an additional expertise area? And cybersecurity bloomed out of that. I think the FBI, the CIA, the NSA had a big deal to come up with that. But it’s still very young as an industry.
Myself, Jeff, some of the other folks on our team have had a lot of success at a very high level. So you think fortune 50, the American Airlines, the Kubotas, the Caterpillars, these very large organizations.
We had a lot of success rebuilding a lot of their cybersecurity programs because it needed revamp from big four fatigue. They had so many cooks in the kitchen around what their security program should look like that it got overly complex.
We would go into those environments and simplify them. And we wanted to make sure these companies that are starting these things from scratch, just starting in cybersecurity, have a viable product or service. They know it’s great in the market, it works.
They know the benefit. They want to protect that benefit from continually growing and making sure nothing is going to disrupt it. We wanted to bring more of that expertise at the high level to them, to give them what we look at as a fighting chance to get out of that small business potential bucket.
It gets them to be able to leap over and say, “We’re now a medium business. We’re now a large business. We’re moving up the maturity chain that we want to move up. And there’s nothing that’s going to stop us from getting there because we know where we stand.”
Russell Benaroya: Why wouldn’t this be something that MSPs IT service providers might do?
Greg Tomchick: It’s a great point. We have discussions about this every day because we have a few IT MSP partners. I think it’s a gap in expertise. I think cybersecurity and IT are not one in the same.
Cybersecurity is really involved with data and information, confidentiality and integrity. And IT is responsible for availability of systems, making sure everything’s up and running, making sure things are secure from the tool standpoint.
When it comes to the data standpoint, the incident response procedures, things of that nature, and actually the structure around a whole security program, I don’t think there is a lot of expertise out there that’s not in a tool.
A tool can only solve certain problems, it’s only a tool. It has to have a strategy around that just like you guys do over at Stride when you’re looking at somebody’s back office systems, how their whole business is structured from a system standpoint.
Those tools are just tools, at the end of the day. They’re not going to really solve the main root cause of whatever issue that organization is going through. So we try to look at things like that.
We’ve seen MSPs out there offering cybersecurity as a service where it’s a stack of tools, and that does get the organization to take the first step. It gets them to the next maturity level. But that’s not going to be what gets them to the next maturity level at level three or level four.
It requires a strategy. It requires experts who have built these programs before, and it requires more than just tools. So I think IT MSPs will be leaders in this along with cyber insurers.
They are going to be leaders in providing cybersecurity services because they’re at the epicenter of making these transactions happen from either a technology or an insurance standpoint. They’re going to continue to have a huge impact.
I think at the end of the day, we want to be a value-added partner to MSPs because you can’t be everything to everybody. And when you have value-added partners who provide niche-specialty services like we do, I think it elevates the trust with the client.
It shows that you have your domain lane and are experts at that and look to the right people to address common concerns like cybersecurity.
Russell Benaroya: You mentioned insurance, and it looks like you have a role to play in helping companies provision cyber insurance. Can you talk a little bit about that?
Greg Tomchick: Yeah, this is one of those areas I’m very excited about. We’ve been working on this since we started the company back in 2021. So we’re about a year and a half in business. Yep, coming up on a year and a half.
When we started the company back in 2021, the cyber insurance and cybersecurity savings discussion was not taking place. We were extremely passionate about it.
We wanted to take our assessment from any company that we worked with directly to their cyber insurer and say, “We have elevated, we have increased their cyber maturity, which lowers your loss exposure likelihood. So you should be giving them a premium reduction.”
Since bringing that assessment to the first cyber insurer, we’ve been able to save thousands of dollars for companies on their cyber insurance premium. And really seeing the success of that interaction and these companies saying, “We’ve been paying 10 grand a year for our cyber insurance premium. Now we only pay five. That’s going to free up money to put here. We’re now going to be able to do further things that we want to do.”
Also, they have a more accurate policy. So it’s a win-win across the board, the insurers love it. We’re actually trying to go after more of a business tax break from doing some of these cybersecurity activities, which is an interesting development that we’re pursuing now. But doing the right thing should be incentivized.
As an economics major in college, it’s in my blood to make sure the things that I interact with or incentivize and make sense for people to do because it’s the right thing to do. And it’s going to benefit all involved. So if you can give somebody a little bit of incentive to take that first, that second, that third step, we want to be a part of that journey for folks.
Russell Benaroya: Yeah. Are you operating as an insurance broker?
Greg Tomchick: No, we’re not.
Russell Benaroya: Oh, okay. How do you build the bridge for a company that wants to get the benefit of demonstrably being proactive in cyber readiness and get the benefit of premium reduction in insurance policy? Do you work with a certain carrier?
Greg Tomchick: Absolutely. It all starts with what we call a cyber threat assessment, where we go in and really understand what the business depends on, what needs to be protected in a priority order. And then some initiatives that should be prioritized.
Basically, what we do is put those results into a framework. NIST cybersecurity framework, for example. CIS Top 18, there’s a couple of different ones out there. And we bring that framework to the insurance provider.
We have a good relationship with some of the top ones. Most companies do not do this. They do not submit their recent assessments to try to bargain for themselves.
Basically, what we do is we do the evaluation. From that assessment, we can understand what their policy should look like and what limits they should have in each area of their policy. And we basically take that, compare it to the current cyber insurance policy or what has been recommended by the insurer.
Then we go back and say, “Here’s what it should look like. And here’s the framework that we put together based off of the recent assessment”. Basically, most of the time they say, “Okay, that works.” It’s a little bit of negotiation. But if you don’t ask, you’ll never know.
Russell Benaroya: Yeah. Awesome. When you think about the growth of your business, do you anticipate or desire growth to come through channel partnerships like MSPs or direct to companies?
Greg Tomchick: It’s a great point. There is some liability when it comes to cybersecurity services. Just like IT services, if you break something, there may be something involved.
We’d like to separate the liability when we work with an IT MSP. We value partnerships. I think that’s why we started the company. It was all around culture. It was all around specialization of services.
When you’re a specialty service, you need value-added partners who have the other parts of the ecosystem. We’ve worked for companies that had that full lifecycle model where they did everything in cybersecurity, and we served everybody.
That was not a model that I felt was sustainable, at the end of the day. You have to know who you serve. You have to know their pain points. You have to serve them with something that’s going to make their life better at the end of the day. That’s what we set out to do. And we want to make that a reality each day.
Russell Benaroya: What are three key learnings from your baseball career that you have brought to company building, specifically at Valor?
Greg Tomchick: So many lessons learned. Lessons are blessings in my mind. It all comes down to when you fail. And that was one of my biggest obstacles as I got out of baseball and I went into business.
When you fail, do you get a lesson from it and then find a way to move on from the feeling of failure? Or do you hold on to the feeling and not learn the lesson because the feeling is so strong?
I think baseball taught me that. When I got out of baseball, I didn’t know how to react to that in the real world when it came to putting myself out there to fail.
I think three lessons that really resonate with me, actually, it’s funny you mentioned this. I’m actually getting ready to publish my second book, which is called Athlete Entrepreneur. It’s actually with 10 other professional athletes that turn entrepreneurs.
We each have a chapter where we write some of the things that we think are most impactful to our journey as entrepreneurs. I think one of the things that really sticks out for me is environment. So making sure your environment is conducive to what you want to accomplish.
I think that environment is a key thing. It always was with baseball, where the people that supported us, the janitors, the people that were doing laundry, things of that nature, when you showed them appreciation, and I take this into our world today, everybody has a part to play in the equation when we’re on the field, when we’re off the field.
When you have that environment set, whether that’s at your home, in your place of business, I think it’s really conducive to a healthy mindset. We have 90,000 thoughts a day, I think it is, or 70,000 to 90,000. 80% of those are negative. So if your environment has anything in it that may bring negative thoughts, it’s going to really allow those negative thoughts to take over.
I’m a huge component of that. I think teamwork is always something I continue to beat the drum on. Nothing happens alone. I learned that early on in business. I definitely tried to, as I was young, start businesses alone and try to perform the service. And you hit these bottlenecks.
When you have other people that support you, that complement the things that you’re not necessarily good at, that’s where I think magic happens. That’s where you’re able to really stride to freedom in your business, where you can depend on other people and really have that accountability amongst yourselves. I think that’s where great teams, great companies are built.
To wrap it all up, I think impact has been huge for me. In baseball, it was going over to the sidelines when I was walking to the bullpen and saying hello to some fans and just introducing myself.
When you’re passionate about something and it means something to you and it really matters at the end of the day and you feel the impact not necessarily just for yourself but when somebody else is realizing that impact, I think that’s what it all comes down to.
I saw it in baseball. I tried to pursue it each day in business when it comes down to making decisions based off what matters, which are the people. If we can make a positive impact on other people, leave them a little bit better off, I think that’s a life well lived in my mind.
Russell Benaroya: Greg, love it. Thank you so much. Let me ask you one last question, which is really the genesis of why this podcast even exists. And that is, how do you best help business leaders get and stay in their zone of genius? How does Valor do that?
Greg Tomchick: It’s a great point. I think it’s really helping them identify and address cybersecurity threats and business requirements. We all have complexities in our business.
When we don’t properly look at those complexities and find ways to address them, whether that’s doing your own research or looking to experts, they build up in what I call technical debt. You know the word debt.
When you use technology like we have and have the overdependence on it, it creates debt which is somewhat intangible, builds up over time. And then it blows up like a balloon. We help business leaders to stay in their genius zone by making sure that that debt is reduced continuously so that their business can thrive.
Russell Benaroya: Love it. You also help business leaders have more confidence and peace of mind that they can drive their business forward with the comfort knowing that they’ve been proactive in mitigating against threats that otherwise could be really devastating for their business, but they’re on top of it.
Their vehicle of equity value creation is sound. And that frees up some headspace to focus on growth.
Greg Tomchick: Absolutely. Yep. And the certainty that nothing is going to bring that down from the uncontrollables. You reduce the uncontrollables. Absolutely. Well said, Russell.
Russell Benaroya: Yeah. Greg, thank you so much. I was excited to learn about Valor. I wanted the community to learn about Valor. But maybe what they learned more about was you and your why of even endeavoring to start this in the first place.
I think it’s organizations that are grounded in a purpose that build a bridge to better client relationships, more commitment to striving to live your principles. And Valor certainly comes across as the kind of organization that I would certainly feel I would want on my team. So thank you, Greg. I really appreciate it.
Greg Tomchick: Absolutely, Russell. It’s my pleasure, and I look forward to helping more leaders get back to their genius zone.
Russell Benaroya: Awesome. Well, listen, thank you, everybody for listening to another episode of the Stride 2 Freedom podcast. We will look for you on future shows. Have a great day. Take care. See you, Greg.