EP #27 Trends in data breaches and security over the years

About this Podcast

In today’s episode of the podcast, we’re joined by Sam Masiello, the Chief Security and Technology Officer of Beckage, a law firm specializing in technology, data security, and privacy. Before moving on to Colorado Cyber and Beckage, Sam worked on technology and security solutions for some of the email industry’s largest brands, including MX Logic, Return Path, and Groupon. He joins our host, Matthew Vernhout, Vice President of Deliverability at Netcore Cloud, to discuss the trends in data breaches and email security over the years.

Quick snapshot
In this podcast, they discussed
Trends in data breaches as compared to 10 years ago.
What should businesses be looking at to protect themselves and their customers from malware?
Real-time insights of bad security practices in a firm.
Is email authentication the responsibility of only a certain group/individual?
Best practices to follow to maximize authentication.
Experiences in helping email companies to achieve their security standards/needs.
Tips for the audience to take back to their workplaces.
Episode Transcripts


Intro (00:06): You’re listening to the #fortheloveofemails podcast, powered by Netcore, a weekly show dedicated to helping email marketers, marketing enthusiasts, and professionals of all walks engage, grow, and retain customers through reliable, smart, and effective email communication and engagement. Discover actionable ways to increase ROI and deliver value through email innovations, personalization, optimization, email deliverability, and email campaigns. No fluff: tune in to hear best practices and tactical solutions from the best thought leaders and practitioners, and master your email communication now.

Matthew Vernhout (00:42): Hello and welcome to the #fortheloveofemails podcast. I’m your host Matthew Vernhout, Vice President, Deliverability for Netcore Cloud. I’d like to welcome to the show today Sam Masiello, Chief Security and Technology Officer at Beckage. Sam, welcome to the show.

Sam Masiello (00:56): Hi, thank you so much for having me. Glad to be here.

Matthew Vernhout (00:59): For two decades, Sam was focused on technology and security solutions for some of the email industry’s biggest brands, including MX Logic, Return Path, and Groupon, before moving on to roles with organizations such as Colorado Cyber and Beckage. If you don’t know them, Beckage is a law firm focused on technology, data security, and privacy. Sam and I also spend a fair amount of time together advocating for a safer and more user-friendly internet with the Coalition Against Unsolicited Commercial Email, or CAUCE; for the past nine years, we’ve both been on the board of directors for this community-based organization. Sam, I know I just gave a bit of a background, but what is the day to day in the life of Sam at work?

Sam Masiello (01:39): Yeah, it’s pretty complicated. You know, at our firm, as you mentioned a moment ago, we focus primarily on data security, privacy, and incident response as well. And so, in addition to helping build the security program at the organization, I also consult with some of our clients on some of the issues that they’re having. So whether it’s working with our attorneys and digging into some of the issues that they’re following up on relative to incidents that our clients may have had, or potentially working with clients on helping build policies and programs for their organizations to build a security practice. So it’s pretty busy between, you know, juggling the corporate security responsibilities and the technology responsibilities at Beckage versus helping the attorneys as well. But it’s a lot of fun, really. While there is plenty to do, certainly at any given point in time, it’s a lot of fun as well, and the team I work with is great. So it’s a great place to be, a great company.

Matthew Vernhout (02:32): And it sounds like you work on both sides of the fence: consulting for clients, and then internally managing your network. That just sounds like a ton of responsibility on the day-to-day.

Sam Masiello (02:40): It is, but, you know, that’s part of the reason I love it. You know, I love the challenge. I love the opportunity to be able to grow my skillset as I build out the organization for Beckage, but also at the same time, it’s great to work with our clients as well. You know, our clients have a strong desire to make sure they’re building strong security and data privacy programs, especially as the regulations continue to evolve and new regulations continue to get passed. There’s a lot of awareness that companies need to have around how they are collecting and protecting information, what they’re collecting, and how that data fits into some of those data privacy regulations that are coming out. And they’re also looking for guidance as to whether these regulations are applicable to them, what they need to do to become compliant, and how they need to get there. And then on the incident response side, as you know, breaches are happening every single day. You don’t have to look far in the news to find information on a new breach that’s occurring. And so we are contacted on a pretty regular basis by insurance carriers and clients of ours as well, to help them follow up and coordinate their breach response.

Matthew Vernhout (03:41): Yeah, like when we were preparing for the show, one of the things that we went and found was, you know, there were 99 significantly sized data breaches last year in August alone. Right. And as you know, we saw last year the decentralization of the office workspace, which just makes for richer targets and a wider network that you have to protect, right? How do you see this trend continuing? Data breaches 10 years ago were relatively small and infrequent. Now it seems we’re getting multiple every day. Where do you see this trend going?

Sam Masiello (04:15): It’s a trend that’s, unfortunately, going to continue. I mean, as much work as we’re trying to do as an organization, you know, to help organizations be aware of the things they need to be doing from a data security and privacy program perspective, as I mentioned, we have a lot of work to do on the incident response side as well. And the amount of data that companies are collecting really is what these guys are after, and anything they could potentially monetize, whether it’s the data itself or the encryption of data through attacks like ransomware. I mean, these guys realize that data is the lifeblood of an organization. When I say these guys, I mean the threat actors, right? The threat actors realize that data is the lifeblood of an organization.

Sam Masiello (04:55): And so whatever they need to do or can do to potentially monetize that information is what they’re going to do. And I think the important aspect of this is that it doesn’t matter what size organization you are. You’re potentially a target. They’re not just going after the big guys. They’re not just going after the financial institutions. I’ve been in security for a long time, and one of the things that I’ve heard a lot from people is, well, we’re not a financial institution. We’re not a big e-commerce company. We’re not this. We’re not that. We’re not a target of these guys. Well, quite frankly, while certain threat actors specifically will target larger organizations, in a lot of cases what they’re looking for is targets of opportunity. And if you’re one of those organizations who feel like, well, we’re not an X, or we’re not a Y, or we don’t have data that would be interesting to these guys, they’re wrong, because it doesn’t matter where they’re getting their data from, and it doesn’t matter who they’re targeting.

Sam Masiello (05:46): It doesn’t really matter to them who they’re compromising; everyone to them is a target of opportunity. Anyone who has data that could potentially be leveraged in a way that could make them money in some way, you’re a target for them. And so that to me, I think, is the biggest message as people have watched the growth of the number of incidents that have been occurring over the past few years: I hope that the belief that we’re not a target because we don’t have this, or we don’t have that, or we’re not this type of company, I really hope that that belief has gone away, because I think the evidence certainly shows that you don’t have to be one of those companies to be a target. You don’t have to be one of those companies to potentially get attacked by ransomware or by some other attack. Everybody potentially is a target, and the landscape has changed, right? It’s all about how do they get money? How do they monetize the information that’s available to them? And they don’t necessarily care how they get it.

Matthew Vernhout (06:42): Yeah. And I would say I see that trend in email as well, talking with brands or talking with businesses. Having my own website domains, I have, you know, a number of domains that I manage, as an example, and I think I do pretty well in regards to authenticating my own domains. But recently one of my domains was attacked and had thousands of messages spoofed using the domain. And it’s a domain of a single user. So when businesses say I’m not a target, I always use that as an example. You’re not a target, but I am. How does that make sense? I don’t have any e-commerce. I don’t even have a website on the domain, as an example, but it sent 20,000 messages on Tuesday.

Sam Masiello (07:22): Yep.

Matthew Vernhout (07:22): Right. Those weren’t approved, but thankfully, due to strong authentication, most of those didn’t deliver. Right. So, you know, tying in the role of a CSO to the email marketing space, obviously being an email marketing company and an email marketing podcast, I’m going to tie these two things together. Where do you see brands struggling with their email solutions? You know, email is probably one of the biggest doorways into an organization for delivering malware, delivering ransomware. Where do you see those gaps, and what should businesses be looking at not only to protect themselves but to protect their consumers when it comes to their email marketing efforts, or even their email efforts in general?

Sam Masiello (08:13): Yeah. That’s a great question because, certainly, as I look at the intersection between marketing and security, there needs to be a lot of collaboration there between the marketing organizations that are collecting a lot of data and, effectively, I would say, own the customer relationship. I mean, at the end of the day, regardless of the amount of data that you have, the marketing organization owns the relationship with the customer, from my perspective. So because of that, there’s a lot of obvious connection between the marketing team and the efforts they’re making to collect data, whether it’s leads, email, questions, or however they’re trying to get their information, versus, from a security perspective, how that information is being protected. And then also tying into some of the privacy regulations as well, to make sure you actually have a business need to collect the information you’re collecting, and making sure that you are properly disclosing the information that you’re collecting and why.

Sam Masiello (09:08): But then as you think about some of the things you’re talking about from a marketing perspective, relative to things like deliverability, that’s where some of the authentication technologies like DMARC can come into play. And the last couple of places I’ve been at, it’s been something that we’ve struggled with a bit as it relates specifically to the primary brand domain. Because if you look at a lot of organizations, they’ll have some set of domains that they may have defensively registered for protection against spoofing, for example, or they may have brands that they’ve acquired along the way where they acquired new domains. And they’ve either continued to leverage those domains because of the brand recognition that existed for those domains, or they folded them into their own brand domain as well. So as you start thinking about the universe of emails that are being sent from a brand at a particular time, and the number of sources those emails may be coming from, it can be difficult to really collect all of that data and make sure that, for one, you establish a standard and say, right, these are the senders of the email.

Sam Masiello (10:12): They’re allowed to send emails on behalf of our domain. And sometimes that can be the most difficult part, because you may already have relationships with 20 different vendors that are sending emails as randomdomain.com. Well, all right, how do you start looking at a segregation strategy? Because, the way DNS works and the way email authentication works, you can’t necessarily pack 20 email vendors into a single SPF record or DMARC record. And so you start thinking about what your segmentation strategy is going to look like, and start thinking about what types of emails we send out and how we do a better job of segmenting those streams into different subdomains, so that we can do a better job of protecting those with SPF records and DMARC records that will actually allow us to start setting policy for them, to help prevent the issue you were just talking about a moment ago, where your brand domains are getting spoofed.

Sam Masiello (10:59): And that can be difficult, especially when, A, you already have a fair number of vendors that are already sending as your brand domain, but, B, you have an organization that is fairly large and fairly complex in some cases, where you have people, not necessarily because they’re trying to do anything malicious, but they’re just starting to set up new domains and new campaigns and new things that are also going to send out email on behalf of your brand. And they may not be aware of the standard that says, oh, these are the brand domains, or these are the vendors you’re supposed to use to send emails for that particular brand or subdomain or whatever. And so to me, the hardest part has always been not just the collection of that information, because there are lots of tools to help you do that, lots of commercial tools.

Sam Masiello (11:43): They’ll help you collect the forensic data or the aggregate data from your DMARC record to help you understand where that data is coming from. But then it’s, all right, how do we start taking action on that data? How do we start using that data? How do we start, as I mentioned earlier, establishing that standard and saying, these are the brands, these are the vendors that we can use to send emails for our brand, such that we can then lock down the email streams and be able to actually set a more definitive enforcement policy for your DMARC record, either quarantining or rejecting things that don’t fall into your standard? And then, once you actually establish that standard and you set that policy, that’s when you can start being a bit more stringent when, say, somebody in the marketing organization or some other organization decides to set up some new email campaign using some vendor you’ve never heard of before, and suddenly they’re up in arms because their email is not getting delivered. Well, then at least you have the policy to be able to lean back on and say, well, the reason your email is not getting delivered is because you didn’t follow the standard and follow the policy.

Sam Masiello (12:39): But that to me has always been, especially in larger, complex organizations, the biggest hurdle to get over. Collecting the data is one thing, but how you start actioning on that data and start putting that data into a policy and a standard has always been the more difficult part, because, at the end of the day, it’s a difficult conversation from a security perspective to say, well, you have to stop using that vendor, right? Because from the business perspective, they’re going to say, well, that’s the one we signed the contract with. So it’s more about the planning and the segmentation internally to accommodate the business needs, but also doing so in a way that is scalable for the organization and fits into the posture that you’re trying to build from a security perspective as well.

Matthew Vernhout (13:18): And I think, you know, what I’ve seen is you don’t get good buy-in if it doesn’t come from the executive level. If you have your marketing team trying to do this and your security team is like, we’re getting to it, or vice versa, the security team says, yes, we need to do this, and the sales team is like, well, we’ll figure it out as we go, kind of thing. You need to have that focused effort across the board. And I think that’s really the only way to do it, because, like you said, there are partners, there are vendors, there are support services. Maybe you’re using a third-party support tool that is sending email as your domain. And yeah, over time, SPF records get full: too many characters, too many lookups, too many includes. And part of that, I think, comes back to awareness of the IT team. They may not be aware. They just keep adding. Oh, someone said add another include. Okay, we’ll just add another include. And I think there’s certainly some education that we need to continue as an industry, and hopefully organizations like yours continue to push that effort as well when you’re working with clients, especially post-compromise.

Sam Masiello (14:29): Yeah, right. I realized I was picking on the marketing organizations there, but it’s not just marketing. It’s HR. There are lots of teams within an organization that may have to send out an email for benefits information or what have you. And so, while I was picking on marketing, I didn’t necessarily mean to just pick on that, but there are lots of teams within any given company that may potentially need to be sending email to the employees, or may need to send email on behalf of that brand, that need to be having these same conversations.

Matthew Vernhout (14:57): Right. Now, I think it’s sometimes easier to bypass the security policy by going for a $10-a-year registered domain, and it’s close enough, so people shortcut for those exact reasons. And obviously that’s a problem. I’ve seen agencies in the past register domains on behalf of their customers because of internal policies preventing that from happening, and all of those things circle back to make the life of the CSO problematic.

Sam Masiello (15:22): Exactly. Right.

Matthew Vernhout (15:23): So thinking about some of those things, right, are there real-life scenarios where you’ve experienced this as a CSO, where you’ve had to internally bring the hammer down? And what kind of things do you look at to prevent that from happening?

Sam Masiello (15:37): Yeah, I’ll answer the first question: the answer is yes. There have been situations where I’ve had to bring the hammer down, but unfortunately here’s the other problem you encounter. You’ll have other executives in the organization, and this goes back to your comment earlier on executive buy-in, and it can be very difficult to obtain sometimes if the executives aren’t even necessarily willing to follow the commitment that they made to you as a security organization to follow through on those standards. One of the previous places I was at, we had someone who was in charge of the marketing team, who within his own organization said, we are no longer going to stand up new vendors for sending out third-party emails. And then somebody within his own organization decided they were going to establish a relationship with some vendor we hadn’t heard of before, and suddenly, instead of falling back on his own policy and saying, you know, this is what I said we’re going to do,

Sam Masiello (16:30): he said, well, okay, we’ll just figure out a way to make it work. And so sometimes, even when you think you have the buy-in that you need to have, the pressures of the business, or sometimes just the convenience of not telling somebody no, makes some people go back on their own words. So that sometimes is another hurdle that you encounter: even when you think you have that buy-in, the people who provided you that buy-in aren’t necessarily consistent with their own messaging. So I don’t know if there’s really a good answer as to how we’ll get past that problem, but that’s part of the iterative problem I think we regularly have within security. It’s not only that partnership and that executive buy-in, but also making sure that that executive buy-in remains consistent once established.

Sam Masiello (17:17): And that, to me, I think is going to be something that, like I said, there’s not an easy answer for, and at the end of the day, the security team needs to support the business. And so, while we certainly will establish the policies and standards that we want to establish and need to establish in order to maintain the operational effectiveness of the security team, there’s always going to be that balance that has to exist with the business as well. And that doesn’t necessarily mean that the security team always says no. And that’s the thing we always have to make sure we get away from as well: you don’t want the security team or the IT organization, or whatever technology organization you’re working with, to be viewed as the department of no.

Sam Masiello (17:59): And I think that’s largely been a stigma that we’ve been trying to overcome, I would say, for the past 10 or 15 years. A lot of times people say, well, if I go to the security team, they’re just going to tell me no. Well, all right, if that’s the mechanism by which you operate as a security leader, you’re not really doing well to fit in within the business. You need to figure out a way that you can still make sure that you are establishing and maintaining standards and policies in the organization that aren’t introducing additional risk to the organization. But at the same time, you do need to fit into the business as well. And sometimes you have one of those “yeah, but” conversations, to say, well, I’m not going to tell you you can’t do this, but we’ll try to figure out some way that we can support you in the way that you want to do business, but at the same time not jeopardize our posture from a security perspective as well.

Matthew Vernhout (18:46): Yeah. I’ve experienced that as a compliance officer at a previous role where, you know, you’d get pushed from the sales team to say, at least from the ESP point of view, we want to sign these guys, and you do a review and you say, yeah, okay, these guys are okay. Or sometimes you get those clients and you’re like, not really, these are the ones we maybe don’t want to work with, just as a pre-vetting type solution. And I did get called Mr. No, which was not really a fair thing, I think, because I was always, no, but if we did it this way. And I think that’s a fair statement, right? You need to be able to say no, but you shouldn’t just say no without options. We should say no, but we can find a way. We can figure that out. And I think that’s really where a lot of that contention comes from between the marketing and sales organizations and the compliance and security sides. In the end, we’re all on the same team, trying to serve customers and make money as a business. But we have to go about it the smart way. I think that’s probably a fair way to say it.

Sam Masiello (19:54): Well, and if you’re viewed as a barrier to the business, to the conversation we were having earlier, people will find a way to get around you. Maybe it’s signing with an agency that’s going to register domains on your behalf and prevent your security team from getting involved, and possibly prevent your security team from even knowing what’s going on. So it’s important to make sure that you are balancing security with the business as well, because if you do, then people will view you more as a partner and less as an inhibitor. They’ll say, all right, I’m going to be able to go to Tibet, or I’m going to go to Sam, and we’re going to be able to have a reasonable conversation about how we’re going to accomplish the business goal that we’re trying to achieve.

Sam Masiello (20:31): And in some cases there may not be a good way to do it, but in most cases you should be able to work out some sort of compromise that will be suitable enough for the business, such that they realize that, A, I can partner with you, and, B, I’m not going to look for ways to go around you. Because at the end of the day, people are being given the task that they’re given, and they’re trying to do a good job, and they’re trying to get those things done, and they’re going to do whatever they need to do to get that done. Generally, they are going to follow the policies and standards embedded and provided within the business. But if you don’t provide them some way to be able to work together with you, they’re still going to find some way to do their job and get done what they have to get done eventually

Sam Masiello (21:06): anyway. And if that means going around you such that you don’t have any visibility into what’s happening from a business perspective, that’s very risky. And so it behooves you as a security leader to be a partner to the business, and to be someone who is approachable, and someone that people want to work with to come up with solutions, and who they feel they can come to, and that you can come up with a solution that will suit their requirements as well. So that not only will they want to come to you again, but they will also encourage others to come to you as well. And so that, to me, is the biggest piece of success or failure as it relates to being a security leader: your ability to integrate with the business and be a partner with the business. Because if you can’t do that, you will fail spectacularly because of the amount of shadow IT that will go around you that you’ll have no idea about.

Matthew Vernhout (21:53): So, speaking of that, who owns proper email authentication within a business, if you will? Is it any one group or individual, or do you see it as everyone’s responsibility?

Sam Masiello (22:10): It’s certainly a team effort. You know, I think the implementation part of it has always rested with my team, with the security teams, because they’re the ones that either have access to DNS or have knowledge of DNS, the more technical underpinnings, the more technical gory details of that. But when you think about the overall process, as we talked about earlier, there’s a process involved here that requires a lot of coordination between the security teams that are going to do the implementation and the organizations that are going to be looking to send email on behalf of the company, such that they understand what guardrails they need to work within and what the expectation is from a security perspective. But again, that partnership needs to be there, such that they can work together on those solutions and what that’s going to look like. So it’s definitely a team effort from my standpoint. Again, while the technical implementation will rest with the security team, there needs to be that understanding and that policy and those standards that really drive how it’s going to be done. But it’s a team effort to make sure all of that actually happens.

Matthew Vernhout (23:11): And is it enough to simply publish authentication records versus check them on the way in?

Sam Masiello (23:16): No, not only do you need to check them on the way in, but you also need to make sure you have a process by which you’re continually evaluating what you have in your records, right? Because you may off-board vendors you’ve been working with for a while. You may be onboarding new vendors. And so you have to have a process by which you’re going to do intake, but you also have to make sure you have a process to be able to do off-boarding as well. Because, like we were talking about earlier, there’s only so much space within these records. And so as you think about the governance and the management of these records and your segmentation practices, your segmentation policies, all of that needs to be considered as you’re putting these together. Because if you want to be able to onboard, let’s say, a new vendor to handle certain types of transactional mail, you need to look at what you have and say, all right, do we have any space within the existing record to add another vendor?

Sam Masiello (24:01): Are we still doing business with the vendors that are still here? Can we take some of them out? And so to me, it’s an ongoing process, an ongoing maintenance process. But again, while the security team may own the implementation of that record from a technical perspective, that’s where the partnership and the process come into play within the business as well, to make sure that the records are being managed appropriately with the business, and the business understands who they’re partnering with and whether or not we potentially need to look at additional segmentation strategies to better fit what we’re trying to do. You know, maybe we need to look at segmenting our transactional mail streams in different ways, or our business receipt or notification mail streams in different ways, to be able to accommodate what the business is trying to do. But keeping in mind that we do have some technical limitations that are in place based on just how big those records can be.

Matthew Vernhout (24:51): Right. I think that that’s something I see, and I advocate quite a lot as well, the idea of at least quarterly, or maybe semi-annually, reviewing your authentication records and making sure you still need them. If you’re not doing that, if you don’t change vendors, fine, maybe you can do it once a year, but I think you’re right. Things get stale. Things get out of sync. Someone does an update to a record somewhere, and all of a sudden you have problems. You need to have a process to catch those.

Sam Masiello (25:20): Yeah. Especially if you’re in a position where you have either moved towards, or are actively moving towards, a reject DMARC record. Because if you’re not doing that governance and you’re not keeping those policies up to date, you may find yourself with mail getting quarantined or rejected that may still be legitimate email. And so it’s important, not only as you’re establishing these records and establishing these processes, but the maintenance is important if you’re going to maintain a policy enforcement record in DMARC of quarantine or reject, because, like I said, you may find yourself with email not getting delivered that you either need or want to be delivered.

Matthew Vernhout (25:56): Yeah. And I’ve heard so many horror stories from brands going through the process of turning on DMARC at a non-policy and finding infrastructure they had no idea they were still using, whether it’s an old vendor that’s just sending transactional mail that they have no idea what’s going on with, or whether it’s a partner sending on their behalf and they weren’t aware. You know, I had a conversation with another consultant a couple of years back, and he said, you know, the client I was working with told me that they had four email vendors. And when we turned on DMARC, we found 18.

Sam Masiello (26:31): But that’s not uncommon. That happens. That happens almost, I’m going to say universally, but I would say that probably happens more often than not. Right. Maybe not to that level of scale, or maybe even more, right. If you’re a large organization, you may think you have four or five vendors you primarily partner with and say, you know, we send all of our emails through these couple of vendors, and then once they turn on the DMARC reporting policy and they see just how large that scale really is, some of it may be illegitimate email that you want to eventually stop with the DMARC policy anyway, but chances are, you’re going to find that the universe of people that are sending mail on your behalf is a lot larger than you think it is.

Matthew Vernhout (27:11): Yeah. And another colleague actually that we both know, who was a former postmaster at a large social network, when they turned on DMARC thought they had 300 mail servers and found 3000 internal to their network. So they were off by a factor of 10. So, you know, that’s that 10% engineering time: just turn on another mail server and send, right. So, you know, there are internal horror stories that make sense, and then external horror stories that, you know, make everyone freak out when they hear them. You know, I guess, as a CSO, how would you react if you all of a sudden were off by a factor of 10 on the number of legit mail servers internal to your network sending

Sam Masiello (27:52): Yeah, there’s a lot of work to do there, certainly. And that’s typically where, you know, as we’re talking about policies and standards, right, that’s where we start looking at, all right, you know, how many mail relays do we really need within the organization? And what purpose are they serving? And basically just say, going forward, give them 30 days to migrate or whatever, you know, what that central timeframe is, and say, we’re going to start using these couple of mail servers to send mail and we’re going to start blocking everything else at the firewall. So, I mean, there’s an easy way to fix that problem. But you know, it’s one of those things again where it involves that internal coordination and that internal work, because that sort of thing happens, right.

Sam Masiello (28:27): Just like, as a CSO, when you’re doing scanning for vulnerabilities on the network, you usually end up, when you first start doing that effort, usually start off by finding a lot more systems than you thought you had on the network. Like even the IT organization may say here’s our inventory of assets. In fact, one of the things that I typically do with IT organizations when I come in is we start reconciling the inventory that they think they have versus the inventory that I start finding with vulnerability scanners, which typically can be off by a factor of like 30 to 40% in some cases. And that’s part of exactly the reason you just brought up a moment ago, where people are standing up systems on a regular basis to serve particular functions, whether it’s an engineering project, development project, what have you. They just start standing up a whole bunch of servers with, you know, they’ll go install default Linux on them and set up Sendmail or whatever.

Sam Masiello (29:14): And suddenly you have another mail server on your network that you weren’t aware of before. And so it’s a pretty enlightening thing when you start being able to use tools, such as some of the tools we use from a security perspective, but also tools like DMARC, to really start providing greater visibility into what your universe really looks like. Because regardless of how meticulous teams try to be with their inventory management and ensuring that they understand what’s on the network and what’s running on that and what ports are open and what traffic is actually traversing it, it’s not until you really start digging into it and taking a look at it that you really get that full picture. And then you realize how much work you really have to do to clean that up. And that’s not, you know, that’s not just the security organization, right?

Sam Masiello (29:54): That’s a lot of times the IT organization that ends up having to do that work, because it’s their systems that have all the sprawl. It’s just the tools that are giving you the ability to see what you weren’t able to see before. And when you think about it from a risk perspective, right, from an organizational standpoint, all of those systems present a risk, because if you didn’t know they were there, chances are they’re not being patched. They’re not being updated. You don’t know what the configuration of those machines is. Maybe they’re open to the internet, maybe they’re an open relay, right? There are all sorts of potential options and threats and risks that these systems could be presenting that you didn’t know about before that you now have to deal with. Because as I said, these systems present all sorts of different levels of risk to the company that everybody needs to make sure they’re accountable for.

Matthew Vernhout (30:40): Absolutely. I think that’s something that, you know, it’s unavoidable. Technical debt is a thing. It’s a real thing. People experience that across all different parts of the organization, from marketing to sales, to HR, to IT. Mostly it falls in their world, I suppose, because they own the systems. What about, like, an example of an organization you’ve maybe worked with in the past where you had to basically wrangle the marketing team or wrangle another team to bring them into compliance, and how did you achieve that in a way that benefited everybody? ’Cause I think that’s always the key thing: how do you make this a win-win for everybody? So they’re more likely to follow procedures the next time.

Sam Masiello (31:23): Yeah. I think the most important aspect of it, from a security standpoint, is just to try to make it as easy as possible, right? Because if you make the system too complex or too difficult to follow, then it’s going to be difficult, especially for non-technical people, to understand. You know, there are a lot of technical underpinnings to things like email authentication, for example. And so you need to make sure that the process is as easy to understand for the people that are outside of IT as possible. So the way that I’ve typically done this in the past is I’ve worked directly with the people, generally, who are the ones that are creating these services. And you’ll work directly with the folks who are creating the new websites and creating the new campaigns, and working with the marketing and the HR organizations and whoever else in the company wants to send an email, to establish what those standards are like.

Sam Masiello (32:09): We worked with them to do it, like, you know, tell us. Like, we’re not gonna dictate to you what those vendors are, what those standards should be. You tell us who they are and we’ll help work around them. Like we’ll put the policies and the standards around what you want them to be, but once we establish them, then the expectation is you’re going to follow them and you’re going to continue to follow them. Which, as you know, we were talking about earlier, doesn’t always happen. Sometimes, you know, accommodations have to be made to continue to grow the organization and sometimes work with different partners and vendors. But as long as you at least establish the guardrails that you all want to work within, then at least you have something established, as opposed to being just kind of a free-for-all in the wild, wild west.

Sam Masiello (32:48): But what I typically do is I say, what do you need? Right? Tell us what your guardrails are that we need to work within, and we’ll set that up relative to what your requirements are. And to me, that always makes a much easier conversation, because then again, it’s not the security team being dictatorial to the organization. It’s creating that partnership. It’s you tell us what you need and we’ll establish, and we’ll create the technology, we’ll create whatever you need around that. But again, going forward, we need you to then follow what we agreed to.

Matthew Vernhout (33:17): I love that, because I actually think it fits in so many other realms within the business beyond security. It fits with working with your legal counsel to understand the requirements upfront and bring them in early, so that you don’t build something and then need to tack on GDPR compliance or CCPA compliance in the end. It gets built in from the beginning. Same with privacy, same with security. Bringing these teams in early while you’re still planning the project or planning to onboard a vendor makes a huge difference in the end. I think a lot of organizations have that fear of no that we talked about earlier. So they just say, well, I’ll just bring them in right at the end when they can’t change it, which then makes bigger problems. I’ve seen it. I’m sure you’ve seen it.

Sam Masiello (34:05): Absolutely. And I think that goes across the board, right? Anytime you have teams that are involved earlier in the process, where they can identify additional requirements they may have, or additional risks that may be involved, the sooner you involve all those stakeholders, then while you may have more people as part of the process, you get better buy-in, and everybody’s had their opportunity to have their seat at the table to state their piece, to state any risks or issues that they have, as opposed to the opposite approach of trying to involve as few people as possible so that you have nobody that gets in your way. And then realizing that, oh, we should’ve worked with security, or we should work with this team, we should work with that team, later on. And then suddenly they end up with a bunch of roadblocks in their way because of all these people who didn’t have the opportunity to be part of the process.

Sam Masiello (34:51): So I think you’re exactly right. You know, while you do have to be careful of too many cooks in the kitchen, right, because you could end up with some pretty horrible scope creep at the end of the day, because everybody feels like they need to have, you know, this thing or this widget or this whatever as part of the 1.0 release, you do still need to make sure that whatever you’re doing at least still has the visibility and the awareness of the proper stakeholders in the organization. So that when you actually do get to the launch of whatever it is you’re trying to launch, then at the very least you have the right people involved throughout the process and they had the opportunity to state their piece along the way.

Matthew Vernhout (35:26): Yeah. I think that’s always a big one, is at least giving me the opportunity to say something, as opposed to overriding the whole project. Right. I thought the intention is to have security come in and override the whole project or legal come in and override the whole project. So yeah, I think that’s always one of those things. I think that organizations need to do better. They need to involve more people upfront so that you at least catch the important gotcha items upfront and then, from there, move forward with the, you know, these are mandatory requirements, these are maybe version 1.1 requirements, and these are 1.X or, you know, whichever style requirements, so that people know they’re coming as well. I think those are always important things to look at. Sam, we’re just getting to the end of the conversation here.

Matthew Vernhout (36:14): I just wanted to ask if you had a couple of tips that you could give to our audience. Now, remember they’re mostly marketers, mostly, you know, IT, medium-sized business, small business, and some very large enterprise, around the world, financial institutions. What type of tips would you give them to take from today’s conversation back to the office so that they can have this conversation with their teams and say, I need to understand, or I need to learn, or we need to do X, Y, Z thing? What types of tips would you have for them to take from that?

Sam Masiello (36:50): Yeah. So a couple of things. I would say that for one, you know, partnerships are going to be key, right? I know we’ve talked a lot about partnerships from a security perspective with the organization, but as you think about the marketing teams, right, and the types of data that they’re collecting and the types of data that they’re responsible for as part of the customer relationship, I think that that conversation goes both ways, right? You know, the marketing team needs to make sure that they are establishing those relationships with the proper teams internally as well. And that’s not just security, that’s not just IT. Right. We talked earlier about legal, for example, and understanding some of the privacy regulations and the implications of some of the new privacy regulations and some of the data that’s going to be collected from that perspective, and how we need to and what we need to be protecting from that standpoint.

Sam Masiello (37:30): So the relationships that need to be established from a marketing organization go well beyond the relationship with the customer that they’re trying to build. Those internal relationships are just as important, because you’d hate, from a marketing perspective, to have, you know, something shut down that you want to do, for example, because it’s gonna violate CCPA or it’s gonna violate GDPR, or you didn’t update your privacy policy for this new data that you wanted to collect and weren’t clear about why you’re collecting that information, right? So to me, those partnerships go beyond, and I’m speaking mostly from a security perspective because that’s my role and that’s what I do every single day. But when you think about the other organizations within a company or teams within an organization, those sorts of conversations around partnerships are just as important, because at the end of the day, there’s always going to be dependency, right?

Sam Masiello (38:13): If a marketer or marketing team wants to launch a new marketing campaign, then they’re likely going to have to involve the security team or the IT organization in some way, maybe the legal organization. And so having those relationships and establishing those relationships upfront, to me, is always the most important, ’cause like we were just talking about a moment ago, you want to make sure that you are including all the right stakeholders along the way early. So you can have those conversations and you can understand what are the limitations that we may have in place, or what are the things we need to plan for as part of the launch of this new, whatever it is. And if there’s nothing you need to plan for, great. But at least people have had the opportunity to have that conversation with you.

Sam Masiello (38:49): And you’ve been able to outline those things up front and establish what those guardrails are supposed to be. But to me, that’s the most important aspect, is making sure you have those relationships and making sure that you are cultivating those relationships on a regular basis, because everybody in an organization is dependent upon others at some point in time for something. And you want to make sure that people feel like you are a partner as part of that process. Secondly, I would say, as you think about the various mail streams that you have, and I’m going to go down to the more technical angle here for a moment, make sure you’re establishing what those segmentation strategies look like. Because, as we mentioned earlier, there are going to be some limitations to what you can do from a technical perspective.

Sam Masiello (39:29): And so start having those conversations internally to decide how do we want to segment these mail streams in a way that’ll allow us to help prevent some of the spoofing problems that may potentially occur in the event that we don’t do this the right way. Because what ends up happening is, if you do end up with your brand getting spoofed, and there are emails being sent out on your behalf that are spoofing your domain and sending out all sorts of different types of spam emails, right? Those things could present brand loyalty problems for you, and they could present brand presentation problems for you. And so those are the things you need to make sure you’re aware of. And the way that you start fixing those problems is by establishing those segmentation plans, establishing that strategy, establishing those standards, and then working with the IT organization and security organization to actually put those policies in place.

Sam Masiello (40:14): You can monitor your mail streams, put those DMARC reject records in place and be able to better protect your brand as a whole. But it’s not just sending emails and it’s not just, you know, getting messages into people’s inbox. It’s also the brand protection angle of it as well. And I think that’s an angle of it that we can’t ignore, because it’s something that is not easy to do. It takes time to do, but it’s time well spent at the end of the day if you do it and do it right, because then you’ll ensure that the messages that are getting delivered to the inbox from your brand are actually coming from you.

Matthew Vernhout (40:47): Thanks very much, Sam. You’ve heard it here. Go make friends with your senior security, legal, and privacy people so that you get it right. Buy them a coffee, buy them a tea, get to know them, build those bridges. I think that’s a great way to put it. So then Sam, thanks very much for being part of the Netcore #fortheloveofemails podcast. Tell our listeners how they can get ahold of you or Beckage if they want some help in regards to legal compliance or security needs.

Sam Masiello (41:13): Yeah. So our website is www.beckage.com and I am at S Masiello on Twitter. I am also at [email protected] for email as well. So if anybody has any questions or wants to reach out, just feel free to hit me up anytime.

Matthew Vernhout (41:29): Great. Thanks very much, Sam. So we hope that this session has really sort of enlightened your view on security and the requirements, and really how it plays into that global aspect of your organization. So, as I said, go make friends with your security team. They want to know about it. It’ll make everyone’s life easier in the end. If you have any questions about email, please check out netcorecloud.com. We are here to help you with your AI-powered email delivery and campaigning needs. We make a great security partner as well, thanks to our relationships with people like Sam helping us and having these conversations, you know, both personally and professionally. So don’t forget to subscribe to our podcast on all your favorite podcast channels and players. And once again, visit netcorecloud.com for more information and stay tuned for our next episode. Thanks again, Sam, for joining us, and our listeners out there, take care, stay safe.

Outro (42:28): You’ve been listening to the #fortheloveofemails podcast, powered by Netcore. Hit subscribe in your favorite podcast player to make sure you never miss an episode. To learn more about effective email communications and engagement through AI-powered email solutions, visit Netcore.com, the only global email engagement leader delivering marketing ROI and value to 20 plus global unicorns and 5,000 plus brands for over two decades.
