Published on: October 10, 2024
Brian Johnson, founder of 7 Minute Security, recently sat down for an interview with SafetyDetectives to discuss his journey from IT professional to cybersecurity expert. What began as a passion project—a podcast designed to offer quick and actionable security insights—has grown into a full-fledged cybersecurity company. With his extensive background in IT, Brian brings a unique perspective to 7 Minute Security, emphasizing the importance of not only identifying vulnerabilities but also guiding clients in remediating those issues, setting the company apart in the industry.
Brian reflected on how the 7 Minute Security podcast has evolved from brief, on-the-go recordings to an educational tool for businesses and professionals alike. While the podcast started as a quick listen for busy security enthusiasts, it has since expanded in length and scope, incorporating expert interviews and deep dives into cybersecurity topics. Brian continues to focus on educating others and giving back to the community, a value that remains at the core of both the podcast and the company.
What inspired you to create 7 Minute Security, and how has your background in IT and security shaped the company’s approach?
When I got my first job in security, I wanted to create a podcast that would help people like me (long-time IT professionals who wanted to break into security). I also thought most podcasts were too long, so I wanted to create something that was a quicker listen (full disclosure: the 7MinSec episodes are now much longer than 7 minutes 😊).
When 7 Minute Security became a formal company a few years later, I think my background in IT helped bring more credibility to what we do. A lot of cybersecurity companies are very talented and can hack your network to pieces, but many lack the experience of actually building and maintaining networks, so they can’t help guide you towards actually remediating the findings of a penetration test.
Can you share how the 7 Minute Security podcast evolved and its role in educating both professionals and businesses about cybersecurity?
The podcast started as a passion project I was doing on the side while working IT gigs. I would record 7-minute episodes about cool things I was learning – everything from writing policies to social engineering and penetration testing. At the time, the episodes were almost like voice notes to myself that I shared with the listeners. I usually did the recording in my car while on the road to client sites.
In 2017, I announced that I was going to turn 7 Minute Security into a cybersecurity company, and that helped us get work immediately from listeners of the show. I’ve now expanded the episode length (friends joke that I should rename the show “The Arbitrary Length Podcast”) and incorporated interviews with interesting security experts. I’m so thankful the show started as a passion project, because the focus is still to educate others and give back to the community.
How do you approach security assessments for organizations with different levels of maturity in cybersecurity?
We try to spend a lot of time understanding what processes and controls each organization has in place so we can propose our work accordingly. We want to learn about what their business is all about, what their crown jewels (sensitive data) are, and the people/software/services they use to manage their security program. In other words, the penetration test we propose to an SMB with 50 people and no dedicated IT staff is going to look vastly different from a 1,000 person company with a dedicated IT team and a suite of tools dedicated to stopping attacks.
Can you talk about the difference between a full penetration test and the “light” pentest you offer?
Our Light Pentest is perfect for small companies and/or companies who have never had a penetration test. We follow a methodology to find as much “low hanging hacker fruit” as possible in a 2-3 day test. A more traditional or full penetration test will last 1-2 weeks and include custom goals set by the client. For example, some of our more mature clients may ask us to try to gain access to their backups and demonstrate how an attacker could steal the data or infect the network with ransomware.
How have you seen the threat landscape evolve with the growth of remote work and cloud adoption?
We have seen an increase in attackers going after our customer VPN connections by trying to guess an employee’s password for days or weeks at a time. We have also seen a rise in text and phone calls to our customers from people pretending to work for their company’s IT department, asking for access to the computer to “fix a problem with your home Internet not working with our servers.”
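The slow VPN password guessing Brian describes is easy to miss with the usual “N failures per minute” alert, because an attacker pacing one guess per account per night never trips a burst threshold. The example below is added here to illustrate that point and is not code from 7 Minute Security or from the interview: it parses a constructed, simplified auth log (the line format, the field names and the thresholds are assumptions; real VPN appliances log differently), shows that a burst rule fires on nothing, and then flags the same activity by counting distinct failure days per account and distinct accounts per source over a two-week window.

```python
"""Low-and-slow VPN password-guessing detection over sample auth log lines.

Added example, not from 7 Minute Security. Log format, field names and
thresholds are assumptions for illustration; adapt the regex to your VPN.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one guess per night against "alice" for five days,
# one short spray across four accounts, and one legitimate typo by "bob".
SAMPLE_LOG = """\
2024-09-01T02:14:07Z vpn auth-fail user=alice src=203.0.113.7
2024-09-01T09:41:22Z vpn auth-ok user=bob src=198.51.100.4
2024-09-02T03:02:51Z vpn auth-fail user=alice src=203.0.113.7
2024-09-03T01:59:13Z vpn auth-fail user=alice src=203.0.113.7
2024-09-04T02:33:40Z vpn auth-fail user=alice src=203.0.113.7
2024-09-05T02:10:05Z vpn auth-fail user=alice src=203.0.113.7
2024-09-05T02:10:06Z vpn auth-fail user=bob src=203.0.113.7
2024-09-05T02:10:07Z vpn auth-fail user=carol src=203.0.113.7
2024-09-05T02:10:08Z vpn auth-fail user=dave src=203.0.113.7
2024-09-06T08:00:00Z vpn auth-fail user=bob src=198.51.100.4
2024-09-06T08:00:30Z vpn auth-ok user=bob src=198.51.100.4
"""

# Assumed line format: "<ISO timestamp> vpn auth-<ok|fail> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth-(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return a list of auth events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "ok": m["result"] == "ok",
                       "user": m["user"], "src": m["src"]})
    return events


def burst_alerts(events, max_per_minute=5):
    """Classic rule: at least max_per_minute failures from one source in 60s."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e["ts"])
    alerts = set()
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= timedelta(minutes=1):
                j += 1
            if j - i >= max_per_minute:
                alerts.add(src)
                break
    return sorted(alerts)


def _window(events, window_days):
    """Return (start, end) of the trailing window ending at the newest event."""
    end = max(e["ts"] for e in events)
    return end - timedelta(days=window_days), end


def slow_guess_alerts(events, window_days=14, min_days=3):
    """Accounts with failed logins on at least min_days distinct days."""
    if not events:
        return []
    start, end = _window(events, window_days)
    days = defaultdict(set)
    for e in events:
        if not e["ok"] and start <= e["ts"] <= end:
            days[e["user"]].add(e["ts"].date())
    return sorted(u for u, d in days.items() if len(d) >= min_days)


def spray_alerts(events, window_days=14, min_users=3):
    """Sources that failed against at least min_users distinct accounts."""
    if not events:
        return []
    start, end = _window(events, window_days)
    users = defaultdict(set)
    for e in events:
        if not e["ok"] and start <= e["ts"] <= end:
            users[e["src"]].add(e["user"])
    return sorted(s for s, u in users.items() if len(u) >= min_users)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("burst:", burst_alerts(ev))        # [] -> the slow attack is invisible
    print("slow guess:", slow_guess_alerts(ev))  # ['alice']
    print("spray:", spray_alerts(ev))        # ['203.0.113.7']
```

Note that bob’s single mistyped password followed by a successful login is not flagged by either long-window rule, while the attacker’s one-guess-per-night pattern against alice is. In practice the same two aggregations (distinct days per account, distinct accounts per source) are what you would build as a scheduled query in whatever SIEM or log platform receives the VPN logs, with MFA on the VPN as the control that makes a correct guess far less useful.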
What are some of the key challenges in getting companies to invest in cybersecurity training for their employees?
One challenge we’ve seen is there are more and more security companies out there offering low-priced computer-based training for employees. Company leaders tend to buy these and then require employees to complete a set of modules every year. Fundamentally that’s a great idea (and ticks the box from a compliance standpoint), but these users have told me they often just fast-forward through the videos because they’re out of date, too long and/or too boring.
We encourage companies to mix up their training program and incorporate a variety of delivery methods such as live training and short email newsletters about relevant cybersecurity stories. One of my customers even puts security awareness training posters up on the inside of bathroom stall walls. It sounds funny, but hey, people are sitting there for a moment and you have their attention, right? Great opportunity to learn about security!