In an insightful interview with SafetyDetectives, Matthew Fisch, Founder and CEO at FortMesa, shares the journey that led to the creation of the company. With a background in management consulting and cybersecurity advisory, Fisch identified the escalating demand for cyber risk management and the lack of expertise in the field. This realization prompted the development of software solutions aimed at empowering individuals with technology proficiency to navigate the complexities of cybersecurity. FortMesa’s unique approach lies in partner enablement, collaborating with service providers to deliver cost-optimized solutions and educate end customers on cybersecurity investments. Fisch emphasizes the importance of not reinventing cybersecurity tactics and recommends following established standards, highlighting the role of service providers as liaisons in this process. The interview provides valuable insights into FortMesa’s commitment to making a significant impact on global cybersecurity challenges.
Can you talk about your journey and what motivated you to start FortMesa?
I’m in the second half of my career, but I’m maybe closer to the middle than the end. I spent the last 10 years before I started this company doing management consulting, a lot of it cybersecurity advisory. I worked with other service providers, and sometimes I worked with end clients directly.
It was always an in-demand skill set: the ability to walk into a company that had no cybersecurity strategy and help guide them on how to protect their critical assets, their critical systems. Over time, two things became evident in that consultancy.
The two things that were clear:
- The demand is exploding for cyber risk management. This has been clear for at least the past 10 years. My practice grew to the point where I was always busy, but I wanted to be able to create a larger impact. I could have hired more people, but what I really wanted to do is make a dent in the problem that’s happening in the world, and handling a few clients wasn’t going to do that. So I decided to pursue software to create a far-reaching solution.
- Not only do people need cyber risk management, but the people that are really entrusted to protect systems don’t really know how to do it very well. The skill set is not as available as it’s needed. There’s lots of data on this; the U.S. Department of Commerce funds yearly studies in conjunction to figure out the need for cybersecurity jobs. They come up with huge numbers, and it seems like that number stays steady every year. This is because it takes 20 years to grow someone to be able to manage cyber risks the right way.
With this information in hand, I and many industry peers have come to the resolution that we need software solutions.
I decided to focus specifically on software that allows someone that’s pretty smart with technology, but not necessarily smart in cyber, to become smart in cyber.
During our testing, we found the things that could reduce the most risk that are the easiest to adopt for that audience. Then, a few years ago, we started scaling operations and started a partner program. We don’t sell to end customers that have their own engineers. We sell to cybersecurity service providers, or IT outsourcers, and MSPs, that are providing cybersecurity services for their end customers.
This allows us to have a real impact on the world. We have a little over 200 companies using our software, each of which has their client lists. Some of those companies may only have five clients while others have several hundred. That creates a big impact on this problem of how we mobilize the masses to do the things that are actually going to protect themselves in cybersecurity.
What are some of the unique approaches that FortMesa uses to stand out from other solutions in the market?
We exist in the software space where there are other products out there that technically do the same things that we do, but what makes us different is that we’re partner enablement.
Other products work directly with end customers, enterprises, and small businesses. Since we work through the service provider, things are just different enough that we create this unique value. Our workflows are just subtly different in a way that if you’re trying to run a business managing 30 clients, our workflows are a little bit better.
For most companies in the world, cybersecurity does not create profit. It costs money. The losses cost money. If you get hacked, it costs money, and also stopping the hacks costs money. It feels like a lose-lose-lose optimization scenario, where as a business, you’re trying to figure out what’s the least amount of money you can spend without getting destroyed.
With FortMesa, we support service providers that actually have a profit model around cyber. Their job is to service companies that need the help. We don’t just need to be able to do these technical things to reduce risk in an organization. We also need to help our service providers explain to the customer things like:
- Why do you need to invest in this thing instead of that thing?
- Why do you need one item of A and one item of B and one item of C?
- Why do you need someone to do something every 30 days?
All that education actually helps the end customer invest in the right things that are cost-optimized. This helps our customers look good, and it helps them sell those services. Then, of course, we also do the evidencing.
What are some strategies that you recommend for businesses to manage cyber risk effectively?
The first thing I would say is don’t invent it yourself. Anyone who says that they’re really smart in this stuff and you should only listen to them is wrong.
We do not invent the tactics or the methods or even the selection of methods that work well for cybersecurity. There are governments, non-profits, and NGOs full of people that are really smart about cyber. They’re in working groups where hundreds of people from hundreds of companies work together to come up with solutions like what is the best practice for today.
As an end customer, what you should do is choose the right standard and follow it. Your service provider’s job should be to be a liaison or a concierge. They should help you choose by explaining why X is the right standard for you, based on your company size and industry.
We didn’t invent it because someone else did, and that’s really the crux of it; no one is as smart as all of us.
How has the shift to remote work impacted cybersecurity strategies?
Clearly, as with all digitization, it has accelerated things. There are a lot of risks inherent in remote work. Your laptop computers that used to be in a secure office are now at home in an unsecured office. Your employees that you could trust because you could see them are now people maybe you’ve never met. So, there are some really big changes in what to expect out of insider risk, which is the risk that your employees present.
It can be because your employees have it out for the company, but that’s not usually how it actually manifests. Generally, people are just careless when it comes to cybersecurity. They are just trying to get their jobs done, but they become a risk if they’re not following best practices. The COVID pandemic magnified this several times, and it’s a big problem to solve. We have all the tools in the world. What it’s really enabled is people to step over the starting line in investment. There were probably many companies that were holding back on making new cybersecurity investments, but with COVID, they realized that they have to. If you’re still on the starting line and you haven’t made any new cybersecurity investments since before COVID, boy, are you in trouble.
What role do you see AI playing in the future of cybersecurity?
I’m not a huge AI believer, although we do take advantage of AI in our product. There are hundreds of thousands of ways to break into computers, but attackers are not that creative. They don’t use hundreds of thousands of ways; they may use hundreds to low thousands. One of the ways we leverage AI is targeting which of those ways attackers use. We can leverage AI for that; it’s standard data available in the industry. We’ve been successful using that data to stop cyberattacks.
However, there are people that are trying to get AI to do their jobs for them. And I think that they’re less successful. AI is great for a task where you need to take a massive amount of data and be a little bit smarter about the conclusions. But some people are hoping that AI is somehow going to make cybersecurity unnecessary. However, the fact is that attackers have AI too, and there’s nothing you can create that attackers can’t also counter.
The reality is, until AI is smarter than people (it’s faster but not smarter), we’re still going to need people to do the job.
What cyber trends do you anticipate for 2024 and beyond?
People are getting serious about governance. Cybersecurity incidents and breaches did not make it to the front pages of world newspapers until 10 years ago. It wasn’t until some major breaches that it started to trickle to the front pages. Now it seems like you can’t go a week without seeing news about major cybersecurity attacks.
In response to that, people have been scared. They fear security, cybercrime, cybercriminals, nation-states, and hackers.
When people are afraid, anyone who raises their hand and says, “I will make you safe,” feels like the savior. Unfortunately, the reality is a lot of those people are just out for a buck. So a lot of people have invested a lot of money in cybersecurity, and it hasn’t produced the necessary results.
The industry has been trending towards best practices, standardization, and following industry standards. I think in 2024, what we’re going to see is people need to evidence that it works with governance. They need to prove it, and they need to put processes in place that continue to prove it.
We’re seeing that, and I think insurers, governments, court systems, and arbitrators are adopting that to decide who has to pay for losses. They recognize the necessity of this governance, and if you’re not doing it, you might be at fault.