In this episode, cybersecurity veteran Don Goldstein, CEO of 5Q and longtime CISO, joins us to explore the hidden risks of Agentic AI and what professional services firms must do to protect themselves. As excitement around autonomous AI agents builds, so too do the security vulnerabilities—many of which are still poorly understood. Don explains why this technology is a game changer and why adoption is inevitable, but also outlines the specific threats that come with it and the guardrails founders should be putting in place now. If people are your biggest asset, AI may soon be your most powerful one—and also your most vulnerable.
TRANSCRIPT
Greg Alexander: Hey, everybody. This is Greg Alexander. You’re listening to the Pro Serv Podcast, brought to you by Collective 54. This is a podcast dedicated to founders and executive leadership teams of boutique professional services firms. So if you market, sell, and deliver expertise for a living, and you want to make more money, make scaling easier, and make an exit achievable, this is for you. On today’s episode, we’re going to talk about cyber security risk in the context of transforming your people-driven business to be an AI-driven business. Artificial intelligence is the buzzword, but it is affecting our industry, professional services, more than most. And there are some downsides and things you need to protect against. Joining me on the call today, the subject matter expert and long-standing, well-respected, well-liked member of Collective 54 is Don Goldstein. Don, we’ve got a bunch of new listeners and new members who might not know who you are, so could you start off with a brief introduction of yourself and the firm?
Don Goldstein: Sure, Greg, thank you. I serve as Chief Information Security Officer for 5Q Partners. It’s a professional services firm that provides managed IT and cyber security solutions to the commercial real estate industry. That’s our niche. It’s been around for almost 11 years. I’ve been with the firm for almost 7 years. I come from a deep cyber security and information technology background, mostly in the corporate world. But in these last almost 7 years in the entrepreneurial world, it’s been quite a journey. I’m a partner in the business. I’ve run the business. I serve as a fractional Chief Information Officer and Chief Information Security Officer for our clients.
Greg Alexander: Okay, sounds good. So Don cares enough about our community that when he started to see all of our members become pioneers and early adopters of AI, he reached out and said, hey, just FYI, there’s some security risks that everybody needs to be aware of. So that’s the reason for the session today, and I’m so grateful that he did so. With that, Don, I’m just going to start at a high level, which is: what are some of the main AI risks to professional services firms in particular?
Don Goldstein: Greg, the reason that I surfaced this—it just happened to be on Ransomware Day—and I get a lot of information from my security community. It turned out on that particular day, KnowBe4, which a lot of companies use for phishing testing and security training for their employees, came out with something. Roger Grimes, who’s very well known in the industry as a security professional, said, hey, ransomware is going to get a lot easier for the bad guys now that they have AI tools. You don’t have to be as smart, you don’t have to be as sophisticated. And what does AI do in our professional services firms? It expands our threat level. It expands how many threats we actually have, in addition to all the threats we have on a daily basis by our people clicking on something they shouldn’t, and then getting compromised. So what I think is really happening here is, as AI has accelerated, so have the threats associated with the AI. And because we’re not really prepared for it in terms of security and how we think about it—Greg, if you think back to when the internet first started, there weren’t any guardrails around the internet. So companies have had to provide those guardrails, right? They’ve had to filter the internet. They’ve had to filter emails. They’ve had to put antivirus. All those things. AI is going to be no different. The guardrails have to be in place, or there’s just a lot of opportunity for that compromise. And as professional services firms, we thrive on trust. Our clients have to trust how we do business and how we guard their data.
Greg Alexander: Yeah, well said. You know, it takes a lifetime to build a reputation and one trust mistake to destroy it. So it is well timed. Don, knowing our community, which is made up of founders and executive leaders in smaller firms—what we call boutiques—what steps can they take to mitigate against these risks so that it still allows them to capitalize on the opportunity that AI presents, but maybe in a less reckless way?
Don Goldstein: Right. First thing I think every professional services firm needs to do is think about what their crown jewels are. It’s no different than any other business, whether it’s a Fortune 500, public company, private company. What is the most important information, the most important systems that you run that contain your data and how you provide service to your clients? Those are the things you need to focus on in terms of your protection. So first, know what you have. And then think about the guardrails you need to put around it. Are you investing at all in cybersecurity, or is it an afterthought? As you scale and as you get to that magic number of revenue per employee that makes for a great exit, you have to think about how much you invest in your security program. Do you have policies around it that you educate your people about—what they can use, what they can’t use, how they use it?
Don Goldstein: Are you protecting that data so it isn’t exposed to the external world? Because if you’re not careful, that’s what could happen with AI. And so you really need, as a professional services firm, if it’s just not something you think about, know about, or know how to deal with, to use some external, fractional resource to help you think through the things you need to do. We do that in the commercial real estate industry, but there are plenty of opportunities to find those professionals around that can help you with that journey. That little investment you start to make can pay off big time to maintain that trust.
Greg Alexander: You educated me on this term: third-party risk. Can you define it and tell us why those in professional services firms should care?
Don Goldstein: So there are two aspects to third-party risk. One is the third parties that professional services firms use for their business. And then the other side of that is often our professional services firms are third parties to other companies, meaning Fortune 500 large companies hire us to do services for them. We are a third-party risk to them if we get compromised, and it impacts our clients. That’s risk to our clients. If they’re in the Fortune 500 and they’re a public company, that may be something they have to disclose. And the last thing a professional services firm wants is to be a headline in the Wall Street Journal. Yeah, so that’s on that side. But on the side of professional services firms using third parties—well, what happened on July 4th? You may not know about this, but I know you’ve been in the tech industry, and you’ve heard of Ingram Micro. That is probably the largest reseller of IT products and services. They were breached. They had a ransomware attack on July 4th. They still have not recovered. That impacts everyone who uses their platform. So they are a third-party risk. If you’re doing any business with them, now what do you do to serve your clients? That’s a big problem. And that’s why you have to think about it from a client perspective and also from your own perspective of how you go to market.
Greg Alexander: You know, the Ingram Micro example is a good one, because we’ve got a large group of our members that are in the IT ecosystem. They’re either clients of the partners of Ingram Micro or Tech Data or one of these other big distributors that serve largely small businesses. That’s a really good example to bring that up. Let me ask you this question, staying on the third-party risk thing for a moment. Because our firms are small—I mean, our founders are literally running their firms off their mobile phones—because their entire tech stack is SaaS providers, and they’re in the cloud all the time. So they’re not investing in their own cybersecurity. They’re trusting the SaaS providers that they use to take care of them. Are they crazy? Or is somebody like Salesforce or HubSpot or someone like that protecting them?
Don Goldstein: You just have to think about the fact that they are bigger targets than you are.
Greg Alexander: Because they have deeper pockets, right?
Don Goldstein: And I’ll give you another example of a third-party firm that a lot of us use—Asana. Well, they came out with something that they put on their AI platform that was on May 1st of this year. What happened was they discovered flaws, and they had to shut that system down. But that was only on June 4th. So for 34 days, about a thousand out of 130,000 of their enterprise customers were exposed. Their data was exposed that they had on the Asana platform. So why do we have to worry about the third party? Because we have no control over what happens to them. And we sometimes are that little fish in that big sea of their customers. So we have to protect ourselves in multiple ways, and we have to be aware that that risk exists.
Greg Alexander: Interesting. Let’s say one of our members got attacked—and I don’t even know if that’s the right word, but I like it because it sounds bad—what do they do?
Don Goldstein: Well, the thing you do first of all is, you don’t think about it when the attack happens. You think about it now—meaning you need something called an incident response plan.
Greg Alexander: Hmm.
Don Goldstein: You can get templates for that. They’re out there in the public domain. You can have someone help you with that. What you have to do is determine how you’re going to respond to that kind of incident ahead of time. Who’s going to be involved? How do you make sure that you can recover your systems? Because when you get hit, the first thing you’re going to think about is, do I need to shut things down? Could it get worse? Because you often don’t even know what happened in the beginning stages of an attack. And usually that attack happens after they’ve already been in and camped out for a little while. So you have to be prepared with a plan so you can recover. You have to know who you can engage to help you with that recovery, help you with that forensics. You need a cyber insurance policy because they will guide you as well. Every professional services firm should have a cyber policy and know what’s included and what’s excluded. And then the next phase of that is test it—doing something called a tabletop exercise. Again, there are firms. It’s not that big a deal. You can hire a firm to help you with that and lead you with that, but practice it. Because then what you don’t want to have happen is practicing it when you have the answer.
Greg Alexander: Yeah, yeah, exactly. Good advice. Cyber insurance—is that affordable to the small business owner?
Don Goldstein: It actually is.
Greg Alexander: Okay.
Don Goldstein: And I think most firms probably already have that, probably because their clients require that on almost every deal. In almost every master services agreement, they’re going to ask, what’s your cyber insurance? What are your limits?
Greg Alexander: True, although some of our members are doing business with other small businesses, and they don’t really even have MSAs, so that’s a really good call out—as is the incident response plan. I’m writing this down because I’m sure Jeff Klowman, who’s usually on top of this stuff, probably already has one. But I’m gonna double check with him.
Don Goldstein: Happy to help if Jeff needs some help.
Greg Alexander: Thank you. Thank you for that. I’ll probably take you up on it. You know, the other one that just came to mind—I’m always complaining. I happen to bank with Chase, and it’s such a pain in the you-know-what with the verifications and authentications. But actually, thank God they do that, right? It’s in my best interest to go through all that. So I’m appreciative of that. You know, Don, someone like yourself, who is a CISO, let me ask you this question: what keeps you up at night?
Don Goldstein: That loss of trust with my clients and with my team. I just can’t think of a worse scenario than that. Why? Because look at these big firms. You know Ingram is going to survive their breach. Target did 11 or so years ago, right? What big company hasn’t been breached? What big bank hasn’t had an incident? They’ve recovered. We’re in a little more vulnerable position. That Asana breach I talked about—that cost them 7.5 million dollars for that 34 days. And that may just be the beginning. So breaches typically cost in excess of 5 million dollars, and some of what your cyber insurer may cover, some may not. So the question you have to ask yourself is, if something happens to you, can you remain in business? So what keeps me up at night is something that I don’t know about that may be happening, may happen. And if that does happen, can we recover quickly enough and regain the trust of our clients?
Greg Alexander: Yeah, you know what I find interesting is that I have service providers that serve me—I’m their client—and they’ll ask me for something, a document or whatever, and I’ll send it to them. And then part of their work is they’re sending me something back. And you can tell in their response that they just loaded my document into ChatGPT and generated a response. And then I’m saying to myself, well, is my personal document now in ChatGPT’s LLM? And like, do I want that? Should they have disclosed that?
Greg Alexander: So we’re talking about cybersecurity risk in the context of AI today. These big models, are they protected?
Don Goldstein: That’s a really interesting question. Because OpenAI just announced that they are putting additional measures in securing them from being attacked. So think about it. If those AI providers, those big ones—OpenAI, Gemini, any of those—if they get attacked, I mean, that’s the tip of the spear for all of us. Right? So should an attacker be able to get to your personal data? Well, first thing you should know is, your personal data is probably out in the dark web anyway. All of ours is—so know that, all right? But banking information, stuff you would absolutely never ever want to have compromised—if you’re providing that information, and the person you’re providing it to or the entity isn’t giving you a secure way to provide it, then chances are they aren’t doing the right things. So anytime I’m asked for something, I’ll say give me a secure link. Every bank will do that. Every entity that’s asking for personal information has a way to do that. So just ask the question first, and make sure you’re comfortable with that. But to send something as an attachment in an email—probably not a good practice.
Greg Alexander: Yeah, I mean, just a very practical yet valuable tool, along with a fractional CISO, along with insurance, along with an incident response plan. So lots of value packed into this session, Don. We try to keep them to 15 minutes. So we’re at our time here. But thank you for doing this. I look forward to our member Q&A where they’ll be able to ask you questions directly. But, as always, it was good to see you, and thanks for the contribution.
Don Goldstein: Thank you, Greg. My pleasure.
Greg Alexander: Okay, just to conclude here—a couple calls to action. So if you’re a member of Collective 54, and you’re now very nervous, like I am, and you want to ask Don more questions, please attend the private member Q&A and he will do his best to address your concerns and give you some helpful hints. If you’re not a member, and after listening to this, you say, Damn, maybe I should be—go to collective54.com and fill out an application, and we’ll be in contact with you. But until the next episode, I thank you for listening, and I wish you the best of luck as you try to grow, scale, and exit your firm.
Note: This transcript was generated by Zoom.