91. Reinforcing Board Cybersecurity with Gary Evee

February 16, 2026
Season 13
Episode 1
 Uncategorized

In this episode of On Boards, hosts Joe Ayoub and Raza Shaikh welcome Gary Evee, cybersecurity leader and founder and CEO of Aprivé. His company is pioneering a concierge approach to cybersecurity protection, providing services that protect high-value individuals and families from the digital threat landscape.

Drawing on more than 25 years of experience across IBM, cybersecurity leadership, and board service, Gary explains how breaches increasingly originate through individuals rather than systems. 

He highlights how personal devices, home networks, and online data exposure create vulnerabilities for executives and board members, and why cybersecurity must extend beyond the corporate perimeter. He currently serves as the board director of Aware Inc. and is a trustee of Dedham Savings Bank. 

Key Takeaways

  • People are the primary cybersecurity risk
    • Most breaches target individuals and start in simple ways with phishing emails, password reuse, or compromised personal devices. 
    • In cybersecurity, people are the weakest links and organizations often lack in providing continued digital protection for executives once they step outside the company’s firewalls
    • Home networks and personal accounts often lack even basic security controls and so cybersecurity is a risk for anyone that works remotely, travels, or brings their work home from the organization. It can even impact your family.
  • Aprivé: Personal and enterprise-grade cybersecurity
    • The company offers a white-glove services that protect individuals, their home network, devices and digital footprint
    • Aprivé is unlike other cybersecurity companies and proactively helps people get the protection they need in places outside of the enterprise 
    • Aprivé’s services cover six pillars
      • Password and credential security
      • Home network hardening
      • Mobile and personal device security
      • Online identity and digital footprint management
      • Financial and account monitoring
      • 24/7 concierge support and incident response
  • Boards and executives are high-value targets with outsized exposure
    • Even the best board portals don’t flag when a non-authorized user logs in with stolen credentials taken from a phishing malware or compromised device
      • When an attacker gets access, they can gather information that could lead to reputational damage
    • Aprivé’s services ensure everyone within the enterprise is protected, assessing the vulnerability of each individual — especially the C-suite
    • The company also serves high profile and public figures

Quotes

“People continue to remain the weakest link.”

“ What we found was [people- C-suite leaders and High-value individuals] oftentimes have no one thinking about protecting them once they left the organization.”

“Even the best board portals assume that the person that’s logging on is legitimate.”

“If I steal your credentials through a phishing malware, a compromised personal device, the system doesn’t see me as an attacker, it sees me as a trusted user.”

Links

Aprivé

Guest Bio

Gary Evee is a visionary entrepreneur, investor, and cybersecurity leader dedicated to redefining how the world’s most influential people safeguard their digital lives.

As the founder and CEO of Aprivé, he is pioneering the next frontier of personal cybersecurity, Executive & Lifestyle Defense, a model that blends technology, concierge service, and intelligence to protect executives, high-net-worth individuals, and families from the evolving digital threat landscape.

With more than 25 years of experience spanning technology, cybersecurity, and business transformation, Gary is known for his rare ability to bridge innovation and trust. Before founding Aprivé, he served as an executive leader in IBM’s Cybersecurity Business Unit, helping Fortune 500 CEOs and global enterprises navigate emerging threats while scaling IBM’s security portfolio worldwide.

In addition to his work with Aprivé, Gary founded Evee Security Consulting Group, advising corporations and public institutions on cyber risk management, identity protection, and incident response. He also founded CyberTrust Massachusetts, a pioneering public–private initiative that develops the next generation of cybersecurity professionals through education, workforce development, and real-world defense programs.

Gary serves as a Board Director at Aware, Inc. (NASDAQ: AWRE), a leading biometrics and identity authentication company, and as a Trustee of Dedham Savings Bank and Charlesbridge Bank. He is also a Visiting Fellow at the National Security Institute at George Mason University, contributing to national discussions on cybersecurity, policy, and technology innovation.

A sought-after speaker and thought leader, Gary regularly shares insights on executive risk, digital identity, and the future of cybersecurity, empowering leaders to safeguard what matters most in an increasingly complex digital world.

Transcript:

Joe: [00:00:00] Hello and welcome to On Boards, a deep dive at what drives business success. I’m Joe Ayoub, and I’m here with my co-host, Raza Shaikh. Twice a month, On Boards is the place to learn about one of the most critically important aspects of any company or organization; its board of directors or advisors, with a focus on the important issues that are facing boards, company leadership, and stakeholders.

Raza: Joe and I speak with a wide range of guests and talk about what makes a board successful or unsuccessful, what it means to be an effective board member, and how to make your board one of the most valuable assets of your organization.

Joe: Before we introduce our guest today, we want to thank the law firm of Nutter McClennen & Fish who again sponsored our most recent On Boards Summit in their conference center in the Boston Seaport. Nutter has been an incredible partner with us in every way. We appreciate all they’ve done [00:01:00] to support this podcast.

Our guest today is Gary Evee. Gary is a visionary entrepreneur, investor and cybersecurity leader dedicated to redefining how the world’s most influential people safeguard the digital lives. He is the founder and CEO of Aprivé, where he is pioneering the next frontier of personal cybersecurity with executive and lifestyle defense, a model that blends technology, concierge service and intelligence to protect executives, high net-worth individuals and families from the evolving digital threat landscape.

Raza: With more than 25 years of experience spanning technology, cybersecurity, and business transformation, Gary is known for his rare ability to bridge innovation and trust. Before founding [00:02:00] Aprivé, he served as an executive leader in IBM’s cybersecurity business unit helping Fortune 500 CEOs and global enterprises navigate emerging threats while scaling IBM security portfolio worldwide.

Joe: Gary serves as a board director of Aware Inc, a leading biometrics and identity authentication company, and as a trustee of Dedham Savings Bank and of Charlesbridge Bank. He is also a visiting fellow at the National Security Institute at George Mason University where he contributes to national discussions on cybersecurity policy and technology innovation. Gary, welcome. It’s great to have you today with us on On Boards.

Gary: Joe, Raza, it’s a pleasure to be here this afternoon. Thank you.

Joe: We talked a little in the intro about [00:03:00] your background. How did your background lead you to the point where you founded Aprivé?

Gary: Yeah, thanks. It’s been an interesting journey. It’s been a journey of 25-plus years. As I said, it’s hard for me to believe that I have been in the technology space for over 25 years. But over those 25 years, I’ve had an opportunity to do so many different things along the way, and I recall very vividly as an intern starting at Lotus and getting exposed to this early blooming industry and then being part of IBM through an acquisition where I had an opportunity to become part of this large conglomerate that had so many different pieces.

But one of the first things that I started working on and who knew that this would sort of transform my journey was a product called IBM Antivirus [00:04:00] and that product, back in probably the mid-1990s, again, I never envisioned where this would take me, but that was sort of my first actually exposure to the cybersecurity. It wasn’t even called cybersecurity back then. Quite frankly, I don’t think there was a name for it. 

Raza: I guess personal computer security or PC security.

Gary: That’s right, Raza. The solution on the market was to protect OS2 and Windows for those of you who remember OS2. There’s probably a lot of our audience who’s like, “Oh, what’s OS2?” But OS2 was the predecessor to Windows, but I had an opportunity to sort of work on that product early on. And then fast forward, IBM made a number of acquisitions, decided that they wanted to sort of consolidate all of the sort of disparate pieces into one business unit through a large acquisition that we made of a company called Q1 Labs that had a signature product called QRadar or SIEM and so I had the good fortune of working on [00:05:00] bringing these pieces together and helping to launch the IBM business unit.

So, fast forward, I’ve decided that I had this sort of this entrepreneurial spirit to go out and build my own business and that led me to an MSP business, and along the way, I saw this sort of reoccurring issue in the market that just wouldn’t go away, and this issue that kept on reoccurring was really around how enterprises continued to find themselves up in the crosshairs of bad actors. But most of the breaches that occurred was because of people, people were the number one reason for breaches occurring inside of organizations.

Joe: Hey, what do you mean by that when you say that?

Gary: Yeah. So, if you think about an organization today, most organizations, most breaches, they typically happen because someone received a phishing email, didn’t recognize [00:06:00] it was a phishing email, decide to click on that phishing email, and then, lo and behold, the bad actor is able to steal credentials and get a hold of the network or get a whole data or other things inside of the organization. So, these aren’t high tech in most cases or sort of brute force entries into corporate networks or organizations, these are really simple unsophisticated attacks, but they’re really sort of targeted at the individual.

When we looked at breaches and we did sort of these post-breach incident reviews, we often found that it was because someone inadvertently reused the same password, they clicked on a phishing email or they did something where they shared credentials across multiple individuals inside of the organization.

So, for us, we sort of looked at that and said, “Hey, wait a minute, you know, people, they continue to remain the [00:07:00] weakest link.” What we found was they oftentimes have no one thinking about how to protect them once they left the organization. So, once they left the organization, they go home to their private lives and there is absolutely no one thinking about how to protect those executives, their families, protect their home Wi -Fi, their personal devices, online accounts, or even from AI impersonation. So, they were left, quite frankly, with no one to support them. 

Joe: So, the enterprise may have excellent cybersecurity protection. Once someone leaves the organization, they are vulnerable. Are individuals also vulnerable when they’re part of the organization, but maybe they’re working from home, they’re working remotely, someplace as they travel. Is that also part of the problem?

Gary: Yeah, it is. It’s multifaceted. If you have someone that’s working from home, [00:08:00] we strongly encourage that every company should have policies in place for how those employees are enabled to access corporate resources. I think the COVID has certainly sort of encouraged more and more companies to move towards a hybrid model, but also, if you’re going to do that, it is important that you make sure that you have some of those controls in place.

But there are a number of companies again that find it very challenging to do so and so one of the things you assume is that when an employee is working from home, they’re working from a secured location where their home router is secure, and that’s not always the case. One of the things we see at Aprivé is that most individuals have yet to change the password that was issued when they brought in their router into their home. They are still using the default password on that router. Many of them have not even changed the operating [00:09:00] system, the firmware on that router. It’s still outdated. So, those are all things that could lead to exposure or risk for an organization.

Raza: You’ve made a really, really clear case that with mobile devices with home access to corporate information with AI impersonation, with proliferation of so many things, now the threat landscape to the individual once they step outside the corporate walls is much bigger, much multifaceted, and much complex, and that’s where Aprivé comes in. So, now describe the offering, or what does Aprivé do to solve that?

Gary: Thank you, Raza. So, Aprivé is a digital bodyguard. We’ve now seen that attack is the same. The softest point of entry right now, the softest target remains people, and so Aprivé as the digital bodyguard, when attackers come after you, not your company, we’re there. We watch [00:10:00] your digital life, we spot for trouble really early on, we step in before it can hurt you, so we’re looking at everything from your home network, is it secure? Your personal devices, is it secure? Is there anything online that potentially can be exploited, that could potentially create risk for you or your family? So, just like a physical bodyguard that anticipates threats that are out there and protects you and your family, we do that on the digital side.

Raza: It actually extends to the family because that is an indirect and even a softer way to get to the target for those. Gary, I saw the Aprivé product, i’m very, very impressed. You have about six key pillars and aspects that the product covers. Describe for our audience what those six things are.

 

Gary: We really start with the basics. We start with passwords, do you have a password manager? You’d be surprised at how many individuals continue to [00:11:00] use things like 12345. They may add an exclamation point, maybe a double exclamation point, and so those are one of the first things that bad actors look for. They look for credentials, and they know that number most are just simply reusing those over and over. It doesn’t matter if it’s a personal email, corporate email, bank accounts, social media account, and so password manager is one of the things that we actually put in place and work with our clients to ensure that they’re utilizing it effectively.

The other that we actually spend time on is a home network, and so you heard me mention the importance that having a strong security and hardening your home network. It’s very similar to your corporate network. There is lot of resources and time and investments that is made on protecting the corporate network.

The same thing should apply to your home network. You should ensure [00:12:00] that you’ve got strong passwords on the network, and so we’ve got a home network capability. Raza, you mentioned that we’ve got mobile devices now, and in some cases, we have individuals that have multiple mobile devices, so how do you make sure that you protect those mobile devices?

In addition to that, your online identity is also something that could be leveraged and utilized by a bad actor. So, one of the things that we do with our service is we’re looking to make sure that there’s nothing out there that could potentially be used to conduct or launch an attack on on you or your family.

Literally, I’m sitting here today with a prospective client and we’re going combing through their information and we can get into their Facebook accounts, family information or password. Like a lot of that stuff, it’s just readily available. A lot of our lives are readily available online, so we do that as well.

Then we’ve got a sort of our financial security component, which really looks for anything [00:13:00] that may be unusual that’s happening with respect to your bank accounts, and so we will go in and we will call those out for our clients.

Raza: Just for our audience, Gary, just to describe what you’re saying there, there are these digital data brokers, hundreds of them out there, that have dirt on you, meaning information about you that can be used to launch an attack, and part of your offering is to go clean that up by asking them to remove information, which by law we are allowed to and get your digital footprint reduced out in the world. I think that is a really, really great service.

Gary: Yeah, absolutely, and for $10, Raza, I can go out and buy information on you, and I can then use that information to conduct a very sophisticated or unsophisticated phishing attack on you, and so it’s not that expensive to [00:14:00] gather dirt on someone. I can pay someone 10 bucks to a student or intern, and this day and age, I can just ask AI or Facebook. 

Raza: Now, Gary, you originally mentioned that people are the weakest link, but for Aprivé specifically connected to high net worth individual, famous people and board members, why is this more important for those to be protected by the elite digital bodyguard that Aprivé provides?

Gary: Let me start with boards for a second. I think a lot of your audience here are board members. Even the best board portals assume that the person that’s logging on is legitimate. However, if I steal your credentials through a phishing malware, compromised personal device, the system doesn’t see me as an attacker, it sees me as a trusted user, and so now think about all this information that I’m able to gather [00:15:00] about your bank or your corporation, or user that could potentially lead to not only reputational damage, brand damage, but it also could have financial consequences, compliance consequences, regulatory consequences as well.

There are these regulatory and compliance consequences that also comes along with this for boards as well. So, boards typically have looked at this as a corporate IT or cybersecurity, whereas I think in this day and age, the problem is not simply about data compliance or systems, but it has to come back to people.

Joe: So, first of all, this is scaring me. I just want to say that, and it should scare virtually everyone that’s listening. But let me go back to what I think is a really important distinction between what you’re doing and maybe what others do, which is [00:16:00] finding the places outside of the actual enterprise that also need to be protected. Isn’t everyone doing that or is what Aprivé is doing either unusual or perhaps unique?

Gary: Yeah. So, thank you for that question, Joe. I would actually thought a lot more companies were doing this. There’d be a lot more offering this service. A lot more companies requiring or requesting this service. The answer is no. I think what we’ve generally seen since we’ve launched Aprivé is that there are a handful of companies that are out there who are doing bits and pieces of it, but no one’s looking at it holistically in a way that we’re looking at it.

There are a couple of things that for us that are non-negotiable. The first thing is, if we’re going to go protect an individual who leads an organization, we’re not going to do that with technology that’s less than what they have inside of the organization. [00:17:00] non-negotiable, right? There’s no CIO or CISO that would use consumer-grade protection to protect their systems and protect the data inside of those organizations. It doesn’t happen, right? Yet what we say is go buy a $10 a month solution and good luck.

For us, that is something that we have said, if we’re going to go out and we’re going to do this, we’re going to offer enterprise-grade solutions, which is why when we go out and we conduct these engagements and we deliver our services, everything that we use is something that would be used inside of a Fortune 500 company.

Joe: So, you actually will look at not only obviously the enterprise, but everyone within the enterprise and everyone like board members who has access to the information. It’s an all-inclusive search that you do to make sure that everyone that [00:18:00] could essentially represent a vulnerability is protected.

Gary: The answer is yes. Anyone that could potentially pose a vulnerability should be protected, and so that could be in a C-suite. In the C-suite, that could also pertain to your executive assistant. It could also pertain to your IT director. So, what we say is anyone that could potentially create risk for the organization should be covered by what we do.

Joe: So, if you have thousands of employees and a board and a number of people in senior management, all of that needs to be reviewed to see where the potential risks might be?

Gary: Yeah, absolutely, and so we say you should look at the entire organization. While we spend a lot of time to sort of focus on the high-value, high-profile individuals, the C-suite, we also tell organizations you should be thinking about how to protect your entire [00:19:00] organization and rank-and-file employees inside of that organization as well, so they are not exempt, I think, from what we do and what organizations should be doing to better protect their organization.

Raza: Joe, just to describe it, like the other alternate is DIY, do it yourself.

Joe: That’s a very, very sophisticated approach.

Raza: That is a very, very sophisticated alternate and the default. 

And of course the human complacency and laziness dictates that that method does not work.

Joe: Or people don’t really know what they’re doing. Let’s face it, most people probably maybe aware of the issue, but would not be aware of exactly what they need to do to protect themselves or the company or organization with which they’re working.

Gary: Joe, you’re a hundred percent correct, and that’s what we hear from our clients. So, our clients come to us because they say, “We know we should be doing something, but I don’t know where to start. If I look at what’s out there, I don’t know whether [00:20:00] or not I should procure this product, that product, this service, that service.”

They simply just don’t know where to begin, and then we look at, do I have the skills? So, Raza talked about do it yourselves, a lot of them don’t have the skills to figure out how to implement it, and then you’re not going to monitor it 24 by 7. Next time they may even look at it is when the subscription comes due. So, just the skills required to deploy deploy and to maintain it is not something that they readily have, and I think the other part of it is, the threat landscape is always changing. You’re now dealing with things like AI that is becoming more and more sophisticated.

We hear from our clients, “What are you doing around impersonation, because there is this great fear with AI now able to take my voice and take my likeness, my image from things that are available online and use it to conduct things like wire fraud [00:21:00] and other types of malicious activities?”

Raza: I was reminded of those famous high-profile incidences myself and thinking about that. Some of us may remember. It’s a little older, but John Podesta’s Democratic National Party’s emails got hacked with this method and there are countless other corporate examples in the corporate world as well. This AI impersonation reminded me that just before AI was hot, I heard that they were going to use my voice as verification when I call into a customer service call, I know that is going to be very short lived.

Gary: Raza, I called the bank recently and they asked me whether or not I would like to use my voice for my account. I politely said, “Yikes.” 

Joe: Bad idea. What if someone is a part of a company that doesn’t have protection? Do you actually work with individuals or [00:22:00] is it mainly enterprise related?

Gary: No. We work quite a bit with individuals, and we have a lot of high net-worth, high-value individuals, folks that we deal with high-value individuals that have come to us, so they run large family offices. They’re individuals who are sports figures. There are individuals who just have by share, they do a ton of giving in their communities, and so they’ve got high visibility within their communities, and so those individuals have come to us because in some cases, they’ve become victim of a cyber extortion or victim of cyber fraud and so our services have been something that they have been able to lean on.

Joe: So, one solution, rather than waiting for ransom to become a factor is to hire you.

Gary: Yeah. Joe, you’re hitting on one of the things that I think customers love about our service it’s we’re proactive and so instead of sort of waiting, it’s kind of like making sure that [00:23:00] you’re doing your annual checkups to your doctor, being proactive, going to the gym, eating well and doing all those things. What we do is very proactive. We’re not reactionary, and so what really our clients and those who are thinking about this to do is to not wait until there is a problem, but to engage early and to put the right measures in place to protect themselves and their families.

Joe: If an enterprise has hired your company to cover senior employees, whatever, the whole ecosystem that might actually lead to trouble and somehow they get in anyway and there is some kind of situation that has to be handled. What involvement does your company have?

Gary: So, we do have incident response. I’ll give you a good example, Joe. I don’t need to make it up and give you an example of something that just happened last week. We had a client of ours who was getting ready for a presentation. In the midst of getting ready [00:24:00] for the presentation, she wanted to order something off of Staples. She thought she was going to the staples.com site, landed on a site that had malicious malware on it and so she clicked, and before she knew it, this thing was looking to take over her machine, and in a haste, she unplugged everything and called us.

Joe and Raza, that was the day of us launching and going public. This is on Wednesday afternoon, and so, lo and behold, what we were able to do was quickly jump on with her and we were able to, utilizing the tools that we had in place, quickly identify the issue, remove it and restore her PC to full health, and she is super thankful. We asked how the presentation went, she said, “Could not thank you enough. It was outstanding.” And she has given us permission to be a client testimonial for our service.

Raza: Gary, these [00:25:00] important high profile and public figure people are busy. Even if they know how to do all the security themselves, they don’t have the time. So, really talk about the concierge and white glove model that Aprivé provides. How long does it take for me to be fully secured?

Gary: Thank you for that question. Yes, we offer a white glove concierge service. For that reason, we do recognize that these are folks where time is of the essence. They do not have the expertise and they just simply want to hand it off to someone with the expertise and can quickly guide him through it.

We can onboard a client within a matter of 30 minutes. We have brought that down consistently and we’re looking to go from 30 minutes to hopefully less than 10 minutes here, but you can actually be fully onboarded with our service inside of 30 minutes. 

Raza: Then the onboarding is one part of it, I think you alluded a little bit. What is the [00:26:00] 24/7 monitoring protection, that part of your concierge service?

Gary: We have agents that we will deploy that will continuously look at your devices to make sure that there is nothing malicious, identify risk, and then quickly work to remediate those risks. If there is risk that is discovered, it will send us an alert and then we will then intervene on your behalf. We don’t ask our clients to do anything. It will notify us and it is incumbent upon us to then respond and address that risk that was discovered.

Raza: Are you basically providing this as one yearly price service subscription?

Gary: It is provided as an annual subscription for our clients, and typically for our clients, our service is roughly about $5,000 per year, so somewhere between $4,200 [00:27:00] to $5,000 per year and so it is a SaaS-based subscription model.

Joe: Gary, if an enterprise client has hired you and you’ve fully installed everything that needs to be done, and despite all your efforts, so the efforts of your company, a bad actor does get in and holds them ransom to get their information back. What is your response and to what extent do you insure against that?

Gary: Yeah, so we do have an insurance provider that we will use to actually provide insurance to the individual. Our insurance policy is over a million dollars, depending upon what level of liability that they’re looking for, and so that’s available at the individual level, and then companies carry their own liability inside of their organization. But at the individual level, we do have insurance that will cover an individual up to about a million dollars worth.

Joe: Great.

Raza: Gary, maybe one other thing to talk about, [00:28:00] talk about the Aware B oard. What is that organization? Talk about Aware and the organization.

Gary: I have the great fortune of sitting on the board of Aware and just recently had become chair of the board for Aware. But Aware is a biometrics company? It’s sort of primary service is around biometric identification.

What we want to know is you are who you say you are, and we use that through biometrics, and so if you think about if you’re going through the airport, as an example, there is a biometric scan you can use your face recognition, in some places, they use fingerprint verification, but what we want to know is through biometrics. Is Joe who he says he is? Is Raza who he says he is, and still we do that using biometrics capabilities.

Joe: Fantastic. Hey, Gary, it’s been a great conversation. Thank you so much for joining us today on On Boards.

Gary: Joe and Raza, thank you. Can’t thank you enough. This has [00:29:00] been a fantastic conversation. Thank you for allowing me the opportunity to talk a little bit about Aprivé and what we’re building here at Aprivé. We’re really excited about it. We think that we are in a phenomenal, phenomenal space. We’re really looking forward to 2026 and what’s ahead for our company.

Joe: Thank you all for listening to On Boards with our guest, Gary Evee.

Raza: Please visit our website at OnBoardsPodcast.com. That’s OnBoardsPodcast.com. We’d love to hear your comments, suggestions, and feedback. If you’re not already a subscriber, please be sure to subscribe to Apple Podcast, Spotify, or wherever you get your podcast. Remember to leave us a five-star reviews.

Joe: And please tune in for the next episode of On Boards. Thanks.