LIVE from SecureWorld Denver: Radical Transparency - Closing Keynote

S3 E9 · Bare Knuckles and Brass Tacks

Recorded LIVE: The Bare Knuckles and Brass Tacks closing keynote at SecureWorld Denver!

Titled, "Radical Transparency," George K and George A took on the holy trinity in cyber: people, process, and technology. 

For each part they break down where we need radical transparency to build trust, on both the buying and selling sides of the industry.

They also ask something new of the audience...

Transcript

Introduction and Keynote Speakers

00:00:06
Speaker
I hope everyone has enjoyed the day, has had some great conversations, met some new faces. Wanted to thank you all for being here. I appreciate it. SecureWorld appreciates it. Thank you to our leaders who have helped us put this event on. Thank you to our sponsors, our associations. We couldn't do without you. We have a fantastic closing keynote coming up. I'm excited to bring up these two people who are go-getters. They're here to change the game in cybersecurity. Help me welcome George Al-Koura and George Kamide with Bare Knuckles and Brass Tacks.

Podcast Introduction and Keynote Theme

00:00:35
Speaker
All right, Denver. Thank you for having us. We'll start out with the basics. I'm George K. with the vendor side. And I'm George A., a chief information security officer. Together, we are Bare Knuckles and Brass Tacks, a cybersecurity podcast that tackles all the messy human bits inside cyber, buying, selling, trust, respect, and all the rest. And we are very pleased to be here. We're talking about radical transparency today.
00:01:01
Speaker
It is a talk based upon literally hundreds of hours of interviews with every kind of person in the cybersecurity ecosystem: buyers, sellers, founders, VCs, CROs, entry-level practitioners, CISOs, and all points beyond.
00:01:17
Speaker
It is going to be weird. It's going to get loud. I'm going to take you to places that you haven't been before, but we're on this journey together and it's going to be fun. It's a treat for us to be here because as podcasters, we're usually stuck behind the mic with our guests and we just sort of release it into the wild, cross your fingers, react.
00:01:34
Speaker
But we have you here. So as the captive audience, you will become part of this show as well.

Icebreaker and Conference Fatigue

00:01:40
Speaker
So I'm going to start with a little bit of an icebreaker and then we're going to get started. You've got conference brain on, which means you've been in talks all day. You have heavy carbs in your stomach. You got glass in your hand. Thinking may not be as clear. Has anyone seen the movie Inside Out? Raise your hand. All right, so the best part is being able to zoom in and see what people are thinking. I cannot see what you are thinking because of the conference fog, so we're gonna break through it just a little bit. I want you, so there's joy, disgust, anger, I'm missing one, sadness.
00:02:13
Speaker
I want you to just shout out what you're feeling when you hear the following phrase as if it were part of this

Transparency in Sales and Relationships

00:02:20
Speaker
keynote. So pretend we didn't come out here and do this intro. Instead, I came out here and said, in the ever-evolving world of cybersecurity, what would you be feeling? Just love it. Yes! scott What if I came out and I said, AI is changing everything. That wasn't one of the emotions.
00:02:42
Speaker
All right, well, this ain't that. So we're gonna talk about radical transparency and we have in our sights the holy trinity of cyber security, people, process, and technology. So we'll start with people and I'll start with a story. So three Black Hats ago I was on the vendor marketing side and sales team wasn't getting it done. We had this big expensive event that we were trying to fill and I had some relationships on LinkedIn just from
00:03:13
Speaker
casually doing the things that you do on LinkedIn, liking, commenting, posting, whatever, and I invited this guy, Cole, you're going to Black Hat? What are you doing here? And he said, yeah, that's cool. All right, I'll do it. And then didn't think anything of it. And then sure enough, he showed up. And we had what is probably the shortest and most transparent sales interaction ever.
00:03:37
Speaker
which is like, hey, man, just send me some shit. I'll give it to the team. We'll take a look at it. But you're cool. We should hang out. That was it. We acknowledged the dance. That's what we called it. We acknowledged the dance between the vendor and the buyer. And for that, the relationship was stronger. So that's where we're going to start. We're going to start with people. And we're going to shine the first transparency spotlight, the first notion of radical transparency on relationships.
00:04:05
Speaker
Yeah, so first of all, just the context of George's story on the other side of it, let's not forget the groundwork that George laid as a seller. He had been engaging with me on LinkedIn, passively commenting on some of the similar things that I've been commenting on, and providing really good engagement at that. Not stupid comments, and for God's sakes, not GPT-made comments. Everyone knows it's fake. Just don't do it.
00:04:27
Speaker
But he was engaging with me. So when he sent me the invite to the event, I wanted to make a point of coming to his event. Because I like the guy. He seemed cool. It was the end of the day. I was exhausted. I had been working the floor with my CIO and my SOC manager. We had a bunch of problems we were trying to solve for. It had been a really long day. And really, I almost forgot to go to the event, to be honest with you. And I was like, oh, I gotta rush to get to this thing. And I got there with five minutes left to go. Right? That's how close to the wire it was.
00:04:57
Speaker
And I think just out of sheer exhaustion and just not wanting to play into this shit anymore. And I don't know about you guys, especially if you're, if you're CISOs, if you're practitioners, if you're in senior leadership positions, when you've had a long day and you have to have that conversation, fuck the dance, dude. Like here, give me your collateral, give me what you guys do. I'll send it to my team. If they like you, we'll bring in for a demo and go from there. If not, let's just have a drink, call it a day. Five minutes or less.
00:05:26
Speaker
But then that spun into a relationship that lasted three years plus, and we are here. All that is to say, we have to think about how we develop our human relationships, and particularly from hiring to promotion. It has to be an intentional process. How we select, how we develop, and how we promote our personnel is going to be the biggest critical factor to determine their success as individual professionals,
00:05:54
Speaker
as well as our success as organizations trying to employ them. You really have to put a level of effort and care into thinking about the individual desires of those persons. Right? So the way I kind of run things with my team,
00:06:11
Speaker
I'm really all about benchmarking and setting attainable goals that have real rewards. Right? If we achieve certain projects, if we make certain deployments or implement certain things correctly, and a certain amount of time has passed,
00:06:26
Speaker
And you know, they might get a certification or two, something they really want. I don't ask my team to get certs. Between you and I, I think certs are kind of a waste of time, but we all have to do it because RFPs and blah, blah, blah, so like whatever. But I don't care about certs. I care about skills, right? So if they want to get a cert, cool. That's your benchmark. That's your goal. Let's say they achieve it. You know what I do? I promote them. And if I can't promote them, I give them a raise because they earned it.
00:06:55
Speaker
The thing is about the carrot. You can dangle a carrot, but if you keep pulling it back when it's time for people to actually collect, they're going to leave. And they're going to hate you. They're going to hate your organization. That's not a good experience. If you create an environment where people are willing to be vulnerable and share their goals and share their ambitions and share their passions, and you as their leader,
00:07:20
Speaker
are trying your best to enable that while meeting your own KPIs and your own team KPIs, you are developing teams and personnel for success.

Employee Growth and Leadership Principles

00:07:31
Speaker
Yeah, so who here has applied for a job in the last, I don't know, 30 days, three days, seven days? Anyway, who has gotten no reply? Who has gotten rejected within three days? How about an hour?
00:07:51
Speaker
All right, so we all know the pain of the applicant tracking system, the ATS. I don't know if anyone saw this news, but an entire HR team got fired essentially for a typo because they had automated the hiring process. So the manager that was trying to hire a developer who was proficient in Angular, the development language, kept going back to HR and they're like, we don't have any candidates. He's like, in three months, why don't we have any candidates?
00:08:17
Speaker
And so he did a test where he created a new email and put his own CV in and got rejected immediately. So he checked the criteria and the team had written AngularJS, which is a discontinued JavaScript language.
00:08:34
Speaker
Two fucking letters had robbed that organization of the human talent that it needed to grow, to proceed, right? So when we think about relationships, when we think about people, that is a need where we need to be more transparent in our interactions and not so reliant on rigid tooling, AI, blah, blah, blah, that is not valuing those relationships.
00:09:03
Speaker
Yeah, so really what we're talking about, if we're gonna talk about radical transparency, we also have to talk about radical ownership. So if you are a manager of personnel, whether you are a security practitioner or even on the sales side,
00:09:16
Speaker
More specifically, though, for practitioners, you have to own your recruitment process. I'll tell you right now, I don't rely on recruiters. I don't rely on recruiters. I don't rely on LinkedIn for applications. It's not to say I don't post jobs. I do post a job when it comes up because I want people to know about it. But I rely on my network and I rely on developing my own talent.
00:09:39
Speaker
So as a leader, you should be investing yourself in the community and mentoring students, mentoring people who are younger in their career, and building solid relationships with them. And I'll tell you what the exchange is, right? Because you're giving a lot. You're giving your time, your energy, your passion to these individuals, try to make them better, seemingly for nothing to them, right? Wrong.
00:10:03
Speaker
What you should be developing are personnel that you potentially could see yourself hiring sometime down the road. Your coaching should be to build them up into the resource that you need them to be. Because if you're a good leader, and I think we're all good leaders in this room, if they can be a good resource for you, they can also be a good resource for someone else. So the advice is still good.
00:10:26
Speaker
But you then have a pool. You have a pool and a network and folks who like you, folks who answer your call. And depending on their employment situation, when your opportunity comes up, your call is just the one that they're looking for. That level of ownership in your operation and your personal development, that is what's going to give you that sort of advantage in sort of creating the pipeline that you need so you're always having staff available.
00:10:56
Speaker
Realistically speaking, you have to think about end to end, what is the point of the relationship, right? You have to look at, is it going to be a short term or long term hire? What is the intent? What is the point? And if they're there for the long term, if you want to make them part of the long term team, they're not just there for a project, how are you going to develop them? Can you work with them to build a one, three, five year plan? Of course, you know, they might leave after two years, they might leave after six months.
00:11:26
Speaker
But that's not your job. Your job is to enable them for as much success as you can while they are under your employ. That's it. But the relationship, the investment in the relationship is the benefit and the value to your team and your ability to staff it with good personnel that believe in you and that will follow your leadership.
00:11:48
Speaker
And science backs it up. Anita Woolley, who is an organizational psychology professor at Carnegie Mellon, did a study. They recruited a whole bunch of people to work on a counter-terrorism case study that they had and had solved. I mean, it was a case from the intelligence community. They had a ground truth. They had a whole bunch of experts, and they had a whole bunch of non-experts. And the non-experts outperformed every expert through that ground truth exercise through one strategy change:
00:12:20
Speaker
They were given the opportunity to plan ahead of time, which was to determine who had the relationship to what part of the case. What was the responsibility? What was the accountability? How are they going to communicate? And basically by doing that, they had established trust.
00:12:36
Speaker
And from there, they saw further and further performance gains. And the science backs up that performance as a team is what builds that cohesion. Not at the beginning of the day when they try to get you to do the trust exercise that literally no one ever wants to do.
00:12:51
Speaker
I have never been through a trust exercise and been like, I do trust these people now with my profession, with my career. That doesn't start at the top. It starts from within, and it starts by valuing those relationships among your coworkers. Performance comes from investment in the relationship. And let's talk about performance for a sec, right? So I don't know about you guys and your backgrounds, because cyber is wonderfully a diverse field from people's backgrounds within that point of view.
00:13:19
Speaker
I have a non-traditional background. I don't have a STEM degree. Really, I have a dual major in politics and psych. How did I end up here? Right? But the fact is that everything I've done in my life, you know, if you know me at all personally, I've been a competitive athlete in one thing or another since I've been seven years old. Right? I've been on all high level teams, generally in like contact sports like football, wrestling, rugby, Muay Thai boxing, that's my jam.
00:13:51
Speaker
But I've also been a coach in those environments as well. So I kind of understand high performance coaching. And when I thought about myself as a leader within a business organization, what I noticed was that the same principles that made me a successful coach when I get those opportunities are the same principles that make you a successful manager and leader of people. You are leading a high performance team. I have my team trained on a couple of different mantras.
00:14:20
Speaker
First thing is, and this is day one when I arrived in September 2021, and full disclosure, I'm the CISO of RubyLife, AKA I'm the CISO of Ashley Madison.

Vision and Motivation in Cybersecurity Teams

00:14:30
Speaker
I rebuilt security there. I had to build up the morale and the pride in the work and the organization of a team that had been pretty beaten up for a long time.
00:14:42
Speaker
When I came in, I said, we will achieve world-class security. That's our standard. That's our mission vision statement. World-class security. And it's how I start every single annual briefing to my board. Ruby security, in quotes, world-class security.
00:15:03
Speaker
When that bar is raised, people have something to believe in that's bigger than themselves. They have an aspirational goal. It's tangible. World class means meeting industry standards, means meeting NIST standards, means meeting our compliance standards. Believe it or not, I achieved cyber insurance for us. If you know how hard it is to achieve cyber insurance, considering we're the organization with that breach, it's a pretty big deal.
00:15:33
Speaker
It all comes down to giving your people something to believe in and you believing in them and treating them like they're the stars because they are.
00:15:44
Speaker
If you're a senior leader, in the rare case, you know when I'm lucky, when I either have time to do it sometimes, or if I really need to because you know we're scrambling and I go back into analyst mode, I don't get to chase bad guys anymore.

Cross-Training and Team Engagement

00:16:00
Speaker
I don't get to build code. I don't get to do the fun things. My job is to run P&L, budget, determine software. But my guys, they're the stars. And I have to treat them like stars. And they've got to feel like stars.
00:16:15
Speaker
And that's what I do. Every single person on my team, from the team leads down to the bottom level analysts, I tell them, you guys could be the best in the world at what you do. Let's take the opportunity to be the best in the world at what we can do. Now, tech has had some tough years lately. A lot of layoffs, a lot of cutbacks. Unfortunately, I've been, you know, kind of victim to that too.
00:16:39
Speaker
I've had to cut pretty much 40% of my team in the last year and a half, which is a very difficult situation to deal with, right? It's hard to maintain morale in that kind of situation. So in my mind, I thought, OK, what's the lesson here? Well, I was in the Canadian Army for a long time, and we kind of don't really have a lot of people, but we still got to do the same thing you guys do because we're your allies. So in the Canadian Army, we cross train. We cross train on everything. You know, there's no riflemen in the Canadian Army. We're all riflemen.
00:17:09
Speaker
There are no signalers, and well, there are signalers, there are dedicated signalers, but everyone has to know how to use the radio. Everyone has to know how to drive the car. Everyone has to know how to maintain the trucks. Right? It's not just singular jobs. Like, you guys are cool. In the American Army, it's like you're a lug nut guy, you're a lug nut guy for four years, then you get to be wheel guy after like two years. It's cool, right? But in our forces, we have to cross train. So I was like, cool. I have a situation where I have to keep people bought in,
00:17:37
Speaker
And I have to meet all these different things that we were doing with the bigger team, but with a smaller roster. So I put it to my team and said, hey, you guys know the situation. This shit sucks. It's rough right now. What can you guys do that's outside of your primary wheelhouse? So I got everyone cross training on a different function. So I have my SOC guys working on either AppSec or security architecture.
00:18:02
Speaker
My AppSec guys are cross training on SOC skills. My architecture guys are helping out with trust and safety. My trust and safety guy is actually becoming a data analyst and managing our data breaks. Everyone has taken on a whole new skill set this year on top of their normal one. And guess what? We're still maintaining service delivery. We're still maintaining standard, even though our team's been cut by 40%.
00:18:25
Speaker
And everyone is super engaged because the challenges they're getting are exciting. No one day is the same as the next. And they're always engaged. There's always challenges. There's always projects. No one's bored. I don't like being bored. I don't want my guys to be bored. That's the whole thing. The cross training is equally part of a high performance coach's mindset.
00:18:50
Speaker
Yeah, pro tip, cross training is also, this is the only time, maybe the only time I'm gonna say it, is going to make you more resilient to the disruption that comes with AI. That's it, no, this is the only time I'm gonna say it. So, you know, raise your hand if you have a threat intelligence team.
00:19:08
Speaker
If you got a SOC, you got GRC, you got these, what does that sound like? To me, it sounds like human specialization, which makes perfect sense because that is how human teams have been architected since time immemorial. You are very good at that. Continue to do that. You know, it's very good at narrow specialization.
00:19:26
Speaker
Machine learning, right? So when you start to ask security leaders, okay, well what happens when you can ingest much more information, analyze it much faster, and what's gonna happen? Like if you could threat model in two minutes what takes your team two weeks right now, what will you do with that information? It will run into a bottleneck made of human meat.
00:19:50
Speaker
because the team is architected along narrow specialization. And so when we think about this larger picture of relationships and the people and people, process, and technology, investing in our people is also investing in their future into a future that we have not yet architected, but is coming regardless.

Radical Transparency and Industry Standards

00:20:09
Speaker
So that wraps up the people portion of the presentation and we're gonna try something new. So this is where you gotta wake up.
00:20:17
Speaker
Whoa, everyone stand up. Stand up, everyone stand up. That sounds better on audio, did you know that? Yeah, stand up. All right. You don't have to stand the whole time. All right. Let's go. So at the end of every section, I'm going to say what we need radical transparency on. Right. So when we think about and I'm going to point to you and I just want you to shout the words radical transparency because you're going to manifest this shit. All right. So when we are now looking at our people, what do we need?
00:20:52
Speaker
Yes, so weak sauce. Let's try it again. When we think about our people, we need radical transparency. All right, we're not a megachurch. Sit down. All right.
00:21:18
Speaker
So I got a story for you guys. So if you guys listen to our show at all, you guys know I am very much all about shitting on bad sales, shitting on bad account management relationships and all that. But the flip side of that is the sellers I do have, I have very, very close and good relationships with.
00:21:41
Speaker
In fact, they are my main partners. They're my enablers of success. And I carry them across all my employers. I've had the same general stack at every shop I've worked at with generally the same teams, the same group of people. Those year over year relationships, they carry over. So this is the story. I am a big RF customer, Recorded Future. It's a great tool. I love it. If you guys ever know anything about threat intelligence, you guys know what it is.
00:22:12
Speaker
I'm going up for renewal last year. This is a true story. So I'm meeting up with my guy in Toronto and he invites me to this like American Thanksgiving football watch party. He's always like, cool, all right, that's awesome, it'll be fun. We're there and really we're just having a good time. We weren't there to talk about business. It was just one of those, hey, I'm having an event. You're one of my main customers, come on out. But we both knew that renewal was coming. We had to come up with terms in like six weeks.
00:22:39
Speaker
So at one point, and I've got to be honest with you, we had two, three, maybe 12 pops. So things were kind of sloppy. And at one point, I looked at my guy. His name was Will. And my staggering state, I was like, Will, Will, could we talk about the shop for like two minutes? And Will, who's seeing like three of me at this time, I was like, Will, just look in the middle. Look at the one in the middle.
00:23:06
Speaker
And so he's like, all right. And I said, Will, listen, man, I talked to my boss. I can't do 7% year over year. Like, I can't do that inflation rate, man. Is there any way that you can, like, meet me halfway on this? Will was like, man. And I think this might have been he was just a little bit, you know, inebriated, and he was a little bit too loose with it. But he's like, man, I'll drop the inflation altogether. Don't worry about it.
00:23:31
Speaker
But I also knew the pressure that Will is under from his bosses, because we had sober conversations about it. Because the last time we had dinner, he actually talked about what he was facing in his organization. And he opened up and was vulnerable to me, just like I am to him about the problems I have. So knowing that, I said, no, no, no, look, why don't we do 3% on inflation this year? We'll figure out the terms on year two, year three, but I'll give you the 3% this year. Just get your boss off your ass.
00:23:59
Speaker
And with that, in less than three minutes, $150,000 renewal was signed. Right? And that's all it took. We had cheers about it and kept on drinking.
00:24:11
Speaker
It's the power of the relationship, though. That's the part. So we're shining a light on transactions now. So radical transparency when it comes to transactions also. So he has it easy because he is the buyer so he can just like blast. So I have it harder on the vendor side because if I bad map the thesis and they stop buying. So but here is where the radical transparency comes in because on our podcast we say the quiet part loud.
00:24:37
Speaker
Are you continuing to go to the vendor events, kicking the tires, eating the steak, drinking the whiskey, doing the whatever, and you're not really in the market to buy?
00:24:50
Speaker
Right, we call them on various names, tire kickers, plate lickers. Are you a bad faith buyer? So that's where we need radical transparency. It's fine. I can't buy this quarter, cool. The reason we need that radical transparency is because if you value the relationship with your seller, what you're trying to do is protect them from the nine second most feared words in sales.
00:25:16
Speaker
Let's open Salesforce and see where you're at. They need to know you're not buying this quarter. They can move you in the forecast, get the heat off, and then you can stop complaining about the outreach. But if you don't let them know their boss is on them,
00:25:33
Speaker
Email them, call them, get an answer. So you can't have it both ways. You can't entertain or avail yourself of the entertainment and not be transparent about your needs, your budget, and when you can buy, if you are going to buy. That would also be helpful. Can't buy this year. Cool. Do you need education? We'll continue to do that, but please and thank you, don't put any more on the tab. Right?
00:25:56
Speaker
I think the important thing too is to look at what are your actual, as a seller, because I'm looking at this as the buyer and I'm trying to look at what you're trying to do here. Are you driven by growth or are you motivated by a good product? I can tell the difference when I'm talking to someone if they're facing quota stress or if they're talking to me and they're just willing to talk about a really good product or service they have. Because that quota stress, and, you know, I mean, I work in the dating space.
00:26:26
Speaker
Right? Generally, people can tell when someone's really thirsty, and that's not too hot, is it? Right? No, it's not that hot. Right? And sales is the same thing. If you're really desperate as a seller, I kind of want nothing to do with you. Right? But if you're relaxed and you're speaking to me like a human being, and you know what's going on, then, you know, we have an opportunity to work together. And if we're going to work together, sales cycles in cyber last anywhere from three to 12 months. So that's going to be your relationship. Sal up. But the important thing is you got to be my partner. All right. Let's say you convince me to buy. I like your shit. I like you. Let's make it work. I now have to convince a whole bunch of stakeholders on my hand
00:27:14
Speaker
that this is the purchase we need to make. I have to win over stakeholders. I have to win over a board. I have to win over a CFO. I have to win a business case and a POC. And by I, I mean we, because it's your POC. Here's the important thing, though. Right? As long as you become partners with your sellers, then you can actually achieve good things. And in that partnership process, as you're trying to close the deal on engagement,
00:27:44
Speaker
You are setting yourself up, or you should be, for a good relationship throughout the entire duration of contract and going into renewal. You lay the groundwork for your relationship as you're going through the sales engagement. If you are honest with each other, if you're transparent with each other, if you're good to each other, if you're kind to each other, look, I have to say it.
00:28:09
Speaker
because we have reached a point where people are so flooded with information and outreach, I think we've lost a sense of kindness and humanity in how we interact with each other, and it has destroyed the quality of the interactions. So if you are actually willing to demonstrate kindness in your communications with your sellers or your prospects, genuine kindness, it's going to be reciprocated.
00:28:35
Speaker
Right? And if you guys have that partnership and it's there, let me give you this piece of advice. I swear to God, every seller in the room, please listen, take this back to your CRO. If you are running a POC with me or any CISO, for the love of God, please tell your BDRs not to contact me. Don't fucking try to pitch cold open to an organization you're already POCing.
00:29:05
Speaker
Because as a buyer, when I see that, I'm like, oh, in this organization, the left hand doesn't talk to the right hand. I'm not going to trust them with my data. I'm not going to trust them with my business. Automatic fail. Yeah. Speaking of automatic, automation is where that gets all a little sticky.

Impact of Automation on Sales Relationships

00:29:23
Speaker
Automation is what is alienating that sales process. This week, our poor colleagues in Florida were facing what Richard Byrd earlier referred to as a cataclysmic shitstorm. And I don't know if you saw it, but a number of people came to LinkedIn and said, can you please stop trying to sell to me? I'm busy boarding up my house.
00:29:48
Speaker
I promise you that it was not their intention to be that annoying at that time, but there was some workflow running in the background and a lack of awareness of maybe these people are so worried about their survival, this is not the best time to reach out about, insert whatever widget you want here.
00:30:07
Speaker
Right? And so that's where automation is a decimation of the relationship and obfuscates those transactions and sort of reduces them to the ick.
00:30:19
Speaker
Right, so say with me, when it comes to transactions, we need radical transparency. Yes. There we go. So now that we are through people process, we are now talking about buying the technology. I have a friend who has a very successful boutique cyber consultancy. They're very good at the process and the people part. Shout out to Reveal Risk. He's telling me a story of a client that had suffered a breach despite, and I repeat,
00:30:52
Speaker
despite having three EDR tools, which is like the Swiss cheese model, I guess, but then you left the cheese outside and you forgot about it because one of those EDRs did catch the malware and sent it promptly to an inbox that nobody was monitoring. So you have a lot of tech.
00:31:16
Speaker
and no process and no people, and it's not gonna go. So we are gonna shine a light here on the culture, I'm a cultural anthropologist by training, the culture of what I would call techno-solutionism, right? We're just gonna tech our way through the problem, and maybe much to the chagrin of some of the vendors, that's not going to get us to where we need to be in terms of securing our data. Yeah, let me tell you guys a story. So I have another one of my favorite suppliers.
00:31:47
Speaker
We'll just say they're a very large supplier that maybe does DNS for like 25% of the internet. You guys can probably figure it out. So when I was starting that relationship with them, I kind of inherited like the initial perimeter kind of security offering from them. And my predecessor had bought that.
00:32:08
Speaker
Then we started to look at some different issues. And we were trying to solve some different problems. And, you know, we knew their tech stack. And the difference was, at the time, we had an account rep who was absolutely a brilliant guy. This guy, every time he talked to you,
00:32:25
Speaker
He always delivered value. So if we had a question about something within the tooling or configurations, he had the answer. But in every single email, in every single phone call and interaction, he always tried to pitch another product that was specifically valuable for us. He knew what our problems were. And he knew where his tech stack could help us. And he kind of had it on a script. He knew to bring up things at a certain time. So we always knew kind of like roadmap, OK, if we want to solve these problems,
00:32:55
Speaker
these guys might be the ones to go for. And if you know anything about, you know, vendor management, it's a lot easier to work with a larger OEM that has a diverse catalog because we've already done the vendor review process. So I don't have to go through that whole shit and seeing if you guys are like SOC 2, Type 2, ISO, and all that stuff. We can just go straight into the business. And that's what happened.
00:33:22
Speaker
Little by little, product by product, you know, we went from a zero trust firewall, then we bought their bot management solution, then we brought some egress IPs because we had some folks working in Europe, and then we kept looking at some other solutions that we were buying from them and it's still continuing to this day. We are continuing the, quote unquote, land and expand of this organization within our shop.
00:33:49
Speaker
and it is completely symbiotic, it's completely happy, nothing feels forced. What does that tell you? The relationship is everything. The relationship, however, was married with the process. So we got the technology because we needed to update our business processes around that technology.
00:34:11
Speaker
If we have a need, and this is a mid-size shop problem. So I mean, a lot of larger enterprises maybe don't think with this level of nuance because they don't have to. But for us, we're very, very concerned about every dollar we spend. So the process behind why we're buying a tool and why we're implementing it has to almost be baked in and built before we even buy the thing. Because when we go into POC, we have to see if it actually works within our business process.
00:34:38
Speaker
We do not have tools that we purchase and just sit on the shelf. My CFO and my board would not have that. So we have to get optimization out of every purchase we make. That means every process we have when we buy a new tool has to be updated to utilize that tool.
00:34:59
Speaker
This is where the training of people on new software, on new tools, the building of processes, and the acquisition of new technology comes together when you have a trust-based relationship between vendor and buyer.
00:35:16
Speaker
And I think for the vendors, this is something new, especially if you're selling SaaS out there, you think I am selling software, the SOW is signed, job done. It is now at the stage where there is so much tooling out there that if you are going to sell and you are going to continue that relationship, we are out of the heady, frothy days of 0% interest rates, so you can't, as a startup,
00:35:38
Speaker
think that you're just going to like churn logos and burn logos. It's okay, I'm just going to get more new logos to replace the ones that we messed up before. You're selling software, and then you are in the relationship. And when you're in that relationship, from that vendor side, you need to start thinking about how do we coach through process. Because it's one thing to sell the technology and do the standard like onboarding process, three days, two weeks, whatever. You're done. Now it's yours. And I back off and hand you to customer success, which is really a sales function, which is just tracking you for the renewal.
00:36:10
Speaker
That relationship has to be continuous. And that is how you learn more about the business, how they're utilizing the tool. They may also, from a marketing standpoint, be using it in ways that it was not intended in getting a different utility out that we now can go to market with. But you will not know that unless you have that transparency in that process and understand the culture inside that organization. Right? So this is the other half of that radical transparency. And I know people, process, and technology is like an interesting heuristic, but of course none of them exist independently of the other. Right? I think you've heard it throughout here, the word relationship and transparency, because the relationship touches every part of that holy trinity. And I'll say this in closing.

Kindness and Ethics in Cybersecurity

00:36:56
Speaker
Right, stop trying to take advantage of one another. And that's kind of a big part of the toxicity of, you know, the business that we're in and the lot of vendor-client relationships that are around now, is there are seemingly a lot of folks because they're under massive pressure for growth, massive pressure for quota for ROI, and practitioners are under massive pressure to solve problems at as little a cost as possible.
00:37:25
Speaker
We are forced, or we can be forced, to be in this game where we're trying to take advantage of each other, we're playing these chess matches with each other to try to drop the price and get the most value out of the purchase possible. And if you're the seller, you're trying to jack up that rate as much as you can to deliver as little as you can to optimize your value in your gross margin. I've worked on the consulting side. I know what I'm talking about. We need to cut that shit out.
00:37:53
Speaker
We really need to cut that shit out. If we're gonna fix this industry, and we're gonna make it not so shitty and exhausting to work in, and if you were there last night at our event, and if you came to RSA, you know CISOs are tired. You know sellers are tired. This shit sucks. So why don't we go back to actually trying to deliver value? Instead of 1,000 calls a week, how about 10, but three of them are solid prospects?
00:38:22
Speaker
Right? Instead of 50% growth, how about a healthy 20 to 30? Why don't we actually try to solve each other's problems? If you're a VAR, if you are there to help resell a product,
00:38:37
Speaker
Maybe instead of just giving us a PO every year to three years and that's your whole contribution to the thing, take your 10 to 15 points, stick with the relationship, help with the implementation, work with the client, actually bridge the gap, be actual value add. But again, that goes back to my original ask.
00:38:58
Speaker
Let's be kind to one another. Let's be genuine with one another. And let's stop taking advantage. We can make this industry a better experience. It's in our hands. And we're going to do that with. Thank you. We are bare knuckles and brass tacks.

Q&A on Transparency in Sales

00:39:18
Speaker
Thank you, George and George. We got time for a couple questions if anybody has them. Yep, right here. Have you ever had a kind of coming to Jesus moment with a sales rep where they've kind of dumbed down their service after years of purchasing with them? Where it's like, you know, when they first hit market, they had, you know, all the cool stuff. Yeah. And now they start throttling back and, you know, start à la carte-ing a lot more. Yeah. Uh, I certainly have. And the fact is you have to look at, do you have like enough need to replace them? Right.
00:40:02
Speaker
My big belief in security is if it's not broke, it doesn't need to be fixed. So yeah, they might not be giving you up all the dimes and whistles anymore. But if their product is still reasonably priced and it delivers on the fundamental use cases that it needed to, I don't think about that stuff, man. Like, I got too much shit to worry about.
00:40:25
Speaker
Yeah, dude. Someone give George a question. Is there room full of practitioners, sucker? Has there ever, it's so loud, sorry, has there ever been a time where radical transparency backfired for you? Oh, that's a good question.
00:40:43
Speaker
I don't think it's backfired, but it's definitely ripping a band-aid, and it's gonna sting for a little bit at first, but you end up coming out the other side stronger. That has happened, it's usually more internally. Like, you know, flat out tell, like, the manager of the product or the CEO, like that strategy is not going to work and this is why. And you told me to do this and it blew up in our face and now our customers are screaming at us. And out of a protective crouch, they'll probably bite back and pull rank or do whatever because people do that. That's cognitive psychology.
00:41:24
Speaker
Stings for a few days and then when the fever dies down, like it's gonna be clear. But I think as long as you're approaching the radical transparency with very clear speech, people can absorb that blunt force trauma. If you come at it with knives out, like I want to make my point and hurt you, then you're invoking the defense mechanism and they're just gonna, you know, that does not get you anywhere. So there is a difference between radical transparency and just being an asshole.
00:41:56
Speaker
Oh, another one. Anybody else before we go back? Okay. We got one back in the back. So one of the things I've noticed probably in the last eight years is on the sales side, the turnover rate, your customer account manager, your customer success manager, all those people, it feels like every four months I reach out,
00:42:24
Speaker
and it's a new person, it's a new manager, it's a new regional person, we've been moved, we've been, so the whole building trust, and I remember building trust with people, and spending time, and spending lunches, and understanding our needs, and providing new solutions, and a VAR actually meant value added reseller. But I have to say, in the last five, six years, you might hear it in my voice, I'm a little bitter about it, as a Chief Technology Officer, I just don't have time to reiterate what we've been doing and what we bought from a company three years ago or two years ago or even a year ago and their whole sales team has turned over or the whole account management team has turned over. So it's more of a statement than... Yeah, sorry. Question: what's your first name? Richard.
00:43:11
Speaker
Hey Richard, I'm new to the account. Catch me up on what's been going on. Right? Like, that's super annoying. It's exhausting. There are several symptoms of that. So on the sales side, there's a lot of burn and churn because private equity or VCs hold unrealistic sales targets.
00:43:27
Speaker
And the classic strategy, leadership management strategy, is to rip and replace the entire team. They'll bring in a new CRO, and they're like, I want my own people, and they'll tear it out. They're just sort of moving furniture on the deck of the Titanic, generally.
00:43:43
Speaker
To get that done, because if we went back to like investing in the people, if the process is failing, you would invest, I see a deficiency in my people. But to your point, thank you for that question, because it brings me to a point that I totally forgot to bring up in the talk, so bonus, is that I think, and my day job is as head of community for the CISO Society, so I basically listen to CISOs all day long,
00:44:09
Speaker
is do not forget or abdicate your power as a consumer, as a customer, right? I think your title, if you're a CTO, is sufficiently big enough for people at your suppliers to be scared if you start kicking up dust. And that may be escalating way past the customer success manager or whatever literal human shield they're putting between you and them and going straight to management at their user conference, at whatever, at the customer advisory board meeting, saying like, look, I don't know what you're doing. But this is like unacceptable that you are making me work harder to just have like daily interactions with you.
00:44:53
Speaker
I'm not sure why that is. I think, you know, like if you were dealt that hand in a retail environment or something, like we're inured to this idea like, no, I'm not putting up with that. Like I have power as a consumer.
00:45:04
Speaker
I think as technological consumers, we have forgotten that you also have that power because I will tell you from the vendor side, if you came at me on blast and I am VP of sales CRO and somebody like the CEO is copied in, that email will be talked about for weeks because they will know that that is the top of the iceberg.
00:45:25
Speaker
and that there is a lot below. And I see that, again, in the CISO Society, I see that in the Slack of them cross-comparing notes like, hey, has insert vendor name here been doing this to you lately, whether it's jacking rates or whatever. And people start to make noise and suddenly something happens where they're like, oh, we can't afford to piss off all those customers. Like, let's bring up my favorite lampshade problem at Black Hat. Like, you're not going to rip that technology out tomorrow. It's not like, I'm not coming to the Starbucks anymore. I'm going to that one. You can't. But if you say, like, I do not agree with these values and we're going to talk about this at our next advisory board meeting, they will put something on that because that will scare the hell out of
00:46:17
Speaker
So I don't know, don't abdicate your power, like feel empowered to like kick up a storm about that. These are great questions and great responses, but we are unfortunately out of time for today. Let's give George A and George K another round of applause. Thank you. Thank you, Denver. Love you guys.

Podcast Promotion and Closing Remarks

00:46:40
Speaker
If you liked what you heard, be sure to share it with friends and subscribe wherever you get your podcasts for a weekly ballistic payload of snark, insights, and laughs. New episodes of Bare Knuckles and Brass Tacks drop every Monday. If you're already subscribed, thank you for your support and your swagger. We'll catch you next week, but until then, stay real.