Lessons from 25 Years in Cyber, from Corporate to Startup to Consulting and Back

S3 E31 · Bare Knuckles and Brass Tacks

This week we talk to Allan Alford about his 25-year journey from CISO to startups to consulting, and now his return to corporate America!

George K and George A talk to Allan about:

  • His wild career journey - and what motivated his most recent career decision
  • His new gig at NTT Global Data Centers, and why data centers are the next hot thing in security
  • The truly global scope of his new gig
  • Why people and process beat technology EVERY time - even in tech companies!

Allan also drops some straight FIRE about vendor relationships - including the sobering fact that in 25 YEARS, cold outreach has matched his actual needs exactly ONCE. Vendors, there’s a lot to learn here about how to stand out before and after the contract is signed.

-——

🇨🇦 We’ll be setting the stage on fire with the opening keynote at SecureWorld Toronto on April 8th. And…we’ll be closing out the show with our signature event, the Cyber Pitch Battle Royale!

Use our exclusive discount codes to save on registration for SecureWorld Toronto:

  • BKBTSWC1 $50 off - BKBT Conference Pass
  • BKBTSWO1 $50 off - BKBT Open Session Pass
  • BKBTSWP1 $75 off - BKBT Plus Pass

Register to watch the can't-miss Cyber Pitch Battle Royale in Toronto! Practitioners get in free.

————

👊⚡️BECOME A SHOW SUPPORTER

https://ko-fi.com/bareknucklesbrasstacks

For as little as $1 a month, you can support the show and get exclusive member benefits, or send a one-time gift!

Your contribution covers our hosting fees, helps us make cool events and swag, and it lets us know that what we're doing is of value to you.

We appreciate you!

Transcript

Introduction to Customer Needs & Product Limitations

00:00:00
Speaker
Let's be real. No product is doing 100 percent of what you want doing done. None of them are. And even the ones that come in and tell you we're doing 90 percent are probably only 80 percent because your crack in the sidewalk is not the same as the other guy's crack on the sidewalk. There's a little bit of variation there, right? Always how well they own what they don't do.
00:00:18
Speaker
And then how well they work with you when they discover that your need is actually different from what was sold. That's the two real criteria right there. And one is the customer service piece George is talking about. And the other is kind of that ownership of product, right? Do you have access to product management when you sign the deal as the customer?
00:00:35
Speaker
Can you meet with product management on a regular basis and say, hey, we love you guys, but this lack of this one feature is killing us over here. And are they responsible? Or like, hey, remember at the QBR when you showed us the roadmap and you said that was three months away and it's now been six months and that thing is not. Oh, CISOs have memories for that stuff. And, you know, there's companies that will just sling these things out there and not track their own stuff over time.
00:00:59
Speaker
The CISOs always track it. Always.

Podcast Introduction with George and Allan

00:01:08
Speaker
All right, this is Bare Knuckles and Brass Tacks. This is the cybersecurity podcast that talks about the human side of the industry. It is trust, respect, and everything in between. I am George K. with the vendor side.
00:01:20
Speaker
And I'm George A., Chief Information Security Officer. And today we got another holy roller of a guest. We have the one, the only Allan Alford, who has been CISO for...
00:01:31
Speaker
Over 25 years and has been in every seat on the vendor side, the VC side, his own consulting company. And now we've had him back on the show because he has stepped back into the corporate world.
00:01:44
Speaker
And we were excited to kind of track that change and also note all of the observations he's had over the course of his career. Yeah, Allan is an absolute, I don't know to say, he's a force to be reckoned with.
00:01:58
Speaker
The guy is just, he sweats, he spits, he breathes knowledge. I mean, he was driving value there that entire episode with a lot of really good perspective. And I think, you know, the one thing I like about Allan the most is as smart as he is, as accomplished as he is, 25 years in this industry, he is still just the kind of guy that you want to sit down, have a drink with and just talk shop.
00:02:20
Speaker
And he brings that energy. What's the day? Absolutely.

Allan Alford's Disclaimer

00:02:25
Speaker
Hey, you guys, before we begin, I know we're going to be talking some about my career change in my new job and my new role. I just wanted to say any opinions expressed in the show by me are mine and only mine, not the opinions of my employer.
00:02:37
Speaker
I am not representing or speaking on behalf of NTT Global Data Centers or NTT Data Inc. Allan Alford, welcome to the show. Well, thank you for having me. It is wonderful to be back with you gentlemen. George and George, epic Bare Knuckles and Brass Tacks podcast. I'm grateful to be here and I'm so glad you asked me.
00:02:58
Speaker
That's right. The last time you were here as sort of a co-host in our weird project and now you are full on guest. Wait, wait, no. RSA. Oh, that's right. We were his guest. Yes, you guys were on my show at RSA. So this is part three.

Allan's Career Transition and Challenges

00:03:15
Speaker
But I feel like it's a particularly good time because now you're in the hot seat and you are the guest and you have made a career change recently. I have made a career change. I have indeed. For the benefit of our listeners who don't know, can you talk through that career change? And let's start with, you know, what was that decision-making process like for Okay. Well, many...
00:03:37
Speaker
Many moons ago, I worked at NTT Data Services, which was a really large, really cool, interesting company doing really cool sort of IT consulting and business process outsourcing and all kinds of cool stuff for clients. I was the delivery CISO. I was over the client estate.
00:03:52
Speaker
Which meant any security stuff that came up with our myriad clients, I would be involved in that, whatever that might be. Sometimes it was architecture, sometimes it was incident response, you know, some of this, some of that.
00:04:04
Speaker
Had a good time doing that. But at the time, I was also advising for TrustMap, one of my favorite startups. And TrustMap started talking to me about, wouldn't it be cool if you came over and were a little more active with us? And I was like, well, I've always wanted to be a CTO. And, you know, next thing, you know, lots of talking. And all of a sudden I announced to NTT I'm leaving and I'm going off to be a startup CTO.
00:04:25
Speaker
Well, I had my startup adventures and my story, you know, in the startup space goes like a lot of folks, some ups and downs and whatever, you know, but it's, you know, it was a good bunch. I still like TrustMap. I'm still friends with the company, the CEO, the new COO.
00:04:38
Speaker
I actually rose to the ranks of COO while I was there for that matter, but ultimately decided it was time to break out and go do my own consultancy for a while. And did that for a couple of years, built that up, got to the point where I had a salesperson, a marketing person doing real biz dev, a partner, a bench of 1099s. Like we built it from just Allan is consulting to a full practice and program. And I got to actually bust, you know.
00:05:02
Speaker
bust out the CEO chops there and do some of that. That was fun. But I realized a couple of things. Like, it's interesting. People talk about the freedom you have when you work for yourself. Everyone's like, oh, it must have been amazing being so free.
00:05:15
Speaker
And I'm like, if by free you meant working 80 hours, paid by the hour, no PTO, lousy health care, and working every weekend and every morning at 4 a.m. and every evening at 8 p.m. Yeah, sure, it's free. It sounds like the army. Holy shit. It was crazy. It was crazy. Like I've done, I've always worked too much wherever I've gone. Like Chad over at TrustMap, I'll tell you, Allan worked every weekend and drove himself crazy.
00:05:36
Speaker
And I always do this voluntarily, but this time it was involuntary. This time, if I didn't maintain that pace, I couldn't sustain the operation. Right. Like I had to just really, really, really kill myself basically doing it.
00:05:50
Speaker
And I started really missing PTO. I started really missing evenings with my family. I started missing good health care benefits as opposed to paying a ridiculous amount of money for really mediocre benefits.
00:06:01
Speaker
And I ultimately got to a point where I was like, you know what? A return to corporate America wouldn't be such a

Joining NTT Global Data Centers

00:06:06
Speaker
bad thing. And right as I'm having this realization, NTT calls and they say, hey, we missed you.
00:06:13
Speaker
And I'm not with data services now. I'm with NTT Global Data Centers, which is a whole nother company. It's the third largest data center company on planet Earth, works with all the big clients and all the folks you might imagine want to have data centers leased, data center space, et cetera, et cetera. It's a really interesting and fascinating business. It's amazing.
00:06:33
Speaker
the amount of money that gets thrown into building and bringing up a data center. And then, and then the fact that these things are largely pre-booked before they even go online or, or even a hundred percent booked before they go online. Like it's a very fascinating business. It's a cool business model. And the first thing I did when I hit the ground with these guys was I just met with all the business leaders from all the other departments that do all the things specific to this business that I didn't know about.
00:06:55
Speaker
And there's real estate people and there's construction people and there's, you know, it's just, it's been super cool learning this industry. I'm having a blast. That really bucks the trend. I feel like I've seen a lot of CISOs of late exploring the idea of vCISO work, consultancy or, so I just thought that was really interesting when I saw that you went back the other way, but you, yeah, I mean, you raise, you raise a good point. I've done some consulting and biz dev is the worst. Yes. Like, yeah. I, you know, when my oldest daughter was not born yet, like, like,
00:07:27
Speaker
You know, two years before she was born, I was running a consultancy in Austin at the time. I lived in Austin and I was a, you know, small and medium business, IT, cybersecurity, web development. Like we did it all. If it was your technology solution for your small business, I was your guy.
00:07:42
Speaker
And I had artists and designers and web people and network guys. And I had a whole team I'd built up and grew it 300% year over year. It was, it was booming business. I had a blast doing it.
00:07:54
Speaker
And then my daughter was born and it was that same thing. I realized like, oh, yeah. I can no longer live in this unpredictable income, you know, 20 hour work days on occasion kind of lifestyle. I got a kiddo now. So I sold that business and went back to working for corporate then. So, you know, I've gone back and forth a couple of times.
00:08:09
Speaker
I definitely value working for myself. Don't get me wrong. I think it's fun. It's a rocket ride. But you're doing two jobs at a minimum. One is the actual job you're there to do. And the other one is selling to make sure you have the next one lined up.
00:08:22
Speaker
And that's at a minimum. And as soon as you add employees, now you're also managing and, you know, et cetera, et cetera. Yeah. So I've done it a couple of times, but I'm, you know, at least for this, you know, foreseeable future, I'm back in corporate America is where I'm

Global Remit and Industry Shifts

00:08:36
Speaker
at.
00:08:36
Speaker
I mean, and I'm talking like the next eight years, probably I'm going to be doing the same thing here. That's pretty legit though. I mean, like I really, like I personally, I appreciate that kind of shift and pivot because I recently went through the same thing and, you know, I'm double hatting my role. So I have my day job still, but now I'm also the field CISO or the senior technologist at a technology law firm. I'm the only non-lawyer executive, but everything I'm doing there is the consulting side of the house. So it's running essentially a security consulting practice that focuses a lot on compliance integrations.
00:09:11
Speaker
But like George is saying, like doing the biz dev part of it, it's fun on some levels, but then it's absolutely exhausting. Thankfully, I don't have to deal with quotas and all the usual salesy nonsense. But like, yeah, going from the, okay, I'm client side, I'm in charge to like, okay, client, I'm going to say something that might offend you, but I need you to do the thing.
00:09:33
Speaker
Right, right. So I have to ask, though, just with what you're doing now, it's a really cool job. Obviously, in guest research, I took a look at what you guys are up to.
00:09:44
Speaker
Really big scope. Amazing organization. I think, you know, it's funny. In my market predictive analysis of where I think the security industry is going, I think the two biggest kind of opportunity sectors are, one, secure AI implementations, and two, secure data hosting.
00:09:59
Speaker
So as usual, Allan, you are on the beat of the pulse of the cutting edge of where industry is going. Right. That's pretty cool. I was going to say to George, I started the vCISO thing before a lot of CISOs wanted to do the vCISO thing. I was doing it. I was a CISO before most of the CISOs were CISOs. Then I was a vCISO before most of the vCISOs were vCISOs.
00:10:17
Speaker
And now I'm in data centers. So if I'm tracking well, this is the next big hotness. Yeah, you're like my analysis says you're on point on that. So kudos to you.
00:10:30
Speaker
My question is, how mature is the program you're currently inheriting? And what challenges for your first 90 days are unique to today compared to past times that you, like, newly stepped into a CISO role and you got to build that program up?
00:10:44
Speaker
What's the difference? So this one's very unique. I've got a brilliant team. I've got a global remit. I've got a parent company with a CISO organization that I'm tied into directly as well as reporting directly to the CEO. So it's really hard to compare this one to other past things.
00:11:06
Speaker
And it's hard to say what's kind of cool and not cool and all of that, because at the end of the day, I've got this massive umbrella over me represented by the parent company's Office of Information Security.
00:11:19
Speaker
And a global CISO who's in charge of 180,000 employee company that owns multiple companies. And Global Data Centers is one of the owned companies, right? But I'm also direct to the CEO of Global Data Centers. So I have a global remit. I've got a GRC function. I've got a cybersecurity operations function.
00:11:35
Speaker
I've got players in EMEA, India, you know, Singapore, Jakarta, Indonesia, Malaysia. Literally wherever there's a landmass. Well, it's interesting. Like it's a little more clever than that. It's wherever there's a landmass where some dirt is available near some power.
00:11:52
Speaker
I mean, if you really want to summarize it and shortchange it, that's what it is, right? You have to buy real estate that's big real estate that's affordable that you can throw something large onto. And then you also have to have obviously good power to feed whatever you're going to build. And so it's the intersection of power and viable real estate.
00:12:11
Speaker
that sort of forms the matrix of it. And I just got back from Mumbai and Bangalore meeting with my teams out there and performing in conjunction with the parent company's team. We're running around doing audits of the data centers and auditing the team practices and looking at the different regions around the globe while simultaneously getting to meet my people in person that I've only seen on Teams calls up to now. And, you know, so it's been really cool.
00:12:35
Speaker
I would say that versus a lot of the other CISO gigs and vCISO gigs and things I've done in the past and what friends of mine are doing, I think the biggest differentiator on this one is it is so fricking global. It is just global, global, global.
00:12:50
Speaker
And it was a company formed of multiple companies, right? And so the usual rules apply that, you know, hey, these guys are doing this part really well. These guys are doing this other part really well. Like different teams shine and have their strengths and show where they're really, really just nailing something. And so one of the things I'm doing is I'm running laps around the planet and going,
00:13:08
Speaker
We're going to take your model for this. We're going to take your model for that. We're going to take your practice for this and your practice for that. We're going to make everybody do them all by the best of breed of everybody. Right. And so that's the biggest challenge I've got over the next year is roping in the best of breed from regions B, C and D and turning it into best of breed across all the regions.
00:13:27
Speaker
And that's the fun part. That's interesting because I think most vendors would think, oh, Global Data Center, very the index on the tech side of the equation. And what you're explaining is your it's all process, right? You know, I don't care where you go. I've worked at technical startups. I've worked at cybersecurity companies. I've been a CISO at more than one cybersecurity company now.
00:13:51
Speaker
And I would still argue people and process trump technology nine times out of ten, even in a technology company, right? Because at the end of the day, sound practice, sound discipline, sound process, sound practice, repeatable, documentable methods and processes, the tech comes and goes and changes and morphs on a constant basis, right? You don't write a policy that says thou shalt use EDR.
00:14:12
Speaker
You write a policy that says thou shalt protect your endpoints because last year's AV is this year's EDR is next year's who knows what. Right. So to me, the people and process piece is the most vital and most important and always will be.

LinkedIn Dynamics and Student Engagement

00:14:24
Speaker
And obviously stay on top of the technology trends nonstop. Lean on your CISO homies. Find out what the latest and greatest is for each problem statement, et cetera, et cetera. All disclaimers apply. But at the end of the day, people and process for me.
00:14:36
Speaker
Yeah, well, that actually brings up the next question. So it's like you read my notes or it's like you've hosted a podcast before. It's I'm interested in since you have sort of gone back and forth between sort of vendor side, client side and everything in between.
00:14:53
Speaker
What are the changes you've observed in the industry between your past NTT life to now, because you have the unfortunate luck of having announced a new job on LinkedIn, which means the crawlers and scrapers hit your title, which means you went into somewhere and they're all coming for you. So what is the general, like, sense of the difference between your previous life? You know, what's been interesting, like is specific to LinkedIn, the weird trend that I've seen this time, which I've, you know, I've already got what 34,000 followers. I've maxed out connections, which, you know, you max at 30.
00:15:30
Speaker
I noticed this time when I announced the new job, I got a lot of students coming out of the woodwork to connect with me. That's interesting. And there's always been a trickle of students throughout. Don't get me wrong. But this time there was a spike of new jobs. Suddenly lots of students wanting to talk to me.
00:15:47
Speaker
The usual sales folks crawling out of the woodwork, you know, et cetera. And, you know, I've started this thing since I maxed out at 30K, I've started this thing on LinkedIn where I just wait for a message to come in and I look and see, is it somebody trying to sell at me?
00:16:02
Speaker
Okay, probably yes. I scroll back. Have I ever had an actual dialogue with them ever? No. How many times have they sent me a message? Three, four, five, six, eight, 12. Okay. Knock them down, remove the connection and accept a connection from a student.
00:16:16
Speaker
Oh, I like that. And I'm slowly cycling out. Like if you're just blind selling at me and my favorite is when they say things like it's been a while since we chatted and I scroll up. We've never chatted. You've just spammed me. There's a difference, you know, and I'm weeding those out and replacing them with these students. So I've got this massive backlog of people wanting to connect. And as I filter out the negative sales experiences, I replace them with the students and the actual practitioners and the folks that actually want to connect for real.
00:16:44
Speaker
Nice. And that's been the biggest change I've seen for some bizarre reason. Lots more students. Hmm. Interesting. Not what I expected, but great. Yeah, like I find it interesting. You know, it's funny. You know, Octavia Howell.
00:17:00
Speaker
Yeah, so Octavia and I are like super, super tight, right? And at some of the last events we've gone to, we found that there's just been an overabundance of students there. And this is separate from the question I actually want to ask, but it's just more like a CISO to CISO take.
00:17:15
Speaker
A lot of these students, man, like they come to us at these events and they just like want, want, want. And I think like it's becoming exhausting because I know I feel the

AI Hype and Business Transformation

00:17:25
Speaker
same as her. And like we were both right about this. You go to some events that are geared for, you know, information security decision makers like director level and above. And of course, you have students and volunteers there. Right, right. But, you know, we're there to network with our peers.
00:17:39
Speaker
And then these students are taking up all of our time and energy. And it's you don't want to be rude to them. But at the same time, it's like, kids, you guys ain't the point. Yeah. Yeah. No, it's, that's a real challenge and that's a real struggle. I absolutely have experienced that myself as well.
00:17:54
Speaker
And where I've gotten to personally is I kind of have to draw a boundary. And this is, this is coming from the guy that never draws any boundaries and will work 80 hours a week without thinking twice about it, et cetera, et cetera. But when it comes to the helping students and the helping those that are new in the career, et cetera, I basically declare that I'm never going to have more than three active mentees at a time.
00:18:16
Speaker
And if I have three active ones and some student approaches and wants some help, I will tell them upfront, this is a one-time deal. I'll help you with this one thing you're asking me for, but this will not become a relationship because I just don't have the capacity.
00:18:28
Speaker
I've got three, I'm working on the three I have. Now, sometimes one will peel away. I mentor folks that have just made CISO, for example. And they get their legs under them and they get moving and they don't feel like they need the mentoring anymore. And I realize, hey, it's been a couple of months since we chatted. OK, you're off the active roster and I can take one more now.
00:18:43
Speaker
And I try to limit to three max and I'm just transparent and honest about that. It's like, hey, I appreciate you guys have needs. You know, I get it. I was new in the career and desperately needed help, too. But there's only so much capacity I have. So here is my capacity. This is what my offer is. Take it or leave it. Right.
00:18:59
Speaker
And it's transparent. It's honest. It's real. And it's not just off putting and shoving them away either. It's, you know, putting some boundaries on and explaining. And at the same time, there is an allocated portion of every week where I am, in fact, giving back to the new folks in the community. Full stop. I am. So.
00:19:16
Speaker
That's my solution. I put boundaries on it. Perfect. And thank you for doing that. That's actually for the CISOs listening. That's actually really sound advice. Obviously Allan doing a good job of just being a good human. So the actual question, how much pressure, and it's interesting because you're working in the DC space, how much pressure are you foreseeing around AI enablement and what's your strategy for it?
00:19:38
Speaker
That's a whole conversation in its own right. Like a big conversation in its own right. Um,
00:19:47
Speaker
The AI revolution or whatever we want to call it. Let's start with that. There's equal quantities of honest to goodness. Oh, wow. What's coming? We still don't even know yet. Mixed with massive amounts of excessive hype.
00:20:01
Speaker
And the truth is always somewhere in between those two. Right. Always in between those two. So somehow, some way we've got a real AI revolution that we don't really have a full scope or understanding even yet. I don't think of what it's going to actually be and mean.
00:20:14
Speaker
We look at what does it require? And we all know that GPUs is the du jour, right? And what do GPUs require? Racks. And what do racks require? Data centers. You know? So connect the dots. I'm in a really good industry at the moment.
00:20:29
Speaker
It's interesting to me where and how AI can be applied to the business itself, where and how AI can be what fosters and fuels the business, where and how AI becomes a large customer base. You know, there's the intersection of data centers and AI, just like with the rest of the revolution. I think there's still so much to be seen, right?
00:20:52
Speaker
I think every business, every business, I don't care what you do, can benefit from some degree of AI on the actual business processes themselves. So let's imagine I sell shoes for a living, you know, some kind of AI algorithm to figure out what kind of shoes are hot and what's selling.
00:21:07
Speaker
OK, so let's make sure our shoes include red. Red seems to be hot, you know, and whatever analysis of the market. And then using AI to help come up with freaky, cool new designs and using AI to come up with ways to make the same shoe with less overhead and using AI to figure out distribution networks and channels. I mean, like FedEx was built on a premise that the guy that formed FedEx.
00:21:29
Speaker
It was part of his MBA program, right? He had a, he had as, you know, whatever his project was for his MBA. And he said, we're going to create these centralized hubs. And even if the package is just going right down the street, it's still going to go through the centralized hub before it goes down the street.
00:21:42
Speaker
And the folks that ran the MBA program were like, that's the dumbest thing we've ever heard. Well, he went and formed FedEx and, you know, the results speak for themselves, right? Picture AI getting involved in that kind of thinking.
00:21:54
Speaker
You know, like today we distribute packages by way of X, but some AI algorithm could discover that we actually need 3.7 distribution centers for every 1.5 humans. And, you know, whatever the crazy like AI can figure stuff out that we don't even know to go figure out. It's, you know.
00:22:09
Speaker
To me, the biggest value of AI is it's the next step beyond data mining. And data mining was already an esoteric art form of finding the trends where you didn't expect to find them, finding the trends that you didn't know were there, you know, doing the after-the-fact analysis on a data lake to say, hey, wait, I have no idea why, but every Tuesday if someone buys a bagel, the odds are high on Thursday they're going to get in a car crash. Like totally unrelated, seemingly unrelated data and spotting out those trends. This is what AI does.
00:22:40
Speaker
In milliseconds. And we're going to discover whole business processes and whole industries completely morphing and changing because of AI doing weird trend spotting and weird trend outlay.
00:22:51
Speaker
It's that, that to me is probably the most exciting part of it.
00:22:58
Speaker
Hey listeners, if you dig the snark, the stories and the big swings we take, we'd appreciate your support. You can now become an official supporter of the show. You can send us a one-time gift or sign up as a member to provide ongoing support. Memberships start for as little as $1 per month. Just follow the link in the show notes.
00:23:21
Speaker
Each membership tier comes with a unique set of benefits, including exclusive discounts to the BKBT swag shop and even advisory services for your team. So really, for less than you'd pay for one cup of coffee per month, you can support the show.
00:23:37
Speaker
It covers our hosting fees, helps us make cool swag, and it lets us know that what we're doing is valuable to you. Many thanks to listener Evan D for his recent pledge of support. We'd love to have yours too.
00:23:50
Speaker
Now, back to the show.
00:23:57
Speaker
Allan, before, earlier, you had mentioned people and process, but when it came to technology, you mentioned checking in with your peers.

Learning through CISO Communities

00:24:07
Speaker
It stood out to me. I believe you used the term CISO homies.
00:24:10
Speaker
Yes, CISO homies. But so I guess now, again, a lot of my questions are you're now back in this hot seat. A lot has changed. We have a hypothesis on this show that, you know, the SaaS B2B market of 2016 is very much in the past. And in 2025, it's very different. And one of those aspects is buyer behavior, how people buy, how they interact.
00:24:36
Speaker
So I guess my question is, how are you thinking about learning about new technologies? And kind of let's go through that, the philosophy, like how do you source ideas and stuff for your addressing any gaps?
00:24:55
Speaker
And then let's work tactically to what is your advice for vendors out there in terms of how to achieve that reach short of like, like we all hate the spamming. So like, let's ignore that. What are the practical steps to improve that?
00:25:10
Speaker
So first, where are you getting the ideas? And then second, how would you tell your startup peers to achieve that?

Vendor Approach to Practitioners

00:25:17
Speaker
Yeah. So having gone back and forth, vendor to practitioner and practitioner to vendor and all this several times now, I feel like,
00:25:28
Speaker
You know, I was talking to a friend about one day I'm going to be a CEO of a startup. This was years ago when I wanted to be a CEO of a startup. I never did. And I'm glad I didn't. Yeah, good for you. I no longer have that dream. But at some point I did have that dream.
00:25:38
Speaker
And his challenge to me was, well, you got to have this great idea before you start. And I said, no, you don't. You have to build a team. You know, get a solid crew, get a solid set of thinkers, then come up with a cool idea.
00:25:52
Speaker
He's like, wait, what? Isn't that backwards? And I was like, no, it really depends on Silicon Valley model versus Israeli model. That's, you know, the Israelis tend to do that team first, idea second. But the reality is the idea will come.
00:26:03
Speaker
And the reason I say the idea will come is, you know, if you are a practitioner and you are going through the grind every day, you start to realize there's cracks in the sidewalk.
00:26:16
Speaker
And what you generally do as a human being when you see a crack in the sidewalk is you just step over it. It may not even show up on your radar as a problem statement. It's just an annoyance or a nuisance that you rapidly work around and don't think twice about. I'll give you an example.
00:26:30
Speaker
Microsoft Outlook. It's got a lot of features that suck. We all know it and we all keep using it, right? Like I would rather have Outlook than a browser-based email solution. It's not perfect. It has all these quirks. I've just learned to work around those quirks and I never think twice about it, right?
00:26:46
Speaker
Well, the difference between that and the person that comes up with a great idea for the startup is the one who says, well, hey, I don't like the sorting and searching feature. I don't like the fact that when I do this, it reverts to that. I don't like the fact that when I click this, it makes me go back to a default to click that or whatever the experiences you're having in your business or with your tool or whatever.
00:27:05
Speaker
And somebody will come along and say, OK, that's a problem. That's a problem statement. That's a crack in the sidewalk. And instead of just stepping over it, I'm going to come up with a way to solve it. Now, for a startup, you need big cracks. You can't, you know, you're not going to make a successful startup based off of fixing someone else's software application. It's a bad example in that regard.
00:27:21
Speaker
But you are going to make a successful startup if you are saying that over here in my cloud space, I have this awesome capability, but then there's this other capability. And in between, there's nothing. You know, look at some of the newest companies that are coming out. Look at who Wiz is acquiring, for example, and you will see that there were people recognizing that, you know, step one, let's get a handle on our DevOps. And step two, let's get a handle on our cloud assets.
00:27:46
Speaker
And step three, let's get a handle on how all that stuff is configured and secured. And, you know, as we evolve whole new types of technology, a need appears. I have this and I have this and there's a giant gap in between. Well, I'm going to go start up a startup to address that gap in between. Right.
00:28:01
Speaker
So to me, whether you're a vendor or a practitioner, step one is always have a clear and clean problem statement. Know what your crack on the sidewalk is. Start there.
00:28:11
Speaker
Now, as a vendor, if I'm going to approach you and I'm going to try to sell to you the solution that I feel fills that crack on that sidewalk, it's really simple. Don't assume I have the problem.
00:28:23
Speaker
Don't blindly thrust at me. Don't assume that your solution is the sole solution to the problem. Reach to me in a wave partnership and gently float the idea that I may or may not have the problem. And, you know, do you, right? Are you concerned about this crack in the sidewalk?
00:28:39
Speaker
You may get a CISO comes back immediately says, not at all. Don't care. You may get a CISO comes back and says, oh, my God, that's been driving me insane for the last nine months. Talk to me. You may get a CISO who says, yeah, but I've already got a solution. It's going to vary. Some people may see it as a small crack. Some may see it as a gaping chasm, you know, but as the vendor, just don't come in guns blazing. Don't come in with the assumption that you're all that, because the biggest problem in this industry is that the marketing teams convince the sales teams that they are really, truly God's own solution.

Maintaining Customer Relationships

00:29:09
Speaker
And that's the wrong approach for a sales guy to take with a CISO. Full stop. That is the wrong approach. You want to start with something much more simple and elegant. Hey, we're solving this kind of problem over here. If you happen to have that problem, let's talk.
00:29:25
Speaker
It's really that simple, right? Yeah. And can you speak a little bit about how your conversations with your peers go? Because I know you're in the Tinkerers. You're also, you know, full disclosure in the CISO Society, which is a very active forum in terms of people asking about either capability or by name. Exactly.
00:29:42
Speaker
Yeah. I'm in a half a dozen Slacks, if not a dozen Slacks. And then some other stuff, too. I'm on a couple of, I've got a Signal chat and a WhatsApp chat and I'm part of CISO XC and the Dallas community and blah, blah, blah.
00:29:53
Speaker
Yeah. I will generally do the same thing. Hey, guys, I keep tripping over this crack. Is anyone else tripping over this crack in the sidewalk? Oh, yeah, I am. Has anyone done anything to fix it? Oh, yeah. I looked at so-and-so. Go check out so-and-so.
00:30:06
Speaker
I get one name. Let's say I run the circle of the CISO homies and I come back and all I got is this one name. We're going to make up company names now. Penguin Inc., right? Penguin Inc. solves this particular problem I'm having. Okay, the very first thing I'm going to do is jump on Google and type, who competes with Penguin Inc.?
00:30:21
Speaker
Ah, look, there's also Mask Inc. and Other Penguin Inc. All right, let's go look at all three, start doing comparisons, do some research, do some notes, reach out to them proactively instead of having their random salespeople throw on, you know, its some the intersection of when I needed the thing and when the sales guy approached me in my entire life, that has been an actual intersection one time and one time only. And that was when the CEO of TrustMap first approached me when I was CISO at Mitel.
00:30:46
Speaker
And I was exactly looking for what he was exactly selling at the moment he approached me. That is the only time in my entire career that's ever happened. How long, how long how many, how many years? Oh, that was the year.
00:30:57
Speaker
Oh, good Lord. I've been in cybersecurity 25 years. I just want that to sink in for people. So in 25 years, there has been one moment where like the sort of like cold outreach hit the exact moment of need. That's, yes, very sobering.
00:31:13
Speaker
One time in 25. Just to go through CISO history, you're talking about Mitel, like Terry Matthews' company, Mitel? Yeah, yeah. I was their CISO. Okay. Hilariously enough, Mitel, which is based in Ottawa, their current CISO is a really good buddy of mine, Bill Dunyon. Shout out to Bill.
00:31:29
Speaker
Bill is also, want to bring Bill on the show just as a primer because he actually was like a former seller, won President's Club. And then went over to the CISO side of the house, became CISO. Oh, too funny. Full circle. It's just, that's crazy, man. He replaced Arvin who replaced me. Arvin went on the black belt. That is nuts, man. That is nuts.
00:31:49
Speaker
Wow. So this was, yeah, many, many, many moons past, but I was, I was CISO at Mitel back in the day. So, yeah. So at the end of the day, bottom line, I will generally reach out to them proactively and they get all excited because you go fill out their form on their webpage and the next thing happens, is very sort of salivable meaning and boom boom boom it's moving, right?
00:32:08
Speaker
Versus the likelihood that I'm even going to remember I was approached by someone at Penguin Inc. I don't go, I just jump on the website and say, hey, I'm interested. I want to demo, right? Versus going on to my LinkedIn and searching for Penguin and trying to find if I ever had a rep reach out to me, like that wasn't a relationship that was formed. You know what I'm saying? That was just somebody blah, blah, blah, blah on LinkedIn.
00:32:29
Speaker
It doesn't stick. It doesn't make me want to go search. I just go hit up their website. And now whichever BDR answers the query that I proactively put into the system is the one who gets the credit for the deal, not the guy that spammed me on LinkedIn a year and a half ago.
00:32:41
Speaker
Yeah. But this is also like the four dimensional chess that I'm trying to encourage vendors to play, which is the only reason your friend would have recommended them is because the company has invested in the stability and the performance of the product.
00:32:57
Speaker
They also have likely not been assholes. Yeah, right? So there's been a customer success moment. They have felt good. They've got the warm and fuzzies. They have the trust. And so I think there's so much attention on this outbound sales activity and not enough on like make the customers happy because they go talk about you in the communities you're not in.
00:33:18
Speaker
And that's it's a really long tail play, but it is sustaining over time, given how many you're one of many CISOs that is in like a dozen communities. Yeah, you're all talking.
00:33:29
Speaker
We all talk. We all talk. And I'll tell you right now, if you're sleazy, if you're skeezy, if you're crooked, if you fail to deliver, if your product ends up being snake oil, any of those deep negatives, word gets out fast.
00:33:42
Speaker
Yes. I will say who wants, you know, who else has this crack in the sidewalk? And I'll not just get back, oh, go to Penguin Inc. That's who solved my problem. I'll get back 18. Don't go to Mask Inc. They suck. For every one positive, three negatives will chime in. If the experience was truly negative, people have no qualms sharing that negative. Those come out so fast.
00:34:02
Speaker
And I don't know about you, but I know that for me and in the communities I'm in, in Canada, especially, it's not just about the product itself, right? It's about like level of service care and support.
00:34:13
Speaker
Bingo. Right. So a lot of people have like really cool products. The marketing is great. And then you sign on. So like dating, so everything I do is related to dating. It's like they court you real good. Yeah. And then they get you. Yeah.
00:34:25
Speaker
Right. They, they take you to bed and they do the thing. And then suddenly all that wonderful support and show and tell and about your service. Aren't you answering texts anymore? Oh, I'm seeing someone else too. Yeah.
00:34:36
Speaker
Yeah. And I have to say this. Like, I have a story in context with this. So I just implemented and they're a great company. Now, we got courted to the nines on this whole POC. I ran like a super long POC. It was like six months from discovery. I went through like 14 different solutions to narrow it down to them.
00:34:54
Speaker
And through that courting process, they gave us all the attention in the world to nail that business, which is great. But I knew I had the vibe. I was like, wait a minute, we're going to sign this and they're going to go crickets on us come implementation time.
00:35:06
Speaker
And lo and behold, for all of January, we couldn't get barely any responses from them. But they redeem themselves. They recognize the problem. They brought in a new VP of service delivery.
00:35:18
Speaker
And then they just had an executive alignment call with me and my architecture lead, my SOC lead on Friday. And they came in hat in hand and acknowledged, guys, we fucked up. Yeah. We fucked up. This is what we did.
00:35:30
Speaker
I'm cleaning house. I'm changing the entire organization. We're going resource-based. We're going project-based. We won't let this happen again. Cool. They gave me their phone numbers. Like, it's like. Wow. Ownership is a magical thing, isn't it?
00:35:43
Speaker
They've solved their reputational issue because it could have been bad. It could have been like, well, do I break contract now? Like, what do I do? But yeah, it's an amazing thing. You know, like when I was at TrustMap, we would bend over backwards to keep working with people, you know, here's some product suggestions, everything else. Like I was, 'cause at one point I was running a product over there too. And, you know, we really, really, really, as a small startup, we're just killing ourselves to satisfy everybody and stay with them and hang with them. Right.
00:36:11
Speaker
But the bigger the company, the harder that practice becomes to maintain. Right. And, like, shout out to Arnica. Arnica is one of those little ones that is now, you know, they're up and coming and,
00:36:22
Speaker
Great POC and then instant support and help from them. We had, you know, hey, why isn't it doing this? Oh, here's how it does this. And I mean, real-time chats and product feature integrations and just they were so responsive and so cool. I really dug working with them.
00:36:38
Speaker
And I'm trying to think some of the big ones I really like working with, too. Like, you know, CrowdStrike gets punched in the face all the time, but they're actually a pretty cool shop. I think George has done a really good job with that place. And I think after the whole blue screen of death thing that happened, the way that he did recovery of the brand, recovery of the technology, and they reclaim the narrative.
00:36:57
Speaker
Like that is, we should be writing about that at like some kind of like information security and MBA course. Absolutely. Because that is, that's how you handle a crisis. Yeah. Yeah. It was well, well and artfully managed for sure.
00:37:10
Speaker
And I'm a, I'm a big fan of them. I'm a big fan of Arnica. There's just, there's some standouts for customer service that really, really, really just come through. And at the end of the day, half the time, I mean, let's, let's be real.

Episode Wrap-Up

00:37:21
Speaker
No product is doing a hundred percent of what you want done. None of them are. And even the ones that come in and tell you we're doing 90% are probably only 80% because your crack in the sidewalk is not the same as the other guy's crack on the sidewalk. There's a little bit of variation there, right? Always how well they own what they don't do.
00:37:38
Speaker
And then how well they work with you when they discover that your need is actually different from what was sold. That's the two real criteria right there. And one is the customer service piece George is talking about. And the other is kind of that ownership of product, right? Do you have access to product management when you sign the deal as the customer?
00:37:55
Speaker
Can you meet with product management on a regular basis and say, hey, we love you guys, but this lack of this one feature is killing us over here. And are they responsible? Like, hey, remember at the QBR when you showed us the roadmap and you said that was three months away and it's now been six months and that thing is not. Oh, CISOs have memories for that stuff. And, you know, there's companies that will just sling these things out there and not track their own stuff over time.
00:38:19
Speaker
The CISOs always track it. Always. Nice. Well, Allan, this has been a blast. Obviously we could go on for hours, but I think there's just a lot of gold in here. And I want to thank you for jumping on late at night and sharing your trip down memory lane and your forecast for the future with us.
00:38:37
Speaker
Right on. It's really good to see you again. Happy and healthy brother. Oh my God. Yeah. Yeah. Fit to fight. Yeah. No, over the, over the cancer, over the foot surgery, over the knee surgery. Although the next knee surgery has been scheduled.
00:38:49
Speaker
You guys heard about the accident in Saudi Arabia, right? Yes. Yeah. Oh, my goodness. I'm still recovering from that. That was Thanksgiving Day. I went through physical therapy, healed up three fractures, two sprains, and now they're telling me the PT wasn't enough and I got to go in and do the surgery on the ACL.
00:39:03
Speaker
Shenanigans. Yeah, we'll still be rooting for you on the other side. Which one's the fighter? Is it me or is it you, dude? Well, he fought a mountain. You fight humans. Yeah. Yeah.
00:39:14
Speaker
I, I, I, uh, my, my friend that crashed into me, we both nearly went off the 200 foot cliff because he crashed into me. Right. Like I, so I ended up saving his life and we ended up both very close to dying even with, and I told him we're going to get custom t-shirts 'cause it was this, we were hiking in a place in Saudi called, uh, outside of the outside of Saudi about two hours outside called the edge of the world.
00:39:34
Speaker
And I'm going to make a t-shirt that says I stared down death at the edge of the world. Yeah. That is a bad-ass t-shirt. Yeah. And it's true. Yeah. All right, Allan. Well, thanks so much for the time, and we'll see you soon.
00:39:47
Speaker
Take care, y'all.
00:39:51
Speaker
If you like this conversation, share it with friends and subscribe wherever you get your podcasts for a weekly ballistic payload of snark, insights, and laughs. New episodes of Bare Knuckles and Brass Tacks drop every Monday.
00:40:04
Speaker
If you're already subscribed, thank you for your support and your swagger. Please consider leaving a rating or a review. It helps others find the show. We'll catch you next week, but until then, stay real.