
349- Beyond traditional perimeter security with Trent Heiser

Dissecting Popular IT Nerds

Trent Heiser, CIO at QC Supply, explains how going beyond traditional perimeter security is the only way forward in today’s dynamic landscape.

Zero Trust is no longer an IT initiative.

Whether you’re a CIO, CTO, IT manager, or just curious about how top leaders think… this episode will challenge how you view security in the modern enterprise.



Disclaimer: The views, thoughts, and opinions expressed by guests on this podcast are solely their own and do not necessarily reflect the views or positions of their employers, affiliates, organizations, or any other entities. The content provided is for informational purposes only and should not be considered professional advice. The podcast hosts and producers are not responsible for any actions taken based on the discussions in the episodes. We encourage listeners to consult with a professional or conduct their own research before making any decisions based on the content of this podcast.


3 Key Takeaways

Episode Show Notes

04:06 – Basic security fundamentals

11:07 – Zero trust model explained

16:42 – SASE capabilities

21:01 – Approaching security budgets

28:29 – Building relationships

36:03 – Future of cybersecurity

Transcript

Speaker 0 | 00:00.300

Hi, nerds. I’m Michael Moore, hosting this podcast for Dissecting Popular IT Nerds. I’m here with Trent Heiser, Chief Information Officer at QC Supply. Hey, Trent, how’s it going today?

 

Speaker 1 | 00:10.488

It’s going well. Thank you for having me.

 

Speaker 0 | 00:12.489

Yeah, very good to have you on the program. It’s time for our icebreaker segment. We call this Random Access Memories. I ask a question and then you respond with the answer that comes to your head first. So, Trent, your first question is, how do you balance your IT-related work or study with your personal or social life?

 

Speaker 1 | 00:33.367

I don’t have a personal or social life, really. So the big thing is, I end up in my computer pretty much all day and all night. And even my significant other, she’s in IT, too. So we live around our computers.

 

Speaker 0 | 00:48.700

Well, that makes it easy, doesn’t it?

 

Speaker 1 | 00:50.562

Yep.

 

Speaker 0 | 00:52.704

So what is the most annoying or frustrating IT-related myth or misconception that you have encountered or debunked?

 

Speaker 1 | 01:01.751

Oh,

 

Speaker 0 | 01:02.512

I asked a good question there. Yeah,

 

Speaker 1 | 01:04.214

you did. So I would say one of the things that I keep coming across is the myth about Java being free still. Oh,

 

Speaker 0 | 01:16.204

interesting. Go into that one.

 

Speaker 1 | 01:18.166

Yeah. So, you know, Oracle changed, you know, when they bought Java, they changed their licensing. I think it was in 2021 or 2020, something like that. And then they weren’t, my take on it is they weren’t making enough money. So in January 2023, they changed it again. And with that, they basically opened it so they could charge you based on the number of employees you have, whether you have Java installed on all the desktops or not. People think that still Java, you can just download it because you can still go and download it. So they think it’s free, but it’s not.

 

Speaker 0 | 01:52.271

It’s not free. Java is not free. Well, and, you know, Java is interesting because it’s one of those compile-on-the-actual-computer applications. And it’s interesting because it leads to a lot of processing power on the actual endpoint itself rather than on the server. So I’ve never been a fan of Java for that.

 

Speaker 1 | 02:16.262

I’ve never been a fan of Java either. And I love the fact that you have, like, Azul Java, you have OpenJDK. You know, you have all these open source platforms now that are available that are going, OK, we don’t like what Oracle did with Java. So we’re going to try to make it better. And they’re trying so hard to make it better.

 

Speaker 0 | 02:35.358

They are. They are. That’s a good point. Absolutely on that. All right. Here’s your last question. What is the most fascinating or intriguing IT-related fact or phenomena that you have learned or discovered? Yeah. Another stumper. Yeah. I’m getting good questions here tonight.

 

Speaker 1 | 02:56.607

Yeah, I think so. It would be…

 

Speaker 0 | 03:00.069

This is a tough one.

 

Speaker 1 | 03:01.269

Can you ask the question one more time here?

 

Speaker 0 | 03:03.051

Sure, yeah. He’s asking me to repeat the question like I’m on a game show. I love this. Exactly. What is the most fascinating or intriguing IT-related fact or phenomena that you’ve learned or discovered? I know. The wheels, there is literally smoke coming out of his ears right now, guys. Yeah,

 

Speaker 1 | 03:23.485

I know. It’s amazing. So, you know, I would say that it’s got to be around, it’s got to be around cybersecurity, right? And let me go a little further into that, is it’s normally about the people and cybersecurity and the incidents that are going on there. Those are the things that really… Those are the things that really surprise me and get me going on, just like when I start talking about cybersecurity, I start talking about the people aspect and awareness training. These are the things that are like basics that aren’t being done. And you see it over and over again.

 

Speaker 0 | 04:06.422

You know, that’s so true. There are so many. I come across this all the time. I end up working with a lot of businesses and a lot of different businesses. And it’s amazing to see how many businesses just completely disregard items that they should be doing that are just basic checklists.

 

Speaker 1 | 04:30.744

Basic housekeeping stuff.

 

Speaker 0 | 04:33.306

We see so many businesses that go out to get cybersecurity insurance and stuff like that. And they fill out a questionnaire. The cybersecurity insurance company will give them something to run on their network, and then they get the insurance and move on. But they disregard what’s on that question. It’s on the questionnaire for a reason. Right. I mean, if you’re not training your employees about the risks about cybersecurity and what can come at them, that’s one of the worst possible ways. I mean, didn’t MGM get hacked because of a user?

 

Speaker 1 | 05:13.026

MGM got, it’s actually help desk. I was just reading about this again because of something that I was working on, and their help desk got it.

 

Speaker 0 | 05:22.551

Oh, my gosh.

 

Speaker 1 | 05:23.652

Because they didn’t, they weren’t doing user verification when someone called to the help desk.

 

Speaker 0 | 05:28.643

See, it’s just the most basic things that end up getting them. And the fact that it was part of their IT team, it’s even worse. But it’s going to happen to everybody. You know, I’ve personally been in organizations where I’ve seen it happen on multiple occasions. You know,

 

Speaker 1 | 05:48.293

people. Yeah, I was going to bring up that, like, you know, you talked a little bit about the risk and the insurance, you know, doing the cybersecurity insurance questionnaires. And I’ve come into organizations and they’re like, oh, yeah, we just fill it out every year. It’s like, but do you actually know what you’re filling out? No, we just fill it out.

 

Speaker 0 | 06:08.926

It’s amazing to me that that’s the case. The cybersecurity is such a, cybersecurity is such a big important with today, especially with the new, all the new tools out that just make everything so easy. I mean, there are programs out there right now that just program for you, you know, in like minutes. It’s not, and I’m not even joking, guys, like, there are literally programs out there that will program in minutes. And if you think that the, you know, cybersecurity, if you think that the cybersecurity folks that are not here to help you, right, if you think that those folks aren’t using those for bad reasons, you’re absolutely wrong. They are 100% using them for bad reasons. They are writing malicious code. They are finding ways to put it, and that makes cybersecurity all the much more important.

 

Speaker 1 | 07:09.570

And you bring this up, and you talk about your ChatGPTs and things like that. In an IT security construct now, if you’re not using those types of things to help you get better, then you are so far behind the malicious, the bad actors that are out there. They’re using it, and so they know how to utilize a zero day just like that. You know, they can do, um, vulnerability piling, or, um, they can take advantage of vulnerabilities, you know, multiple at a time. And they’re doing it because they’re using an AI to generate the scripts for them, so they don’t have to, you don’t even have to be smart anymore to be No,

 

Speaker 0 | 07:54.587

you just have to know what you want to ask them to do. Yeah. And Trent, I mean, I look to your profile because I make the joke. I cyberstalk everyone before I get on the podcast with them, right? You’re a certified ethical hacker. Yeah. Right? I mean, right? So, you know, you are, in all sense of purposes, a hacker, but an ethical one. And there are people out there that can do hacking. Right. With almost zero IT skill set.

 

Speaker 1 | 08:27.394

Yeah. I mean, that’s the thing is, like I said, if you know what to ask the AI and how to ask it, you can get the scripts to hack anything you need to.

 

Speaker 0 | 08:37.981

A lot of people think that it’s, you know, hey, AI has these safeguards that are put in place. And in some cases, you’re right. If you ask it to write a malicious code for you, it’s going to go, no, I don’t want to do that. But if you say, hey, listen, I’m working on a project to, you know, write, you know, to expose how they write malicious code and all this type of stuff. And I need to see, sir, if you ask it the right way, there is no safety protocols on place. That thing will spit out the right information.

 

Speaker 1 | 09:10.416

But take it beyond chat. Go to the dark web and look at the AI, the maliciously made AI sitting out. Oh, yeah. Dark web. I mean, you know, we were just talking about ChatGPT, but there’s so many different malicious AIs that are on the dark web and they’re made to do that.

 

Speaker 0 | 09:28.551

And not, and also to mention, you know, one thing to mention here is that you can actually, you know, you can actually get and create your own AI model. You can train it and put it, keep it off the networks and just train it yourself to write this stuff on your own computer. As long as it has training data, you know, as long as it has a base amount of training data and you fed it enough information, it can go to town. So, yeah, you know, not only can you obtain AIs from the dark web or other sources, you can obtain the models, you can obtain training data, and then you can feed it additional data to make whatever you want. And you can keep it off the network in a completely separate area. And once you get the data, just move it to another spot. So, yeah, we’re in an interesting time right now. And, uh, the mere fact that you can, uh, replicate, uh, images of people and videos of people and audio of people at the same time that you can create malicious code, it’s a really interesting and kind of scary time to be in, uh, right now. Because what is real, right? Yeah, exactly. You know, the zero trust, you know, you talk a little bit about, so zero trust

 

Speaker 1 | 10:54.418

which is a big thing that we’re trying to get to it on a lot of systems right now. Well, it doesn’t only apply to systems anymore. It’s zero trust. In my look at it, it’s zero trust with everything that you’re seeing and doing anymore.

 

Speaker 0 | 11:07.645

Yep. And that’s a great point. And let’s talk about the zero trust model, right, is basically a way of, I like to call it the Mulder approach, right? The trust no one theory. Basically, continuously authenticates both the user and the device and also the location of where that device is reporting in from and only gives you access to the items in which you’re supposed to be accessing at that time. So zero trust model is definitely the model to be moving to if you’re not already there. You know, it is definitely a model that I use and employ. Uh, and, and don’t trust anything else, uh, at the moment. But yeah, I’m glad you brought that up. It’s, um, you know, we, we hear, we hear buzzwords, right. And we hear zero trust as a buzzword. But, um, the, the reason behind, uh, zero trust, um, is because we are operating in this moment, which we cannot trust people internal to the network anymore. We can’t trust people, uh, obviously can’t trust people external to the network. Um, everybody’s operating out of everywhere. They’re all over the place. You know, they’re no longer in the place where, uh, they used to be. It used to be everyone went into an office and worked from there and then they left and went home. Right. And that’s not the case anymore. Everybody is, um, 24 seven working in different locations, different countries, different, uh, locales. And, uh, it’s hard to detect whether or not they are supposed to be working from that spot or they’re not. So zero trust model is basically taking advantage of the fact that we don’t know that. So we need to continuously verify this person is the right person. This device is the right device. And this location is the right spot that they’re supposed to be in. And they’re supposed to be accessing this certain thing. Yep. Did I break down zero trust pretty well for you?

 

Speaker 1 | 13:09.971

You did break down zero trust very well. Thank you. I hear a lot of people use a lot of different approaches to zero trust. But I, you know, it’s one of the things where, like, you go into an organization, and it happens more times than not, where you’re going into an organization and they’re like, you know, we want to go to zero trust, or we want to do NIST, or, you know, whatever. Um, you know, I’m going to talk more about zero trust right now, but it’s one of the things where people get into it and they’re like, their approach is more of a trust but verify, an older school mentality toward it. And it’s like, well, when you start taking people down the road of an actual zero trust, they’re like, wait a second, wait a second. That seems intrusive. It’s like, no, it’s not. We’re protecting ourselves at this point.

 

Speaker 0 | 13:54.117

Very, very true. Very true. What is your take on zero trust, and how is it kind of affected your team?

 

Speaker 1 | 14:08.245

So for me, zero trust, it’s not, you have to break it down into the different segments. Right. So you have the zero trust network. Right. And then you have the zero trust access, which is more, or can be more, along the lines of identity or just an access management. And that is where you have the zero trust on that aspect of it. So you have like a privileged management system to say, OK, you can, you’re going to get access because you verified who you are, and you’re going to get access for 45 minutes or an hour or whatever it is. And then you have your zero trust network, which goes to the device verification every minute, right? Because we’re on a minute by minute almost in most of the zero trust stuff that you’re talking about. And so you have to kind of combine those because you’re combining zero trust of identity and zero trust of device. And if you leave out one, that’s where you can have a problem. And so it’s a constant review of the data and the auditing capabilities to make sure that the zero trust on the identity and the zero trust on the network or systems are in line.

 

Speaker 0 | 15:22.394

Yeah. And what advice would you give to our audience listening that maybe they have not yet?

 

Speaker 1 | 15:31.613

moved to zero trust or they’re looking to move to zero trust, what advice would you give them? So one of the things that I would probably look at the most when it comes to the zero trust is don’t think that you’re going to get it all done in one day or, you know, even possibly one fiscal year. Um, but start with something. Start somewhere. You’ve got to start down the road of, like, so, okay, if your firewalls are coming up for a refresh, start looking down the road of a SASE model that has the zero trust built in, you know, where you can do reverse proxy, you can do some of these functionalities. Or if you’re going and moving more toward cloud with your identity and things like that, you know, make sure that you’re implementing either a PIM or a PAM to help offset that and go down the road for identity zero trust. It’s not just one or the other. It’s like you kind of have to start building somewhere.

 

Speaker 0 | 16:27.531

So let’s talk about SASE. Right. These are all good, all good information. Let’s talk about SASE a bit. Explain to the audience the capabilities of SASE because it’s such an amazing tool.

 

Speaker 1 | 16:42.372

Well,

 

Speaker 0 | 16:43.052

it seems like it’s a tool to really say service, but yeah.

 

Speaker 1 | 16:46.313

Yeah, but it seems like it’s still evolving, right? You know, the idea of SASE really kind of started striking right around the pandemic, maybe just a little bit before. And at first it was, okay, well, we’re going to put our VPN out in a virtual firewall sitting in a PoP somewhere and have that VPN back to our head end, you know, our central location. Well, that was great, you know, and we started moving down that road. And then they started putting, okay, well, if we’re going to have the firewall there, we’re going to have next generation services there. So we’re going to be able to do a detection of any malicious traffic. Okay, that’s, you know, that’s all going well. Then they’re like, well, we want to push that to the device and want to make sure that the device to that remote firewall is secure. So then they start securing, okay, well, if you use just a straight VPN client, you’re not going to be able to have that level of security. But if you start doing a client that’s capable of your EDR or XDR and your host identification, you start tracking that. And then it starts putting your device into a, um, a hash and saying, okay, if this hash has changed in the last minute, pick it out; if it hasn’t, it’s still allowed, right? And that’s a really neat way of approaching it, because at that point you’re not trying to have your remote service try to identify whether it’s anything changed on that computer. It’s, has that hash changed or has that token changed? Yeah. So it’s a really good way to look at it. And I don’t know if that’s a really, you know, if that’s kind of explaining or answering your question.

 

Speaker 0 | 18:31.862

There’s a lot to explain with SASE, right? There’s a lot of capabilities of it.

 

Speaker 1 | 18:35.663

Yeah, I mean, because they keep adding on to it. You know, now DLP has gotten built into it. You know, your DNS filtering has gotten built into it. So there’s so many things and they keep adding more to it. And that makes me really excited for the security of tomorrow because that’s going to continue to evolve.

 

Speaker 0 | 18:55.329

Yeah, that’s it. No, I like how you explained it, especially how you talked about, you know, we’re connecting back to a location, right? Back to a, you know, like a firewall or something at a location, you know, and with SASE, that’s not necessarily the case, right? I mean, you, and not at all, right? You’re actually not, you don’t have to do that anymore. So you’re not dependent on that location, which is a great option, a great option to have as a business, right?

 

Speaker 1 | 19:28.446

And you look at how SASE has been evolving and the fact that they’re picking up all of these different SaaS providers now, right? So they’re taking their, you know, the firewall or the SASE security that you’re beginning to know and love and you’re taking it and going, okay, we want to extend that security stack all the way to our SaaS products. So, you know, your Microsoft 365, your Google Cloud, whatever it is, they’re trying to get to the point of extending the reach all the way to those pieces. So your security is truly end to end.

 

Speaker 0 | 20:06.366

Yeah, no, I love that. It’s a great, uh, uh, it’s a great way to, uh, um, to explain it. I would deal with this a lot. So, um, uh, I think you’re explaining it pretty well. Um, you know, the cyber security is definitely a love of yours. You can tell while I’m there. Um, it was funny cause, uh, um, I, you know, everyone knows I, I, I interviewed people kind of before this as well to try to, uh, dig up some information to chat about here and make it interesting. And one of the things I wanted to segue away from cyber security for a minute. And, but I, I will segue back. I promise is that you have a love and I, and it’s a love guys, a love of budgets, right? Did I, did I? Yes.

 

Speaker 1 | 20:53.760

No, you nailed it.

 

Speaker 0 | 20:55.181

Explain to me the love of budgets. I sure, I have a fondness. I don’t have a love.

 

Speaker 1 | 21:01.606

But let’s, please tell me. The reason why the love of budgets is IT always gets the short end of the stick and cybersecurity even gets the shorter end of that. Right. So the thing of it is, is part of it is when you’re building your budgets and you’re having the conversations, it’s about meeting the financial officers where they are. Right. It’s they want to save money. You know, it’s not always about just explaining to them. It’s like, look, what you’re going to do, this is going to cost you money. But you may save money someday down the road, right? It’s about putting it in terms of risk for them. And so, okay, because CFOs, they love risk. They love understanding risk, or at least they think they do. And so we talk about that. And so when we start talking about budgets, we’re talking about what type of risk tolerance do they have? What type of risk will they accept? And when you start talking about that, they start moving a little more away from the technology, oh my God, we got to stop people from buying things, and start moving toward, okay, well, you’re trying to mitigate risk. Okay, we can get behind mitigation of risk. And so that’s why I start loving budgets because look, I’m not having a fight about technology as much. I’m having a conversation with the powers that be that says, this is what we’re trying to accomplish. This is the risk we’re trying to mitigate. This is the risk we’re trying to, you know, in the case of insurance, transfer. Um, and have those conversations. And that’s why I love doing it because in the end we get to have a conversation about ultimately it’s my love, which is, you know, risk and cybersecurity, but they understand it because it is a risk level.

 

Speaker 0 | 22:44.418

So I’ll take it one step further, right? Because I love the way you approach it with the risk. I would, uh, um, I would take one step further. And what I would do is I would also understand, uh, from those, uh, from those C levels, right, what their pain points are, what their issues are. Identify those pain points, tie them back to the solution that you’re trying to implement to mitigate the risk. And sometimes you’ll find that the solution for the risk mitigation will also alleviate the pain point. So for instance, I mean, here’s a silly one, right? Just a silly type of pain point. Let’s talk about CEO that goes to log in every day and has to keep switching up passwords and everything like that. Right. So you say, hey, well, you know what I want to do is I know you got all these applications that you have out here. I want to take them and I want to single sign on them, you know, back to our identity provider. Right. And that’ll actually mitigate the risk of, you know, having these out here that probably don’t have MFA and all this stuff. And they were going to tie it back to our identity provider, which has got strong security stuff and able to work. And it’s going to make it so you can log in with one password and that password’s secure. And it’ll reduce the amount of passwords we need to kill when somebody leaves, right? And it’ll reduce that whole risk. Now, not only have you done exactly what you said to do, which is the risk, but you’ve also given them a pain point to reduce, right?

 

Speaker 1 | 24:23.582

Oh, you nailed that. I mean, and it’s funny you bring up single sign-on because that’s like one of the things that whenever I go in, you know, and have a conversation, not with necessarily the C-levels, but just have a conversation with managers, directors, what those level and say, look, if we can remove sign-on from, you know, say 60% of what you’re doing on a day-to-day, would that help? And it’s like, well, God, you know, that’s a huge thing. And they’re willing, you know, to your point, they’re willing to spend a little extra money to remove some of those sign ons.

 

Speaker 0 | 24:55.791

Yeah, everybody wants to make their job easier. Right. And it’s not even about making their job easier. Right. It’s about giving them back the productivity time. Right. And that’s the huge piece of it is we spend so much time here with. Well, actually, I’ll say it this way. Security, security objectives often align with making things easier. It didn’t used to be the case. It used to make things a lot harder. But now the security objectives actually align very well with sometimes reduced costs and also the ability to make people’s lives easier in the organization.

 

Speaker 1 | 25:36.494

Well, look at passwordless. You know, the implementation of passwordless is a perfect example of what you’re explaining there, right? Because you’re making everybody’s life a lot easier and you’re increasing their productivity and you’re actually enhancing security.

 

Speaker 0 | 25:51.116

Absolutely. Absolutely. It’s remarkable. It’s remarkable to see that it’s a, it didn’t always used to be the case, but it is most definitely the case now. And the alignments of reduced cost and easeability and usability and security all coming together, if you follow, you know, methodologies like NIST and zero trust, and, uh, and you follow the methodologies correctly and you put them on place, uh, incorrectly, then you will end up synergizing those three, which will make everybody happy in the organization, and you’ll feel a lot better because you’ll be safer. Yeah, it’s a really, really big deal. And I’m glad that you did share your love of budgets with me so that we could have this talk. Let’s talk a little bit about building relationships with coworkers. And before we get into the building relationship with coworkers, I want to just double check with you on something, because you had mentioned to me something that you were one of the most forgivable people that you will never meet. Right.

 

Speaker 1 | 27:08.627

Forgettable.

 

Speaker 0 | 27:09.688

Sorry, forgettable people. I said that wrong. You’re one of the most forgettable people that you will never meet, right? Is that what you said to me?

 

Speaker 1 | 27:16.032

That’s what I said, yes.

 

Speaker 0 | 27:17.233

I think me and now the audience need some actual context on this.

 

Speaker 1 | 27:25.098

So early on in my career, I was one of those people in IT that I would be working at a company for a number of years, and I would see somebody that I worked with every day for… you know, two, three years, I’d see them out in the world and they’d be like, I have no idea who you are. And I’m like, I literally talk to you every single day. And they’re like, yeah, I have no idea. And I was like, okay, well, one time I can understand, but this happened at two, three different companies. And so I got, I kind of got proud of the fact, I was like, man, I must be really forgettable. So, um, I, I’ve kind of gone down this road of I’m the most forgettable person you’ll never meet because you won’t remember meeting me.

 

Speaker 0 | 28:07.228

Wait a second. Have we had you on the podcast before? I just don’t remember.

 

Speaker 1 | 28:10.570

Right. Nope. Nope. Not at all.

 

Speaker 0 | 28:13.052

Well, when I have you on again, I’ll make sure not to remember it. So no, that’s great. Now, let me ask you a question, though. If you are one of the most forgettable people you’ll never meet. Right. How do you build relationships so well within the organization?

 

Speaker 1 | 28:29.125

See, that’s the thing is, like, I’ve always kind of wondered, like, because when I’m talking to the people that are that are my coworkers, you know. There, it’s, I’m talking to them about things that are important to them. And I think this kind of also kind of plays into why I become forgettable because I’m talking to them. Like I have a really good friend that he’s a CFO and he and I have conversations over and over again. Most of the time it’s about financial things because that’s what he likes to talk about. Sometimes he’ll ask me questions about IT things. And in the end of the day, when he goes and goes, oh, I need to, I need some IT help or I need something done for IT. He doesn’t even think about calling me. He calls somebody else. And I’m like, but why? And he’s like, well, I never thought about it. And so it’s like, look, I love having these conversations. He thinks very highly of me. I think very highly of him. But I’m not the first, you know, I’m not the IT person he thinks about, which is fine. I don’t have a problem with that.

 

Speaker 0 | 29:24.427

I just realized, by the way, you would make a great like secret agent.

 

Speaker 1 | 29:29.029

Yeah, probably.

 

Speaker 0 | 29:30.370

You just walk right in. They’d forget about you. You know, you should be a spy. I mean, that’s, that should have been your calling.

 

Speaker 1 | 29:38.373

That probably should have been. But, uh, you know, so, and that’s why I build these relationships and these relationships last. I mean, I, I have, you know, my old COO when I was at Aspen, um, he and I are still good friends and we still talk. And the C the CIO that I had at, um, company in Omaha, you know, she and I still talk. Build these relationships that are long-term that we can have conversations. What are you doing in technology? What are you doing on operation? What are you doing in financial? I like having those conversations because it means a lot. First of all, that we can have the conversations. But the other part of it is that they become more than just coworkers. They’re friends. And that’s what becomes important to me. Yeah, I can go on LinkedIn and I can have all my connections in LinkedIn. But if I… contact any one of those guys, I know that they will help me out with anything I need.

 

Speaker 0 | 30:35.290

Yeah. See, that ability to have that dependability and know that they’ve got your back while you’ve got theirs, I mean, you can’t take that away. That’s a great part about being part of a team, right, is that you’re able to have each other’s backs and be able to do whatever you need for each other. So building those partnerships, to me, is huge within an organization.

 

Speaker 1 | 31:00.660

Oh, and building it across different organizations. I mean, it’s, you know, you’re talking just the organization, but I’m sitting there looking at it and going, you know, people that I worked with 10 years ago, we’re still talking, like, usually on a weekly or every two week basis, but we still talk. I mean, that means a lot. And especially for me in IT, when, you know, IT is usually the dirty word that no one really wants to talk about. The fact that we have conversations still to this day after 10, 15 years, it means that I actually made an impact.

 

Speaker 0 | 31:34.845

Yeah, no, I think that that’s, I think that’s awesome. I think that’s the way in which, that’s the way in which we need to be doing it and personalizing it, in my opinion. Yeah. You know, it is a, you know, I hear stories all the time from friends and stuff like that with, with their IT departments. And the, and the stories you hear are, you know, I got off the phone, they didn’t trust me. They didn’t talk to me. They didn’t, uh, uh, do what I needed and stuff like that. And, and I kinda, you know, every time I hear that, I’m like, man, you know, they missed the mark. They missed that mark. Right. Well, they didn’t do what you said to do.

 

Speaker 1 | 32:14.388

And I, and I, I tell this to my help desk guys all the time. And I actually, I was having a conversation with my manager just before this all and about this exact thing. It’s like, have our help desk needs to take that extra time. They need to make it a personalized level. And we’re trying to fill a position in the help desk. And with that position, it’s like, okay, they’re an absolute opposite type of personality than one of the help desk people that we already have in place. But that’s what we need because personalities don’t always drive. So you need to have that contrast in personality. So that way, if someone doesn’t get along with, you know, help desk personality A, they can go to help desk personality B, and they, they’re treated, or they feel like they’re treated, better, and it becomes more of a personal, uh, approach.

 

Speaker 0 | 33:10.549

Now that’s a great, uh, great point. Um, I think that, uh, um, in the world that we mentioned that we’re living in right now, which is full of things that are not real, right, and things that, uh, um, you know, that are artificially created, um, having those types of genuine, I would say, genuine moments, right, with people, regardless of if they’re a team member or they’re a partner that you have or they’re a, you know, they’re somebody that you meet on the street, right? The having these meaningful moments matters. And, and I think it, and it’s the thing that’s going to remind us that there are some things that are still real, very real in life. I’m going to segue off to our final segment. It’s the IT crystal ball. And this is where we discuss the future of IT, right? So we’ve been sitting here talking about the current situation. And it’s so funny because I’ve done a bunch of these and it was AI, um, and, um, and it’s been the, uh, the constant theme, right. Right. But AI is no longer the future, right? I mean, uh, there are articles now, uh, stating that we’re about a year away from agentic AI, right? So, um, we’re, we’re moving away from generative and moving on to the next step, uh, literally, uh, um, probably, you know, either this year or next year, which is an interesting, uh, um, theory. So, um, so, you know, that’s where we are right now. We’re currently at a generative AI, and that’s no longer, um, no longer a thing that, uh, is, is in the future. We’re going to be talking about, uh, the future of five years out from now. Right. Which is so hard now to predict. Right. Because of all the changes that are happening. 2025 and in some science fiction books promise things like, you know, flying cars and stuff like that. But I was also also in those books, you know, and we have reached it. Right. We are in 2025. We are full of AI and it is permeating everything that we have. So when we talk about the future, we have to kind of think past that, right? We can incorporate it, but we have to think kind of past that.
And so let’s talk about the future. And since we had such an elaborate discussion on cybersecurity, right? Let’s talk about what the future of cybersecurity is going to be five years from now. What do you think, Trent? What will be the world of cybersecurity when we look into the future using our IT crystal ball?

 

Speaker 1 | 36:03.240

So to me, you know, obviously we’re going to have AI built into everything. That’s fine. But our approach to security is going to continue to evolve. It is, you know, right now we’re, you know, SASE has become or becoming the big thing with zero trust. But as you get more and more mobile devices, more and more Internet of Things devices that are running around, how are we going to secure those? And to me, it’s literally going to be about securing them from that, that device level or, or the perimeter-where-you-are mentality. So it, it’s no longer going to be a, you know, the old perimeter approach to network security is long dead, right? And so they’ve extended it out to, you know, with SASE they extended out to your device, you know, your computer, wherever it is, but they’ve been ignoring Internet of Things. So you’re going to see Internet of Things that are going to become relational to these central computing devices. And that’s how the security is going to… The computer devices, I think, are going to become that perimeter for your Internet of Things devices that are connected to the network.

 

Speaker 0 | 37:18.939

It’s such an interesting thought. I mean, the Internet of Things is… IoT is such an interesting space anyway, right? Because we tend to forget about it. Because it’s like, oh, I have a, you know, I have an Alexa or a Google Home, right? Oh, I have this, you know, this watch that needs an IP address. Oh, I have a refrigerator that checks in. I have, you know, but you just, you don’t use it and think about it. It just works in the background. Right. And so many, so many things now are IoT. And it’s a, you know, I’m glad you brought this up. Because what other things will become IoT? And you can imagine if you take some things that are in such common use, not only do they become, you know, not only when they become IoT, they become very abundant. But also, as technology gets better, they become, you know, disposable, which is another problem, right?

 

Speaker 1 | 38:25.854

Yep. Yeah. I mean, you start going down the road of the IoT, yeah, and I’ll use AirTags. It’s kind of a great kind of IoT, almost a scary cybersecurity thing, right? You know, the idea of the first generation AirTags and what they were able to do with them before they started locking them down was scary enough as far as what, you know, cyber stalking or, you know, stalking people using AirTags. But now, you know, they’re going to have the second generation AirTags probably this spring and their accuracy is going to be so much more. But the thing of it is, is it’s going to, there’s more, going to be more memory to it. There’s going to be more opportunity to take advantage of it from a, from a malicious standpoint. And those are the things that people don’t think about that. They just are there. Yeah. So, yeah, we have to secure.

 

Speaker 0 | 39:14.058

I mean, there’s silly things like, you know, if you wanted to throw hacks out there. Right. We all know the common easy hack before, which was, you know, someone picks up a, uh, just, you know, throw out a bunch of, uh, USB drives and, and I, I even had, uh, um, uh, I even had a, someone on the podcast that even told me about that. They did, was one time where they threw out a bunch of, uh, USB drives and just, uh, just to see who took them. Right. And it actually recorded how many people took them and stuff, not maliciously, just as a, just to verify and see who did it. Um, and, uh, and it was at a staggering amount of people took them and plugged them in. Right. Um, but with IoT, it’s even easier, right? Because, you know, you can throw, let’s, I mean, right now, you know, watches and stuff are expensive, like, you know what I mean? But they won’t be in the future. They’ll be throwaways. People will be replacing them very quickly and, and they’ll be cheaper ones. And so you get, you know, leave a watch out on, you know, out there and somebody picks it up and starts incorporating it and it starts connecting it to their phone and bam. Right. You know, all of a sudden you can bank records and you’re done. Right. So, I mean, there’s just small little things like that, right? You know, uh, it’s amazing to me the, uh, um, the ability. So I, you know, I think you’re on to something with this, uh, with this IoT, uh, piece and, and the next evolution of this stuff. Combine that with, uh, agentic AI and we’re gonna have some trouble here.

 

Speaker 1 | 40:44.534

Oh yeah, very much so. But you know what, the thing of it is, is I, I’m excited for it because, you know, the only way that we get better is for things like that to occur. That’s very true. So you, I’m excited for it.

 

Speaker 0 | 40:59.982

I love it. Trent is excited for the future. Nerds, I’m Michael Moore, hosting this podcast for Dissecting Popular IT Nerds. I’ve been here with Trent Heiser, Chief Information Officer at QC Supply. Trent, thank you so much for joining the program for us. I would love to have you on again if I remember.

 

Speaker 1 | 41:21.113

Thank you.

 

349- Beyond traditional perimeter security with Trent Heiser

Speaker 0 | 00:00.300

Hi, nerds. I’m Michael Moore, hosting this podcast for Dissecting Popular IT Nerds. I’m here with Trent Heiser, Chief Information Officer at QC Supply. Hey, Trent, how’s it going today?

 

Speaker 1 | 00:10.488

It’s going well. Thank you for having me.

 

Speaker 0 | 00:12.489

Yeah, very good to have you on the program. It’s time for our icebreaker segment. We call this Random Access Memories. I ask a question and then you respond with the answer that comes to your head first. So, Trent, your first question is, how do you balance your IT-related work or study with your personal or social life?

 

Speaker 1 | 00:33.367

I don’t have a personal or social life, really. So the big thing is, I end up in my computer pretty much all day and all night. And even my significant other, she’s in IT, too. So we we live around our computers.

 

Speaker 0 | 00:48.700

Well, that makes it easy, doesn’t it?

 

Speaker 1 | 00:50.562

Yep.

 

Speaker 0 | 00:52.704

So what is the most annoying or frustrating IT related myth? or misconception that you have encountered or debunked?

 

Speaker 1 | 01:01.751

Oh,

 

Speaker 0 | 01:02.512

I asked a good question there. Yeah,

 

Speaker 1 | 01:04.214

you did. So I would say one of the things that I keep coming across is the myth about Java being free still. Oh,

 

Speaker 0 | 01:16.204

interesting. Go into that one.

 

Speaker 1 | 01:18.166

Yeah. So, you know, Oracle changed, you know, when they bought Java, they changed their licensing. I think it was in 2021 or 2020, something like that. And then they weren’t, my take on it is they weren’t making enough money. So in January 2023, they changed it again. And with that, they basically opened it so they could charge you based on the number of employees you have, whether you have Java installed on all the desktops or not. People think that still Java, you can just download it because you can still go and download it. So they think it’s free, but it’s not.

 

Speaker 0 | 01:52.271

It’s not free. Java is not free. Well, and, you know, Java is interesting because it’s it’s one of those compile on the actual computer applications. And it’s interesting because it leads to a lot of processing power on the actual endpoint itself and rather on the server. So I’ve never been a fan of Java for that.

 

Speaker 1 | 02:16.262

I’ve never been a fan of Java either. And I love the fact that you have like a Zool Java, you have OpenJDK. You know, you have all these open source platforms now that are available that are going, OK, we don’t like what Oracle did with Java. So we’re going to try to make it better. And they’re trying so hard to make it better.

 

Speaker 0 | 02:35.358

They are. They are. That’s a good point. Absolutely on that. All right. Here’s your last question. What is the most fascinating or intriguing IT related fact or phenomena that you have learned or discovered? Yeah. Another stumper. Yeah. I’m getting good questions here tonight.

 

Speaker 1 | 02:56.607

Yeah, I think so. It would be…

 

Speaker 0 | 03:00.069

This is a tough one.

 

Speaker 1 | 03:01.269

Can you ask Kostya one more time here?

 

Speaker 0 | 03:03.051

Sure, yeah. He’s asking me to repeat the question like I’m on a game show. I love this. Exactly. What is the most fascinating or intriguing IT-related fact or phenomena that you’ve learned or discovered? I know. The wheels, there is literally smoke coming out of his ears right now, guys. Yeah,

 

Speaker 1 | 03:23.485

I know. It’s amazing. So, you know, I would say that it’s got to be around, it’s got to be around cybersecurity, right? And let me go a little further into that, is it’s normally about the people and cybersecurity and the incidents that are going on there. Those are the things that really… Those are the things that really surprise me and get me going on on just like when I start talking about cybersecurity, I start talking about the people aspect and awareness training. These are the things that are like basics that aren’t being done. And you see it over and over again.

 

Speaker 0 | 04:06.422

You know, that’s so true. There are so many. I come across this all the time. I end up working with a lot of businesses and a lot of different businesses. And it’s amazing to see how many businesses just completely disregard items that they should be doing that are just basic checklists.

 

Speaker 1 | 04:30.744

Basic housekeeping stuff.

 

Speaker 0 | 04:33.306

We see so much businesses that go out to get cybersecurity insurance and stuff like that. And they fill out a questionnaire. The cybersecurity insurance company will give them a something to run on their network and then they get the insurance and move on. And but they but they disregard what’s on that question. It’s on the questionnaire for a reason. Right. I mean, if you’re not training your employees about the risks about cybersecurity and what can come at them, that’s one of the worst possible ways. I mean, didn’t MGM get hacked because of a user?

 

Speaker 1 | 05:13.026

MGM got it’s actually help desk. I was just reading about this again because of something that I was working on and their help desk got it.

 

Speaker 0 | 05:22.551

Oh, my gosh.

 

Speaker 1 | 05:23.652

Because they didn’t they weren’t doing user verification when someone called to the help desk.

 

Speaker 0 | 05:28.643

See, it’s just the most basic things that end up getting them. And the fact that it was part of their IT team, it’s even worse. But it’s going to happen to everybody. You know, I’ve personally been in organizations where I’ve seen it happen on multiple occasions. You know,

 

Speaker 1 | 05:48.293

people. Yeah, I was going to bring up that, like, you know, you talked a little bit about the risk and the insurance, you know, doing the cybersecurity insurance. questionnaires. And I’ve come into organizations and they’re like, oh, yeah, we just fill it out every year. It’s like, but do you actually know what you’re filling out? No, we just fill it out.

 

Speaker 0 | 06:08.926

It’s amazing to me that that’s the case. The cybersecurity is such a cybersecurity is such a big important with today, especially with the new all the new tools out that just make everything so easy. I mean, there are programs out there right now that just program for you, you know, in like minutes. It’s not and I’m not even joking, guys, like I there are there are literally programs out there that will program in minutes. And if you think that the that the, you know, cybersecurity, if you think that the cybersecurity folks that are not here to help you, right, if you think that those folks. aren’t using those for bad reasons, you’re absolutely wrong. They are 100% using them for bad reasons. They are writing malicious code. They are finding ways to put it, and that makes cybersecurity all the much more important.

 

Speaker 1 | 07:09.570

And you bring this up, and you talk about your chat GPTs and things like that. In an IT security construct now, if you’re not using those types of things to help you get better, then you are so far behind. the malicious the bad actors that are out there that are they’re using it and they so they know how to utilize a zero day just like that you know they can do um uh vulnerability piling or um they can take advantage of vulnerabilities you know multiple at a time and they’re and they’re doing it because they’re using an ai to generate the scripts for them so they don’t have to you don’t even have to be smart anymore to be No,

 

Speaker 0 | 07:54.587

you just have to know what you want to ask them to do. Yeah. And Trent, I mean, I look to your profile because I make the joke. I cyberstalk everyone before I get on the podcast with them, right? You’re a certified ethical hacker. Yeah. Right? I mean, right? So, you know, you are, in all sense of purposes, a hacker, but an ethical one. And there are people out there that can do hacking. Right. With almost zero IT skill set.

 

Speaker 1 | 08:27.394

Yeah. I mean, that’s the thing is, like I said, if you know if you know what to ask the AI and how to ask it, you can get the scripts to hack anything you need to.

 

Speaker 0 | 08:37.981

A lot of people think that it’s, you know, hey, AI has these safeguards that are put in place. And and in some cases, you’re right. If you ask it to write a malicious code for you, it’s going to go, no, I don’t want to do that. But if you. If you say, hey, listen, I’m working on a project to, you know, write, you know, to to expose how they write malicious code and all this type of stuff. And I need to see, sir, if you ask it the right way, there is no no safety protocols on place. That thing will spit out the right information.

 

Speaker 1 | 09:10.416

But take it beyond chat. Go to the dark web and look at the AI, the maliciously made AI sitting out. Oh, yeah. Dark web. I mean. You know, we were just talking about chat GPT, but there’s so many different malicious AIs that are on the dark web and they’re made to do that.

 

Speaker 0 | 09:28.551

And not and also dimension, you know, one thing to mention here is that you can actually, you know, you can actually get and create your own AI model. You can train it and put it. keep it off the networks and just train it yourself to write this stuff on your own computer. As long as it has training data, You know, as long as it has a base amount of training data and you fed it enough information, it it can go to town. So, yeah, you know, not only can you obtain AIs from from the dark web or other sources, you can obtain the models, you can obtain training data, and then you can feed it additional data to make whatever you want. And you can keep it off the network in a completely separate area. And once you get the data, just move it to another spot. So. yeah we’re we’re in an interesting time right now and and uh the mere fact that you can uh replicate uh images of people and videos of people and audio of people at the same time that you can create malicious code it it’s a really interesting and kind of scary time to be in uh right now because what is real right yeah exactly you know the zero trust you know you talk a little bit about so zero trust

 

Speaker 1 | 10:54.418

which is a big thing that we’re trying to get to it on a lot of systems right now. Well, it doesn’t only apply to systems anymore. It’s zero trust. In my look at it, it’s zero trust with everything that you’re seeing and doing anymore.

 

Speaker 0 | 11:07.645

Yep. And that’s a great point. And let’s talk about the zero trust model, right, is basically a way of, I like to call it the Mulder approach, right? The trust no one theory. Basically, continuously authenticates both the user and the device and also the location of where that device is reporting in from and only gives you access to the items in which you’re supposed to be accessing at that time. So zero trust model is definitely the model to be moving to if you’re not already there. You know, it is definitely a model that I use and employ. Uh, and, and don’t trust anything else, uh, at the moment. But yeah, I’m glad you brought that up. It’s, um, you know, we, we hear, we hear buzzwords, right. And we hear zero trust as a buzzword. But, um, the, the reason behind, uh, zero trust, um, is because we are operating in this moment, which we cannot trust people internal to the network anymore. We can’t trust people, uh, obviously can’t trust people external to the network. Um, everybody’s operating out of everywhere. They’re all over the place. You know, they’re no longer in the place where, uh, they used to be. It used to be everyone went into an office and worked from there and then they left and went home. Right. And that’s not the case anymore. Everybody is, um, 24 seven working in different locations, different countries, different, uh, locales. And, uh, it’s hard to detect whether or not they are supposed to be working from that spot or they’re not. So zero trust model is basically taking advantage of the fact that we don’t know that. So we need to continuously verify this person is the right person. This device is the right device. And this location is the right spot that they’re supposed to be in. And they’re supposed to be accessing this certain thing. Yep. Did I break down zero trust pretty well for you?

 

Speaker 1 | 13:09.971

You did break down zero trust very well. Thank you. I hear a lot of people use a lot of different approaches to zero trust. But I, you know, it’s one of the things where like. you go into an organization and it happens more times than not where you you’re going into an organization and they’re like you know we want to go to zero trust or we want to do nist or you know whatever um you know i’m going to talk more about zero trust right now but it’s one of the things where people get into it and they’re like their approach is more of a a trust but verify an older school mentality toward it and it’s like well when you start taking people down the road of an actual zero trust They’re like, wait a second, wait a second. That seems intrusive. It’s like, no, it’s not. We’re protecting ourselves at this point.

 

Speaker 0 | 13:54.117

Very, very true. Very true. What is what is your take on zero trust and and how is it kind of affected your your team?

 

Speaker 1 | 14:08.245

So for me, zero trust, it’s not you have to break it down into the different segments. Right. So you have the zero trust network. Right. And then you have the zero trust access, which is more or can be more along the lines of identity or just an access management. And that is where you have the zero trust on that aspect of it. So you have like a privileged management system to say, OK, you can you’re going to get access because you verified who you are and you’re going to get access for 45 minutes or an hour or whatever it is. And then you have your zero trust network. which goes to the device verification every minute, right? Because we’re on a minute by minute almost in most of the zero trust stuff that you’re talking about. And so you have to kind of combine those because you’re combining zero trust of identity and zero trust of device. And if you leave out one, That’s where you can have a problem. And so it’s a constant review of the data and the auditing capabilities to make sure that the zero trust on the identity and the zero trust on the network or systems are in line.

 

Speaker 0 | 15:22.394

Yeah. And what advice would you give to our audience listening that maybe they have not yet?

 

Speaker 1 | 15:31.613

moved to zero trust or they’re looking to move to zero trust what what advice would you give them so one of the things that that i would probably look at the most when it comes to the zero trust is don’t don’t think that you’re going to get it all done in one day or you know even possibly one fiscal year um but start with something start somewhere you’ve got to start down the road of like so okay if your firewalls are coming up for a refresh start looking down the road of a sassy model that has the zero trust built in, you know, where you can do reverse proxy, you can do some of these functionalities. Or if you’re going and moving more toward cloud with your identity and things like that, you know, make sure that you’re implementing either a PIM or a PAM to help offset that and go down the road for identity zero trust. It’s not just one or the other. It’s like you kind of have to start building somewhere.

 

Speaker 0 | 16:27.531

So let’s talk about SASE. Right. These are all good, all good information. Let’s talk about SASE a bit. Explain to the audience the capabilities of SASE because it’s such an amazing tool.

 

Speaker 1 | 16:42.372

Well,

 

Speaker 0 | 16:43.052

it seems like it’s a tool to really say service, but yeah.

 

Speaker 1 | 16:46.313

Yeah, but it seems like it’s still evolving, right? You know, the idea of SASE really kind of started striking right around the pandemic, maybe just a little bit before. And. At first it was, okay, well, we’re going to put our VPN out in a virtual firewall sitting in a pop somewhere and have that VPN back to our head end, you know, our central location. Well, that was great, you know, and we started moving down that road. And then they started putting, okay, well, if we’re going to have the firewall there, we’re going to have next generation services there. So we’re going to be able to do a detection of any malicious traffic. Okay, that’s, you know, that’s all going well. Then they’re like, well, we want to push that to the device and want to make sure that the device to that remote firewall is secure. So then they start securing, okay, well, if you use just a straight VPN client, you’re not going to be able to have that level of security. But if you start doing a client that’s capable of your EDR or XDR and your host identification, you start tracking that. And then it starts. putting your device into a a um a hash and saying okay if this hash has changed in the last minute pick it out if it hasn’t it’s still allowed right and that’s that’s a really neat way of approaching it because at that point you’re not trying to have your remote service try to identify whether it’s anything changed on that computer it’s has that hash changed or has that token changed yeah so it’s a really good way to look at it and And I don’t know if that’s a really, you know, if that’s kind of explaining or answering your question.

 

Speaker 0 | 18:31.862

There’s a lot to explain with Sassy, right? There’s a lot of capabilities of it.

 

Speaker 1 | 18:35.663

Yeah, I mean, because they keep adding on to it. You know, now DLP has gotten built into it. You know, your DNS filtering has gotten built into it. So there’s so many things and they keep adding more to it. And that makes me really excited for the security of tomorrow because that’s going to continue to evolve.

 

Speaker 0 | 18:55.329

Yeah, that’s it. No, I like how you explained it, especially how you talked about, you know, you know, we’re connecting back to a location, right? Back to a, you know, like a firewall or something at a location, you know, and with SASE, that’s not necessarily the case, right? I mean, you and not at all, right? You’re, you’re actually not, you don’t have to do that anymore. So you’re not dependent on that location, which is a great option. a great option to have for as a business, right?

 

Speaker 1 | 19:28.446

And you look at how SASE has been evolving and the fact that they’re picking up all of these different SaaS providers now, right? So they’re taking their, you know, the firewall or the SASE security that you’re beginning to know and love and you’re taking it and going, okay, we want to extend that security stack all the way to our SaaS products. So, you know, your Microsoft 365, your… Google Cloud, whatever it is, they’re trying to get to the point of extending the reach all the way to those pieces. So your security is truly end to end.

 

Speaker 0 | 20:06.366

Yeah, no, I love that. It’s a great, uh, uh, it’s a great way to, uh, um, to explain it. I would deal with this a lot. So, um, uh, I think you’re explaining it pretty well. Um, you know, the cyber security is definitely a love of yours. You can tell while I’m there. Um, it was funny cause, uh, um, I, you know, everyone knows I, I, I interviewed people kind of before this as well to try to, uh, dig up some information to chat about here and make it interesting. And one of the things I wanted to segue away from cyber security for a minute. And, but I, I will segue back. I promise is that you have a love and I, and it’s a love guys, a love of budgets, right? Did I, did I? Yes.

 

Speaker 1 | 20:53.760

No, you nailed it.

 

Speaker 0 | 20:55.181

Explain to me the love of budgets. I sure, I have a fondness. I don’t have a love.

 

Speaker 1 | 21:01.606

But let’s please tell me the reason why the love of budgets is IT always gets the short end of the stick and cybersecurity even gets the shorter end of that. Right. So the thing of it is, is part of it is when you’re building your budgets and you’re having the conversations, it’s about meeting the financial officers where they are. Right. It’s they want to save money. You know, it’s not always about just explaining to them. It’s like, look, what you’re going to do, this is going to cost you money. But. You may save money someday down the road, right? It’s about putting it in terms of risk for them. And so, okay, because CFOs, they love risk. They love understanding risk, or at least they think they do. And so we talk about that. And so when we start talking about budgets, we’re talking about what type of risk tolerance do they have? What type of risk will they accept? And when you start talking about that. they start moving a little more away from the technology. Oh my God, we got to stop people from buying things and start moving toward, okay, well, you’re trying to mitigate risk. Okay, we can get behind mitigation of risk. And so that’s why I start loving budgets because look, I’m not having a fight about technology as much. I’m having a conversation with the powers that be that says, this is what we’re trying to accomplish. This is the risk we’re trying to mitigate. This is the risk we’re trying to, you know, in the case of insurance transfer. Um, and have those conversations. And that’s why I love doing it because in the end we get to have a conversation about ultimately it’s my love, which is, you know, risk and cybersecurity, but they understand it because it is a risk level.

 

Speaker 0 | 22:44.418

So I’ll take it one step further, right? Because I love the way you approach it with the risk. I would, uh, um, I would take one step further. And what I would do is I would also understand, uh, from those, uh, from those C levels, right? what their pain points are, what their issues are. Identify those pain points, hide them back to the solution that you’re trying to implement to mitigate the risk. And sometimes you’ll find that the solution for the risk mitigation will also alleviate the pain point. So for instance, I mean, here’s a silly one, right? Just a silly type of pain point. Let’s talk about CEO that goes to log in every day and has to keep switching up passwords and everything like that. Right. So you say, hey, well, you know what I want to do is I know you got all these applications that you have out here. I want to take them and I want to single sign on them, you know, back to our identity provider. Right. And that’ll make that’ll actually mitigate the risk of, you know, having these out here that don’t have. probably don’t have MFA and all this stuff. And they were going to tie it back to our identity provider, which has got strong security stuff and able to work. And it’s going to make it so you can log in with one password and that password’s secure. And it’ll reduce the amount of passwords we need to kill when somebody leaves, right? And it’ll reduce that whole risk. Now, not only have you done exactly what you said to do, which is the risk, but you’ve also given them a pain point. to reduce, right?

 

Speaker 1 | 24:23.582

Oh, you nailed that. I mean, and it’s funny you bring up single sign-on because that’s like one of the things that whenever I go in, you know, and have a conversation, not with necessarily the C-levels, but just have a conversation with managers, directors, what those level and say, look, if we can remove sign-on from, you know, say 60% of what you’re doing on a day-to-day, would that help? And it’s like, well, God, you know, that’s a huge thing. And they’re willing, you know, to your point, they’re willing to spend a little extra money to remove some of those sign-ons.

 

Speaker 0 | 24:55.791

Yeah, everybody wants to make their job easier. Right. And it’s not even about making their job easier. Right. It’s about giving them back the productivity time. Right. And that’s the, that’s the huge piece of it is we spend so many, so much time here with. Well, actually, I’ll say it this way. Security, security objectives often align with making things easier. It didn’t used to be the case. It used to make things a lot harder. But now the security objectives actually align very well with sometimes reduced costs and also the ability to make people’s lives easier in the organization.

 

Speaker 1 | 25:36.494

Well, look at passwordless. You know, the implementation of passwordless is a perfect example of what you’re explaining there, right? Because you’re making everybody’s life a lot easier and you’re increasing their productivity and you’re actually enhancing security.

 

Speaker 0 | 25:51.116

Absolutely. Absolutely. It’s, it’s remarkable. It’s remarkable to see that it’s a, it didn’t always used to be the case, but it is most definitely the case now. And the alignments of reduced cost and easeability and usability and security all coming together if you follow, you know, methodologies like NIST and zero trust, and, uh, and you follow the methodologies correctly and you’re put and you put them on place, uh, incorrectly, then you will end up synergizing those three, which will make everybody happy in the organization, and you’ll feel a lot better because you’ll be safer. Yeah, it’s a, it’s a really, really big deal. And I’m glad that, I’m glad that you did share your love of budgets with me so that we could have this talk. Let’s talk a little bit about, a little bit about building relationships with, with coworkers. And before we get into the building relationship with coworkers, I want to, I want to just double check with you on something, because you had mentioned to me something that you were one of the most forgivable people that you will never meet. Right.

 

Speaker 1 | 27:08.627

Forgettable.

 

Speaker 0 | 27:09.688

Sorry, forgettable people. I said that wrong. You’re one of the most forgettable people that you will never meet, right? Is that what you said to me?

 

Speaker 1 | 27:16.032

That’s what I said, yes.

 

Speaker 0 | 27:17.233

I think me and now the audience need some actual context on this.

 

Speaker 1 | 27:25.098

So early on in my career, I was one of those people in IT that I would be working at a company for a number of years, and I would see somebody that I worked with every day for… you know, two, three years, I’d see them out in the world and they’d be like, I have no idea who you are. And I’m like, I literally talk to you every single day. And they’re like, yeah, I have no idea. And I was like, okay, well, one time I can understand, but this happened at two, three different companies. And so I got, I kind of got proud of the fact, I was like, man, I must be really forgettable. So, um, I, I’ve kind of gone down this road of I’m the most forgettable person you’ll never meet because you won’t remember meeting me.

 

Speaker 0 | 28:07.228

Wait a second. Have we had you on the podcast before? I just don’t remember.

 

Speaker 1 | 28:10.570

Right. Nope. Nope. Not at all.

 

Speaker 0 | 28:13.052

Well, when I have you on again, I’ll make sure not to remember it. So no, that’s great. Now, let me ask you a question, though. If you are one of the most forgettable people you’ll never meet. Right. How do you build relationships so well within the organization?

 

Speaker 1 | 28:29.125

See, that’s the thing is, like, I’ve always kind of wondered, like, because when I’m talking to the people that are, that are my coworkers, you know, there, it’s, I’m talking to them about things that are important to them. And I think this kind of also kind of plays into why I become forgettable because I’m talking to them. Like I have a really good friend that he’s a CFO and he and I have conversations over and over again. Most of the time it’s about financial things because that’s what he likes to talk about. Sometimes he’ll ask me questions about IT things. And in the end of the day, when he goes and goes, oh, I need to, I need some IT help or I need something done for IT. He doesn’t even think about calling me. He calls somebody else. And I’m like, but why? And he’s like, well, I never thought about it. And so it’s like, look, I love having these conversations. He thinks very highly of me. I think very highly of him. But I’m not the first, you know, I’m not the IT person he thinks about, which is fine. I don’t have a problem with that.

 

Speaker 0 | 29:24.427

I just realized, by the way, you would make a great like secret agent.

 

Speaker 1 | 29:29.029

Yeah, probably.

 

Speaker 0 | 29:30.370

You just walk right in. They’d forget about you. You know, you should be a spy. I mean, that’s, that should have been your calling.

 

Speaker 1 | 29:38.373

That probably should have been. But, uh, you know, so, and that’s why I build these relationships and these relationships last. I mean, I, I have, you know, my old COO when I was at Aspen, um, he and I are still good friends and we still talk. And the C the CIO that I had at, um, company in Omaha, you know, she and I still talk. Build these relationships that are long-term that we can have conversations. What are you doing in technology? What are you doing on operation? What are you doing in financial? I like having those conversations because it means a lot. First of all, that we can have the conversations. But the other part of it is that they become more than just coworkers. They’re friends. And that’s what becomes important to me. Yeah, I can go on LinkedIn and I can have all my connections in LinkedIn. But if I… contact any one of those guys, I know that they will help me out with anything I need.

 

Speaker 0 | 30:35.290

Yeah. See, that ability to have that dependability and know that they’ve got your back while you’ve got theirs, I mean, you can’t take that away. That’s a great part about being part of a team, right, is that you’re able to have each other’s backs and be able to do whatever you need for each other. So building those partnerships, to me, is huge within an organization.

 

Speaker 1 | 31:00.660

Oh, and building it across different organizations. I mean, it’s, you know, you’re talking just the organization, but I’m sitting there looking at it and going, you know, people that I worked with 10 years ago, we’re still talking, like, usually on a weekly or every two week basis, but we still talk. I mean, that means a lot. And especially for me in IT, when, you know, IT is usually the dirty word that no one really wants to talk about. The fact that we have conversations still to this day after 10, 15 years, it means that I actually made an impact.

 

Speaker 0 | 31:34.845

Yeah, no, I think that that’s, I think that’s awesome. I think that’s the way in which, that’s the way in which we need to be doing it and personalizing it, in my opinion. Yeah. You know, it is a, you know, I hear stories all the time from friends and stuff like that with, with their IT departments. And, and the, and the stories you hear are, you know, I got off the phone, they didn’t trust me. They didn’t talk to me. They didn’t, uh, uh, do what I needed and stuff like that. And, and I kinda, you know, every time I hear that, I’m like, man, you know, they missed the mark. They missed that mark. Right. Well, they didn’t do what you said to do.

 

Speaker 1 | 32:14.388

And I, and I, I tell this to my help desk guys all the time. And I actually, I was having a conversation with my manager just before this all and about this exact thing. It’s like, have our help desk needs to take that extra time. They need to make it a personalized level. And we’re trying to fill a position in the help desk. And with that position, it’s like, okay, they’re an absolute opposite type of personality than one of the help desk people that we already have in place. But that’s what we need because personalities don’t always drive. So you need to have that contrast in personality. So that way, if someone doesn’t get along with, you know, help desk personality A, they can go to help desk personality B and they, they’re treated or they feel like they’re treated better and it becomes more of a personal, uh, approach. Now that’s a great, uh, great point. Um, I think that, uh, um, in

 

Speaker 0 | 33:10.549

the world that we mentioned that we’re living in right now, which is full of things that are not real, right, and things that, uh, um, you know, that are artificially created. Um, having those types of genuine, I would say, genuine moments, right, with people, regardless of if they’re a team member or they’re a partner that you have or they’re a, you know, they’re somebody that you meet on the street, right? The having these meaningful moments matters. And, and I think it. And it’s the thing that’s going to remind us that there are some things that are still real, very real in life. I’m going to segue off to our final segment. It’s the IT crystal ball. And this is where we discuss the future of IT, right? So we’ve been sitting here talking about the current situation. And it’s so funny because I’ve done a bunch of these and it was AI, um, and, um, and it’s been the, uh, the constant theme, right. Right. But AI is no longer the future, right? I mean, uh, there are articles now, uh, stating that we’re about a year away from agentic AI, right? So, um, we’re, we’re moving away from generative and moving on to the next step, uh, literally, uh, um, probably, you know, either this year or next year, which is an interesting, uh, um, theory. So, um, so, you know, that’s where we are right now. We’re currently at a generative AI, and that’s no longer, um, no longer a thing that, uh, is, is in the future. We’re going to be talking about, uh, the future of five years out from now. Right. Which is so hard now to predict. Right. Because of all the changes that are happening. 2025 and in some science fiction books promise things like, you know, flying cars and stuff like that. But I was also also in those books, you know, and we have reached it. Right. We are in 2025. We are full of AI and it is permeating everything that we have. So when we talk about the future, we have to kind of think past that, right? We can incorporate it, but we have to think kind of past that.
And so let’s talk about the future. And since we had such an elaborate discussion on cybersecurity, right? Let’s talk about what the future of cybersecurity is going to be five years from now. What do you think, Trent? What will be the world of cybersecurity when we look into the future using our IT crystal ball?

 

Speaker 1 | 36:03.240

So to me, you know, obviously we’re going to have AI built into everything. That’s fine. But our approach to security is going to continue to evolve. It is, you know, right now we’re, you know, SASE has become or becoming the big thing with zero trust. But as you get more and more mobile devices, more and more Internet of Things devices that are running around, how are we going to secure those? And to me, it’s literally going to be about securing them from that, that device level or, or the perimeter where you are mentality. So it, it’s no longer going to be a, you know, the old perimeter approach to network security is long dead, right? And so they’ve extended it out to, you know, with SASE they extended out to your device, you know, your computer, wherever it is, but they’ve been ignoring Internet of Things. So you’re going to see Internet of Things that are going to become relational to these central computing devices. And that’s how the security is going to… The computer devices, I think, are going to become that parameter for your Internet of Things devices that are connected to the network.

 

Speaker 0 | 37:18.939

It’s such an interesting thought. I mean, the Internet of Things is… IoT is such an interesting space anyway, right? Because we tend to forget about it. Because it’s like, oh, I have a, you know, I have an Alexa or a Google Home, right? Oh, I have this, you know, this watch that needs an IP address. Oh, I have a refrigerator that checks in. I have, you know, but you just, you don’t use it and think about it. It’s just works in the background. Right. And so many, so many things now are IoT. And it’s a, you know, I’m glad you brought this up. Because what other things will become IoT? And you can imagine if you take some things that are in such common use, not only do they become, you know, not only when they become IoT, they become very abundant. But also, as technology gets better, they become, you know, disposable, which is another problem, right?

 

Speaker 1 | 38:25.854

Yep. Yeah. I mean, you start going down the road of the IoT. Yeah, and I’ll use AirTags. It’s kind of a great kind of IoT, almost a scary cybersecurity thing, right? You know, the idea of the first generation AirTags and what they were able to do with them before they started locking them down was scary enough as far as what, you know, cyber stalking or, you know, stalking people using AirTags. But now, you know, they’re going to have the second generation AirTags probably this spring and their accuracy is going to be so much more. But the thing of it is, is it’s going to, there’s more going to be more memory to it. There’s going to be more opportunity to take advantage of it from a, from a malicious standpoint. And those are the things that people don’t think about that. They just are there. Yeah. So, yeah, we have to secure.

 

Speaker 0 | 39:14.058

I mean, there’s silly things like, you know, if you wanted to throw hacks out there. Right. We all know the common easy hack before, which was, you know, someone picks up a, uh, just, you know, throw out a bunch of, uh, USB drives and, and I, I even had, uh, um, uh, I even had a, someone on the podcast that even told me about that. They did was one time where they threw out a bunch of, uh, USB drives and just, uh, just to see who took them. Right. And it actually recorded how many people took them and stuff, not maliciously, just as a, just to verify and see who did it. Um, and, uh, and it was at a staggering amount of people took them and plugged them in. Right. Um, but with IoT, it’s even easier, right? Because… You know, you can throw, let’s, I mean, right now, you know, watches and stuff are expensive, like, you know what I mean? But they won’t be in the future. They’ll be throwaways. People will be replacing them very quickly and, and they’ll be cheaper ones. And so you get, you know, leave a watch out on, you know, out there and somebody picks it up and starts incorporating it and it starts connecting it to their phone and bam. Right. You know, all of a sudden you can bank records and you’re done. Right. So, I mean, there’s just small little things like that, right? You know, uh, it’s amazing to me the, uh, um, the ability. So I, you know, I think you’re on to something with this, uh, with this IoT, uh, piece and, and the next evolution of this stuff. Combine that with, uh

 

Speaker 1 | 40:44.534

agentic AI and we’re gonna have some trouble here. Oh yeah, very much so. But you know what, the thing of it is, is I, I’m excited for it because, you know, the only way that we get better is for things like that to occur. That’s very true. So you I’m excited for it.

 

Speaker 0 | 40:59.982

I love it. Trent is excited for the future. Nerds, I’m Michael Moore, hosting this podcast for Dissecting Popular IT Nerds. I’ve been here with Trent Heiser, Chief Information Officer at QC Supply. Trent, thank you so much for joining the program for us. I would love to have you on again if I remember.

 

Speaker 1 | 41:21.113

Thank you.

 


HOSTED BY PHIL HOWARD

Dissecting Popular IT Nerds Podcast
