
65. Pessimistic CISOs with Justin Headley

Dissecting Popular IT Nerds

Justin Headley

Experienced IT Security and Risk Consulting Manager with a demonstrated history of working in the Accounting industry. Strong consulting professional skilled in Information Security, Cybersecurity and SOC Engagements.

Disclaimer: The views, thoughts, and opinions expressed by guests on this podcast are solely their own and do not necessarily reflect the views or positions of their employers, affiliates, organizations, or any other entities. The content provided is for informational purposes only and should not be considered professional advice. The podcast hosts and producers are not responsible for any actions taken based on the discussions in the episodes. We encourage listeners to consult with a professional or conduct their own research before making any decisions based on the content of this podcast.


Episode Show Notes

The Coronavirus Episodes are Coming, but first

Let’s talk about a millennial accountant turned to Security

A real-life Cinderella story without the old CISO crones

… so clearly there must be some value in security

There must be some money worth spending

And of course, it must be left up to a Millennial

Because old dudes in security are too crotchety

They are too negative… and beat up… and paid too much

Just move them onto the next job

where they can uncle fester for 2 years

Straight up, CISOs are pessimistic people that run

money-wasting departments

So an accountant turned security guy is the perfect match because such a person can prove what a

waste of money security is… right?

Grab your torches and pitchforks…

Who cares who clicked on the no click report

You’re a small fish anyways and no one cares

about hacking you…. just outsource the responsibility.

Transcript

Speaker 0 | 00:09.584

All right, welcome everyone back to Dissecting Popular IT Nerds. Today, we have Justin Headley on the show. And quite the anomaly here. This is something that I didn’t think was a possibility. But if I’m understanding this correctly, you are an accountant that is in technology or in IT of some sort?

Speaker 1 | 00:32.814

Yeah, Phil, thanks for having me on. Yeah, so my background is in accounting. I’ve always had a passion for IT, kind of combining those things. And that’s what we help a lot of our small to medium-sized clients with is just, yeah, kind of solving IT, yeah.

Speaker 0 | 00:50.143

Well, I mean, first of all, I think it’s easy to be passionate about technology. Is it easy to be passionate about accounting? I mean, come on, let’s be honest. You know how many people I’ve had that are like, you know, I got into accounting because I knew I could make money and have a good job and I could do this and I could live in the city. And then I realized what I realized six months into it is that I did not want to do that. So I left and lived on an island and started surfing.

Speaker 1 | 01:16.132

There’s definitely a niche there because if you’re a number crunching guy, then yeah, that plays well. But you got to be passionate about that stuff.

Speaker 0 | 01:24.119

So. Anyways, just, you know, before we get into this, because I think we have a lot of important stuff that’s very valuable to IT leadership in general. But before we dig into that, how did you kind of fall into IT or how did you get into accounting? Maybe we start with when you grew up, what was your first computer? What was your first, you know, kind of major, I guess, love affair with technology?

Speaker 1 | 01:52.536

Probably. So I would probably still be classified as a millennial.

Speaker 0 | 01:57.277

But I would say I’m allowed to ask that I’m allowed to ask when you were born. So what’s your when were you born?

Speaker 1 | 02:03.679

I was born in 88. I’m 31 years old. So I’m probably going to get a lot of eye rolls here.

Speaker 0 | 02:08.981

You really are a millennial.

Speaker 1 | 02:10.481

Yeah, right.

Speaker 0 | 02:11.181

There’s always one. But,

Speaker 1 | 02:13.322

you know, initially for me, it was it was mobile devices. That was what. That’s what captured my attention. I know, again, what I’m doing. This is great.

Speaker 0 | 02:22.245

No, this is perfect. Mobile devices. What was your first cell? You know what? I’m going to have to start interviewing millennials. And the question is going to be, what was your first cell phone?

Speaker 1 | 02:31.329

Yeah, right. That would be an interesting question. What was it? So here, it was not a touchscreen phone to this day here, everyone. But if you remember back in the day, the Sprint kind of next cell phones. That was my first phone. It was like a little foot sprint next to a BB phone.

Speaker 0 | 02:51.202

Yeah, kind of like that. Was it like a goldish silver tan?

Speaker 1 | 02:56.204

Yeah.

Speaker 0 | 02:56.924

With the pull-out antenna? Did it have a pull-out antenna?

Speaker 1 | 02:59.365

Absolutely. They all look like construction phones or something.

Speaker 0 | 03:03.767

Yeah, that’s it. Yeah. No, that was my wife’s phone in college. And she was born in 81. I think I saw it. She’s a millennial. She’s a legit millennial, like the old, like the old millennial, like the, okay, on the older end of the spectrum. What do they, what, I don’t know what they call, like the old millennial, like the, anyways. Um, so what was your first computer? You must know now, like, oh, it was a, um, I don’t know, Pentium 3 or something. Did you remember, did you have a disk drive? Um, I

Speaker 1 | 03:36.388

can remember my first computer. It’s probably the laptop I got, like, end of high school, first college. It’s like a, you, I think it had like a Centrino processor in it.

Speaker 0 | 03:49.457

That’s probably like fast. This is perfect. I don’t even know what to ask you because you weren’t around for… It’s just interesting. You know what I mean? I had Pong growing up. I had Pong. I literally had Pong. You had to use a Phillips head screwdriver to screw the, to connect it to the back of your TV.

Speaker 1 | 04:12.742

Yeah, wow.

Speaker 0 | 04:13.663

It was…

Speaker 1 | 04:15.624

I mean, I can go back to, you know, video game-wise, you know.

Speaker 0 | 04:20.767

Okay, what was the first major video game?

Speaker 1 | 04:22.107

Some original NES. I can remember playing, I was a big fan of Mike Tyson’s Punch-Out Games. That was awesome.

Speaker 0 | 04:29.992

It’s still fun.

Speaker 1 | 04:30.912

A little duck shooting. Yeah, absolutely.

Speaker 0 | 04:33.294

Okay. All right, I can see this is going almost nowhere. That’s fine. Um, so anyways, um, did you, what’d you major in, in college?

Speaker 1 | 04:43.946

So my major was in accounting. Um, again, yeah. Having to find a passion for that, but, uh, major was in accounting. And, um, again, a lot, a lot of, I had a lot of professors, uh, people say that if you do accounting, you can do anything. And it’s, it’s a cliche, but you truly can see where I’m at today.

Speaker 0 | 05:04.454

Well, why is that? Why did they say that?

Speaker 1 | 05:06.999

Well, I think from an accounting perspective, it gives you a good general base of not only how an IT company is running, but I mean, really from that perspective, it gives you a good overview of controls that should be in place, how things should be run. It’s just a good foundation, if you had to put it that way.

Speaker 0 | 05:27.419

The best education I ever had was being like a Starbucks store manager because they put you through all kinds of business classes and, you know, reading P&L and line items on P&Ls and gross margin and controllable costs and, you know, all stuff that you just don’t learn as a creative writing major.

Speaker 1 | 05:43.566

Right. That’s right. Yeah.

Speaker 0 | 05:44.687

You know, and that really helped, I think, separate me a lot when I got into it, technology sales, I guess you could say, at the beginning, because I worked for a Cisco startup and it was a pretty aggressive sales force. And I think a lot of people that don’t have that accounting background, they can’t speak to a business owner and understand what his concerns are.

Speaker 1 | 06:09.184

No, absolutely. Yeah. I think so much. Yeah.

Speaker 0 | 06:12.026

You know, it’s a numbers game at the end of the day, it’s a numbers game. But at the same time, it’s not a numbers game because we have humans running the business and we can’t just refer to humans as headcount, which, um, an accountant might refer to at some point in his career. So, um, there’s kind of that, that dual, that duality there. Um, so, so you left accounting, were you, did you have a job in college or when you first got out of college that kind of got you into it? Was that kind of how you fell into it or what was it?

Speaker 1 | 06:42.202

Yeah, absolutely. I, um, I had an internship while still in college, just doing traditional accounting. But I found it kind of a need. It was a small accounting firm, and they didn’t really have a dedicated IT person. I essentially became their help desk guy. And I never thought I could do something like that. And it just continued and played on from there.

Speaker 0 | 07:07.334

Gotcha. So one of the big themes of my show is, of course, business acumen and IT directors lack thereof business acumen or successful IT directors using business acumen skills to really kind of drive the business forward and get them out of that cost center mentality. Now you having an accounting background and being in IT at the same time, do you still look at IT as a cost center? So to speak, I mean, is it, I mean, from an accounting perspective, I guess it would be like a cost center, but But there’s so many aspects of it that can affect ROI and or really sink the business, which is what we’re going to get to here in a few seconds. But what do you think of that referring to IT as a cost center and how should it really be looked at?

Speaker 1 | 07:55.311

Yeah, when we do these audits with our IT risk assessments, so many times we’re sitting down, the people who initially hired us are from a CFO perspective. They very much have that mindset of IT as a cost center and, you know, a necessary evil of doing business. But we always have to remind them that even though they might be in manufacturing or in retail, I’m a firm believer that every company today is an IT company. You either embrace change or you get left. So that’s something we, it’s a continual education, especially with executive expense. You need to get with your IT directors. You need to give them a seat at your table, your board of directors. They’re a wealth of information.

Speaker 0 | 08:49.016

You have to embrace technology. So you’re almost like the knight in shining armor that can come into an organization where an IT director might not have had a voice in a long time, and you can come in as a third party and speak directly to… C-level directors and say, you need to bring in your IT guys and give them a seat at the table, because if you don’t do that, you’re creating, you’re making shadow IT decisions, you’re creating holes in security. You might be the first person I’ve spoken to that’s like an outsider that makes that happen.

Speaker 1 | 09:17.482

Yeah, we definitely act as an advocate for IT. I mean, just because, again, there’s always this disconnect between IT and executive management. What are they really doing over there? We just see this huge line item on the budget, but they kind of… Bridging that gap between IT and executive management and putting them on the same page and kind of help them gain some synergy.

Speaker 0 | 09:42.663

Because I’m always encouraging everybody to know you need to be driving that process. As an IT director, you need to be asking the questions. You need to be having one-to-one sit-downs. You need to be asking C-level directors what the vision is of the business. How can you help solve problems, increase profits, whatever, increase efficiencies, that type of thing. Okay. So here’s, here’s the big thing. The big thing that keeps every IT director up at night, the big thing that might wake them up in the middle of the night, and the thing that is a never-ending, I don’t know what the correct metaphor, I think the metaphor is similar to the postal system. The mail will never end. And if you take a vacation, all you have done is doubled your amount of work because the mail keeps coming. And except that mail, you have no idea what’s in every single one of those envelopes. There could be like razor blades in it. Yeah, right,

Speaker 1 | 10:50.325

right.

Speaker 0 | 10:50.966

There could be, what was the scare years ago? The anthrax, you know, whatever it is. And that subject is security. I don’t like talking about security that often because, I don’t know, security in general, for this reason, for the apps, for the reason that it just seems to constantly keep people up at night and it seems to be such a never-ending battle where it’s a one-sided thing where it’s kind of like the empire is really the rebel force and it’s kind of all backwards, right? You go in from not only an accounting perspective, but a high-level IT technology perspective and you do security audits. And what I want to talk about and what I want to ask you really is for any IT director out there that’s being kept up at night for security that, you know, kind of is lost in this world of, of this endless battle, where should they be starting? What should they be thinking? And, and maybe I guess what do you guys do when you go in? What’s the first thing that you look at?

Speaker 1 | 11:56.661

Yeah, we, we always start with, um, what I would call some of the low hanging fruit. I mean, Um, we, there’s certainly times that we can go and do these huge in-depth audits, but you know, a lot of times they’re looking for what, what are the quick hitters here? Um, the first thing I would probably say is, uh, getting proper oversight of your vendors. I think we’re continuing to, continuing to outsource things.

Speaker 0 | 12:23.641

And before we do that, and before we kind of get into the weeds here, when you say low hanging fruit, that sounds like quick wins to me, but. What does low hanging fruit really mean to you in the security space? Is it, is it the biggest holes or is it just stuff that should be like the obvious things that we hit first? And we still know that there’s still things that are going to keep you up at night.

Speaker 1 | 12:44.515

Yeah. I’m going from that perspective of the obvious things. What are people getting hit on? Those obvious holes, things we should focus it on first. Yeah.

Speaker 0 | 12:55.298

Okay. So let’s do it. So keep going. We’re talking about a vendor oversight. What does that mean?

Speaker 1 | 12:59.819

Yeah. So we’re vendor oversight, you know, as, Broadcast Society IT, we continue to outsource more services. One thing we always tell to our clients is, you know, even though you can outsource the service, you can’t outsource the responsibility. So having proper oversight, you know, so many of these breaches are happening through third parties. There’s just a lack of oversight, whether that be through the accounts that you have on Active Directory, your VPNs, just a good oversight perspective. So just whether that’s,

Speaker 0 | 13:35.065

Can you give me a couple examples? Just give me a couple examples of like, what would you say is the number one thing that people outsource that creates a vulnerability that people get hit on?

Speaker 1 | 13:46.608

Yes. I would say, you know, especially we talk about small to medium sized businesses. I mean, if it’s say an MSP, whether it’s some local IT company that’s helping you with these things, you know, that would probably be one of the number one things small and medium sized businesses could key in on.

Speaker 0 | 14:02.391

So, okay, what is the local MSP doing that’s stupid that they should be concerned about?

Speaker 1 | 14:10.898

The biggest thing we see with those is a lack of oversight on some of these vendor accounts that they’re using for access to the systems. That’s usually one of the biggest things we see right off the bat.

Speaker 0 | 14:29.440

What’s one of the vendors or what’s one of the, is it the fact that they manage multiple vendors for a customer with multiple passwords and portals? Is it, you know, give me something specific.

Speaker 1 | 14:39.906

Yeah, I mean, let’s see. You mean specific that.

Speaker 0 | 14:43.488

Like hosted exchange, like a product. I need a product. I need a vendor product without naming, you know, a name of a particular product. Is it, you know, is it O365? Is it,

Speaker 1 | 14:48.690

you know, what is it?

Speaker 0 | 14:50.071

Is it? Well,

Speaker 1 | 14:57.035

I guess. What I was really keen on there would have been these local, I would call them mom and pop IT shops. Oh, that you are just giving complete unfettered access to, um, just giving them keys to the kingdom, just because, I think, it’s trusting, yeah, and not, not really knowing. It’s like, you know, as an auditor we always say, you know, trust but verify. That maybe gets overused, but I’m the same age. Can’t

Speaker 0 | 15:27.762

be too careful. Yeah. And then I’m in a quite a few MSP groups, secretly watching behind the scenes, and I see quite a bit of back and forth talk about, my customer just did this. And in my terms and conditions, I said this, and should I have them sign a waiver saying that I’m not responsible for data loss if they do this, this and this. So then you’ve got this kind of mix of, hey, we’re outsourcing stuff to MSPs. But then we make a shadow IT decision that screws, kind of, the MSP provider from their perspective, because they’re selfish of their perfect work, which we know is not always perfect. So there’s actually quite a few, there’s quite a few, I don’t know, like problems and issues there that I think we could talk about all day long. So maybe we’ll just stop there and we’ll leave it at the outsourcing of service to MSPs and the responsibility around that. What do you help them do? Write a policy? Should they write a policy about this from an internal perspective? Kind of what’s the attack plan?

Speaker 1 | 16:35.051

Yeah, policies are certainly a good thing. But I mean, to actually get teeth to something, you know, a great control you can put into place is logical access reviews. So just periodically just pulling the listing of those accounts, making sure the access that you’ve given, making sure it’s still appropriate.

Speaker 0 | 16:55.416

Okay. And for example, give me something that would change.

Speaker 1 | 17:04.178

Are you talking context out of those?

Speaker 0 | 17:06.060

I mean, are you saying like, say we gave this vendor access to this? Are you saying, hey, they’re not a vendor anymore, yet they still have access. Is that what you’re talking about?

Speaker 1 | 17:13.606

Yeah, absolutely. I mean,

Speaker 0 | 17:14.888

kind of like an employee that got fired that still has access to Salesforce.

Speaker 1 | 17:18.691

Yeah, absolutely. From a user perspective, terminated vendors. He had multiple accounts out there from vendors. Yeah.

Speaker 0 | 17:25.337

Okay. What other low-hanging fruit do we have other than vendors? What’s the next bullet point?

Speaker 1 | 17:30.998

The second thing, and this seems like it should be so obvious, but it really is, it’s education. Education of your end users is critical. I mean, you could have a fortress of IT security, but we are dealing with uneducated end users, and one click of a button could completely undo all of that that you put in place. The education of your end user is so important, whether that’s through periodic security training, social engineering, the phishing email testing.

Speaker 0 | 18:02.701

Now, I think education definitely is important. And everyone, like you said, it sounds so obvious, but, you know, maybe they don’t do it or maybe they’re using some program that sends videos out every week or they’ve got email phishing fake emails that get sent out and play tricks on end users and that type of thing and say, hey, you clicked on this and this is what could have happened if you did this. But, you know, what about, again, policy and procedures and expectations set around the education that, hey, we sent you this educational document. You said you read it. Now you’re responsible for it. Have you run into any kind of people that have done well holding people accountable to it? Because I think a lot of times I know from my own past experience working at numerous companies, I think that someone might… possibly treat the company’s cell phone, for example, just for example, the company’s cell phone or the company laptop, they might treat that differently than they would treat their own laptop at home. True or false?

Speaker 1 | 19:05.772

No, I mean, I definitely think that’s a true statement. I mean, going back to your, to the policy example, I mean, uh, we will always recommend policies as an auditor. I mean, we love policies and procedures. Um, But they kind of serve sometimes as that CYA. And I mentioned previously about giving something teeth, so actual training or not getting too odd or speak here, but putting a preventative control or a detective control in place. That’s something that a policy procedure might not could offer you.

Speaker 0 | 19:39.261

I guess at the end of the day is how do we get end users to be bought in to care about the education? Because we know it’s the, we know the old 80-20 rule. We know maybe 20% of the people are like the perfect, the perfect employee that, you know, will follow all the education, do everything. But then, you know, maybe the, maybe the bottom 20% or the other bottom 80% just kind of, you know, show up for work and, you know, depending on your company culture, I’m not accusing anyone out there of not having a company culture where we come into work and we just, you know, we wake up in the morning, we’re like, you know. so happy it’s Monday, you know? Um, but the reality is that there’s going to be people throughout the company that just don’t care that click. They just click.

Speaker 1 | 20:22.053

Yeah, that’s right.

Speaker 0 | 20:23.074

Um, what do we do about that?

Speaker 1 | 20:24.855

Yeah. And unfortunately a lot of those clickers, um, are sometimes executive management. So what do you do with that?

Speaker 0 | 20:33.261

Right. Because they’re the boss.

Speaker 1 | 20:34.890

Yeah, that’s right. But I mean, we’ve seen from our client perspective, anything from incentive reward programs, something to kind of change that perspective. And then on the opposite side of that spectrum, obviously, there’s a lot more sense to having to work with HR on things like this. But, you know, we’ve kind of seen a three-strikes-and-you’re-out. That’s a little more harsh. But if you’re putting someone’s livelihood on the line of clicking an email, you know, maybe they think price report and something like that.

Speaker 0 | 21:03.626

What’s the best incentive? Give me a good incentive reward. Let’s give back now. This is where we give back to the listeners. What’s one of the best, what’s been one of the most effective reward programs that you guys have run?

Speaker 1 | 21:16.113

I have seen, yeah, we’ve seen several clients have a lot of success with, you know, it’s small. It’s not a huge line item on your budget, but having a clean quarterly no-click report, you know. a $25 Starbucks gift card. I mean, you could, you couldn’t go better with that. And it’s, it sounds something so, so small, but again, it’s, it’s changing that, that mental mind shift to get them to think before they click.

Speaker 0 | 21:43.813

This just reminds me of something. Okay. And the reason why it reminds me of something is because I started out, Starbucks is a very interesting company. I worked for Starbucks for a long time.

Speaker 1 | 21:57.043

Yeah. You mentioned that. Yeah.

Speaker 0 | 21:58.525

And, uh, I got, I, we had this machine sale one time where we had to, we had like, I don’t know, like two or three weeks to sell all these high end espresso machines. Right. And, uh, I came up with this like elaborate plan to sell more espresso machines than anyone else. Right. I went to like Barnes and Noble. I didn’t know anything about sale. I knew nothing about sales. I bought this audio program, Zig Ziglar’s Secrets of Closing the Sale. Yeah. This other dude, Tony Robbins and whoever he was, you know, Awaken the Giant Within. It’s like, I’m a Starbucks store manager, right? And I released all these programs like, okay, here’s a close. Here’s like, what’s a close? You know, like what’s a sales close? Oh, alternative of choice. Do you want black or white? So I set up a mini Starbucks inside of Starbucks. I will get to the point here. So I set up all the machines, steamed them all up, made every barista watch every DVD, every video, learn everything about every machine. And then we… duplicated the bar, the handoff bar where you go and get your drink. Another section of the store was all the machines that you would have at home, hot and ready to go. And then everything else that you would have at Starbucks, pops, syrup, you can buy it all. You can go into Starbucks. The only thing you can’t buy that we couldn’t buy back then was white mocha. I don’t know if it’s still the same today, but that’s the only thing that Starbucks won’t sell you. Anyways, everyone that came through the line was asked, do you want your drink for free today? That’s like a demo, right? Do you want a free demo? Do you want your drink for free? Of course I want my drink for free. Great. Come on over here. Staffed an extra person, brought that person over to the Starbucks within a Starbucks, made their drink exactly the way that it was made in the store, but with the at home machine. And then at the end of that, we gave it to him for free and we said, Hey, great.
You know, our machine sale’s coming up next week and we’re doing a pre-order because we really expect everything to be sold out like within the first couple of hours. So we need to pre-order all the machines. Do you want the stainless steel or do you want the copper? Alternative of choice close. And I told the baristas, just get ready for them to say no, because these machines are all $600 and $1,200 machines. They’re going to tell you no right away. Objection. You’re going to get an objection. And I just want you to do a return on investment. I want you to then ask them, okay, no problem. But how many times a week, how many times a day a week do you come into the store? And do you have any family members that come into the store? And the number is actually quite astronomical when you think about how often people go to Starbucks and how much they spend a month. It’s a car payment. It literally is a car payment. And what we found out is that every single person, we would say to them, like, look, if you just come in half the time and you make your drink at home, it’s paid for itself within two months. Yeah. Do you want the stainless steel or do you want the copper? And they’re like, wow. And then you’ll be able to entertain and like blah, blah, blah, blah, blah, and have this right at home. And then when Starbucks is closed, you’ll be able to make a drink, whatever it is. We were like a blip on the map. We sold some ridiculous amount of machines in three weeks. And Philip Howard, congratulations. You did so awesome. Here is your $50 gift certificate to that.
That’s what that reminded me of. But, um, and I’m not, just so you know, I’m not putting down the one click report at all, because the one click report, I would just, there’s a lot to be said about just recognition in general. People just want to see their name at the top of the list. Oh, there’s no doubt. Yeah, I’m on the one click report. What the hell did you click on, John? What’d you click on? Anyways, man, sorry, sorry for this complete side. That’s a good story. Yeah, you know, take a step back in time. Okay, so one click report. Any other ones that are really good? I like the one click report. The no click, sorry, the no, the no click. Well, I mean, even if it’s one click, I mean, that’s still a lot better than what I’ve seen. That one click could be a bad click. Uh, okay, so we’ve got, uh, taking care of vendors, we’ve got education. What’s the third one? Let’s give people three bullet points. What’s the last low-hanging fruit you

Speaker 1 | 26:07.190

I would say the third one, and we see this so often, small and medium-sized companies is, as you know, more oversight of your vulnerabilities out there in your system. So, whether that’s, you know, good periodic vulnerability scanning internally, penetration testing, it’s so key and it’s something we just don’t see that often. It’s so key to have those things done. You know, you don’t, if you’re not periodically scanning, you may have things out there you don’t know about. You can’t protect something you don’t know about. So that is so key, staying on top of those vulnerabilities out there.

Speaker 0 | 26:42.291

People hate that saying, you don’t know what you don’t know. I like it. It’s kind of a mixed bag. I guess some people that hate it, I actually kind of like it. You don’t know what you don’t know. But what can they be doing then to know what they don’t know?

Speaker 1 | 26:58.261

I think from a vulnerability scanning perspective, I mean, you can get very astronomical, some expense of some of those tools, but you have to start somewhere with that. So if you don’t have a good third party passing tool in place, you know, that’s a great place to start. But even if you do, I mean, getting on board with some type of vulnerability scanning product, periodically scanning internally just to see what’s out there. So many of these we do for the first time with our clients, they are blown away, things that show up out there. It’s like, man, I thought we shut that down, or I thought this was, I thought this was mitigated, but it’s just not. And then on the other perspective, from an external perspective, you know, penetration testing, um, there’s no better way to simulate an attack, or what, uh, what attackers are going into these days, than just seeing what, what holes you have outside and seeing if they’re exploitable. It’s, uh, it’s so important to do those, you know, at least annually. It’s probably one of the hardest

Speaker 0 | 28:03.206

Everyone, in my opinion, everyone’s in sales. And a CISO job, and in mid-market, there’s a lot of times no CISOs. A lot of times there’s no checks and balances in place. There’s no CISO and IT director. A lot of times it’s just IT director or IT manager. That’s right. And they have to do both. And there is no checks and balances. And their sale, it’s almost an impossible sale sometimes because… If nothing’s happening or nothing’s happened yet, it’s hard to motivate someone to kind of like buy this security insurance, I guess, so to speak, until something does happen. What’s the best way to get someone to understand the severity of security and to want to invest in it? Or to even realize that maybe they think that they’re not a target. Maybe one of the other mistakes people make is they’re not really a target. I don’t know. Do people think that way? What do you think the biggest mistake people are making is from a C-level perspective in security?

Speaker 1 | 29:08.717

Yeah, we definitely see that. And I either think that hackers are more keen on certain industries, whether that be healthcare or worse. We fear this all the time. We’re a small fish in a big pot and dealing with so many small, medium-sized businesses. This kind of goes back to the education piece of, you know, they’re not targeting one certain person. I mean, it’s a shotgun approach out there. I think getting especially C-level people on board, going again, going back to some other points there, but click rates from some of these phishing emails, that’s huge. That’s an eye opener for C-level people. These penetration testing reports are key for C-level people. And then finally for the C-level people, it’s like news headlines. There’s nothing better than a good scare tactic from someone in our industry got hit and oh my gosh, look what they paid in our ransom.

Speaker 0 | 30:09.329

Yeah, it’s really ransomware, isn’t it? Yeah. How would you feel? This is how I would put it. Mr. CEO, very successful in your late 60s, maybe a successful multimillionaire. How would you feel to know that this, I don’t know, 17-year-old derelict, very smart kid is holding your company ransom for $500,000? Maybe not even that. Maybe he just wants 20 grand. He just wants 20 grand or $50,000. It happens. Right?

Speaker 1 | 30:42.426

That’s right.

Speaker 0 | 30:44.387

Give me a good story. Well, let’s scare some people. What’s the best story you got? Let’s just do a medium story. Don’t even do the best story. Let’s just do everyday occurrence. Let’s just do an everyday occurrence. It’s not a matter of if. It’s a matter of when. And this is what’s going to happen to you if you don’t do this.

Speaker 1 | 30:59.198

Okay. I’m going to need a potter to listen for a second.

Speaker 0 | 31:03.501

That’s fine.

Speaker 1 | 31:07.143

I’m thinking too about my brain dragging from a…

Speaker 0 | 31:10.822

From a non-disclosure standpoint, which we would have a lot of details, but, I gotcha. I mean, we all know the Bank of America people, you know, the Bank of America. Yeah, we know those types, right? You know, we know the guy that, you know, is stalking the CEO’s Facebook page, and he’s going to the Hamptons this Friday, and we got to email HR and, I need you to pay this invoice right away before I take off with, you know, I don’t know, Susan, to the Hamptons. Can you pay this right now?

Speaker 1 | 31:38.426

But we’ve had, it’s insane how often, especially dealing with clients, we get so many of, yeah, my CFO emailed me and said, hey, I’m out here at this conference. There’s a great new product, great new tool that we have got to get ground level on. You know, wire this money. And of course, we have seen that so often. And we get the calls on the back end and say, hey, how can we get our money back? We wired it to God knows where. It’s not coming back. I mean, it is so sad to see that. We’ve helped some of our clients on the perspective of if they have cyber insurance, but that’s a whole other story for a different day.

Speaker 0 | 32:25.654

Do banks not credit that stuff back just out of curiosity? No. Can they not reverse a charge in many cases?

Speaker 1 | 32:33.599

If they do, it hasn’t been a case where we’ve seen it.

Speaker 0 | 32:37.462

Okay.

Speaker 1 | 32:38.762

Certainly with cyber insurance, but like I said, there’s a whole different laundry list of things that obviously have to be in place or your insurance companies aren’t going to touch it.

Speaker 0 | 32:49.387

What’s better? I mean, is cyber insurance kind of a joke anyways? I mean, honestly, like what’s better, cyber insurance or better policy or better security? If you had to pick one.

Speaker 1 | 33:02.912

If I had to pick one, I’m going to pick a, you know, a good internal control set of, you know, controls and policies and procedures. With cyber insurance, there could be a huge false sense of security there, I would think. So I would think there are so many outs. We’ve seen time and time again, we’ve had clients that have these cyber insurance policies, they get hit, they turn around and ask, can Mr. Insurance Company please reimburse me for all these costs? And the first thing they’ll turn around and say is, did you educate your employees not to click on email? Or do you have a policy that prohibits this? And a hundred times out of ten, they’re not going to have it. And the insurance company throws its hands up and walks out. And it’s a huge smack of reality in the face of these people.

Speaker 0 | 33:57.182

So what can you help other IT directors with? How can you help other mid-market IT companies out there? What can you do for them?

Speaker 1 | 34:06.368

Just to preface here, is this a plug for services? I don’t know where you’re going here.

Speaker 0 | 34:11.551

Yeah, this is a free plug. You can do whatever you can say, whatever you want here. No, it’s fine. I’ll see you. I mean, go ahead and plug. Well, first of all, we want what you can give us for free. I’m not, and just so you know, there’s no bias here. I’m just asking because I didn’t expect us to be talking about security audits that much. But since I know that’s what you do, since this is, I know what you do, feel free to plug yourself all you want. Someone asked the other day, can I mention, I don’t know, Fortinet on here? I was like, I don’t know, go ahead. And okay, yeah, and then I’ll call Fortinet later and ask them for, maybe, hey, I sponsored you, can you give me a hundred bucks or something? But anyways, no, but really, do you do anything for free? And everyone knows nothing comes for free. Let’s be honest, right? It’s more like a free demo or something like that. But yeah, this is your opportunity to tell me what do you do and what can you do for IT directors to make their life easier and to help maybe sell upper management on the value of security.

Speaker 1 | 35:13.456

I think the first thing you mentioned, free, I mean, we partner with several insurance companies that, if you are curious about cyber insurance coverage and whether you have it or if you don’t, if you have a policy and you’re just like, you know, where would I stand if I got hit by ransomware? You can certainly send those to us. And we have, for me, completely free, have someone review something like that and sit down with your reviewer just to see if there are any holes or gaps. You know, from our perspective, you know, we deal with things like, we are a full-service accounting firm, but within our group, the security risk control group, you know, we do anything from cyber risk assessments. And if that’s basing yourself off of some kind of popular framework like NIST or COBIT, we can certainly do that. From a perspective of kind of getting your C-level people on board, you know, we’ve certainly had cases where, sorry, I just lost my train of thought there. We’ve had cases where it’s like C-level people want to be on board, but they need kind of spurring along. So we can have those conversations to kind of help them realize what the benefit of getting them on board is, and use our reports to kind of leverage that.

Speaker 0 | 36:33.282

Give me a little bit of an idea of what a security assessment can entail. And I don’t know even how much, like, a security assessment can go for, because I don’t know, this isn’t my ball. This just isn’t my wheelhouse. My wheelhouse is replacing old phone systems and purchasing internet services and, you know, specific, very specific security products like email phishing and stuff like that. And I know how to do, I mean, I have people that do audits on public-facing IP schemes and stuff like that, but from your perspective, just a general security audit, what can someone expect and why should they do it?

Speaker 1 | 37:10.838

So, I mean, from a general perspective, this usually entails about four to six weeks of your time. You know, we start with a general request list. If needed, we’ll come on site, do vulnerability scans to get you a good high-level overview. But we just sit down over the course of a day or two and just completely walk through all of the controls that you have in place. The most common one we do is over the COBIT framework, if you’re familiar with this. It’s published by, kind of, other IT best practice organizations. But, you know, we walk through anything from your IT structure, your strategy. Does IT have a seat at the table with your C-level people? We look at change management, the changes that you have in place. Do you have a formal SDLC process, policies and procedures? We look at your patching. Is there a good process there? We talked about vendor management earlier, so we kind of review, where are your critical vendors? Are there any risks there? Are you doing your proper due diligence over those vendors? Another area we look at is around your system application security, so that’s dialing in the passwords, looking at all your users, and then kind of looking at your firewall. What kind of firewall do you have in place, the administrators on that, intrusion detection, prevention, all that good stuff. And then kind of a piece on your physical access as well. And I think finally what we look at with the risk assessment is kind of how you manage your data. So your backups, the good information on what’s backed up, where is it backed up to, how often is it backed up, and kind of analyzing that, making sure that you have the throughput and the performance capabilities that you need to back up all of your systems as needed to recover data.

Speaker 0 | 38:57.160

Gotcha. Now, are you guys, you guys don’t sell insurance, do you? You’re not like an insurance company. You’re primarily an accounting firm that has a security assessment like division or how does that work?

Speaker 1 | 39:08.768

Yeah, that’s right. We do not sell the insurance. Like I said, this is just a division of the accounting firm that just deals with security and controls. Gotcha.

Speaker 0 | 39:19.908

Okay, awesome. And you’re not making any specific suggestions for products or vendors or anything like that. You kind of remain vendor-agnostic from that standpoint, and you’re providing, helping people put together a, I’m assuming, a security policy and strategy moving forward in the future.

Speaker 1 | 39:34.598

That’s right. Yeah. So from those areas that we look at, we’ll kind of combine that into a report and give very specific recommendations. If there’s no, because we are an accounting firm, if there are no independence issues, we can certainly provide. But policies and procedures, there’s no need to reinvent the wheel on those things. And again, if there are no independence issues, you know, we have a team of people on site that can make specific product recommendations, if there are no independence concerns, to help you get rolling and implement those recommendations.

Speaker 0 | 40:09.136

Gotcha. Gotcha. Now, so I guess my other question would be, what should someone expect so they aren’t kind of, you know, someone that’s looking to do something like this? Should they be budgeting for this? What can they expect to, how much should someone expect to pay for, like, a full-blown security audit like this? Again, me, I’m talking from someone that does not do this on an everyday basis. And I do want people to know, like, look, when you go into this, this is what you can expect to pay, but you can expect to come out with a very strategic game plan and step-by-step process for implementing and feeling more secure.

Speaker 1 | 40:50.315

Oh yeah. That’s what you’re saying there.

Speaker 0 | 40:53.497

They’d be budgeting like a hundred thousand, half a million, 20,000.

Speaker 1 | 40:59.400

I guess before I say anything, I’ll preface this by saying, I mean, it’s obviously going to depend on size of company, complexity, case-by-case basis, of course. Yeah, yeah, sure. But I would say most of our small to medium-sized companies that, we do a lot of risk assessments based on, like, the NIST CSF, 800-53 or something like that, you know, that will typically run in the range of, I’m going to go ballpark, like 20 to 30 thousand dollars. You know, that includes a full assessment against that criteria. Seeing where you stand there, we give recommendations, you know, we can present that to C-levels and then kind of go from there.

Speaker 0 | 41:43.807

And I mean, in all reality, it takes four to six weeks. So that’s correct. Yeah. You know, you’re basically outsourcing a company that doesn’t have maybe, you know, we’re not taking on a headcount. We’re not taking on, you know, a CISO-level role, but you’re outsourcing a job that’s a month and a half, or maybe $25,000, $30,000, to implement a security policy and really have kind of a game plan going forward. To me, it seems like a very good assessment considering how much you would pay a CISO’s monthly salary anyways.

Speaker 1 | 42:20.537

Yeah, that’s right. There’s no doubt. I mean, it fits.

Speaker 0 | 42:22.779

Do you like how I just flipped that? I just turned that into a latte at home. I just turned that into a latte at home. That was really good. Just a little latte at home. That’s what we’re going to name it. Anyways, CISOs drinking lattes at home because they’re no longer needed. No, because we’ve got Justin. Hey, so, hey, it’s been great having you on the show. If you had any one piece of advice other than call you and get a security assessment, if you had any one piece of advice for mid-market IT directors out there, managing 200, upwards of 2,000 end users, maybe drinking from the fire hose, up late at night thinking about security, what would that be?

Speaker 1 | 43:13.203

I’d say if I had to give one piece of advice, and we see this so often, and it really is a shame, but it would be continue to work with the executives of the company. It is so hard for IT to get a seat at the table, and we’re such an advocate for that.

Speaker 0 | 43:28.984

Continue to work with them, because, you know, the sooner that they realize the importance of it, I think that’s a catalyst for growth for a company. Man, that’s going to make this show last another 45 minutes. What’s, Justin, okay, so I gotta ask one follow-up question. Why is it so hard, in your opinion, why is it so hard for IT to get a seat at the table? Well,

Speaker 1 | 43:49.913

I think, like, so the scenario. Personality? Is it nerdiness? What is it? There’s certainly a disconnect. I mean, the scenario that you painted earlier, you got your 60-something-year-old CEO. That’s probably about the demographic there. They grew up on the more of maybe a traditional side of things, less technology, things running on paper. And you’ve got a, you know, it’s unfortunate, but when you paint a picture of an IT person, you think of someone hacking away at a computer down in a basement.

Speaker 0 | 44:25.859

We think of you. We think of millennials. We think of millennials. He was talking about their first device that they had.

Speaker 1 | 44:33.306

It was a mobile device.

Speaker 0 | 44:35.948

So here’s what we want to do. We want to put you in a room with Warren Buffett or Donald Trump or someone like that, and we want you to convince them. I mean, do you think Warren Buffett has, do you think IT has a seat at the table?

Speaker 1 | 44:49.220

I definitely do. I mean, the guy’s a brilliant man. To me, I don’t think there’s any successful business today that doesn’t embrace technology.

Speaker 0 | 44:56.840

I would love to ask him that question.

Speaker 1 | 44:58.480

That’d be great. That’d be great. Here’s productive.

Speaker 0 | 45:00.682

Yeah. My wife’s from Nebraska, from Omaha. So, you know, maybe we could just go to that McDonald’s and like, you know, get a job at McDonald’s and say, when we’re selling him his egg McMuffin every morning, we can be like, Hey, by the way,

Speaker 1 | 45:09.947

that’s right. Yeah. That’s a stop.

Speaker 0 | 45:13.689

Look, man. Hey, it’s been fantastic having you on the show. I really appreciate it. And anyone that wants to get ahold of Justin, please feel free to reach out to me on LinkedIn and find him as well. Justin Headley. You can find him on LinkedIn and just search Justin Headley, Warren Averett. Am I pronouncing that right? A-V-E-R-E-T-T.

Speaker 1 | 45:38.725

Warren Averett.

Speaker 0 | 45:39.385

Yep. Warren Averett. Sorry. Find him, reach out to him, and let him only bring, only turn down a little bit of the paranoia, because that will never go away.

Speaker 1 | 45:50.173

It’s always there.

Speaker 0 | 45:52.174

Thank you, sir.


Speaker 0 | 00:09.584

All right, welcome everyone back to Dissecting Popular IT Nerds. Today, we have Justin Headley on the show. And quite the anomaly here. This is something that I didn’t think was a possibility. But if I’m understanding this correctly, you are an accountant that is in technology or in IT of some sort?

Speaker 1 | 00:32.814

Yeah, Phil, thanks for having me on. Yeah, so my background is in accounting. I’ve always had a passion for IT, kind of combining those things. And that’s what we help a lot of our small to medium-sized clients with is just, yeah, kind of solving IT, yeah.

Speaker 0 | 00:50.143

Well, I mean, first of all, I think it’s easy to be passionate about technology. Is it easy to be passionate about accounting? I mean, come on, let’s be honest. You know how many people I’ve had that are like, you know, I got into accounting because I knew I could make money and have a good job and I could do this and I could live in the city. And then I realized what I realized six months into it is that I did not want to do that. So I left and lived on an island and started surfing.

Speaker 1 | 01:16.132

There’s definitely a niche there because if you’re a number crunching guy, then yeah, that plays well. But you got to be passionate about that stuff.

Speaker 0 | 01:24.119

So. Anyways, just, you know, before we get into this, because I think we have a lot of important stuff that’s very valuable to IT leadership in general. But before we dig into that, how did you kind of fall into IT or how did you get into accounting? Maybe we start with when you grew up, what was your first computer? What was your first, you know, kind of major, I guess, love affair with technology?

Speaker 1 | 01:52.536

Probably. So I would probably still be classified as a millennial.

Speaker 0 | 01:57.277

But I would say I’m allowed to ask that I’m allowed to ask when you were born. So what’s your when were you born?

Speaker 1 | 02:03.679

I was born in 88. I’m 31 years old. So I’m probably going to get a lot of eye rolls here.

Speaker 0 | 02:08.981

You really are a millennial.

Speaker 1 | 02:10.481

Yeah, right.

Speaker 0 | 02:11.181

There’s always one. But,

Speaker 1 | 02:13.322

you know, initially for me, it was mobile devices. That’s what captured my attention. I know, again, what I’m doing. This is great.

Speaker 0 | 02:22.245

No, this is perfect. Mobile devices. What was your first cell? You know what? I’m going to have to start interviewing millennials. And the question is going to be, what was your first cell phone?

Speaker 1 | 02:31.329

Yeah, right. That would be an interesting question. What was it? So here, it was not a touchscreen phone, to this day here, everyone. But if you remember back in the day, the Sprint, kind of Nextel cell phones. That was my first phone. It was like a little foot Sprint Nextel, a BB phone.

Speaker 0 | 02:51.202

Yeah, kind of like that. Was it like a goldish silver tan?

Speaker 1 | 02:56.204

Yeah.

Speaker 0 | 02:56.924

With the pull-out antenna? Did it have a pull-out antenna?

Speaker 1 | 02:59.365

Absolutely. They all look like construction phones or something.

Speaker 0 | 03:03.767

Yeah, that’s it. Yeah. No, that was my wife’s phone in college. And she was born in 81. I think I saw it. She’s a millennial. She’s a legit millennial, like the old millennial, like, okay, on the older end of the spectrum. What do they, I don’t know what they call, like, the old millennial. Anyways, so what was your first computer? You must know now, like, oh, it was a, I don’t know, Pentium 3 or something. Do you remember? Did you have a disk drive? I

Speaker 1 | 03:36.388

can remember my first computer. It’s probably the laptop I got, like, end of high school, first college. It’s like a, I think it had, like, a Centrino processor in it.

Speaker 0 | 03:49.457

That’s probably, like, fast. This is perfect. I don’t even know what to ask you because you weren’t around for… It’s just interesting. You know what I mean? I had Pong growing up. I had Pong. I literally had Pong. You had to use a Phillips head screwdriver to screw the, to connect it to the back of your TV.

Speaker 1 | 04:12.742

Yeah, wow.

Speaker 0 | 04:13.663

It was…

Speaker 1 | 04:15.624

I mean, I can go back to, you know, video game-wise, you know.

Speaker 0 | 04:20.767

Okay, what was the first major video game?

Speaker 1 | 04:22.107

Some original NES. I can remember playing, I was a big fan of Mike Tyson’s Punch-Out Games. That was awesome.

Speaker 0 | 04:29.992

It’s still fun.

Speaker 1 | 04:30.912

A little duck shooting. Yeah, absolutely.

Speaker 0 | 04:33.294

Okay. All right, I can see this is going almost nowhere. That’s fine. So anyways, did you, what’d you major in, in college?

Speaker 1 | 04:43.946

So my major was in accounting. Again, yeah, having to find a passion for that, but my major was in accounting. And, again, I had a lot of professors, people say that if you do accounting, you can do anything. And it’s a cliché, but you truly can, as you can see where I’m at today.

Speaker 0 | 05:04.454

Well, why is that? Why did they say that?

Speaker 1 | 05:06.999

Well, I think from an accounting perspective, it gives you a good general base of not only how an IT company is running, but I mean, really from that perspective, it gives you a good overview of controls that should be in place, how things should be run. It’s just a good foundation, if you had to put it that way.

Speaker 0 | 05:27.419

The best education I ever had was being like a Starbucks store manager because they put you through all kinds of business classes and, you know, reading P&L and line items on P&Ls and gross margin and controllable costs and, you know, all stuff that you just don’t learn as a creative writing major.

Speaker 1 | 05:43.566

Right. That’s right. Yeah.

Speaker 0 | 05:44.687

You know, and that really helped, I think, separate me a lot when I got into technology sales, I guess you could say, at the beginning, because I worked for a Cisco startup and it was a pretty aggressive sales force. And I think a lot of people that don’t have that accounting background, they can’t speak to a business owner and understand what his concerns are.

Speaker 1 | 06:09.184

No, absolutely. Yeah. I think so much. Yeah.

Speaker 0 | 06:12.026

You know, it’s a numbers game at the end of the day, it’s a numbers game. But at the same time, it’s not a numbers game, because we have humans running the business and we can’t just refer to humans as headcount, which an accountant might refer to at some point in his career. So there’s kind of that dual, that duality there. So, so you left accounting. Were you, did you have a job in college or when you first got out of college that kind of got you into IT? Was that kind of how you fell into it, or what was it?

Speaker 1 | 06:42.202

Yeah, absolutely. I, um, I had an internship while still in college, just doing traditional accounting. But I found it kind of a need. It was a small accounting firm, and they didn’t really have a dedicated IT person. I essentially became their help desk guy. And I never thought I could do something like that. And it just continued and played on from there.

Speaker 0 | 07:07.334

Gotcha. So one of the big themes of my show is, of course, business acumen and IT directors’ lack thereof of business acumen, or successful IT directors using business acumen skills to really kind of drive the business forward and get them out of that cost center mentality. Now, you having an accounting background and being in IT at the same time, do you still look at IT as a cost center? So to speak, I mean, is it, I mean, from an accounting perspective, I guess it would be like a cost center, but there are so many aspects of it that can affect ROI and/or really sink the business, which is what we’re going to get to here in a few seconds. But what do you think of that, referring to IT as a cost center, and how should it really be looked at?

Speaker 1 | 07:55.311

Yeah, when we do these audits with our IT risk assessments, so many times we’re sitting down, the people who initially hired us are from a CFO perspective. They very much have that mindset of IT as a cost center and, you know, a necessary evil of doing business. But we always have to remind them that even though they might be in manufacturing or in retail, I’m a firm believer that every company today is an IT company. You either embrace change or you get left. So that’s something we, it’s a continual education, especially with executives: you need to get with your IT directors, you need to give them a seat at your table, your board of directors. They’re a wealth of information.

Speaker 0 | 08:49.016

You have to embrace technology. So you’re almost like the knight in shining armor that can come into an organization where an IT director might not have had a voice in a long time, and you can come in as a third party and speak directly to… C-level directors and say, you need to bring in your IT guys and give them a seat at the table, because if you don’t do that, you’re creating, you’re making shadow IT decisions, you’re creating holes in security. You might be the first person I’ve spoke to that’s like an outsider that makes that happen.

Speaker 1 | 09:17.482

Yeah, we definitely act as an advocate for IT. I mean, just because, again, there’s always this disconnect between IT and executive management. What are they really doing over there? We just see this huge line item on the budget, but they kind of… Bridging that gap between IT and executive management and putting them on the same page and kind of help them gain some synergy.

Speaker 0 | 09:42.663

Because I’m always encouraging everybody to know you need to be driving that process. As an IT director, you need to be asking the questions. You need to be having one-to-one sit-downs. You need to be asking C-level directors what the vision is of the business. How can you help solve problems, increase profits, whatever, increase efficiencies, that type of thing. Okay. So here’s, here’s the big thing. The big thing that keeps every IT director up at night, the big thing that might wake them up in the middle of the night, and the thing that is a never-ending, I don’t know what the correct metaphor is, I think the metaphor is similar to the postal system. The mail will never end. And if you take a vacation, all you have done is doubled your amount of work, because the mail keeps coming. And except that mail, you have no idea what’s in every single one of those envelopes. There could be, like, razor blades in it. Yeah, right,

Speaker 1 | 10:50.325

right.

Speaker 0 | 10:50.966

There could be, what was the scare years ago? The anthrax, you know, whatever it is. And that subject is security. I don’t like talking about security that often because, I don’t know, security in general, for this reason, for the apps, for the reason that it just seems to constantly keep people up at night, and it seems to be such a never-ending battle where it’s a one-sided thing, where it’s kind of like the empire is really the rebel force and it’s kind of all backwards, right? You go in from not only an accounting perspective, but a high-level IT technology perspective, and you do security audits. And what I want to talk about and what I want to ask you really is, for any IT director out there that’s being kept up at night for security, that, you know, kind of is lost in this world of this endless battle, where should they be starting? What should they be thinking? And maybe, I guess, what do you guys do when you go in? What’s the first thing that you look at?

Speaker 1 | 11:56.661

Yeah, we always start with what I would call some of the low-hanging fruit. I mean, there’s certainly times that we can go and do these huge in-depth audits, but, you know, a lot of times they’re looking for what, what are the quick hitters here? The first thing I would probably say is getting proper oversight of your vendors. I think we’re continuing to outsource things.

Speaker 0 | 12:23.641

And before we do that, and before we kind of get into the weeds here, when you say low hanging fruit, that sounds like quick wins to me, but. What does low hanging fruit really mean to you in the security space? Is it, is it the biggest holes or is it just stuff that should be like the obvious things that we hit first? And we still know that there’s still things that are going to keep you up at night.

Speaker 1 | 12:44.515

Yeah. I’m going from that perspective of the obvious things. What are people getting hit on? Those obvious holes, things we should focus it on first. Yeah.

Speaker 0 | 12:55.298

Okay. So let’s do it. So keep going. We’re talking about a vendor oversight. What does that mean?

Speaker 1 | 12:59.819

Yeah. So with vendor oversight, you know, as a society in IT, we continue to outsource more services. One thing we always tell our clients is, you know, even though you can outsource the service, you can’t outsource the responsibility. So having proper oversight, you know, so many of these breaches are happening through third parties. There’s just a lack of oversight, whether that be through the accounts that you have on Active Directory, your VPNs, just a good oversight perspective. So just whether that’s,

Speaker 0 | 13:35.065

Can you give me a couple examples? Just give me a couple examples of like, what would you say is the number one thing that people outsource that creates a vulnerability that people get hit on?

Speaker 1 | 13:46.608

Yes. I would say, you know, especially when we talk about small to medium-sized businesses, I mean, if it’s, say, an MSP, whether it’s some local IT company that’s helping you with these things, you know, that would probably be one of the number one things small and medium-sized businesses could key in on.

Speaker 0 | 14:02.391

So, okay, what is the local MSP doing that’s stupid that they should be concerned about?

Speaker 1 | 14:10.898

The biggest thing we see with those is a lack of oversight on some of these vendor accounts that they’re using for access to the systems. That’s usually one of the biggest things we see right off the bat.

Speaker 0 | 14:29.440

What’s one of the vendors or what’s one of the, is it the fact that they manage multiple vendors for a customer with multiple passwords and portals? Is it, you know, give me something specific.

Speaker 1 | 14:39.906

Yeah, I mean, let’s see. You mean specific that.

Speaker 0 | 14:43.488

Like hosted exchange, like a product. I need a product. I need a vendor product without naming, you know, a name of a particular product. Is it, you know, is it O365? Is it,

Speaker 1 | 14:48.690

you know, what is it?

Speaker 0 | 14:50.071

Is it? Well,

Speaker 1 | 14:57.035

I guess. What I was really keen on there would have been these local, I would call them mom-and-pop IT shops. Oh. That you are just giving complete unfettered access to, just giving them keys to the kingdom, just because, I think, it’s trusting. Yeah. And not really knowing. It’s like, you know, as an auditor, we always say, you know, trust but verify. That maybe gets overused, but I’m the same age, can’t

Speaker 0 | 15:27.762

be too careful. Yeah. And then I’m in quite a few MSP groups, secretly watching behind the scenes, and I see quite a bit of back and forth talk about, my customer just did this. And in my terms and conditions, I said this, and should I have them sign a waiver saying that I’m not responsible for data loss if they do this, this and this? So then you’ve got this kind of mix of, hey, we’re outsourcing stuff to MSPs. But then we make a shadow IT decision that screws kind of the MSP provider from their perspective, because they’re selfish of their perfect work, which we know is not always perfect. So there’s actually quite a few, there’s quite a few, I don’t know, like, problems and issues there that I think we could talk about all day long. So maybe we’ll just stop there and we’ll leave it at the outsourcing of service to MSPs and the responsibility around that. What do you help them do? Write a policy? Should they write a policy about this from an internal perspective? Kind of what’s the attack plan?

Speaker 1 | 16:35.051

Yeah, policies are certainly a good thing. But I mean, to actually get teeth to something, you know, a great control you can put into place is logical access reviews. So just periodically just pulling the listing of those accounts, making sure the access that you’ve given, making sure it’s still appropriate.

Speaker 0 | 16:55.416

Okay. And for example, give me something that would change.

Speaker 1 | 17:04.178

Are you talking context out of those?

Speaker 0 | 17:06.060

I mean, are you saying like, say we gave this vendor access to this? Are you saying, hey, they’re not a vendor anymore, yet they still have access. Is that what you’re talking about?

Speaker 1 | 17:13.606

Yeah, absolutely. I mean,

Speaker 0 | 17:14.888

kind of like an employee that got fired that still has access to Salesforce.

Speaker 1 | 17:18.691

Yeah, absolutely. From a user perspective, terminated vendors. He had multiple accounts out there from vendors. Yeah.

Speaker 0 | 17:25.337

Okay. What other low-hanging fruit do we have other than vendors? What’s the next bullet point?

Speaker 1 | 17:30.998

The second thing, and this seems like it should be so obvious, but it really is, it’s education. Education of your end users is critical. I mean, you could have a fortress of IT security, but we are dealing with uneducated end users, and one click of a button could completely undo all of that that you put in place. The education of your end user is so important, whether that’s through periodic security training, social engineering, the phishing email testing.

Speaker 0 | 18:02.701

Now, I think education definitely is important. And everyone, like you said, it sounds so obvious, but, you know, maybe they don’t do it or maybe they’re using some program that sends videos out every week or they’ve got email phishing fake emails that get sent out and play tricks on end users and that type of thing and say, hey, you clicked on this and this is what could have happened if you did this. But, you know. What about, again, policy and procedures and expectations set around the education that, hey, we sent you this educational document. You said you read it. Now you’re responsible for it. Have you run into any kind of people that have done well holding people accountable to it? Because I think a lot of times I know from my own past experience working at numerous companies, I think that someone might… possibly treat the company’s cell phone, for example, just for example, the company’s cell phone or the company laptop, they might treat that differently than they would treat their own laptop at home. True or false?

Speaker 1 | 19:05.772

No, I mean, I definitely think that’s a true statement. I mean, going back to your, to the policy example, I mean, uh, we will always recommend policies as an auditor. I mean, we love policies and procedures. Um, but they kind of serve sometimes as that CYA. And I mentioned previously about giving something teeth, so actual training or, not getting too auditor-speak here, but putting a preventative control or a detective control in place. That’s something that a policy or procedure might not could offer you.

Speaker 0 | 19:39.261

I guess at the end of the day is how do we get end users to be bought in to care about the education? Because we know it’s the, we know the old 80-20 rule. We know maybe 20% of the people are like the perfect, the perfect employee that, you know, will follow all the education, do everything. But then, you know, maybe the, maybe the bottom 20% or the other bottom 80% just kind of, you know, show up for work and, you know, depending on your company culture, I’m not accusing anyone out there of not having a company culture where we come into work and we just, you know, we wake up in the morning, we’re like, you know. so happy it’s Monday, you know? Um, but the reality is that there’s going to be people throughout the company that just don’t care that click. They just click.

Speaker 1 | 20:22.053

Yeah, that’s right.

Speaker 0 | 20:23.074

Um, what do we do about that?

Speaker 1 | 20:24.855

Yeah. And unfortunately a lot of those clickers, um, are sometimes executive management. So what do you do with that?

Speaker 0 | 20:33.261

Right. Because they’re the boss.

Speaker 1 | 20:34.890

Yeah, that’s right. But I mean, we’ve seen from our client perspective, anything from incentive reward programs, something to kind of change that perspective. And then on the opposite side of that spectrum, obviously, there’s a lot more sense to having to work with HR on things like this. But, you know, we’ve kind of seen a three-strikes-and-you’re-out. That’s a little more harsh. But if you’re putting someone’s livelihood on the line of clicking an email, you know, maybe they think price report and something like that.

Speaker 0 | 21:03.626

What’s the best incentive? Give me a good incentive reward. Let’s give back now. This is where we give back to the listeners. What’s one of the best, what’s been one of the most effective reward programs that you guys have run?

Speaker 1 | 21:16.113

I have seen, yeah, we’ve seen several clients have a lot of success with, you know, it’s small. It’s not a huge line item on your budget, but having a clean quarterly no-click report, you know, a $25 Starbucks gift card. I mean, you could, you couldn’t go better with that. And it’s, it sounds something so, so small, but again, it’s, it’s changing that, that mental mind shift to get them to think before they click.

Speaker 0 | 21:43.813

This just reminds me of something. Okay. And the reason why it reminds me of something is because I started out, Starbucks is a very interesting company. I worked for Starbucks for a long time.

Speaker 1 | 21:57.043

Yeah. You mentioned that. Yeah.

Speaker 0 | 21:58.525

And, uh, I got, I, we had this machine sale one time where we had to, we had like, I don’t know, like two or three weeks to sell all these high end espresso machines. Right. And, uh, I came up with this like elaborate plan to sell more espresso machines than anyone else. Right. I went to like Barnes and Noble. I didn’t know anything about sales. I knew nothing about sales. I bought this audio program, Zig Ziglar’s Secrets of Closing the Sale. Yeah. This other dude, Tony Robbins, and whoever he was, you know, Awaken the Giant Within. It’s like, I’m a Starbucks store manager, right? And I released all these programs like, okay, here’s a close. Here’s like, what’s a close? You know, like what’s a sales close? Oh, alternative of choice. Do you want black or white? So I set up a mini Starbucks inside of Starbucks. I will get to the point here. So I set up all the machines, steamed them all up, made every barista watch every DVD, every video, learn everything about every machine. And then we duplicated the bar, the handoff bar where you go and get your drink. Another section of the store was all the machines that you would have at home, hot and ready to go. And then everything else that you would have at Starbucks, pops, syrup, you can buy it all. You can go into Starbucks. The only thing you can’t buy that we couldn’t buy back then was white mocha. I don’t know if it’s still the same today, but that’s the only thing that Starbucks won’t sell you. Anyways, everyone that came through the line was asked, do you want your drink for free today? That’s like a demo, right? Do you want a free demo? Do you want your drink for free? Of course I want my drink for free. Great. Come on over here. Staffed an extra person, brought that person over to the Starbucks within a Starbucks, made their drink exactly the way that it was made in the store, but with the at home machine. And then at the end of that, we gave it to him for free and we said, Hey, great.
You know, our machine sale’s coming up next week and we’re doing a pre-order because we really expect everything to be sold out like within the first couple of hours. So we need to pre-order all the machines. Do you want the stainless steel or do you want the copper? Alternative-of-choice close. And I told the baristas, just get ready for them to say no, because these machines are all $600 and $1,200 machines. They’re going to tell you no right away. Objection. You’re going to get an objection. And I just want you to do a return on investment. I want you to then ask them, okay, no problem. But how many times a week, how many times a day a week do you come into the store? And do you have any family members that come into the store? And the number is actually quite astronomical when you think about how often people go to Starbucks and how much they spend a month. It’s a car payment. It literally is a car payment. And what we found out is that every single person, we would say to them, like, look, if you just come in half the time and you make your drink at home, it’s paid for itself within two months. Yeah. Do you want the stainless steel or do you want the copper? And they’re like, wow. And then you’ll be able to entertain and like blah, blah, blah, blah, blah, and have this right at home. And then when Starbucks is closed, you’ll be able to make a drink, whatever it is. We were like a blip on the map. We sold some ridiculous amount of machines in three weeks. And Philip Howard, congratulations. You did so awesome. Here is your $50 gift certificate to that.
That’s what that reminded me of. But, um, and I’m not, just so you know, I’m not putting down the one-click report at all, because the one-click report, I would just, there’s a lot to be said about just recognition in general. People just want to see their name at the top of the list. Oh, there’s no doubt. Yeah, I’m on the one-click report. What the hell did you click on, John? What’d you click on? Anyways, man, sorry, sorry for this complete side. That’s a good story. Yeah, you know, take a step back in time. Okay, so one-click report. Any other ones that are really good? I like the one-click report. The no-click, sorry, the no, the no-click. Well, I mean, even if it’s one click, I mean, that’s still a lot better than what I’ve seen. That one click could be a bad click. Uh, okay, so we’ve got, uh, taking care of vendors, we’ve got education. What’s the third one? Let’s give people three bullet points. What’s the last low-hanging fruit you

Speaker 1 | 26:07.190

I would say the third one, and we see this so often, small and medium-sized companies is, as you know, more oversight of your vulnerabilities out there in your system. So, whether that’s, you know, good periodic vulnerability scanning internally, penetration testing, it’s so key and it’s something we just don’t see that often. It’s so key to have those things done. You know, you don’t, if you’re not periodically scanning, you may have things out there you don’t know about. You can’t protect something you don’t know about. So that is so key, staying on top of those vulnerabilities out there.

Speaker 0 | 26:42.291

People hate that saying, you don’t know what you don’t know. I like it. It’s kind of a mixed bag. I guess some people that hate it, I actually kind of like it. You don’t know what you don’t know. But what can they be doing then to know what they don’t know?

Speaker 1 | 26:58.261

I think from a vulnerability scanning perspective, I mean, you can get very astronomical, some expense of some of those tools, but you have to start somewhere with that. So if you don’t have a good third party patching tool in place, you know, that’s a great place to start. But even if you do, I mean, getting on board with some type of vulnerability scanning product, periodically scanning internally just to see what’s out there. So many of these we do for the first time with our clients, they are blown away, things that show up out there. It’s like, man, I thought we shut that down, or I thought this was, I thought this was mitigated, but it’s just not. And then on the other perspective, from an external perspective, you know, penetration testing, um, there’s no better way to simulate an attack, or what, uh, what attackers are going into these days, than just seeing what, what holes you have outside and seeing if they’re exploitable. It’s, uh, it’s so important to do those, you know, at least annually. It’s probably one of the hardest

Speaker 0 | 28:03.206

Everyone, in my opinion, everyone’s in sales. And a CISO job, and in mid-market, there’s a lot of times no CISOs. A lot of times there’s no checks and balances in place. There’s no CISO and IT director. A lot of times it’s just IT director or IT manager. That’s right. And they have to do both. And there is no checks and balances. And their sale, it’s almost an impossible sale sometimes because… If nothing’s happening or nothing’s happened yet, it’s hard to motivate someone to kind of like buy this security insurance, I guess, so to speak, until something does happen. What’s the best way to get someone to understand the severity of security and to want to invest in it? Or to even realize that maybe they think that they’re not a target. Maybe one of the other mistakes people make is they’re not really a target. I don’t know. Do people think that way? What do you think the biggest mistake people are making is from a C-level perspective in security?

Speaker 1 | 29:08.717

Yeah, we definitely see that. And I either think that hackers are more keen on certain industries, whether that be healthcare or worse. We fear this all the time. We’re a small fish in a big pot and dealing with so many small, medium-sized businesses. This kind of goes back to the education piece of, you know, they’re not targeting one certain person. I mean, it’s a shotgun approach out there. I think getting especially C-level people on board, going again, going back to some other points there, but click rates from some of these phishing emails, that’s huge. That’s an eye opener for C-level people. These penetration testing reports are key for C-level people. And then finally for the C-level people, it’s like news headlines. There’s nothing better than a good scare tactic from someone in our industry got hit and oh my gosh, look what they paid in our ransom.

Speaker 0 | 30:09.329

Yeah, it’s really ransomware, isn’t it? Yeah. How would you feel? This is how I would put it. Mr. CEO, very successful in your late 60s, maybe successful multimillionaire. How would you feel to know that this, I don’t know, 17-year-old derelict, very smart kid is holding your company ransom for $500,000. Maybe not even that. Maybe he just wants 20 grand. He just wants 20 grand or $50,000. It happens. Right?

Speaker 1 | 30:42.426

That’s right.

Speaker 0 | 30:44.387

Give me a good story. Well, let’s scare some people. What’s the best story you got? Let’s just do a medium story. Don’t even do the best story. Let’s just do everyday occurrence. Let’s just do an everyday occurrence. It’s not a matter of if. It’s a matter of when. And this is what’s going to happen to you if you don’t do this.

Speaker 1 | 30:59.198

Okay. I’m going to need a potter to listen for a second.

Speaker 0 | 31:03.501

That’s fine.

Speaker 1 | 31:07.143

I’m thinking too about my brain dragging from a…

Speaker 0 | 31:10.822

non-disclosure standpoint, which we would have a lot of details, but, um, I gotcha. I mean, we all know the Bank of America. People know the Bank of America. Yeah, we know, we know those type, right? You know, we know the guy that, you know, uh, is stalking the CEO’s Facebook page and he’s going to the Hamptons this Friday, and we got to email HR, and I need you to pay this invoice right away before I take off with, uh, uh, you know, I don’t know, Susan, to the Hamptons. Can you pay this right now? You

Speaker 1 | 31:38.426

But we’ve had, it’s insane how often, especially dealing with clients, we get so many of, yeah, my CFO emailed me and said, hey, I’m out here at this conference. There’s a great new product, great new tool that we have got to get ground level on. You know, where are this money? And of course, we have seen that so often. And we get the calls on the back end and say. Hey, how can we get our money back? We wired it to God knows where. It’s not coming back. I mean, it is so sad to see that. We’ve helped some of our clients on the perspective of if they have cyber insurance, that’s a whole nother story for a different day.

Speaker 0 | 32:25.654

Do banks not credit that stuff back just out of curiosity? No. Can they not reverse a charge in many cases?

Speaker 1 | 32:33.599

If they do, it hasn’t been a case where we’ve seen it.

Speaker 0 | 32:37.462

Okay.

Speaker 1 | 32:38.762

Certainly with cyber insurance, but like I said, there’s a whole different laundry list of things that obviously have to be in place or your insurance companies aren’t going to touch it.

Speaker 0 | 32:49.387

What’s better? I mean, is cyber insurance kind of a joke anyways? I mean, honestly, like what’s better, cyber insurance or better policy or better security? If you had to pick one.

Speaker 1 | 33:02.912

If I had to pick one, I’m going to pick a, you know, a good internal control set of, you know, controls and policies and procedures. Cyber insurance, it’s, with cyber insurance, it’s a, there could be a huge false sense of security there. I would think so. I would think there’s so many outs. We, we’ve seen time and time again, we’ve had clients that have these cyber insurance policies, uh, they get hit, they turn around and ask, can Mr. Insurance Company please reimburse me for all these costs. And the first thing they’ll turn around and say is, did you educate your employees not to call on email? Or you have policy that predictors this. And in a hundred times out of 10, they’re not going to have it. And insurance company hands up and work out. And it’s a huge smack of reality in the face of these people.

Speaker 0 | 33:57.182

So what can you help other IT directors with? How can you help? other mid-market IT companies out there? What can you do for them?

Speaker 1 | 34:06.368

Just to preface here, is this a plug for services? I don’t know where you’re going here.

Speaker 0 | 34:11.551

Yeah, this is a free plug. You can do whatever you can say, whatever you want here. No, it’s fine. I’ll see you. I mean, go ahead and plug. Well, first of all, we want what you can give us for free. Uh, I’m not, and just so you know, there is no, there’s no bias here. I’m just asking because, uh, I didn’t expect us to be talking about, uh, security audits that much. I can’t, but, but since I know that’s what you do, since there’s no, this is, I know what you do, feel free to plug yourself all you want. Someone asked the other day, can I mention, um, I don’t know, Fortinet on here? I was like, I don’t know, go ahead. And okay, yeah, and then I’ll call Fortinet later and ask them for, uh, maybe, hey, I sponsored you, can you give me a hundred bucks or something. But anyways, um, no, but really, you, do you do anything for free? And everyone knows nothing comes for free. Let’s be honest, right? It’s more like a free demo or something like that. But yeah, this is your opportunity to tell me what do you do and what can you do for IT directors to make their life easier and to help maybe sell upper management on the value of security.

Speaker 1 | 35:13.456

I think the first thing you mentioned, free, I mean, we partner with several insurance companies that if you are curious about cyber insurance coverage and whether you have it or if you don’t, if you have a policy and you’re just like, you know, where would I stand if I got hit by ransomware? You can certainly send those to us. And we have, for me, completely free, have someone to review something like that and sit down with your reviewer just to see if there are any holes or gaps. You know, from our perspective, you know, we deal with things like we are a full-service accounting firm, but within our group, the security risk control group, you know, we do anything from cyber risk assessments. And if that’s basing yourself off of some kind of popular framework like a NIST or a COBIT, we can certainly do that. From a perspective of kind of getting your C-level people on board, you know, we’ve, we’ve certainly had cases where, sorry, I just lost my train of thought there. We’ve had cases where it’s like C-level people want to be on board, but they need kind of spurring along. So we can have those conversations to kind of help them realize what the benefit of getting them on board and using our reports to kind of leverage that.

Speaker 0 | 36:33.282

Give me a little bit of an idea of what a security assessment can entail. And I don’t know even how much like a security assessment can go for, because I don’t know, this isn’t my ball. This just isn’t my wheelhouse. My wheelhouse is replacing old phone systems and purchasing internet services and, you know, specific, very specific security products like email phishing and stuff like that. And I know how to do, I mean, I have people that do audits on public facing IP schemes and stuff like that, but But from your perspective, just a general security audit, what can someone expect and why should they do it?

Speaker 1 | 37:10.838

So, I mean, from a general perspective, this usually entails about four to six weeks of your time. You know, we start with a general request list. If needed, we’ll come on site, do vulnerability scans to get you a good level overview. But we just sit down over the course of a day or two and just completely walk through all of the controls that you have in place. The most common one we do is over the COBIT framework, if you’re familiar with this. It’s public bias, other kind of IT best practice organizations. But, you know, we walk through anything from your IT structure, your strategy. Does IT have a seat at the table with your C-level people? We look at change management, the changes that you have in place. Do you have a formal SDLC process, policies and procedures? We look at your patching. Is there a good process there? We talked about vendor management earlier, so we kind of review, where are your critical vendors? Are there any risks there? Are you doing your proper due diligence over those vendors? Another area we look at is around your system application security, so that’s dialing in the passwords, looking at all your users, and then kind of looking at your firewall. What kind of firewall do you have in place, the administrators on that, intrusion detection, prevention, all that good stuff. And then kind of a piece on your physical access as well. And I think finally what we look at with the risk assessment is, um, is kind of how you manage your data. So your backups, the good information on, um, what’s backed up, where is it backed up to, how often is it backed up, and kind of analyzing that, making sure that you have the throughput and the, um, the performance capabilities that you need to, to back off all of your, your systems as needed to vector data.

Speaker 0 | 38:57.160

Gotcha. Now, are you guys, you guys don’t sell insurance, do you? You’re not like an insurance company. You’re primarily an accounting firm that has a security assessment like division or how does that work?

Speaker 1 | 39:08.768

Yeah, that’s right. We do not sell the insurance. Like I said, this is just a division of the accounting firm that just deals with security and controls. Gotcha.

Speaker 0 | 39:19.908

Okay, awesome. And you’re not making any specific suggestions for products or vendors or anything like that. You kind of main vendor agnostic from that standpoint, and you’re providing, helping people put together a, I’m assuming a security policy and strategy moving forward in the future.

Speaker 1 | 39:34.598

That’s right. Yeah. So from those areas that we look at, we’ll kind of combine that into a report and give very specific recommendations. If there’s no, because we are an accounting firm, if there’s no independence issues, we can certainly provide. But policies and procedures, there’s no need to reinvent the wheel on those things. And again, if there’s no independent procedures, you know, we have a team of people on site that can make specific product recommendations. If there’s no independence concerns to help you, help you get rolling and implement those recommendations.

Speaker 0 | 40:09.136

Gotcha. Gotcha. Now. So I guess my other question would be is what should someone expect so they aren’t kind of, you know, someone that’s looking to do something like this? Should they be budgeting for this? What can they expect to, how much should someone expect to pay for like a full blown security audit like this? Again, me, I’m talking from someone that does not do this on an everyday basis. And I do want people to know, like, look, when you go into this. This is what you can expect to pay, but you can expect to come out with a very strategic game plan and step-by-step process for implementing and feeling more secure.

Speaker 1 | 40:50.315

Oh yeah. That’s what you’re saying there.

Speaker 0 | 40:53.497

They’d be budgeting like a hundred thousand, half a million, 20,000.

Speaker 1 | 40:59.400

I guess before I say anything, I’ll preface this by saying, I mean, it’s obviously going to depend on size of company, complexity, case by case basis, of course. Yeah, yeah, sure. Um, but I would say most of our small to medium-sized companies that, um, we do a lot of risk assessments based on like the NIST CSF, uh, 853 or something like that, you know, that, that will typically run in the range of, I’m going to go ballpark, like 20 to, 20 to 30 thousand dollars. You know, that includes a full assessment, um, assessment against that criteria. Seeing where you stand there, we give recommendations, you know, we can present that to C-levels and then kind of go from there.

Speaker 0 | 41:43.807

And I mean, in all reality, it takes four to six weeks. So that’s correct. Yeah. You know, you’re basically outsourcing a company that doesn’t have maybe, you know, we’re not taking on a headcount. We’re not taking on, you know, a CISO level role, but you’re outsourcing. a job that’s a month and a half or maybe $25,000, $30,000 to implement a security policy and really have kind of a game plan going forward. To me, it seems like a very good assessment considering how much you would pay a CISO month salary anyways.

Speaker 1 | 42:20.537

Yeah, that’s right. There’s no doubt. I mean, it fits.

Speaker 0 | 42:22.779

Do you like how I just flipped that? I just turned that into a latte at home. I just turned that into a latte at home. That was really good. Just a little latte at home. That’s what we’re going to name it. Anyways, Cisco’s drinking, CISO’s drinking lattes at home because they’re no longer needed. No, because we’ve got Justin. Hey, so, hey, it’s been great having you on the show. If you had any one piece of advice other than call you and get a security assessment, if you had any one piece of advice for mid-market IT directors out there, managing 200, upwards of 2,000 end users, maybe drinking from the fire hose, up late at night thinking about security? What would that be?

Speaker 1 | 43:13.203

I’d say if I had to give one piece of advice, and we see this so often, and it really is a shame, but it would be continue to work with the executives of the company. It is so hard for IT to get a seat at the table, and we’re such an advocate for that.

Speaker 0 | 43:28.984

Continue to work with them, because, you know, the sooner that they realize the importance of it, I think that’s a catalyst for growth for a company. Man, that’s going to make this show last another 45 minutes. What’s, um, just, and okay, so I gotta ask one follow-up question. Why is it so hard, in your opinion, why is it so hard for IT to get a seat at the table? Well,

Speaker 1 | 43:49.913

I think, like, so the, the, um, the scenario, personality, is it nerdiness, what is it? There’s certainly a disconnect. I mean, the scenario that you painted earlier, you got your 60-something-year-old CEO. That’s probably about the demographic there. They grew up on the more of maybe a traditional side of things, less technology, things running on paper. And you’ve got a, you know, it’s unfortunate, but when you paint a picture of an IT person, you think of someone hacking away at a computer down in a basement.

Speaker 0 | 44:25.859

We think of you. We think of millennials. We think of millennials. He was talking about their first device that they had.

Speaker 1 | 44:33.306

It was a mobile device.

Speaker 0 | 44:35.948

So here’s what we want to do. We want to put you in a room with Warren Buffett or Donald Trump or someone like that, and we want you to convince them. I mean, do you think Warren Buffett has do you think IT has a seat at the table?

Speaker 1 | 44:49.220

I definitely do. I mean, the guy’s a brilliant man. To me, I don’t think there’s any there’s any successful business today that doesn’t embrace technology

Speaker 0 | 44:56.840

I would love to ask him that question.

Speaker 1 | 44:58.480

That’d be great. That’d be great. Here’s productive.

Speaker 0 | 45:00.682

Yeah. My wife’s from Nebraska, from Omaha. So, you know, maybe we could just go to that McDonald’s and like, you know, get a job at McDonald’s and say, when we’re selling him his egg McMuffin every morning, we can be like, Hey, by the way,

Speaker 1 | 45:09.947

that’s right. Yeah. That’s a stop.

Speaker 0 | 45:13.689

Look, man. Hey, it’s been fantastic having you on the show. I really appreciate it. And anyone that wants to get ahold of Justin, please feel reach, feel free to reach out to me on LinkedIn and find him as well. Justin Headley. You can find him on LinkedIn and just search Justin Headley, Warren Averett. Am I pronouncing that right? A-V-E-R-E-T-T.

Speaker 1 | 45:38.725

Warren Averett.

Speaker 0 | 45:39.385

Yep. Warren Averett. Sorry. Find him, reach out to him and let him only bring, only turn down a little bit of the paranoia, because that will never go away.

Speaker 1 | 45:50.173

It’s always there.

Speaker 0 | 45:52.174

Thank you, sir.

HOSTED BY PHIL HOWARD

Dissecting Popular IT Nerds Podcast
