Security Market Watch

SMW #1: Strategy vs. Pleasant Persistence Ft. Cyber Sales Guru Tim Scanlin

June 27, 2023 Josh Bruyning Season 1 Episode 1

Is your organization equipped to handle the evolving challenges of cyber threats? Fear not, we've got you covered! In this episode, we unwrap the art of pleasant persistence and proactive cybersecurity, shedding light on its crucial role in customer engagement and small business outreach. Tim shares his invaluable insights on the internet's continuous evolution and the importance of adaptive sales approaches for diverse audiences. 

As a cyber security professional, Tim works with Attack Surface Management to help defend organizations against cyber attacks. Imagine being a digital superhero, constantly on the lookout for potential threats and taking proactive measures to prevent them. That's what he does! With Attack Surface Management, he helps identify and monitor an organization's digital vulnerabilities, leaving no stone unturned in the fight against cyber crime. It's a never-ending battle, but I'm up for the fight!

Top it off with our deep-dive into the concept of 'shadow IT', brushing on both physical and digital security measures. We highlight the pivotal role of strategic partnerships with security vendors in managing risks and costs associated with data breaches or DDoS attacks. Throughout the conversation, one thing becomes abundantly clear - the need for strong client relationships that go beyond transactional interactions and foster trust. Trust us, you won't want to miss out on this enlightening conversation filled with practical insights and strategies for security industry professionals! Tune in for a captivating episode that's all about innovation, adaptation, and relationship-building in the ever-evolving world of cybersecurity.

Speaker 1:

What is Security Market Watch? I don't want to say too much here because there's not a whole lot to say. Security Market Watch essentially is a bunch of professionals in the security industry. So we are sales professionals, we are engineers, we're CEOs, we're CISOs. And this is sort of security industry or security after dark. It's a bunch of professionals after the day job talking about the day job, and so I hope you guys get a lot of valuable insight into all things security industry out of this episode. So, Tim, the floor is yours.

Speaker 2:

All right, Josh and Maggie, thank you very much for having me, and it's number one, so I feel honored about that. And I'm excited to see where this podcast goes. So a little bit about me. I started my early career in the Air Force and you can see the plaques behind me there. There's Alaska and then on the other side is Hawaii. So that's a little bit of what I picked up along the way. In fact, I joined about a week before 9-11 and I remember waking up that morning and realizing the Air Force that I joined was not the Air Force that I thought I was going to join. So that was quite a shock.

Speaker 1:

Why is that?

Speaker 2:

Well, obviously, 9-11 changed some things with our US military. And so, you know, and all in all, I was very blessed. I was a weather forecaster, I had great assignments, Hawaii and Alaska are two of them, and learned a lot as a weather forecaster. And just very lucky, in fact. So 13 years in the Air Force, wouldn't trade it for anything.

Speaker 1:

Awesome, and your slice or your section of the security industry is all about attack surface management, and so could you describe a little bit of what your day job looks like and what you do, and what are some of the problems that you purport to solve?

Speaker 2:

Sure. So I'm a director of accounts for a firm called Halo Security. We go back about 20 years with McAfee. We're a spin-off of McAfee, so we've been doing this a long time. Been with them for about four and a half years now, and we really specialize in the external attack surface management space. It's become quite competitive recently, over the last two years. It's becoming quite popular as security teams are looking to get a handle on everything that is internet-facing, including third party and supply chain. So when we talk about attack surface, really what we're talking about is everything with a host name or an IP address. It's everything facing out, everything that the attacker can see when they're doing their reconnaissance and they're combing the internet for gaps and weaknesses within organizations. That's really what we specialize in.

Speaker 1:

All right, great. Thanks for giving us a little bit of a background. And let's turn to Maggie. And I could see her over there taking notes, forgive me, I'm so old school I write everything down by hand.

Speaker 3:

Still I actually I wanted to. I have a curious question. So I kind of grew up in the ranks of DoD, recruiting specifically with Lockheed Martin, in your opinion now more than ever, and I didn't realize you had gotten into the Air Force right before 9-11, but thank you for your service. How do cybersecurity, business security as a whole, really tie in with the military and the cyber warfare that's going on in your opinion? Now, obviously I'm not looking for statistics here, but, especially as a veteran, how would you kind of relate the two and the importance right now with what's going on in the world today?

Speaker 2:

Well, today and when I was in the Air Force are different worlds, right? So when I was in the Air Force, the internet was, you could say, primitive. It's nothing like it is today for organizations where they're connected to various third parties, meaning subsidiaries, vendors, technology integration. So the internet of today is very complex, and so the organizations that I deal with every day are dealing with a low visibility, high complexity, changing environments and then often resource constraints. So the Air Force also, even then, was very keen on the users of their network to be aware of cyber threats and just common sense principles on how to protect your credentials and your personal data. But again, it's just a totally different world. So today it's kind of fun to see where the military is going with cyber warfare and what that really means and what that entails. It's exciting, definitely.

Speaker 2:

It is a fight, it is a mission, and that's probably why I gravitated to cybersecurity because I'm up for the fight.

Speaker 3:

Yeah, we're glad you're with us. Thank you, it was intense when I was there. It was the peak of the backlog for the VA. We were working all different types of governmental contracts. And, like you said, it's empowering to see how far we've come. I'm excited about where we're headed, you know, so yeah, changing every day.

Speaker 2:

It's a very fascinating industry to be a part of, that's for sure, absolutely.

Speaker 1:

How's the recruiting, or not the recruiting, but from a personnel perspective, Maggie, have you still kind of kept tabs on who the military is hiring or who Lockheed Martin and those kinds of companies are hiring, what kind of talent they're looking for? Has there been a shift that you've seen over, like the last 10 years or so?

Speaker 3:

There has been. I feel that there is so much more as far as resources go that we could tap into. I don't feel that veterans are being used to the capacity, especially from a security standpoint. With regard to business operations, I would love to see more programs created where we could take civilians and pair them together, because it's very difficult for veterans to get back into the private sector. In particular, I experienced it firsthand with clients of mine or candidates that were fresh out of the military and they're trying to get in with, you know, a larger firm or something like that, but the only experience they have is military and it's very different lingo, very different experience, but the same core values. So it has gotten better over the years.

Speaker 3:

I know that the DOD is trying to really actively work with that, but it's difficult, and so I think one of the biggest things we can say is for any recruiting firms out there to develop programs specifically for veterans and even build out a division for that, and then go to your local recruiting offices and pair with them. You know, those people are extremely connected and they're underutilized. I think they're so busy trying to get recruits for the military. Well, why don't we flip it and say, okay, well, who do you know that's getting out and how can we be better to service that? And then also go to any large organizations, enterprise wise, or even the small business, startup companies. There's a lot of veteran owned small businesses that could utilize extra help with regards to business security.

Speaker 1:

Yeah, I'm really surprised that we don't employ, or at least utilize, a lot of that talent from veterans, because it's sort of commonplace now to hire from the military, which you know. Case in point, Tim came over from the military. Hey, Tim, are you seeing a lot of, do you see a lot of hiring in the sales space or do you hire ever from the military? I know that a lot of people like to hire from. A lot of CISOs and security leaders love to hire from the military because of the expertise that comes in, specifically the technical expertise. But from a sales perspective, would you still prefer to hire from the military or would you prefer to hire someone with more of a business background?

Speaker 2:

Well, in sales, I mean, sales is for everybody, right? So I would be happy to hire from the military for a sales professional if it really is what they're up to doing. So I was fortunate in that my career field was very much about developing a product with teams internationally and then presenting that product and, like a sales professional would do, in front of mission planners and commanders, to make go no go decisions. So it's weather forecasting. So I was developing products for them to make decisions on in front of rooms or over the phone or over the radio, whatever medium we needed at the time, and they were making decisions on that product. And so obviously that's not, that's fairly unique even in the military, right? Military is, the lion's share of talent in the military, they're technical people, they're, they're rugged, they're resilient, but not necessarily those that want to stand up and persuade others or pitch a product.

Speaker 1:

How did you go from the military into sales? That's to me, that's like you're right. You know, like when you, when you think of military, I mean sales. A lot of people don't know this, but sales is a very disciplined profession. The salespeople who do well are the ones who are professional, the ones who are very disciplined. So I could see that. But it is kind of spooky going from, like the military, which is very technical, very sale, very disciplined, into a sales profession in attack service, attack surface management. So how did you make that transition?

Speaker 2:

I think I just always wanted to be successful in business, even in the military. I put myself through an undergrad in an MBA education while serving. And weather does not always hit the fan. So there were lots of, there was lots of dead time there for me to be productive, whether it's studying the weather or working on my homework, and so I was always forward thinking what's next? The Air Force was definitely a stepping stone for me to excel and make progress on a career.

Speaker 1:

Well, that just asked. I do more questions because now, you know, now I'm thinking, okay, how does somebody who wants, who loves business, get into the military? So, like, very, you know, but actually you know a lot of, I could maybe see a connection there, because some of the people that I work with in sales, they, they're very pro military, they're to your point, Maggie, they're very pro veteran and they would love to see a lot more investment into our veterans. So maybe, that's you know that that's something that I'm probably going to be thinking about over the next couple of days or so is how do, how do these three very different worlds... Oh, you know what? The business side and the military side does coexist. It's called the military industrial complex. And yeah, so, yeah, maybe I'm over here thinking that it's weird, when actually it's a match made in heaven.

Speaker 2:

The Air Force in particular is very much run like a business.

Speaker 3:

Cool. I was going to say one last comment. I had the privilege of working with a Marine that had just retired after 20 years of service, came out just so much fire and passion and wanted to do executive head hunting in finance. And I had so much fun working with him. And if he's watching here he knows who he is. But he had a really difficult time transitioning because we were not only in finance but we were surrounded by CPAs and especially Marines who were. It was very rough around the edges transition wise. And I know he got frustrated and I just kept saying you know, stay focused, be yourself. It's not so much about fake it before you make it. Just, people will naturally gravitate towards that. And not everybody has to like you in sales. And I meet so many people right out the gate like, oh man, I hate sales. I would never want to do this when I'm thinking, if you were just yourself, I think you could have a lot of fun with it. So I just wanted to comment that real quick.

Speaker 2:

Agreed, yeah, and I've always been about communication and in the military that was, my job was to communicate, was to be clear and to the point and build confidence in my audience to make it make a very important decision day after day.

Speaker 1:

So you'd probably say that your military experience is an asset.

Speaker 2:

Absolutely. Sales. Yeah, yeah, very much.

Speaker 1:

Interesting. Well, you probably would have made a really good general if you wanted to stick with that, because I always think of generals as, like the chief executives, they're like, see, like you know, or VPs of the military, all business, and they probably have never fired a weapon in you know, or seen battle or fired a weapon, I'm pretty sure, but they're probably never. They're not on the front lines. All right, I'm going to stop talking about the military, because I know nothing about the military and I will embarrass myself. Okay, Tim, you have, I don't know if you've crafted this or it's the first time I've heard it, and I heard it out of your mouth first, which is a term called pleasant persistence. So what is pleasant persistence?

Speaker 2:

It really is about finding the right amount of assertiveness. So obviously, sales requires a lot of outbound. Either you're in customer sales, where you're trying to generate that meeting to make progress on their security objectives, or it's going for new logos and they don't know who you are and you want to get in front of them and have them pay attention. So pleasant persistence was something my CEO coined years ago, referring to my ability to just be disciplined and be consistent in my outbound, in my outreach to make meetings happen. And you know, it became naturally to reach out to and, for example, with customer sales.

Speaker 2:

One of the things that has really helped me is to take really good notes. So I've had the privilege of being able to work with hundreds of customers over thousands of hours being in front of the customer with my security engineers, the experts on the technical side of our program, and to take good notes on what are their challenges, what are their objectives, what progress are we making today, what's next? And then so as I would go outbound to try to generate that next meeting or go after other customers, I knew what my customers were facing. And so I could be persistent with that and I could be pleasant about it because it was always all about them, and I think the more that you can make it about them, the more successful you're going to be in garnering their respect and trust and to get their attention to make progress on what there is to do.

Speaker 1:

I've been reading up and doing some research on Loom Outreach.

Speaker 1:

So basically creating a little video, putting it and that's everything you're saying reminds me of that is make yourself personal, you know, instead of blasting out like all these automatic, the automatic blast outreach has its place.

Speaker 1:

I think it's really good marketing, a very good marketing tool, but it sounds like pleasant persistence has a little bit more of a human touch to it. Absolutely, it's like what you call in the old country, I don't know what old country I'm talking about, but a little bit of charisma, a little something's not smooth and sleazy like the way that a used car salesman's perceived. Not out to all my used car salesman's salesman not knocking it, but interesting like the perception is that salespeople are very like pushy and you know, and, but for you it seems like pleasant persistence is really about understanding your customer, probably about understanding your product as well. So let's tie that into attack surface management, and that's a slice of the market that's really interesting and is ramping up because, you know, the problem is very simple: you can't secure what you don't know you have, right? So what is the value prop that you are uniquely pursuing these days?

Speaker 2:

Well, first off, it's a very proactive approach. Okay, so not everybody's up for it. In fact, if you would ask me who my challenges are in terms of my target market, it would be small business. Often, small businesses security teams will believe and say things like they're not a target because they're too small, and the three of us here know that that's just not the case. In fact, attackers will look for small businesses because they know that small businesses think that way and there's often gaps and weaknesses that they can exploit. So it's proactive. They need to be up for it, meaning we're really addressing cyber hygiene from a perimeter-wide approach. So, again, everything with a host name and an IP address, we're helping them get a handle on those elements that attackers are looking for when they're doing their reconnaissance. Things like weak ciphers and outdated certificates and JavaScript source code and form security and DNS configuration and subdomains with CNAMEs that aren't pointing to any resources that they thought they were, and really you don't know that.

Speaker 2:

You don't know. There's probably legacy projects out there on most organizations that were built and launched and are still out there and not supposed to be. There's probably open ports out there with products and services that aren't being used anymore, or there's open ports with no products and services on them, in which case we always recommend just to turn those off. So it's about reducing exposure, right, it's about reducing that footprint. Don't be attractive to an attacker, and that can be a heavy lift, particularly for the mid-market to enterprise level organizations, where there's just so much out there. The Internet of today is just so different than it was, and now you have regulatory compliance requirements, cyber insurance requirements that are mandating now that organizations get a handle on third party and supply chain risk, and so that's fairly new. But again, it is becoming popular because it's becoming mandatory.

Speaker 3:

I think that I've been most recently getting approached by regulatory compliance firms asking for assistance. The questions that they're asking I saw my going to know how to approach because it's changing so rapidly. So you really hit a point there with that one. I also think that as we build things out, you had mentioned that pleasant persistence. I had always been taught to do professional persistence, but even that term's changed a lot.

Speaker 3:

And I think there's a lot of sales executives. They go one of two ways. They are too nice and then they get shut down and they don't have any type of rebuttal. Usually that's more of the newcomers, or they have rebuttals and they can be so aggressive with them. And especially when you're talking to a regulatory compliance firm versus a small business, you have to talk very different lingos. There's so many different types of sales approaches. And I think that the mastery of that has to be you have to be open to consistently changing your approaches, writing out templates, seeing what works best for you, what doesn't. I've been a part of a sales team that all they did was pump out constant emails all the time. And it was like the same thing over and over again. And it just didn't get the job done on the skill that we were hoping to do. So I appreciate our thing or say I'm in agreement with you For sure.

Speaker 2:

Cool, Josh. I hope that answered your question. So the bottom line is there is a lot of work for these teams to do, and it's critical that they get it done, and so the more that I can be assertive with the right amount of assertiveness and push them in a way that they find pleasant, to make progress. It's like the alternative is your dirty laundry is out there for exploitation, right? And there's a lot there.

Speaker 1:

So yeah, yeah, I mean terms like shadow IT come to mind. But we know, in the security industry, selling security is difficult because, let's say, I am a CEO of a small business, small medium business. I don't have a fully built out security system or a built out system. You know, I'm profitable, life is good. Nobody that I know has been breached, right. Actually, I'll use a really good example. I live in a pretty, I don't know, say common, but like it's a well-known apartment management company in Minneapolis, right, and I was talking to my landlord about security and I said you know, you guys have a lot of my data, you have a lot of everybody else's data. You have social security numbers, you have tax information, you have income information that attackers will use. They would use that information to basically like, let's say, even your address history, right, so they can use that. And you know, famously, you forget your password. They ask where are these places that you've lived before? They have that information. Now, he said to me, and for the love of God, please don't use this information for evil, we will find you. So his thing was weird. We don't have any of that secure and we have computers, we have databases a lot of, but a lot of what. A lot of the records are kept in paper files, right? So the physical security, apartment buildings are really good at physical security. They have locks, they have the beep in things. Just go on TikTok, look at the Karens telling you that you can't come in and follow her. There's no tailgating because we have cameras, locks, and Karens. Physical security is good. But the digital stuff, they're moving away from the paper trail to keeping things on. I mean very small hard drives, but they're hard drives nonetheless and they can be breached.

Speaker 1:

He said that the reason that they won't do anything for security as an industry, not as a one company, but a group of companies. Each of these companies might be responsible for like 5,000 doors, right, and or 5,000 apartments, and their reasoning is there's just never been a breach that they know of. I told him. I said look, there's been a breach. I'm 100% sure, like you guys aren't. You know it's not rocket science to break into this stuff Again. Please, that was not, that was not Josh. Don't say Josh said okay.

Speaker 1:

So how do you convince an entire industry? Because it's not like you're going to each player and saying this is why you need. I think that your argument for attack surface management tools is very compelling and from a security perspective, you know you're preaching to the choir. I believe you, maggie believes you right. But when you're trying to convince these individuals, who are basically looking to other individuals, they're like if one person gets breached, then they all get breached, but if they're profitable they're conservative, they do not like to spend on anything.

Speaker 1:

How do you approach companies like that? I mean, you know, short of like. Actually I'm not even going to say that There's certain things we have too much knowledge. I'm starting to think, you know, when you've dabbled in Yeah, let's not go there, we're security professionals, let's leave it there, right, and I don't want to encourage anybody to do anything but short of like knowledge of there being a breach. How do you approach these people and these leaders, who are quite sensible, they're not, they're not crazy, they're not. You know, security people try to paint them as like irresponsible and all that stuff, but they're quite responsible, knowledgeable people. How do you convince them that their way is the wrong way?

Speaker 2:

It's really great when prospects and customers want to work with us, because what we do is in the demos, we show them, we can show them everything they're connected to. We can show them those open doors and open windows. It's like a house, right? Do you keep your windows open at night? Do you go away on vacation and keep your garage door open, right?

Speaker 1:

Not anymore.

Speaker 2:

Right, that's what makes me think of my dad. So, but in the 80s, my dad had a blazer and he would just always keep his doors unlocked on his blazer because to him he was just not a target. And then, sure enough, one day in his house his blazer was wide open and he got ripped off and it wasn't much there, but still, it took years for that to happen, but it did happen. And so what's the cost of a data breach? We're about preventing that data breach. And attackers,

Speaker 2:

they don't need much to take over an asset and go lateral right into your crown jewels. It could be a third party asset, a supply chain asset. It could be a weak technology in your environment. It could be an outdated certificate or a weak cipher. There's so much that they can leverage to then go direct that asset to their resources for the subdomain takeover, or they can weaponize a script and get inside your web application. They can hijack a session, take advantage of weak cookie security. And then, before you know it, you're pointing to an adult site or a phishing site, or there's malware in your environment, and so it really does not take much to wreak havoc.

Speaker 2:

What's the cost of a business, even a small business, if a DDoS attack takes them out for 24 hours? So you know, and many of these solutions are not that costly to be able to get a handle on this and prevent these things. I will say that a lot of these solutions out there aren't created equal. And depending on your team and depending on the strategy that the CISO wants to deploy it. And oftentimes it's important that that organization have a vendor that's going to be their partner, that's going to take a strategic approach to them and is going to be willing to spend time with them to ensure that their team is comfortable and proficient with the solution and that they're able to make progress efficiently and that they have an extension of their security team with that vendor.

Speaker 3:

I want to tap into something you just said there that I think the public really needs to realize, and I know any recruiter will love me for saying what I'm about to say. After I went through a lot of executive headhunting and when I moved over into the IT sector, I am not exaggerating, and I was keeping my own statistics here. Everything from maybe one to two years of experience, all the way up to CIO. When interviewing them comparatively and looking at what the clients are looking for, only 50% were qualified to do the jobs needed. We are already at a 3.5 million deficit on cybersecurity individuals. And when you add that statistic in, the risk alone goes way up.

Speaker 2:

And.

Speaker 3:

I feel like this is something that businesses, board of directors, CEOs and all of them need to really be aware of who they're trusting with this type of material. Because what was I just posted about this yesterday? It's 4.35 million is the average breach for any company right now. And, like you said, it doesn't cost that much just to get that insurance, and that's E-N insurance, not I-N, and a good comparable that would be: think about if you were to have no health insurance and you end up in a life threatening accident, what the financial risks alone would be. That mentality has to be there. And it has to begin with hiring the right professionals, asking very particular questions. And a lot of the people making the hiring decisions, with no disrespect to generational, but these people don't even understand the internet themselves. So they're hiring people who say they know the internet and business security and all of this, when in fact they're not hiring someone who's capable of keeping their networks and everything else secure. So I'm glad that you mentioned that.

Speaker 1:

That's a really good segue into the question of third party risk. So what is the cost of not having good security? Yes, getting breached, you can price out that data, you can estimate the cost of your data and you can run a risk analysis and all that stuff. But we're learning that if you are breached and you lose customers to another company that did not get breached, you know you're, that's a cost. How do you quantify that, that cost? And so, Tim, how does attack surface management play into this emerging risk of third party, basically third party negligence, and in the competitive landscape?

Speaker 2:

Yeah, that's, that's an easy but important question, I mean, and then in terms of the, the result, I mean client acquisition cost for one is what goes, goes up if you're breached. I mean, who's going to want to do business with you, right? So attack surface management. So we're looking at gaps and weaknesses throughout the perimeter. And so third party is part of that.

Speaker 2:

So you consider the Internet of yesterday. It was primitive, right? You had a server. It could have been in your closet. The web application you probably built. You knew where everything was. You weren't connected to any. You weren't connected to third parties. For the most part, you had WordPress and you had chat and help desk And you knew all about it.

Speaker 2:

Today, to be competitive, e-commerce businesses need to integrate technologies and solutions to create that visitor experience. You can't get away with building everything and assuming that you're secure. So, and also the cloud, right, we're hosting data in the cloud, AWS, we're connected to Google and different technologies for advertising. We're using blog platforms. We're using technologies for help desk and for chat. We have subsidiaries, we have potential mergers and acquisitions.

Speaker 2:

What is the organization inheriting through an acquisition? What is on the perimeter? And then there's the legacy projects, those projects that, again, were built in the past and they're still out there and nobody knows about them. So there's third party, there's third parties, within all of that, right? There's developers that are being creative, driving business outcomes as they should. The question becoming more and more is, is it being built securely? What third party tools are they using? Where is the data being hosted? Does the script have the API keys in it? Is it public? Are there session tokens and other secrets that attackers could have you know would really enjoy finding within the script source code? So, again, third party is part of all of that, and so our position is if your name is on it in any way, if it was taken, over.

Speaker 2:

Yeah, if it's connected to your network in any fashion, there needs to be visibility and control over that asset, regardless of who built it, regardless of the relationship with the vendor or the technology. You just simply need visibility and control over that. In real time, continuous monitoring. So, for example, subdomains are often picked up for typosquatting, right, to prevent attackers from taking over the brand name and building something that tarnishes the organization's brand. All of those subdomains are public and they can even be redirecting to the parent site, which is fine. But those are often the targets of attackers, who take those over when nobody's looking and redirect them to their resources, adult sites and phishing sites and what have you. So it doesn't matter. Again, third party to me means it doesn't matter who is managing it. If your name is on it in any way, you need to have visibility over it all the time.

Speaker 1:

It's compelling. And even if I think it's also compelling for those who you might be working with other third parties and you want to know that you want to keep tabs on tabs but you want to kind of keep them, hold them accountable. But also myself as a vendor, I am a third party. I have to think of myself as a third party. A lot of companies I don't want to say that they're not thinking about it, but I don't hear about it as much. I hear about a lot of people thinking about their third party risk in terms of their supply chain but also neglecting the fact that they are part of a supply chain.

Speaker 2:

They're connected.

Speaker 1:

Yeah, yeah.

Speaker 2:

So that's often what we'll challenge them to do. Right is what would you do? We'll ask the customer what would you do if you found something that you were uncomfortable with, that the third party was exposing you to? And the answer we're looking for is we would call them and get them to clean it up. But you can't do that if you don't know about it right? So the first thing is visibility.

Speaker 1:

You know that's the major selling point for asset attack surface management. There are lots of tools that you sort of have to kind of really have to push a little bit extra to sell, you know, because you're trying to make the case for cybersecurity. But I think attack surface management is one of those things. Like you're right, it's a very simple calculation. Do you know what you have? No, well, how do you know that it's secure? Well, I think so. You know, probably even before pen testing, because to pen test you sort of you know pen testers may do both. They might do some attack surface management or discovery on the way to doing their pen test. But it's embarrassing, it's got to be embarrassing to find on your pen test that you've got like 30 servers that you didn't know you had.

Speaker 1:

Like it's one thing to be like you know, yeah, like we know that that person, that person was a new hire. We have to redo our onboarding processes. We have a bunch of you know we don't have the best password policy, we don't have the best access controls. Okay, great, you know. But hmm, I've got 30 servers I didn't know. You know they're connected to an entire domain that I didn't know existed. You know that's got to be embarrassing. So that's a really easy, an easy proposition there.

Speaker 1:

So if we're looking at pleasant persistence again, right, how do we? And pleasant persistence is sort of starting to sound like the alternative to scare tactics, which is, you know, I'm one of the few people who thinks of scare tactics. I think. I think it still works. I think it mostly goes by the, the, the moniker of threat hunting. You know like, okay, so what are? That's approach, risk from a threat perspective, okay, that's still scare tactics.

Speaker 1:

But pleasant persistence seems to, seems to penetrate the market more with common sense. But let's be fair, you're working with a, with a tool, and within a slice of the industry, that is, it has a very high need, right? So I'm not going to say it's easy to, to basically talk about the merits of that, of that solution, but it's. It's easy relative to not easy I don't want to say easy, but it's. It's simpler relative to some other solutions. But you will find yourself talking to really difficult people who you know, as as pleasant as you are and as persistent as you are, you're just not going to. They're just difficult, it's really hard. So are there particular verticals or particular roles or people that you that you talk to on a daily basis or weekly basis, interact with from time to time that are that pleasant, persistence, just like you just got to be that much more pleasant, darn it, and you got to be Overwhelming and with persistent huh.

Speaker 2:

Overwhelming pleasantness. Yes, yes, yeah. No, it doesn't work for the know-it-alls. It doesn't work, no. Yeah, the know-it-alls that come in and and they haven't answered everything, and they're fine, and they have a solution that does what we do, and whatever I mean they've, they've got it all hot tight, yeah, so what do you do?

Speaker 1:

Do you leave those? Do you just leave them? Do you give up? Is there? Is there a time I'm not going?

Speaker 2:

to say you know, it sounds like you really got it together. Do you want to check? Do you want to take a look at your your perimeter? Because that's available, I mean, we can just turn it on, we can meet, we can walk you through what's there? Mm-hmm, including third party in third party and supply chain. What are you doing for your JavaScript source code? If there was a change to that code, would you be aware of it? What about all those things? What about all those potentials that aren't authorized, the unintentional things, elements, configurations out there that aren't authorized? Wouldn't you want to know if someone was doing something behind your back within your organization? Shadow IT stuff.

Speaker 1:

Well, you scare me a little, tim. I almost went. Who's I found like that coming straight on with a scare tactic has to know it all really pipe up and say no, we got it.

Speaker 2:

Yeah, Yeah, because you're challenging them, yeah. No, we're, we're good, we've got a good firewall.

Speaker 3:

I was going to say I use a little bit different tactic and it's more of a psychological approach. I know when I reach a certain level, especially as a woman and I hope other women resonate with this one. It's difficult to penetrate a very male dominated industry. Having blonde hair doesn't always help me, but I would say whenever I can tell someone thinks they know so much more than me, I'm like okay, that's completely fine. I want you to remember the words I'm about to say. You're going to remember me telling you I'll talk to you again sometime. And then I leave it. One of the best mentors I ever had told me it can never mean more to you than it does to the client. And when you flip that on them it gets them thinking like well, who does she think she is? And it's, and it's a magic. And then you just walk.

Speaker 3:

If someone is really going to buy into your product or your service, they have to buy into you first. So sometimes the scare tactics from a product standpoint won't work. Uh, a pen test, you know they'll. They'll tell you Oh well, I've got people doing that for me. You know this, that and the other. But I think sometimes just saying Okay, Mr Narcissist, no problem, go ahead, have a nice day. And I'll talk to you soon.

Speaker 3:

Not exaggerating when I say 75% of people I've had to pull that card out with, I end up getting an email or a phone call from even a two, three years later on down the road and saying you know, I should have listened to you, we had a breach, and you know, it costs us about $2 million. Oh, okay, remember how I was just offering a few, a few hundred for me to maybe make a sale with you. Yeah. Well, I'm not gonna say you're right. You know they never say you're right, but it, but that's the beauty in it. So and sometimes I'll use Tim's approach, I think it's just a matter of of knowing your worth, knowing your service and, and really especially on the small business side, they, a lot of them, are working with MSPs.

Speaker 3:

MSP companies in particular, highly targeted, and I mean I had several clients of my own, and I had one in particular tell me I'm not sleeping at night because I know if something were to happen to me, a hundred of businesses could literally shut down because they'd have to close their doors. That amount of stress. And I would really encourage anyone to to assist MSPs on on a very high level with their business security. And I will also say the caveat to that is there's a lot of MSPs who think they know it all. Shocker, right.

Speaker 1:

Okay, let me just cut in right there. Maggie, I don't like doing this, but I will cut you off right now. I will cut in because that is the perfect example, like to what Tim was talking about MSPs. They are a third party. Like I am a third party. If I'm an MSP, I've got a target on my back. Everybody knows I'm the problem. How many people are, how many companies are breached because of MSPs? And they're the hardest ones to sell to because they know it all. I'm sorry, go ahead. I just had to like cut you off.

Speaker 3:

To the good reason.

Speaker 2:

I love it.

Speaker 3:

And you know what else I'll say. Some of my favorite clients are MSPs. They're real people. They're it's usually kind of like the mixture of a good old boys club, but like real humans meets, like Uber geniuses, you know, and a lot of them are very passionate. You get more passionate with MSPs because they are quite literally held to the fire 24 seven, whereas you know another company. That's an enterprise level. We got an MSP looking over us. Well, that's first take. You know, but I'll just cut me off. I'm used to it.

Speaker 3:

But also I'm saying what everybody's thinking.

Speaker 2:

It's the second part.

Speaker 1:

You definitely are.

Speaker 2:

Don't you want a second set of eyes on the MSP? Are you entrusting them fully to keep you secure from a breach?

Speaker 3:

You do know how many MSP clients I had. That literally I would say Okay, I understand your services. What are you doing from a cybersecurity standpoint? Well, and they wouldn't have an actual plan, let alone a backup plan. And when I was, I mean, this was years ago. Things have changed quite a bit, But even the big, the big ones, they have a hard time really assimilating that on an enterprise level or even a governmental scale. You know there's governmental contractors getting fired because they are not fulfilling compliance regulations, And so it's. It's something that programs in college or certification programs need to focus on how to keep MSPs secured much better. I think that's a big thing.

Speaker 2:

Yeah, and then the question I always have to add to that is what assets are they not looking at? Where are the gaps? Do you have one place that you can go to, where you can see everything you're connected to and the risk correlated to those assets?

Speaker 3:

Absolutely.

Speaker 1:

I'm not going to lie, Maggie. If I were single and someone approached me and I was just like it's a hard no, I was just like no, no, no, sorry, I'm not interested. But if she looked me dead in the eye and said, mark my words.

Speaker 2:

A few years from now.

Speaker 1:

Yeah, you're the only one who's All of this is?

Speaker 3:

fruition, and this is something I always I tell. I've trained female sales professionals. This It's like dating We don't know everything. It's a nice ebb and flow, but we'll see how it goes, because there's lots of options and I just leave it at that.

Speaker 1:

That's no gear.

Speaker 3:

It's not being cocky from an ego standpoint, it's just knowing. I think a lot of men underestimate a woman's intuition. We're gifted with it for a reason, and you really could utilize it a little bit better.

Speaker 1:

I see now why there hasn't been a lot of women in sales. It's because we're terrified. Y'all know the tactics, y'all know how to do the thing, because that is the women's intuition. I think, in the boardroom, in a customer call, in an investor's call, you just have a different perspective and a different way of looking at things and it works.

Speaker 3:

I will admit to you and oh God, I hope this doesn't come down. Don't say Maggie says, But I have quite literally walked out of huge meetings with multi-million-dollar investors sitting at a table. The egos are flying, The cuss words are flying, We're talking. It's like a poker game. I just stand up and walk out. They all look around like what did we say? It's like what are you doing here? Why am I?

Speaker 3:

here If you don't want my opinion or you don't want to hear what I'm saying from a woman aspect, then why did you even invite me to take notes? I don't think so.

Speaker 1:

I never would have even thought of that.

Speaker 3:

It's like a would you sit at a table having dinner with people that, quite frankly not necessarily offending you, but you know you're just not connecting. Why would you waste your time? Excuse me, I'm here to make money too. I got to go. If you're going to waste my time, I'm going to go sit with some other people that are actually going to listen to me and give me the platform to talk. So thanks for having me over with Josh, by the way.

Speaker 1:

And that's what it's like. Well, that's what it's like in dating too. You've said five things in the last five minutes that I just never would have thought about. I just never would have thought that that's the approach. But if I was like if a girl liked me and I didn't like her, and we were sitting in a coffee shop and I was like talking, ranting, cussing, doing whatever, and she just got up and walked out, I'd be like what's wrong with me? I'd be up at three in the morning thinking about. She said she's going to see me again, and I don't think so, but she seemed pretty confident. So three years later we'd be married.

Speaker 3:

Well, I think it's a matter of putting egos aside, respecting one another's skill set. You know, Tim and I, we've really connected from a sales perspective and I kind of want to segue a little bit into strategic account management, the different things that come along with that, but pairing skills on different basis. So I'm much more of an eye in the sky, operational oversight type of sales professional. Tim is more on the technical nitty gritty. I mean, he's already got me sold within the first minute that he's talking. I'm like what is that term? I don't even know what's on it. When you speak in layman terms and I'm not afraid to ask that.

Speaker 3:

But on the flip side of that, sometimes you get someone that's an 80 year old business owner who doesn't even want to use the internet, literally especially in Midwest America, shout out to the heart of America And you got to talk layman terms and say, hey, do you want to lose $30,000? No, yes, okay. Well then maybe you might want to take a look at this contract. I mean, you know, you got to be able to talk the lingo and sometimes pull out that dating card. You know, so to speak. And I would also say do it from a very integrity filled professional aspect.

Speaker 1:

Yeah, if I try to do it it would come off creepy, correct. It wouldn't come off as professional. Yeah, it wouldn't come off as professional, and you know I'd probably botch it, but all right, so meeting out for that before we Yes, please, part here is that women can say things that I can't say.

Speaker 2:

They can get away with saying things Like what Tim Like what. You know what I'm saying.

Speaker 1:

Yeah, yeah, I can't say it either. So what do we what? What did we talk about?

Speaker 3:

Oh, that's a rabbit hole in and of itself.

Speaker 1:

Yeah, yeah, yeah, no, I agree, I agree.

Speaker 3:

I want to kind of touch on what you just said, Tim.

Speaker 1:

So let's talk a little bit about. Please, Maggie, you say it because neither of them. I'm going for it. I'm going for it, oh, I'm going for it.

Speaker 3:

So let's talk a little bit about strategic account management. You had mentioned something and I loved the term gourmet experience. I, in a little bit less classier way, I used to refer to it: Do you want Burger King or fast food, or would you like a filet mignon? Right, yeah, they're, both are going to feed you, but there's just a different level of quality. So what do you mean by that? Tell us a little bit through that and how that would even tie in with being a strategic account manager in their mentality.

Speaker 2:

Yeah. So there really needs to be a fit between the organization, the vendor and the client to be strategic. And the analogy that I like to share is fast food versus gourmet. So 80%, let's just say, of a business they're serving fast food, meaning it's transactional And the customers that's what they came for. So in a drive through they're in line, they want hot fast food, they want to pay and get out. They don't need to talk to you, they don't want to talk to you, they just want your product and they want to move on. 80% of the business could be that And that is hugely profitable. There's nothing wrong with that model. But there are probably 20% who really want the white glove approach And they want a gourmet meal. They want the filet mignon, they want to come in, they want to experience the filet mignon, they want to cruise the menu, they want the great service from the wait staff, they want to talk with you, they want to meet the chef, they want that gourmet experience. And that is also an exceptional model for things like retention.

Speaker 2:

We know that strategic accounts that are managed well. With a program where we're building an account plan with that customer, we retain them, they expand, we get to enjoy higher gross margin And leading up to those lagging indicators you could call profit and more revenue a lagging indicator. Leading up to that, you're building the account plan. You're getting great feedback on your solution. Likely, your product team is changing your product based on that feedback, based on that relationship. So it goes from transactional that's the fast food to a great relationship.

Speaker 2:

You could call that a preferred supplier. The next level would be a solutions partner to where you actually have a plan in place around the solution, to where you're making progress on their objectives around that plan. They're giving good feedback on your solution. You're adapting your solution for them. And then there's the pinnacle, which would be like a marriage between the client and the vendor. That's trusted advisor. They're invested in you and you're invested in them. And that's a relationship between a client and an investor that's built to last and built in a way to where you're both co-creating value and you're both enjoying that value.

Speaker 3:

Perfect answer. I love that. I think that one of the hardest things some sales executives have to learn the hard way is retention. And it's hard sometimes from a humanistic standpoint because we change as people. What Every other year, every five years, you know and if your client goes? okay, basic example Let's say your client goes through a divorce or loses a parent and their life has radically changed as far as their family, their friends, whatever, And something like that can truly impact a relationship with their vendors. They might have a different take on the world, how they do business, what their goals are. Another hard thing to overcome is when you have a really good relationship with someone and you call in and next thing you know, rug gets pulled out. Oh, you know what? They actually left the company a month ago. Well, that, right there should tell you. Number one if you really have a relationship with a client, they're going to call you before they leave and say, hey, heads up.

Speaker 3:

I'm going to be leaving the organization. But that takes a lot of that equal given back and forth with the value added piece too.

Speaker 2:

Yeah, and is the vendor connected to the C-suite?

Speaker 3:

Correct.

Speaker 2:

Right, it can't be just one engineer To be strategic. You really need to get the C-suites involved And then the vendor organization really needs to have a program around strategic account management for that to work, so that the SAM, the strategic account manager, can effectively go internally and mobilize their resources. There needs to be integration, absolutely Without the organization, for that to really work. But it's proving to be really worth it And as the landscape becomes more competitive and as cybersecurity becomes more complex, there really is a lot to be gained by SAM programs by building those relationships to where it really is built on trust and value, so that they can go the distance with each other.

Speaker 3:

I agree, because they're myself Thank you.

Speaker 1:

Yeah, that's a really good way to close out. Great, thank you both. Thank you so much, Tim, for joining us on episode number one. Again, I am your host. Yes, thank you so much. How do you end these things?

Speaker 3:

I have one thing. For anyone that stayed with us this long, we appreciate you watching. Thank you so much. We hope that you really got some value from what we've discussed here. We're trying to really think outside of the box with our topics. And we appreciate any feedback, and also our next episode is going to be featuring the CIO for the city of Las Vegas. We're going to be tackling a very brand new industry from maybe what's talked about as much, I think, and so we're really excited to have him on and we hope that you join us. Thanks, Tim. Great. Thanks, Josh. Thank you guys.

Speaker 1:

Thanks, Maggie. Oh and Tim, if people want to get ahold of you, what's the best way?

Speaker 2:

Connect on LinkedIn. All right, Tim Scanlin, S-C-A-N-L-I-N, on LinkedIn.

Speaker 1:

And you can find me on LinkedIn as well, or you can email me at josh at brooningcom. Maggie, do you want to be reached? How can people reach you?

Speaker 3:

They'll find me on LinkedIn. Same thing. You see my name right there, maggie Dillon. Hi, nice to meet you. Send me a connection invite. I'd love to make friends.

Speaker 1:

All right, great Thanks everybody. Thank you, bye, bye.

Security Industry Insights
Pleasant Persistence and Proactive Cybersecurity
Selling Security to Industry
Risk & Attack Surface Management
Sales Strategies for Attack Surface Management
MSPs and the Importance of Cybersecurity
Building Strategic Relationships With Clients