Mastering Risk Management Podcast

MRM Episode 87 - John Charles, SVP ISSQUARED: IT Security and AI Insights

Anthony Wilson


What if your career trajectory could change with an unexpected gift? Join us for a thought-provoking conversation with John Charles, the Senior Vice President at ISSQUARED Inc, as he recounts his unique journey from receiving an IBM PC from his parents to shaping the field of IT security and identity management. 

From the discipline of the United States Marine Corps to impactful roles at AT&T and Microsoft, John shares how these experiences laid the foundation for his work at ISSQUARED, a company now navigating the complexities of managing access for devices, applications, and data.

Ever wondered how actionable roadmaps can revolutionise IT security? In our discussion, John reveals the power of interactive reporting and how it can lead to immediate corrections and flexible budgeting, helping IT departments become more business-savvy. 

We also tackle the future of artificial intelligence, the critical need for private cloud solutions, and effective data management. Tune in to discover how these insights could be vital for insurers assessing risk and the importance of maintaining momentum through dedicated project management. 

This episode is packed with invaluable lessons for anyone navigating the fast-evolving landscape of IT security and AI. Enjoy!

ISSQUARED® Inc. | IT Consulting, Managed IT Services, Cybersecurity and Communications (issquaredinc.com)

Contact ABM Risk Partnership to optimise your risk management approach:

  • email us: info@abmrisk.com.au
  • Tweet us at @4RiskCme
  • Visit our LinkedIn page https://www.linkedin.com/company/18394064/admin/

Thanks for listening to the show and please keep your guest suggestions coming!

Anthony Wilson:

Well, welcome back to the Mastering Risk Management Podcast. I'm Anthony Wilson. Great to have your company again and your ears for another fascinating interview on the program. So today we have John Charles and John is the Senior Vice President at IS Squared. Now, interesting name. We might delve into what that name is all about a little bit later. John's customer-facing role is that of a strategic senior IT architect that works with customers' upper-level management in strategic planning and problem solving. This entails how to utilise technology to meet their business requirements faster, cheaper and maintaining a future vision. John's internal role at IS Squared is as the head of R&D, managing product development, research on emerging technologies and complex IT problem solving.

Anthony Wilson:

John started his IT career as a young developer coding in C++. That's probably something historical we'll ask about as well. John then branched out to network engineering and security and completed the circle with system integration on IoT systems in the manufacturing place. John also holds a bachelor's degree in computer science from Cornell University, where he graduated magna cum laude, which I think means with high distinction. So, John, welcome to the program.

Anthony Wilson:

Thank you, Anthony. The program, thank you.

Anthony Wilson:

Anthony, great to have you here and a very interesting bio, and it sounds like lots of things to explore there, including the IS Squared name, but we'll come back to that. So, John, tell us about your career journey. So how did you go from sitting in high school or grade school, or whatever school it was, and deciding to get into information technology?

John Charles:

Oh, it's a very interesting road. I actually was not planning to be in the IT realm. In high school I was thinking about electrical engineering as a major, but before that I was a normal teenager. So I believe it started way back before I actually decided what my major was going to be. As a young guy I wanted a video game and I asked my parents real nicely, "I've gotten some good grades, can you buy me a video game?" Don't know if my parents thought that was a joke or they just have a very peculiar sense of humor, but they bought me an IBM PC instead. So a friend of my mother's was a programmer for the financial industry and she looked at me and said, "What's the problem? Write one. If you want a video game, go write one." And I proceeded the next couple of years of just copying video games that were on the market, trying to reproduce them, and that's how I got into programming.

Anthony Wilson:

Yeah right.

John Charles:

Anybody that's studied electrical engineering, they understand that an entry-level electrical engineer is a programmer.

John Charles:

There is no electrical engineering into it. So I kind of kept on to IT realm and it kind of switched off. So from there I went into programming. After college I did a stint in United States Marine Corps. During that time is probably where I became more interested in the IT realm, seeing where things were going and how maybe not as modernized as I thought the real world was. So that led me more into the network engineering and the security realm of my background. After my tours in Marine Corps I ended up working for AT&T internally in their business management division, IT business management, where I was happily exposed to a lot of more advanced networking.

John Charles:

There are early phases of the internet, high capacity, high bandwidth, and with that came all the strategic planning to be introduced, with all the planners, the architects that were saying, oh, it's not what's here now, it's where we have to be in two years. So that changed kind of what I was always focused on. So it's great to have the technology now. I was always interested in what's coming. From then I did a stint with Microsoft as a Microsoft consultant for a while and then I worked for some biopharma companies where I was put in a challenging task of modernizing their manufacturing facilities, which gave me that experience in the IoT realm. So that leads me to today. So a couple of buddies of mine decided that we were going to branch out, take our knowledge and start an internet security company, and that was the formation of IS Squared. You quote on, IS Squared does have a meaning behind the name. So it was information security, information infrastructure, so I-S-I-S. So we happily didn't pick ISIS; at one point that was on the list.

Anthony Wilson:

That could have been a marketing disaster.

John Charles:

That would have definitely been a disaster.

Anthony Wilson:

Oh, that's great. So a very varied path in your career and lots of experience along the way, by the sounds of it.

John Charles:

I definitely didn't take a straight road.

Anthony Wilson:

Yeah, which is frequently the way with the guests that I speak to. You know they experience a lot of different things along the journey, which is great, that's great. Thank you for sharing your path. So tell us a little bit about IS Squared. What's the scope of the works and what sort of services do they offer those sorts of things?

John Charles:

So, in the beginning IS Squared we were formed as an identity boutique shop, so we managed identities back in the days with directory structures, and so forth. We managed complex ADs with mergers and acquisitions and so forth and then we kind of got known as the identity experts, both from Microsoft World and later on with different security vendors. So that's pretty much the core of it. We built a good practice about web consulting as well as a managed service practice.

Anthony Wilson:

Okay, so your speciality, if I understand it correctly, is the identity of people accessing systems and access levels and those sort of things. Is that correct?

John Charles:

That's how it started. Now we fast forward. Today, identity is everything, so you think it's not only the person's access. Now it's your device, your computer's access, it's your cell phone's access, it is the application's access to even access your data.

Anthony Wilson:

Right.

John Charles:

So it's become a lot more complex. It's not as straightforward as just thinking about individuals anymore.

Anthony Wilson:

Yeah, no, clearly I hadn't thought about that perspective either. So access, and I guess, to the organization's network systems, to the data, all of that stuff that has to be protected. Yeah, correct.

John Charles:

So we also specialize in certificate-based access now. So we've kind of shifted and once again moving kind of what's in the future when we're going to move away from passwords, what's more secure, trying to stay two steps in front of the bad guys.

Anthony Wilson:

Yeah, yeah, absolutely. So what is that? You've thrown out the bait and I've bitten. What is in the future? You know, ahead of passwords and all of that stuff that we go through now with multi-factor authentication and those sorts of things. What are some of the things that the future holds, do you think?

John Charles:

Well, if you think about it as an individual, we've tried to fix things with the multi-factor, with RSA tokens and so forth. If you start thinking about identity in that whole holistic view now, how do you give a device a password? How do you give a new application a password? It gets more complex. However, you can input a certificate into almost most devices, network devices, personal devices, so allowing people to bring their own device, BYOD, and that's more secure. The certificate's harder to break, so if it's generated from the banking or a financial institute, it's not like it is a public certificate. For it to be valid, it had to come from that organization. So that kind of eliminates the man in the middle watching you and trying to find new ways of capturing your credentials. So we see that certificates are also easily revoked. So think about it: how fast you can recover or cut off the links. It's faster, it's a faster means.

Anthony Wilson:

So if a device is stolen, a phone, a mobile phone, for instance, or a laptop, or whatever else, you report it and you revoke the certificate and you don't have to worry about it. Okay, that's very interesting. And how does that affect individual identity as well?

John Charles:

So now you think about what's the easiest way to tie that or grant a person a certificate. Eventually a person is going to generate their certificate to identify them as them and then actually give that as maybe a secondary authentication to their bank, to their school. So you authenticate one way from the organization and then a second way back to make sure both sides of that authentication is the actual person.

Anthony Wilson:

Yeah, okay. Interesting. Some ideas.

John Charles:

Yeah, so some ideas, yeah.

Anthony Wilson:

So that is fascinating. So I guess a double-barreled question here, John. So what does a typical IS Squared customer need or look for and what is the problem they're typically looking for? And then the second part to that is what would a typical engagement look like for guys. What does a project look like? How does it start, those sort of things?

John Charles:

So we're a very unique boutique company. We have very high-end Fortune 100 companies and very medium-sized large companies. So we kind of delve in from two kind of entities when it comes to security and maturity. So I'll handle like a mid-sized large company and then we'll talk about like enterprise. From a mid-sized company, when I say a mid-sized, I'm kind of talking about still, they have a couple of tens of thousands of employees. Possibly they are trying to make sure they're more secure.

John Charles:

So get to that. Okay, come in here, make sure that you can assess what we had and make sure it's the best that we can. So we do a lot of initial engagement with just coming in and doing an assessment. They'll say, okay, we want to do a network upgrade and this is what we're planning. We're like, well, let's stop. Before we give you any ideas, let's make sure you have a strong footing of where you are right now. And that's typically how most of those engagements start. From the enterprise, on the different side, they are totally probably a little more mature, they know exactly what they have and the problem is they probably have too many pieces of the puzzle mixed around and don't know how to put them together.

Anthony Wilson:

Right.

John Charles:

And you'll find out a lot with security tools integrating with business applications.

Anthony Wilson:

Yeah, and is that like a legacy issue, that over time the enterprise has grown, they've got more bits of software and bits of kit and then they build another layer of security onto it and it becomes a bit of a jumble?

John Charles:

That's one of them. But if you think about it, if you talk about, and this may be legacy, talk about having Active Directory in your organization. And now you have a bunch of SaaS-based business applications. You still have to link those together for single sign-on, make sure the tokens work, so forth, that they're working seamlessly for the business. So those connections also need to be planned out and configured. Sometimes we do. A lot of times we actually build custom connectors to make sure that the user experience is more seamless or more secure. You're not sending out passwords on both ends or anything, things like that.

Anthony Wilson:

Right right.

John Charles:

So the engagements are similar but kind of different on how we implement. One's more planning and help walking them through, and the other one's more integration and making sure everything works good collectively. Yeah, okay.

Anthony Wilson:

That's good, thank you, and I'm hoping the answer is 90% of clients are being proactive in thinking about their security environment and how they could improve it, or, you know, or be on some sort of continuous improvement journey. But is there the case where some clients have just had an incident, or they've just had a near miss and you know, they've had a bit of a fright and they're now saying, oh, by golly, guys, we need some help. Is that the case?

John Charles:

I would say about a year and a half ago, maybe 18 months ago. That was probably more of the case.

Anthony Wilson:

Right.

John Charles:

I would say now they're more secure, aware, and there's two things driving especially the mid-sized large companies. It is they are becoming more aware of compliance and they're becoming more aware of their certifications. So whether they want to make sure that their clients are asking vendors to make sure that they are SOC 2 compliant, so forth, and that's kind of driving their security. Another big driving factor, whether it's midsize, large, enterprise, is insurance. The insurance cybersecurity is driving security awareness. They want to make sure, I mean, typically you didn't have insurance questionnaires saying, okay, show me that you have multi-factor installed, you have protect physical security on your data centers. These are valid questions that every organization is getting these days.

Anthony Wilson:

Yeah, that's a really good point, John. Thank you for bringing that up and just having a few of our clients going through the process of filling out that cybersecurity renewal form, yeah, there's some white faces, let me say, as they sit there and the blood drains away and they think, oh, my goodness, how do I answer that?

John Charles:

It's become more aware that finance, accounting, or that side of the back office business, is becoming very friendly with IT. They're like hi, I need you to help me answer this.

Anthony Wilson:

Yeah, you're right, there's some strange new bedfellows, as they say, as they work together to work through that. But listen, it's a good thing, I think broadly, for, uh, end consumers to know that organizations are absolutely taking this seriously. Yes, and it's a good outcome for insurers as well. So if they benefit, then, you know, clients benefit with better premium and those sort of things as well, because the market's been pretty tight, as we've seen.

John Charles:

Yes, definitely.

Anthony Wilson:

Yeah, so that's good. We can get clients that are proactive and, you know, and we're moving away from clients that are responding. What does a typical engagement look like? You start with a bit of an assessment of their current state. Is it normal that this looks like a, you know, massive project that's going to take 12 months to put all the elements in and people are scratching their heads and saying, oh my God, this is going to take forever? Or can the uplift, I suppose you'd call it, to get to a happy place in terms of their security environment or posture, can that be done relatively quickly? What sort of length does a typical project take and what does it look like?

John Charles:

So our typical assessment and we have network assessments, we have your cloud assessment, we can have your internal infrastructure assessment Either of those we try to keep them within like two to three weeks so that we can get them a response and they get a good footing. We like to be interactive so we don't just take a report, give it to them like there you go. It's more of okay, we want to present what we found so that one, you can say, oh no, you missed a piece and we can correct it. And then, two, give them kind of options.

John Charles:

I mean, the worst thing is for an IT director to say, oh yeah, we just paid for the assessment and his manager wants to see it. He has no way of responding. Options, a roadmap, timeframes is better for him. It makes him look like he's well-prepared for his environment as well as saying, okay, from a budgeting standpoint, we are looking at this. So kind of, tell me what I can do now and what we need to get done at a stage so he's more prepared. It's actually getting your IT side of the house more business savvy.

Anthony Wilson:

Right, and I gather that the report roadmap prioritizes sort of, you know, urgent, do now; you know, important, do soon; and, you know, nice to have, do later type stuff. Does it give it that sort of prioritization?

John Charles:

Yes, and it also gives them flexibility on spending. So, okay, we're tight right now. However, we can get this done, and this may also be good on the insurance side, because that roadmap can flow into there. Talking to the insurance agent saying, okay, here's our roadmap on security. These are all outlined for the next two to three years, and they're happy with their premiums too, and then, typically, off of that, that gives them the opportunity of saying, okay, based on your expertise, we would like to work with you on these projects. Do you mind either being the architect or a consultant on these projects? These we'll handle in-house, these we'll do externally. It gives them all that flexibility.

Anthony Wilson:

It gives them all that flexibility, and you can provide a service from, hey, here's the report, good luck, see you later, right through to project managing the whole thing, I gather. Exactly, yeah. Oh no, that's great, that's great. Um, left-field one, John, for you. Has IS Squared ever been engaged by insurers to make an assessment of somebody before they take on a risk?

John Charles:

Actually, no. That's actually a very good idea. We've never actually taken it from that side before. We've taken it from financial but not from any insurers.

Anthony Wilson:

Yeah, just a thought that just occurred to me. It's a good way for them to self-assess, I suppose.

John Charles:

It makes sense. I mean, you have financial institutes that want an assessment done to make sure that it's viable to loan this money or work with this company. It makes sense.

Anthony Wilson:

Yeah, no, it's just a thought that could be a service that you could provide definitely.

John Charles:

Thank you. Yeah, yeah, that's fine.

Anthony Wilson:

No, that's good. So, in a project that goes over a period of time, so, you know, if there's a fair bit of work to do and those sort of things, is there a risk that the organization loses a bit of that focus or the urgency, and is there a way to keep them engaged or keep them on the straight and narrow, as it were, to rectify any security issues?

John Charles:

That is a very big problem and we've actually implemented a project management office within our company, which we for these types of engagement. We always say we would like to put a PM on the project to make sure or help you keep track, and sometimes it is just they are busy resources and things get put to the side and come at the last minute and it's like, oh, where's the status on this?

Anthony Wilson:

Now that's good. That's good, yeah, because obviously organizations have a lot of stuff on their plate and things can drift or other things can take priority and be good to help them keep a bit of focus or at least keep momentum.

John Charles:

Nothing worse than something stopping and trying to restart it again, and IT is famous for doing a lot of things at one time.

Anthony Wilson:

Yeah, absolutely. John, tell me, and I'm not sure if you can answer this or you've come across it live, as it were, but what about artificial intelligence in this space? Is there something that organisations now need to think about differently because of AI? Are there potential gaps now in enterprise or organizational security postures that they're just not aware of? With AI coming on, is there something that you're contemplating in that space?

John Charles:

That's actually a very large discussion. One of the products that we offer is a hosting solution, a private cloud, and after, or actually during, COVID, a lot of customers wanted some kind of edge solution where their computes weren't totally internally in their data centers but wasn't totally on the public cloud that has branched out. When you think about AI and now that they're talking about where to keep their data Right is definitely the meat and potatoes of everything. It can expand, it can take on that big blast, but sometimes you want the same kind of flexibility in a more controlled manner.

Anthony Wilson:

Right.

John Charles:

And so we definitely see that we have a couple of customers that have been asking to see more of the private cloud solutions, how they're going to model this, and then the other one is definitely asking more about the data. How do we manage my data? How do I do my data engineering? How do I do my data analytics? I know the big buzz, but I want to say, yes, we are moving towards AI, but I don't know how. So it's a little more of okay, let's kind of make sure we get all your requirements and give you a practical way of showing this. I mean, the good thing about AI is it's been around a while. The reason we're talking so much lately is we're fortunate or maybe not fortunate that we have hardware that can actually spit those answers out relatively quickly now. So we've definitely jumped up the curve and we're having fast response and we're even moving faster because of it. It's just going to be exponential from now on.

Anthony Wilson:

Yeah, absolutely. It's amazing how quickly it's progressing, but there you go, modern times. Yes, John, just before I let you go, just one question I like to ask all my guests, and that is if a young person was contemplating getting into this field, even IT more broadly, I think it's pretty clear that getting into IT is not a bad general choice. But getting into IT is like saying, well, getting into medicine, there's so many different areas and different fields, um, but, you know, if a young person listening was contemplating getting into IT, or IT security specifically, or something like that, what sort of advice would you give them as they contemplate entering the field?

John Charles:

I would definitely say IT security is a good jumping start. However, that ocean is very big, so maybe remember to take sidesteps and learn smaller skill sets like network and basic networking. So knowing that, maybe understanding, taking some database classes so that you understand where the data flows. So I would definitely recommend them branching out, not just focusing dead on what they believe they want to do, because those take so many pieces to put the whole thing together. They may actually find out, "I want to specialize in this small particular area and this is where I like it. I can work on this night and day and never be worried, and it pays very well." The second one is a kind of a side off. I would say while you're doing your IT, maybe take a business class. Because, like I said, IT is now being talked to more from, like, the backend business management. Understanding what they need helps you design, understand, protect better. Yeah.

Anthony Wilson:

Yeah, it's, it is a very broad church, isn't it? And I think, well, it's reflected in your career journey, you know, lots of different experiences in different organizations and comes together or culminates in, you know, your expertise in your current business. So that's, no, that's great advice. Thank you for that. Well, John, listen, really appreciate your time today and you spending the time with us and sharing your knowledge and experience with the audience. It's much appreciated. If people want to get in touch with IS Squared, how do they do that? What's the address they need to go to?

John Charles:

That would be www.issquaredinc.com.

Anthony Wilson:

Excellent, issquaredinc.com. Well, I'll put that in the show notes as well. So, once again, thank you, John, much appreciated.

Anthony Wilson:

Thank you for having me!

Anthony Wilson:

Excellent. Well, listeners, that was John Charles generously sharing his experiences in IT security and those of the work that he and the team do at IS Squared. Hope you found that very interesting, I certainly did, and lots of things to consider there for all enterprises and organizations. This stuff isn't going away. You've got to get on top of it, and you might as well do it well with the help of experts. So don't forget to look up IS Squared Inc as a potential partner or someone that can give you the advice that you may need in that space. Thanks again for listening to the program today. This has been Mastering Risk Management. I'm Anthony Wilson and it's been great to have you along again, so we will talk soon. Cheers.