Transcript – Warner Moore on VCISO Tips
What's up, welcome. We're missing Golden, but the show must go on, right?

Yeah, it's funny, it's like, wait, who's the guy who's going to run his mouth at the beginning of the show?

No doubt, no doubt. We miss you, Tim. He's in the car, so I'm sure he is. But yeah, no doubt. So, great episode, great guest today, Warner. Thank you for joining us. What we usually do is we go around the horn and just talk a little bit about where you're from and kind of what your business is doing now. So I'll let you go first, and then Jesse and I will go.

Yeah, sounds great. Pleasure to be here. A shame Tim couldn't make it, but I'm sure he'll be here in presence. My background is really attacking cyber security. I founded Gamma Force nearly six years ago to help health tech companies with cyber security strategy, and in my deep career helping build business-to-business software-as-a-service companies, and in the early days of the internet before that, I really just saw the challenges of how to do modern cyber security in modern organizations, and how to really position those companies in a way that their stakeholders, customers, market really understand how they're doing security better in many ways. So that's really what Gamma Force is all about. We are more a tech company, really, than we are a services company, and we act as our clients' security organization as if they were to hire a full-time CISO and a supporting team and get it instantly.

Yeah, nice. I hear that all the time, you know, investors, right? Like if you're a SaaS company, you don't want to be a services company, you want to be a tech company. So I don't know if you're thinking about an exit someday, but we all are, right, Jesse?

Yeah.

Yeah, it's interesting. I have the benefit of the perspective of now having done both, and for a long time I maybe glamorized product companies. What I've found since then is that it's a grass-is-greener situation: half the time product companies are like, man, we want to service this business, or vice versa. I think there's a lot of value in both cases, and my mindset is, as long as we're doing good work and helping people along the way, it's winning.

Yeah, awesome, it's awesome. Jesse, why don't you go?

Okay. Yeah, you all know me. I'm Jesse Miller, founder of Power PSA and the Power Grid, which is a system and community where we teach MSPs how to build efficient vCISO programs. Our goal with that is to create a revolution of prosperity and quality in the vCISO industry at large. I'm happy to be here and looking forward to talking to Warner and kind of geeking out over what we would consider long-in-the-tooth vCISO professionals, as we both are.

Yeah, awesome. So I'm Tim Sher, the Tim on the team that's a little quieter, usually, right, Jesse? But I worked in big-company security for a couple of years, came into the channel as a GRC vendor, and I agree, the vendor world, being a product, is not easy. It's infinite leverage, but it works both ways. So generating cash and trying to get a successful software company off the ground is not easy. But I'm doing a couple of things now, a little bit of EO work, so I'd love to hear all these recommendations from you two guys on your experience and what you're building. I have an interesting kind of individual security thing for high-net-worth investors. It's called an investor-only laptop, and I call it a vault book, which is trying to pack a lot of that big-company security into a Chromebook. I would say it's not too frictional of an experience, but I've got a couple of senior citizens using it and they're getting by. So keeping them safe, one baby boomer at a time and one kind of rich investor, so Warner, we should catch up on that sometime. But yeah, we were talking in the green room, and we'd love to kind of just hear a lot about... you've got 20, 25 years' experience in cyber security, so I guess maybe talk about the evolution, and eventually we'll get kind of your convictions on where things are going.

Yeah, I'd love to hear... Yeah, we were hearing something with your audio, Tim, I don't know what cut out there. But yeah, I think for me it's just interesting. I love to hear kind of the genesis story, so I would guess, when did you know you wanted to be in cyber security? How did that materialize?

You know, it's interesting, I don't tell this story much. Well, back in the olden days, the early days of the internet, it was really just where a lot of smart folks were nerding out, and I liked that. Most internet technologies didn't have security, and the little bit that they did was broken, for the more technical folks in the group. Just for example, I remember when Linux didn't have shadow password files, so it meant the hash was accessible to anyone on the servers, right? That's just to illustrate it. So in these multi-user systems where you had an account, you could just take that password file and brute-force it. It's not today's rainbow tables and infinite compute, but still, back then it was rather trivial to get access to passwords. That's when we introduced shadow password files and stuff like that, so the hashes weren't accessible. But getting pretty nerdy, the thing is, right, I had these multi-user Unix servers, and I hardened this Linux server and challenged the best folks I knew from a security skill perspective, attacker skills, and no one ever did manage to compromise it. I went so far as to give them a local user account. That's just to really illustrate some of the foundation of what got me into security. But admittedly I was really passionate about tech innovation and the application of modern technologies to change the way we think and the way we do things in the world, right, distributed computing. So in a lot of ways I was chasing where we were driving change with technology, and security was always a part of that. But I think it was maybe about 10 years ago where in my career I kept on being pushed towards cyber security as a primary focus, and I thought about it honestly one day, like, you know, why not? And I went all in and never looked back.

Oh, that's awesome. It's funny, the more we talk, the more I feel like we share some background there. It was a similar thing for me. I'm like, no, I really like doing what I'm doing right now, like building infrastructure. But I'll tell you one thing you'll laugh about. I remember we needed to get a password for something, and this person wouldn't give the password out. It was an outgoing vendor who was trying to be punitive with the client, right? And so they said, well, you can pay and we'll log into the system via telnet on an outside port and set the system up. And I said, oh, via telnet, okay, no problem. Set up a bridge between the router and the system, captured that password, and said goodbye to that IT vendor. So it's funny to think about; those were the things we were doing prior to being in security, and that was more just to get things done, right? You did security as a byproduct of your job because you needed it to get things done. And so, yeah, it was similar. In about 2014, so just about 10 years ago, is when I was tapped to build a security vCISO practice for the organization I was working in, and again kind of went kicking and screaming. But it's interesting, once you get into it, I think, as you said, for somebody who has a passion for technology and a passion for changing the way that we work through technology, security is probably one of the bleeding edges you can be on to do that, especially today. And I think that dovetails nicely into what we're talking about, using it as a business enabler, because I think traditionally we've seen security as a zero-sum game between profit and speed of the business, right? So I'd love to hear about what got you into vCISO services from security and from just regular technology. What was kind of the tipping point when you said, yeah, I want to build a vCISO company?

Yeah, I mean, none of us wake up, right, and want to do security. Like Tim, the other guy who's not here, is always like... he has his nickname, Dr. No, right? So if you work in a big company, you deal with these friction kind of people, and you're like, what's up with these guys? Why are they so tough? But over time, the risk management aspect of it, and I'm sure we'll go there as well, Jesse, that's the part of it: how much is enough, how much do I need to do? That is the part of security that got me into it further. And the fact that, like, I posted something yesterday, Warner: data doubles every six to seven months, how come security budgets aren't doubling? Right? So they've still got to increase every year at some double-digit rate. So yeah.

Yeah, well, on the budget increase thing, I think that's a whole value proposition discussion, a whole different discussion. Well, I'll talk about what you said before, Jesse, from two angles: one, a personal perspective, and two, the business side of things. From a personal perspective, I've been interested in higher-level work for a while. There was a certain point, after relearning the many iterations and evolutions of the technologies we use, where I got tired of relearning the same things with a slightly different angle on it. It was less novel to me. And when I was observing where there was an opportunity to be more strategic, I was seeing security getting elevated in the organization, whereas even in tech companies, technical team members are sometimes looked at as a more tactical function. I'd advocate and say that's a mistake, especially in a technology organization, and that's less common in technology organizations, which is part of why I focused there. But security had a lot of opportunity to help drive the organizational strategy, and that was attractive to me. Then on the business side, well, having helped build a few B2B SaaS companies across different industries, fintech, health tech, insurtech, after the insurtech play helped a company get from concept to growth mode, I was considering what was next. And my thing was, I didn't want to create another me-too product in a crowded market with a muted value proposition. So I'm like, okay, what can I do that's higher value? And I was looking to focus more in pure cyber security or pure technology at the time, and well, that was the predilection to Gamma Force, and we're here now six years later.

That's awesome. And Warner, I was reading deeper on your profile, and I love that you're involved heavily in, I guess, the Ohio, call it the tech ecosystem, right? Like incubating and helping out some young founders, telling them about some of your successes and failures. So I'd love to hear kind of... you said Gamma Force, and I forget what it's called, the name of your accelerator, kind of like tech group in there, but you mentioned in your profile you guys work together, so I guess, what's the connection there?

Well, I really think of my professional life as three different pillars. The first is the for-profit pillar, Gamma Force. And then there's the pay-it-forward pillar, which is more supporting the entrepreneurial ecosystem: collaborating with VCs, helping out at accelerators, mentoring and advising entrepreneurs. That's just work I'm passionate about and think is important. And then the third is the nonprofit pillar. I founded a 501(c)(3) nonprofit, Tech Community Coalition, some years back, and our mission is to enable the tech and startup communities through charity and education. We do that through fiscal sponsorship as well as supporting the 50-plus active tech and startup community groups here in the Columbus region. And that is realized through a couple of activities that we do to cross-pollinate the community. We do an annual Tech Community Holiday Party where all the groups come together, hang out, and learn from each other, and then we have an annual Tech Community Summer Fest where we throw a party for the city: live music, food trucks, building awareness of all the things we're doing. And that's coming up on August 10th.

Yeah, that's fantastic. I love the whole community-building aspect, and I think that people like yourself that are fostering those initiatives and kind of being intentional about doing that are leading the way for, I think, the next generation of the way that we see business being done. So that's really cool. When you were talking, one thing I wanted to ask you, and I'm sure many of our audience are thinking it, is: could you put your finger on, or talk about, why you think Gamma Force has been so successful and been able to succeed as a vCISO practice? Going on, you said you're in year seven now, you've been six years. I mean, that's early, right, as these things go. So I'd love to hear maybe your take on why you think it's been so successful for you up to this point.

Yeah, I think that really just ties into focusing on creating value for our clients and all stakeholders, our team as well. If the team doesn't win, the clients don't win. It's all complementary, a flywheel of sorts. And that's pretty abstract, right, but we actually do security strategy work. We're not just running down a framework arbitrarily and telling our clients what to do just because. We're putting the executive hat on and helping them as a peer, but with the deep expertise in the cyber security profession. And yeah, we operate and think like I would joining a company as a full-time CISO.

How does that start, Warner? Like that first interaction, is there usually some kind of catalyst that they call you? Or, I guess, what's your first question usually, meeting a new executive of a medium-sized business?

Well, why. Often they have some initial thoughts themselves, so I understand what their thoughts are and then build on that. What are they trying to achieve in the business? Are they trying to scale it, are they trying to get it to a point and flip it? What's their market? Are they B2B, are they healthcare, are they fintech, financial, whatever? What are the business drivers for doing that, and what are they doing in their organization's business, via product, that's aligned to that? Or are there things we can do differently to reduce risk or to reduce unnecessary expense, right? Because if we're health tech and we don't have protected health information, do we really need to be HIPAA compliant? I'd say hard no, right? But where's that line for investment, if at all? I think as security professionals we often like to be arbitrary. It's like, oh, this scan says you have five critical vulnerabilities and two highs, fix it. I don't care, it's my marketing site, leave me alone, right?

Yeah, that's... you know, I had my own thoughts on this, and some things you said kind of perked my ears up, and why I wanted to ask this question is you were talking about, what do I want to do next? Do I want to have a muted value prop and be in a crowded market, what's my total addressable market, thinking about all those things. And what you just expounded on, sitting down with the executive and saying, well, why am I here, why did you take this meeting, and letting them tell you why and what their expectations are from this conversation, what they want to get out of it. It's a good way to break the ice too, and get people smiling a little bit. So I think you're dead on there: what are the goals for the program, and, not for the program, what are the goals for the business, and where does security fit into that and how does it enable that? So I appreciate you going a little level deeper on that, and I'd love to hear more MSPs start talking to their clients that way, whether it's about security or not, right, and having those types of conversations. Of course, it does mean... you've had kind of an in-the-trenches education, right, building these SaaS companies on that kind of value prop and having to build that. So it may take some learning and it forces us to get out of our comfort zone, I think, and whether it's taking a couple of classes, reading some books, and understanding how to improve our business and then applying that to our clients, I think is super powerful. So I appreciate you talking about that.

I guess the next step, right, is really setting expectations with the client. How do you set kind of the ground rules in terms of roles and responsibilities? It's a team sport, right? I mean, with all that, how do you get them to kind of embrace it, empower you, empower certain people on the team to do things, or get to kind of the road map that you're setting pretty early?

The short answer is, it depends, right? Every organization is different: the team composition, the team experience, the needs. The big thing, though, is that we're working together collaboratively. Most frequently, the person in the organization who's responsible for cyber security doesn't need to be, and they have many other responsibilities, so we can take that off their plate. But a key thing is we're not hyper-tactical, right? We don't do support, we don't manage their technology, and we don't want to. Now, we can help them build capabilities, and if they have skill gaps, for good reason, right, does it make sense to hire a full-time security engineer? In many cases not. Well, we can help put that stuff in place, but we're not going to be doing all their day-to-day maintenance activities. The really most important part, though, is for us to work collaboratively as a team. Now, from that point it's always a negotiation. Not a negotiation in the maybe traditional context, to fight until someone wins with an upper hand, more just a shared understanding about who's doing what and why.

Yeah, so I guess what I was getting at is looking at the clients that you thought were really successful, right? Like they basically picked up what you were dropping and ran with it, versus the ones that are kind of like, oh yeah... and this would probably fall in that regulatory camp, like this regulator is knocking on our door, you know, fix it. And you feel like you're kind of trying to attack the problem at different angles, but, as you said, you're giving recommendations, you're not necessarily getting on the ground level and implementing.

So we do implement, we just don't do support.

Yeah. So I mean, are there things that, like I said, you've found they just kind of grasp really quickly, and you're able to kind of be the catalyst for change pretty quickly?

Well, the foundation behind it is, are they a good fit? If they don't want to prioritize the things we're talking about, there's probably a good reason for that, and usually I spend the time to identify that up front. If there are not business justifications for the work we're doing, it's not unusual for me to suggest they limit their investment in cyber security at that time until the circumstances change. So I don't want to work with or sell people things that they don't need and that don't add value in their organizations. So assume those things are aligned, because if we're working with them, they are. And then from that point forward it's really just, how do we build these capabilities in the organization so they're sustainable, aligned to what the team and organization is capable of now, and we help with the other stuff or figure out a way to do it, right? And maybe they do need an MSSP and we can find someone to help with that, and that's true of any other category. But on the higher-level security program side, I think having control owners is important, so building that capability in the organization as opposed to a security silo of a service provider, or even an in-house security leader where they leave and the program falls apart. That's not building a security program, that's just doing a job, right? So we build the security program in the organization through control owners, and I have different illustrations like that on the engineering side. So it's not about, I'm forgetting the jargon, support standards or the... it's not about that. It's just about understanding where we add the most value, where their team can come in, and maybe we need to help build a process so they can support it. Or we often do work with IT MSPs; many of our clients already have them, because if they're at a certain scale they have that tactical need, and we work with the MSPs to take care of some of those things. So it really just depends, right?

Yeah, it's interesting. One thing I wanted to dig into here, and I've got a couple of thoughts swimming around so we're just going to start with this one, is: when you set out to build Gamma Force and do the vCISO services, was it the intention to have this architecture and implementation team, or did that kind of materialize based on need from your clients, and you're like, hey, we'd rather have some control over the way these things are getting implemented? Or was it a combination of both? I'm interested to hear about the strategy and kind of the development of that piece of the business.

Yeah, I think the philosophy behind the business has been fairly consistent. Our mission of changing cyber security to be more strategic and drive meaningful value, that's been true the whole time, and we are intentional about how we do that. There are many things we could have done along the way that would have been new business, right? We could do support, but we choose not to. We're not a SOC, don't want to be a SOC. The thing is, I think it's so important to listen to the market, listen to the customer, and if our customers didn't have that need we wouldn't be doing it right now. It just so happens it's aligned to what we want to do on mission. And I like hanging out with really smart folks; I want to have engineers on the team, so that's part of it too. But if those things weren't aligned, we wouldn't be doing it.

Yeah, no, that's... to me it sounds like a couple of things stick out. Number one, you're still having fun in your business, right? You're saying, I want to be around smart people, I want to talk smart stuff, and we're going to provide value for our customers, so this is all aligned, why wouldn't we do this, right? And listening to both the head and the heart a little bit there, which I love, and I think that's how you keep things fresh, right? And then secondly, walking away from bad business. I mean, come on, that's great. How many times do we feel like we just want to take this deal because it's money, but we know it's a bad idea, right? But getting disciplined about an ICP I think is important there as well, and so you touched on that. So interestingly enough, that leads me to what I wanted to ask: do you guys focus on SaaS companies because of your background there, or do you find that you've found other clients that are good fits for you and have that kind of teamwork approach to the program?

That's correct. We really lean into health tech, that's our core market, and we do work in tech too because it's a fit for what we can do, and we're not going to turn it away if it's a fit. But health tech is where we're focusing.

Yeah, I see the same thing similarly, and in those organizations there's a blend of innovation that's happening as well as regulatory burden, and so they're not being pushed along by the regulation, they're trying to stay ahead of it in most of those organizations. So I think that's a good environment to be in.

Most of them don't, right, Warner? Like you said, HIPAA, maybe they're not holding customer data, not the custodian of it. Maybe they're chasing a SOC 2 just because they're a health tech, I don't know.

Yeah.

Well, we look at the Change Healthcare breach that just happened, right? That would be one where that probably affected a lot of those health tech companies, but it's a different kind of environment there. So yeah.

It's interesting, folks in the field like to poke at smaller businesses, right? And my more controversial take is smaller businesses are more secure than the big companies poking fun of them. Right? I've not encountered a healthcare industry company that was really good at security if we take a holistic view, and for good reason. HIPAA is privacy-focused, right? It doesn't have a bunch of security requirements built in. But healthcare is really good at privacy, in fact the best I've seen across companies, because they have to be by law, right? But the thing is, modern companies can be exceptional at security because they're not trying to move past decades of legacy cruft, right? Doing the right thing from the start is easier, and modern capabilities and practices tend to be more secure by default. Automated code deployment through a production pipeline, with security inflection points along the way, as the only way to change production, I'll tell you what, is way more secure than the 20-page paper that needed a signature that I knew of companies doing many years ago. I'm sure there are still companies out there that do that, sad to say. I've not seen it, I hope not, but I wouldn't be surprised.

Yeah, it's interesting. You're doing a lot of, you know, you're working with dev teams and SecOps and DevSecOps, right, in terms of branching and all your git repositories, and there's secure by design, right? And I'm not sure, you probably have a mix of cloud-native and open source, but I think, as you said, they're on top of their game compared to UnitedHealthcare, you know, name your HMO, right?

Yeah.

Yeah, it's interesting, just thinking about the first MSP that I built that vCISO program for 10 years ago, thinking about our kind of trajectory there. You're in this weird spot where you have all these legacy clients, you haven't been doing this, and you're trying to bring them along, but half of them are not that good fit, like you said, Warner, where they don't want to do security or they want to just do the bare minimum to meet regulatory requirements, right? So I mean, I've had clients... I think MSPs need to get these things in place at a bare minimum to risk-assess their clients and protect themselves, right? Obviously their contracts should, but taking a risk assessment and actually showing a client, here's all your gaps, here's where we think you need to improve, customized to you, right, like you said, based on your business and what's important to you, here's what we think you need to do, and then letting them make a decision. So obviously with new business you want to focus on clients that are aligned, but then I think with current business and legacy clients it's like, well, we've shown you the risks and you can choose what you want to do with those risks, and you might not do the things that we think are the right things to do, but at the end of the day we have to say our job is to present the risk to the business and let the business make the decisions, and then document that and be ready to pick up the pieces if it does fall apart, right? So, obviously you were building net new, but how do you handle it where you get into a situation where you feel that there is maybe negligence being done on the part of the client and you have to accept that, right? I think, as technical people at heart, we really want to do the right thing, and we like logic, so it's logically the right thing to do, so why aren't you doing it, right? So how do you politically combat that in an organization? What are some techniques people can use?

Are we talking more the MSP angle, or maybe internal security organization, or more cont...

Yeah, I think I'm just looking for, when you're in a client, in a vCISO engagement or in a risk engagement, and you have a list of recommendations that they need to do, but the leadership team is either wantonly ignoring it or just doesn't have time or is not invested, what are some ways that you get people to get invested as part of that?

It's funny to think, I just have so few situations where that's the case.

It seems like he's nailing his ICP, Jesse, you know? Right? So it's like, I kind of, you know, I'm getting exactly what I wanted. Yeah, go ahead.

If we're being hired and paid to help with these things and the things we're saying aren't connecting, I'm wondering where the disconnect is there, right? If we're trying to solve a problem our client doesn't want solved, what are we doing? And there might be more of a philosophical issue there, but I'll play the game. And so if we're in that space, I think a really good example is maybe patch management, right? Say the average MSP, we're probably responsible for patch management, and if we are not able to do our jobs we have to be vocal about that. And the implications of patch management are your computers might be broken into, you might have a ransomware attack, or maybe accessing a website on the internet will allow somebody to get into the data on your computer. So having that conversation: well, maybe that workstation doesn't have any data we care about, right? Sure, steal it, sure, lock it down, there's limited business impact, right? Then fine, who cares. But maybe we want to patch it eventually, so why don't they want to patch, right? And let's talk about that and let's solve that problem. If they don't want to patch at all, well, again I ask the question, why are we here? Or if we have a reason to be there but they don't want to patch, well, maybe we need to revisit the delineation of responsibilities. There's a certain point where duty of care comes into play. If I'm a CISO in an organization and I don't feel like the shared accountability in the executive team is aligned to our duty of care, and I have a little more responsibility because of the security title, well, that's a career decision point. Do I want to hang out for a couple of years knowing that, as an officer in the company, I can't execute my duty of care? I probably wouldn't. That's a privileged position, but if we are in an executive role, that is part of it.

Yeah, couldn't agree more. And I think you said something I was hoping you would touch on, which is kind of the ability to call things out for what they are and be resolute yet amicable in the way we're doing that, and be okay with the decision and be okay then walking away, right? So you have to have all of those things be true and be willing to cut the cord on a bad client or a bad job to make sure that you're staying ethical in what you're doing. So I love that you said that.

The thing is, if we have a bunch of ego in the game, right, with our client, like, what are we doing?

Yeah. Right, right. Well, that's what I was getting at, right? I think sometimes ego does play a part in us getting frustrated about it, and I'm speaking as a recovering egomaniac, sophomoric hotshot, right, when I was a super technical guy. I had to relearn throughout the course of my career how you really get things done. And I had somebody say something to me one time that has been sticking with me my whole career. He said, if you really want to win, you've got to redefine what winning looks like, right? And that was poignant, because winning doesn't look like getting your way; winning looks like moving people along and making them better, right? And so, how do we move our client along and make it better? We remove ego from the decision and we say, again, here's the risk, here's what we think you should do, you have to make a decision, and then be okay with that decision and say, okay, we're going to live to fight another day and we'll talk about this next week, right? And one thing I will say is that I think documenting that is powerful. I think that's where I've seen, in this kind of limbo of trying to bring clients along that maybe weren't concerned about security and get them to do the right thing, that in a program, documenting things, and people knowing that it's going to go down on paper that they made that decision of no, is actually psychologically an incentive to do the right thing, right? So if you say, okay, I'm not going to do all this stuff, I don't care, and it's going to be documented, well, when the breach happens it's on your plate, right? And so it goes back to what you're talking about, the executives being responsible. Whatever you may think about SolarWinds, whether he did or he didn't misrepresent the security posture, right, we don't want to be in that situation ever. And so I think it's important to stick to your guns in the right way and in an empathetic way to make those kinds of conversations happen, right?

Well, I like... sorry, Tim, go ahead.

Yeah, I was just... I love where this is going, because you talked about due care, and you're starting to see regulatory entities like the SEC kind of charge the CISO. But at some point, are you an internal CISO, are you an external one, does it matter, is there legal... right? As you said, some of it's documented. So I guess, where do all these pieces fall, and at what point, Warner, do you kind of have to pick up and say, I resign, right? Like, I'm not taking that kind of responsibility, or I'm not being compensated for the risk, probably. So I don't know.

Well, I love this topic, I'm glad it came up. Security is an organizational responsibility, not in the generic awareness-program sense. The most senior executive team is accountable for duty of care, the team as a whole. The officers in the company are responsible for duty of care. Say it's a CIO or CISO, I don't care what the title is; if a single executive allows themselves to assume full accountability through the way the organization is operating, that's a complete myth. The CFO shouldn't be responsible individually for security; the security person, the CISO, shouldn't be individually responsible for finance. But the team as a whole is accountable for both of those things.

Yeah, it's the bottom line.

So now there's some nuance there legally and so on, but that's how I treat security governance in the organizations I work with. So if I'm a CISO, that's how I think of it. Now, there are some debates here and there and some different angles on it, but that's my take and I think it has legs. And then secondly, externally, right, we have executive-level security experience. I've personally built over seven security and/or privacy programs, I've been a chief security officer, and so it's not just me tacking vCISO on to my name, right? So when that's part of
the qualification if a client wants to hire us because they’re trying to transfer risk we cannot be accountable for their security program in that sense we can share responsibility for it the officers and their organization are accountable for security now we’re not going to have them sign paperwork and debate back and forth and sometimes there’s a period of time in which the executive team has to be educated I’ve had protracted conversations with founders of companies where they’re like really am I why should I care about this they’re the officer in the company so at no point what I want our clients to think that we are serving as the focal point for their duty of care but we will work with them to get the right governance in place and share responsibility as a SEO but we’re not going to be accountable in that sense I think that’s I mean this is an important conversation right now because there’s yeah at the end of the day just it’s like liability and we’ve we’ve had lawyers on the show kind of talking about what’s your MSA and right like so keep yeah having having having hallway conversations with other cesos who have served in large capacities and organizations not to name names but they’re they’re like number one for for an organization to really think that the SEC is going to allow them to name a vciso as their security officer hold them some sort of responsibility it’s literally not going to happen so companies doing that it’s just it’s not hold up number one but again no they shouldn’t be but I I mean I’ve had people ask right so it’s like no you can’t that’s like I I serve where I was getting to is this role serves in an advisory capacity think of it as like a consiliary right like I’m serving you as your advisor to make the right security decisions and I’m providing you with clear and concise data on the ramifications of those decisions but then it’s the organization’s job and the executive team’s job to make take that data look at the business risk and 
make a decision based on it and that’s where the responsibility the demarcation of it is and so I think this is important to have these conversations as you talk to clients and as this service grows in demand because there’s going to be on both sides Miss education right you’re going to have clients who aren’t educated and be like this standard said we need to have a someone responsible for security so we’re going to hire that out well no that’s that’s not how it works right you want to transfer risk I I know a bunch of insurance carriers let’s talk to that’s right but yeah I mean those are the types of uh those are the types of conceptions and it goes back to what you said talking about the why like why am I here oh we need to transfer risk we need somebody responsible for security well I can’t help you with that what I can help you do is become more resilient and you know help you use it in your business help you use it as a differentiator help you go after new business help you do all these value ads to your organization with security oh while be more resilient but at the end of the day you own the risk and that’s not transferable by hiring a consultant right so I think this is an important conversation to have with clients and as you mentioned start talking about that why and flush these things out ahead of time yeah no I think a lot of the misconceptions are from Enterprise Jesse in terms of cesos being scapegoats right like for these breaches like oh the ceso was fired and it’s like well well we let ourselves be scapegoats right yeah right I I’ve heard I’ve heard murmurs of uh is hiring multiple VC cells and security companies to try and somehow access their security and cyber insurance coverage so oh we can get more cyber insurance coverage by hiring this guy he’s got five million hiring that guy he’s got you know three million hiring this girl she’s got five million um but it’s that’s again not going to hold up but it’s somehow like we’re just all convin 
singing Kumbaya and convincing ourselves it’s going to be all right like obviously that’s not the organization you want to work in but I’ve heard of these kinds of hair brain strategies right so it’s just interesting to think about and again it goes back to education and being upfront with what you’re getting and not getting and being okay if we don’t get a sale because the client is you know has some misconceptions so you know is that four to six figure annual contract value worth a seven or eight figure lawsuit right I’d suggest not I would say yeah I would think those numbers don’t add up right but it’s funny I mean the sec’s behavior like suing a like security operations guy like what was the guy’s compensation relative to CEO yeah right yeah yeah that whole thing is a debacle I don’t I honestly don’t touch I don’t have an opinion on that because there yeah you know do Frank and whatever like C you know back in 2009 right they switched so the CEOs have to sign every accounting financial statements right I don’t know why they they let him off the hook here so security Charter should be signed CEO right yeah CEO is ultimately accountable right but I’d suggest a well organized and government organization that accountability is shared but yeah CEO can be like oh crap not my fault yeah it’s not a luxury of the position sorry I don’t I don’t know cyber so this is not my fault well you’re supposed to at some point um right J you and you must advise I mean you must have a Playbook here right because like your clients are channel right most of our msps they’re playing kind of man in the middle a little bit well yeah I mean I think there’s some ways to get the organization integrated and obviously right I’m not going to plug myself but this is what we teach msps to do um is create some of that education and build that into our processes I think a good it’s it’s you know what I talk about is that connective tissue right is all the way from marketing to sales to 
implementation to Service delivery and then to account management that should all have a story for the customer and it should all be connected right I think I see a lot of organizations that are siloed so I’ll get off my high horse about that but what I mean by that is that when you come into a client the the sales process should have talked about what Warner was talking about right and saying we’re the adviser right then when that gets handed off the implementation should pick that up and say okay we’re the adviser we need to do these five things we need to talk to your Executives we need to understand what system support revenue and that’s how we’re driving what security you should have not the CIS said you need malware protection right like we what Systems Support revenue and how exposed are those that’s what we should be digging into and again systems to do that on a repeatable way so that you can have GRC analysts doing doing data Gathering have your higher paid vcos doing the analysis and the customer interaction on that right you build a whole process around that to be able to deliver it repeatedly um where you’re having those execu itive level um Arbiters so to speak Warner right um interpreting that data and then delivering it to the customer and helping them make decisions so I think by doing that you get through the implementation and have the organization very aligned right now you have a Playbook you’re executing that okay um things adjust things change we’re meeting with the executive team we’re helping them build that governance process we’re encouraging the audit committee right to actually talk about cyber risk in their in the board meeting to meet and starting to move that up and down through the lines in the organization and then on the back end with account management it’s the virtuous circle like can we help the client with some architecture stuff we see they need a push right it’s not selling them it’s creating um our skills and our abilities 
to help the client out for the things that they need to do and so I you know that is a holistic um system I think is the way that you can really facilitate having the client involved and being aligned with them from a business value ad perspective and that’s how I see it with a good with a good MSA with a good Ms yes with some good contracts stating all of that on the back end so well like contracts contracts are important right everyone should operate professionally but I will push back a little on the context of uh signing off and this I don’t like internal contracts in companies it it silos and creates friction say we have a large scale company where we have internal billing and contracts for internal Services that’s an illustration of it so yeah I I think if we have gotten so far and I don’t care if it’s an internal security organization or a service provider where every tactical thing we talk about has to have more formal sign off we should probably be considering the health of the relationship or the fit of the relationship yeah because yeah that that’s not a great way to work and it’s going to reduce the value we bring to the table yeah I I agree with that yeah and I’m not saying that like hey you got to sign this waiver that you didn’t accept our recommendations I mean I’ve seen msps that do that and those that don’t we decided not to do that when we were building our program it was more of our you know yes you have a contract that protects you but it’s more of a a gentleman’s not a gentleman’s agreement but in that what what I meant by putting it down on paper is just it forces someone to confront their decision they can’t just handwave it away right so you know you’re saying hey we had minutes for this meeting and we made these decisions like these are the decisions that were made right and it’s not to like say haha I got you it’s just more to say people actually forced to a decision and you know I and I maybe you have seen this probably in your previous 
uh Journeys within organizations is you know sometimes EX tives want to want to kind of keep it a little bit murky so they don’t really have to make that decision when you can pin that decision down typically the right decision gets to gets made so that that is what I was referring to with that yeah makes sense and not not picking on you just clarifying context um I I in some of my seeso circles more than once I I’ve heard of people printing out a one or two pager and putting it it in front of a peer to sign and like okay let’s step back and res we’ve just created an adversar adversarial relationship now yeah no I mean I was really just referring to like getting away from that like you’re not going to transfer risk here just in the channel like because because Jesse’s dealing with MSP to you know third parties SMB so um we only have a couple minutes left what we usually do is just closing thoughts um you know I I I would also ask you know if you I think we’ve heard a lot of closing thoughts but kind of where you think things are going and um you know I always I always like to ask like what’s your one unorthodox opinion of like cyber security or something like that so H all right I’ll go first that’s fine orth unorthodox I’ll go unorthodox first because every I I I get crucified on this for social media constantly so I’ll say every MSP should have a VC so program and uh that doesn’t mean you should just call somebody a VC so and delivered it means you should educate upskill and uh get with this new wave of risk management that we need to start delivering to our clients so maybe it’s not that unorthodox unorthodox after all um my takeaway is you know ICP is is King in a lot of ways I mean I love that one of Warner things Warner said is he’s been super successful because he make sure the clients a right fit do we know it’s a right fit client for us have we identified that and are we actively um eliminating that in our meetings in Discovery and marketing process right 
so that’s my takeaway you know I’ve been really love this conversation Warner and um appreciate you coming on yeah you’re up goe I’ll take them both in one narrative unorthodox and uh where I see us going I I think we have unusual opportunity right now as Security leaders and many organizations the ceso has been elevating and not buried a couple levels down in the reporting structure so uh up here in the executive team uh boards are taking more interest I think many of us are still very tactical and Technical and if we’re just screaming about the things that are trying to get us and not taking the time to understand our businesses and how we can not only enable the business as a member of the team but do so in a way with our unique expertise in cyber security we’re missing the table I see too many obstructionist security organizations still where they are slowing down the business in ways that go so far as to destroy value I worry that if we don’t change that quickly enough we will lose that seed at the table we used to complain about not having the seat now we have the seat but we need to act strategically as a member of the executive team to keep it and if we’re not operating that way we probably shouldn’t be there in the first place so I it’s a challenge for all of us in the field I I think we have opportunities to elevate the value we’re adding as cyber Security Professionals but I know we can do it yeah so I I’ll kind of Follow That narrative too Warner I think the board you know as you said like are you are they are cyber security or at least an IT person getting representation on most kind of executive boards at the Fortune 500 I think the answer is till now no and I think um I think that’ll change quickly in the next like year two three years um where there’ll be significant representation when digital call it digitalization of businesses is you know it’s incredible how much you’re relying on it and now you’re going to rely on cyber security so I don’t know 
are they going to take the accountancy are they’re going to take the lawyer seat right like you kind of have like an accountant a lawyer like the 80-year-old former CEO of like a you know whatever right so um I think that board composition is going to change dramatically um I think cyber security Focus will change dramatically as you said there’s been a lot of misconceptions a lot of misunderstandings of kind of what it is and why you need it but um as people kind of grasp and take stock of how much of their business is technology or digital uh I think they’ll come around so um awesome well uh that’s about it we’re g to give a minute back here uh thanks for joining everyone and Warner uh awesome insights and I I really appreciate it you as well Jesse you know the Dr VC so himself um so next week is uh an interesting topic we’re gonna we’re gonna we’re going to do a role play and you you’ve been on Robert Gillette before uh Jesse so we’re going to role play selling to a small business um we got some good insights and some of my questions were kind of a little leading to Warner just to get a little homework for next week so um but uh yeah enjoy the weekend and uh we’re uh we’re out of here been a pleasure thank you all thanks everybody thank you audience take care take care absolutely here we go subscribe now