March 30, 2020

In this world of remote work that we’ve found ourselves in, there are likely a lot of companies that are looking around and wondering if they’ve got the right staff.

With a fully remote workforce comes a lot of new challenges in the IT space, and if you’re a smaller company, you may not be in the space to bring on a full time CIO, but you still need the governance and expertise of a CIO.

Cue the virtual CIO. 

And there are a lot of managed IT service companies that offer some level of virtual CIO support. 

That’s why on this episode of The Virtual CISO Podcast, we sat down with Darek Hahn, President & CEO at VelocIT, to discuss: 

  • The role of the CIO vs the CTO
  • What makes a good virtual CIO
  • When you know you need one
  • The difference between a virtual CIO and a traditional MSP consultant

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

John Verry (00:06):

You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no-BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry (00:26):

Hey there, and welcome to another episode of The Virtual CISO Podcast. I’m your host, the erudite John Verry, and with me as always, the agent J to my agent K, Jeremy Sporn. Hey Jeremy.

Jeremy Sporn (00:37):

Hey and hello everyone. Agent K, appreciate you recruiting me for this critical mission.

John Verry (00:43):

No worries. So what’d you think about the podcast? What’d you think of the conversation I had with Darek?

Jeremy Sporn (00:50):

We started this podcast so business leaders could gain the knowledge, perspective, and really the language to speak about information security at that level that would allow them to communicate what we call from the server room to the board room. This is what Darek does every single day. His whole goal is to bridge that gap between business needs and technology needs. So just super cool guy to have on the show.

John Verry (01:14):

Yeah. What really impressed me was his ability to communicate things concisely.

Jeremy Sporn (01:20):

Very well said. What I love about him is his simplicity in attacking and really, I use the word attacking purposely, attacking the need for businesses to drive technology, for the business needs to drive the technology needs.

John Verry (01:34):

Yeah, absolutely.

Jeremy Sporn (01:35):

Really, I got to ask you a question, because you’re a practitioner that started a business selling a service that you know how to perform, and he’s a guy who started a business in which he was originally a customer of. Do you think he has a bit of an advantage over you, knowing what he wants from his own business because he was there already?

John Verry (01:59):

Tune in, next week’s episode when John actually has an answer to that question. That’s a really hard question to answer and a really good question. I would say he definitely has some advantage in terms of the fact that he truly understands what it is that he’s trying to deliver. I can think of some disadvantages as well, but like I said, we’ll tease that for next week.

Jeremy Sporn (02:17):

First time I’ve ever heard John not have a well-thought-out answer in three seconds. So we’ll leave that alone. Look, all in all, people are going to love what he has to say. He absolutely blew my mind on what he thinks are the most important attributes of a successful CIO. I can’t wait for people to hear it.

John Verry (02:36):

Agreed. Awesome. With no further ado, let’s get to the show.

John Verry (02:44):

Darek, thanks for joining us. How are you today?

Darek Hahn (02:45):

I’m great, how are you?

John Verry (02:47):

I’m awesome. So let’s start super simple. Introduce yourself. Tell us a brief amount about yourself and a little bit about VelocIT, which we can clearly see up there in the corner of the screen. Well-played. Good marketing is here. Your marketing guy is going to be happy with you. Very strategic [inaudible 00:03:03] shirts but I can’t see you. I can’t see your shirt.

Darek Hahn (03:05):

It’s all over me.

John Verry (03:06):

It’s okay you don’t need the shirt.

Darek Hahn (03:07):

[crosstalk 00:03:08].

John Verry (03:09):


Darek Hahn (03:11):

It’s VelocIT. I love that start, because we always have that joke with people. Is it pronounced VelocIT or VelocIT, and I’m like, are we having a conversation about IT? That’s what I want.

John Verry (03:24):

I’ve always called you velociraptor, but that’s neither good or bad.

Darek Hahn (03:27):

Yeah, that’s our mascot. I need to get him on the wall, right?

John Verry (03:29):

There you go.

Darek Hahn (03:30):

Wait, wait.

John Verry (03:31):

Now that’s what could have been on the wall.

Darek Hahn (03:31):

Wait, wait.

John Verry (03:32):


Darek Hahn (03:35):

He should be talking to you and not me. [crosstalk 00:03:37]

John Verry (03:37):

He should have been sitting on your shoulder.

Darek Hahn (03:39):

Actually, I have one on my head shots. I got him on my shoulder when I had a headshot.

John Verry (03:42):

No, you should keep him there like a parrot.

Darek Hahn (03:45):


John Verry (03:47):

Listen, I apologize, but we don’t have enough time now for your introduction.

Darek Hahn (03:50):

Okay. Moving on.

John Verry (03:53):

Come on.

Darek Hahn (03:55):

My name, Darek Hahn, obviously. I’m CEO of VelocIT. We are a managed service provider, traditional IT support company that really trying to bring a different mindset to the market, where it’s focused on IT leadership, IT strategy, planning, structure, making sure IT is aligned with the business versus just IT for IT’s sake. I’m really driven by the technology. We want it driven by the business, so we engage with our clients in a completely different way. We drive our relationship through an IT roadmap and a strategic plan, and we ask our clients to allow us to have a conversation about their business and where they want to go from a business standpoint and then look at the technology solutions after that.

John Verry (04:37):

Yeah, you couldn’t have done a better introduction, aligned with why we specifically wanted to have you on the podcast, was because of the fact that your virtual CIO offering is one of those things which aligns with what we do, which was virtual CISO, which of course is the name of the podcast. So Darek, before we get down to business, we have this tradition we always like to ask people. What’s your drink of choice?

Darek Hahn (05:01):

I’m going to be boring. Mine is iced tea.

John Verry (05:04):

All right. Slow down, Darek, slow down. Sugar, non-sugar?

Darek Hahn (05:11):

Actually, no sugar.

John Verry (05:12):

No sugar, all right. Little lemon?

Darek Hahn (05:15):

I wrote a little note to myself. This is my wife’s instructions, no soda in the [crosstalk 00:05:21]. I might get a little crazy. If I’m adventurous, then I put a little sparkling water with some cranberry juice in it.

John Verry (05:26):

Do you take a black Ceylon? I mean, did we [inaudible 00:05:29]? All right, so you’re a tea guy. Let’s go tea. You go black Ceylon, you go a orange pekoe, a little green?

Darek Hahn (05:36):

I’m a simple guy.

John Verry (05:37):

All right.

Darek Hahn (05:37):

Plain old iced tea.

John Verry (05:39):

All right. Ice? No ice?

Darek Hahn (05:43):

I had my allotment for my alcohol consumption in my 20s.

John Verry (05:46):


Darek Hahn (05:46):

And it was a good idea that I just stop.

John Verry (05:48):

You know what? I think I could learn something from you. All right, so let’s get back to the real reason that we invited you on the show. You touched this a little bit. I find it very interesting, this concept of a virtual CIO. How would you, if I asked you just the question, what is a virtual CIO?

Darek Hahn (06:06):

I would start with the question is what is the CIO? I think too many people don’t even know what a CIO is.

John Verry (06:11):


Darek Hahn (06:11):

To me, a CIO is a business person, not a technical person. We have too many technical people acting as CIOs who drive things because it’s technical, not because it’s a business solution. The best CIOs I’ve met are ones with MBAs that really understand the finance behind it, understand the business need, and can really drive things from a business perspective. When you look at it that way, in my industry, it’s somewhat saddening because what I see is a lot of people using the VCIO term that don’t know what a CIO is and so they throw an account manager into a client, and that person’s job is to sell them more stuff.

John Verry (06:48):


Darek Hahn (06:49):

And it’s not really being a business liaison, a business guide. How does what we’re going to do technology-wise help the business either from an efficiency standpoint or from revenue generation standpoint. I mean, those two should be the most important things you talk about when you talk about new IT solutions. What are they doing for-

John Verry (07:09):


Darek Hahn (07:09):

Go ahead.

John Verry (07:09):

Yeah, so a quick question for you there. That’s an interesting perspective and I like it. How does the technology come into play? Would you say that the CIO is the person who is responsible from on the business side, and then a CTO or somebody of that nature is responsible for figuring out based on what the CIO is trying to accomplish, how we’re going to accomplish that, what technologies we’re going to implement in what order, that kind of stuff?

Darek Hahn (07:31):

I think it can. It’s an interesting dilemma that I think titles get really screwy because CTO can be a lot of different things, right?

John Verry (07:38):

Mm-hmm (affirmative).

Darek Hahn (07:38):

Depending on the business. I have a client right now that’s a manufacturing company in the biotech space that has a CTO, but he’s a technology person in the bio space, not the traditional IT tech [inaudible 00:07:51] space, but I do think the CIO needs to be delivering a plan, roadmap. We need to do these things to help the business move forward. I don’t really care what the solution is, because there’s tons of solution out there for everything.

Darek Hahn (08:03):

So a CTO, director of technology, somebody who’s more in the technical space should take that and say, “We’re going to implement a new ELN or a laboratory notebook solution. Now let me go investigate three or four different solutions and figure out which one works the best for our business and fits within what the CIO wanted.”

John Verry (08:21):


Darek Hahn (08:21):

So a small-

John Verry (08:21):

[crosstalk 00:08:27]. Go ahead. [crosstalk 00:08:26].

Darek Hahn (08:21):

I would say the small companies I tend to do, we do an IT roadmap that includes, say it’s third quarter we’re going to implement an ELN solution. We will then start to have the discussion from a technical standpoint, what are the ones that match what the client wants? They’re looking at it from a use case, not from a what’s the technology case. They could care less for most part, and that’s where we’re trying to divide the line between the two.

John Verry (08:53):

So it sounds if you’re saying, correct me if I’m wrong, that the CIO translates the business need and vision into an actionable technology plan and then someone else, and IT director, CTO, whatever we label that person, translates the IT plan into implemented technologies set or stack.

Darek Hahn (09:15):

Agree, agreed.

John Verry (09:16):

Okay. Cool. Cool. It’s interesting, because it leads into one of the questions that I had for you, and I think you’ve largely answered it, but I’ll ask it anyway and make sure I’m not putting words in your mouth. How is a virtual CIO different than a conventional MSP consultant? Like someone who comes in as an MSP and says, “Hey, you’ve got these issues,” and they’ll talk to the COO or CFO and they’re not happy with the IT implementation, not that you’ve ever heard that, right?

Darek Hahn (09:46):


John Verry (09:49):

There’s always a first time for everything, right?

Darek Hahn (09:51):

Yeah. Can you send me a hundred more of those?

John Verry (09:55):

You’d be retired by now if you had a hundred more of those, or spending time on your yacht, or your office would be on your yacht and I’d see an island in the background [crosstalk 00:10:05]. But you see these MSP consultants that go in and sort of do that. How would you differentiate that idea and how would you help someone who is listening to this who’s saying, “Hey, this sounds like a pretty good idea. How do they differentiate the VCIO versus that MSP consultant that comes in and pitches something?”

Darek Hahn (10:29):

I would say for me it goes back to the CIO as a true business partner. I think there’s a lot of MSPs that are not selling that, they’re selling account management. What I’m really into is how do you … If I was in someone else’s shoes and walking into this and which is what I did, we bought the company three years ago with this in mind, I want to have the business conversation with the client. So I talk to my clients all the time about how we’re running our business. We talk about finance. We talk about process and procedure. We talk about we don’t have production, but we talk about how we manage ticketing and how we manage moving people around, and so there’s a conversation that’s really business centered, so if somebody wants to get into this space, they want to be that trusted advisor in the CIO kind of mindset, they needed to be talking about a business. They needed to be talking about the financials. They needed to be talking about how the company is trying to succeed. What’s their bottom line? Are they making 20% profits, 30% profit? Getting an understanding of the business, what they’re trying to accomplish, makes such a big difference in what you offer for a solution.

Darek Hahn (11:36):

I’ll give you a simple example. I have had a conversation with a manufacturing company that came to us and said they wanted to move to Office 365, I said, “Why?” And they said, “Well, because everybody is.” I said, “Okay, well let’s just talk about you and then we’ll talk about the solution.” We started talking about it, and they want to spend the least amount of money on technology. I mean, literally, they want to spend the least amount of money they could possibly spend on technology because they’re a production facility that doesn’t need technology on the floor. They’re just using it for accounting and a few other places. I said, “For you, Google may be a better solution. It’s cheap.” They were like, “What do you mean it’s cheaper?” I’m like, “This is the part of the conversation that nobody has with them, because they want to sell them Microsoft. Everybody’s heard about Microsoft. Not that Microsoft is bad, but it may not be the right solution for your business.”

John Verry (12:23):


Darek Hahn (12:23):

To me, that’s the conversation.

John Verry (12:25):

Gotcha. So realistically, if I’m a SMB owner or CFO or COO, those conversations are going to sound very different, because most people walking in and they’re pitching a solution that they happen to carry in their bag. Even if they carry two, it’s going to be one of those two. Where you’re coming, it sounds like from a different perspective. Quick question for you. So in terms of your background, are you a former business guy, a former CFO, CIO, CTO, owner of business, because you are taking a different approach and I wonder how much of that comes from your background?

Darek Hahn (13:04):

I’ve spent my whole career in startups, so I’ve hired the IT people. I typically was in operations, everything from facilities is where I started. I moved into production, had IT reporting to me. What else did I have? I’ve done some of the accounting side of the business. I’ve been mostly on the operational side. I grew up in a family-owned business for 30 years, so I’ve watched a family-owned business and watched small businesses being run, and I’ve always dreamed of owning my own business. We bought the company after [inaudible 00:13:36] the other business, having experienced this.

John Verry (13:39):


Darek Hahn (13:39):

And by experiencing the frustration of being on the other side of the IT world, wanting somebody to give me better solutions and better conversations and got a lot of IT jargon.

John Verry (13:52):

Right. Not only a lot of IT jargon, unfortunately, a lot of salesmanship, you know?

Darek Hahn (13:58):


John Verry (13:58):

I think of that consultative approach is ends up in a win-win. So when does an SMB know that they need a virtual CIO? If someone’s listening to this, what’s the pain point or what’s the realization point where they say, “Wow, I need to take a different approach”?

Darek Hahn (14:19):

I need to take … I would turn that question around on you and say, when do they not need one? I have a two-person company that we have a plan for. I think it’s really about the partnership they have with whoever they’re working with. When you need to bring somebody in house, we have a client right now that we’re working with to bring somebody in house. They’re probably not going to be a CIO, but they’re going to be a director level, but they’re at a point where they’re 150 people or so, and they’re starting to really look at technology from a larger scale. They need more IT governance on how they manage new projects and new stuff coming in, so they’re more an administrative role. We’re still going to be handling a lot of their technology on the backend, but I think every company should have an IT plan.

Darek Hahn (14:59):

You have a strategic plan. People have financial plans, but they don’t have an IT plan, which is one of the biggest spins for most companies.

John Verry (15:05):


Darek Hahn (15:06):

Part of my thing would be if you don’t have a partner that’s helping you in that area, you really should find one.

John Verry (15:11):

Yeah. So that’s interesting. It’s funny, I’m sitting listening, and it really, the parallels between what you do and what we do is exactly the same way. I mean, the first question that I always ask when I get onto a call where someone might be interested in virtual CISO is we need a plan. So either we’re going to come in and we’re going to develop the plan before we do anything and then we’ll execute the plan together, or you have the remnants or at least a short-term plan that’s critical that we can execute on and then when we get to the end of that plan, then we’ll re-up the plan or tune the plan or create a new plan. So yeah, I think we end up in the same kind of places.

Darek Hahn (15:46):


John Verry (15:50):

From your perspective, what are the attributes of a good CIO, someone who’s going to really help an organization? I think I kind of know your answer based on where you’ve been, but again, I don’t want to assume for you.

Darek Hahn (16:03):

Yeah, I think it starts with the business first. Do they love business? Are they fascinated by how business operates? I mean, I would start there, but if I was interviewing somebody from my company as a CIO, I would be looking for some IT. Are you interested in the whole business, not just the technology piece of the business?If we’re a manufacturing company, are you fascinated with manufacturing and how it works and how it can make it more efficient and those kind of things using technology, that’s great, but then they should be data driven. They should trust numbers. Too many people in the IT world want to do it by their brain and their opinion.

Darek Hahn (16:36):

And then the most important [inaudible 00:16:39] can they manage up? CIOs really have to manage up. They have to communicate with the board of directors, with the C-levels, the C-suite. Can they communicate at a level that those people will to understand versus at the jargon level? I think those are the most important things. Maybe there’s a piece of it that’s educator. Are they a really good educator, communicator? That’s probably a big key of it, because it’s a weakness in IT in general, is the whole communication area. But to me, a really good-quality CIO has financial background, communicates well, and loves the business, loves understanding the business.

John Verry (17:17):

So that’s really interesting, because I would think that if I asked that question to a hundred people, I don’t think too many of them would came up with the same answer you did. In fact-

Darek Hahn (17:28):

Probably not.

John Verry (17:28):

… I would venture a guess and say 95% of them would have not mentioned three-quarters of what you mentioned. I mean-

Darek Hahn (17:36):

[crosstalk 00:17:36] not wrong, it’s they’re wrong.

John Verry (17:38):

You know what, there is safety when going with the herd, but-

Darek Hahn (17:42):

[crosstalk 00:00:17:43].

John Verry (17:43):

But I have to admit, I have to admit, you made a compelling argument, because I think it was interesting to me, and correct me if I’m wrong, I don’t think you at any point in there mentioned technical competency. And I think if you asked the average person, like, “Hey, we’re going to hire a CIO. What’s the single-most important attribute?” I think most people would say technically competent, right?

Darek Hahn (18:03):

Yeah. [crosstalk 00:18:06]

John Verry (18:05):

That’s very interesting.

Darek Hahn (18:07):

I would argue that if you’re hiring a CIO to be technically compliment, competent, they’re going to end up being in the weeds all day, because they’re going to love that technology and they’re going to be loving … There’s a difference between technically competent from a how do you fix something and how do you get in and do things to being technically competent when you understand how things work. But yeah, those are two different things. So the understanding of technology in a general sense and how it works and how things interact with each other, I think is extremely important. And that’s [crosstalk 00:18:40].

John Verry (18:37):

So That’s-

Darek Hahn (18:37):

Go ahead.

John Verry (18:41):

Yeah, that’s really interesting, because I think you’ve explained the worst CISOs, chief information security officers, that I’ve ever met, because they are people that love the technology. They love the bits and bytes, they love the security. They love to keep current on the latest technological trends and things of that nature. And I think what ends up happening with those people is they get focused on technological implementations to problems that they yet don’t know that they have, and they become technology collectors and they implement … You can always tell them when you ask them what their information security strategy is, it’s a product strategy. Oh, we use this and this and this. Is there an analogy to that in a CIO? Like if I walk in and I hear a guy talk about a product strategy as an information security strategy, I think to myself, “Okay, this isn’t the right guy.” Is there the same parallel when you walk in and somebody tells you their IT strategy in terms of their technologies that they’ve implemented and all the products they buy?

Darek Hahn (19:43):

We’re somewhat lucky. We don’t work with many CIOs, because their companies are typically small businesses and they don’t have CIOs. But I will say from a CFO, COO standpoint or even CEO, they tend to talk that way, “Well we’re a Microsoft shop, so you need to be able to do Microsoft,” or, “We’re going to Amazon cloud. You have to be able to do Amazon cloud.” There’s not a strategy in that. It’s a technology, it’s a product suite. So it is a conversation that I think has to change. I think we’re too focused on the product suite and we’re not focused enough on what is it doing for the business.

John Verry (20:19):

So here’s an interesting question for you, and I’m curious as an MSP what your answer is to this. One of the things that I think is a challenge in our industry right now is everybody wants to be a security company and everybody wants to sell security because everybody needs it. Everyone is being asked about it. There’s a lot of money to be made and everything else. So what happens is we find that a lot of organizations who have an IT service provider, that IT service provider becomes their information security provider as well, and very often is providing not only IT strategy but information security strategy. To me, that represents a risk. From your perspective, what are your thoughts on that challenge?

Darek Hahn (20:57):

We’ve made it very clear that we will never be a cyber auditing, cybersecurity firm, because we think those things should be separate. Just like in accounting, there’s the people who do the doing every day and there’s an auditor that comes in and audit them. We think there should be somebody auditing us. If you don’t have somebody auditing us or your provider, you’re putting yourself to your point at risk. I mean, the risk is you’ve got the fox watching the henhouse, right?

John Verry (21:20):

Mm-hmm (affirmative).

Darek Hahn (21:23):

And if we’re really confident in what we do and competent in what we do, we shouldn’t be worried about somebody coming in and doing an assessment on us. I think it’s something that’ll probably over time will come out within our industry, that there will be a dividing line, there will be an auditing function and there will be a doing function. But to me there should be a dividing line between there. We have shipped with companies like yourself and others that can come in and do that and be independent and they should meet with our clients and they should have an independent contract with our clients and we should trust that they’re going to help us be better.

John Verry (21:57):

Yeah, it is interesting. I mean, I don’t envy the people that we work for, because you and I, we both work for the same types of organizations. Most of them are between 10 and 1,000 or 10 and 5,000 people, right?

Darek Hahn (22:10):


John Verry (22:10):

And there is a simplicity to having a single throat to choke or one partner that you trust and, “Oh, you’re already doing this,” and there is such a fine line. Where does the line of IT implementation end and information security start? We have end point protection, okay, well, and then an IT service provider is doing NOC monitoring because you got to know up/down on server. Well, we can get the security logs there, too. It is infinite shades of gray, you know?

Darek Hahn (22:38):


John Verry (22:39):

I really do. I feel bad for organizations that they’re just trying to keep their business’s doors open and running and grow their companies, and having to wrestle with multiple providers makes that a little bit harder. It is an interesting challenge. And like you said, it’ll be interesting to see how it shakes out, because we’ve seen some bad things where people have been too over-reliant on a single entity to do everything.

Darek Hahn (23:01):

Yeah. I go back to the accounting function. The reason there’s all these accounting rules and auditing in place is because people do bad things, you’re dealing with money. IT is getting to that realm. It’s a lot of money that’s involved, a lot of data. There’s a lot of way you could take over a company, and if you’re putting that all in one basket, that’s pretty dangerous. Yeah.

John Verry (23:24):

Yeah. So it’s the old trust but verify, right?

Darek Hahn (23:27):

Yeah, and I think people, maybe I’m a little more humble than some of my counterparts in this industry, but I feel like I should not be worried about you or somebody else in your industry coming and checking on us.

John Verry (23:40):

I don’t think that’s humble. I actually think it’s the opposite of humble. I think it’s super confident.

Darek Hahn (23:49):

Oh, okay, confident.

John Verry (23:50):

Borderline arrogant, Darek. I got [crosstalk 00:23:53]. I’m rarely in a conversation-

Darek Hahn (23:55):

I don’t think anybody’s ever called me arrogant. I’m going to have to [crosstalk 00:23:59].

John Verry (23:57):

I don’t think I’ve ever been in a conversation with somebody who would challenge me from an arrogance perspective. I mean, usually I’m the most arrogant person in every conversation.

Darek Hahn (24:08):

Well, and I don’t think it is that you won’t find faults in us.

John Verry (24:11):

No, listen.

Darek Hahn (24:13):

We will have areas where we’ve fallen down. I would rather somebody checked us and made sure we were right, doing it right and we correct it, than to ignore it and hide it, which is the danger, right?

John Verry (24:23):


Darek Hahn (24:24):

If I’m doing auditing and I’m doing your services, it’s really easy for me to go, “Yeah, we’ll get to that next month or next week or next year,” and just hide it from you, the client, and then you’re in danger. You’re in risk.

John Verry (24:36):

Great. And then you’re Enron.

Darek Hahn (24:38):

Yep. [crosstalk 00:00:24:41].

John Verry (24:40):

Okay. All right. So-

Darek Hahn (24:42):

Mission statements [inaudible 00:00:24:43].

John Verry (24:44):

Yeah. I know what that looks like over there.

Darek Hahn (24:44):

Do no harm.

John Verry (24:46):

Can you imagine some of those poor people?

Darek Hahn (24:48):


John Verry (24:50):

I always love to ask this question. It’s interesting. Usually I ask it about a CISO, but I’ll ask it to you about a CIO.

Darek Hahn (24:55):


John Verry (24:56):

In respect to the fact that you are.

Darek Hahn (24:58):

[inaudible 00:24:59].

John Verry (24:59):

So if I asked you, I now have a picture of who you think a good or bad CIO might be, but I’m going to ask you to take a fictional character or some real person, Mike Dick. I named some crazy person that you think would make either an amazing or a horrible CIO and why.

Darek Hahn (25:16):

There’s so many people I could name, but what popped into my head when I heard this question, and I hate to say this, but do you remember Nick Burns?

John Verry (25:24):

Nick Burns? No.

Darek Hahn (25:26):

He was an SNL character in the ’90s, I think it was the ’90s.

John Verry (25:29):

Oh, he was the IT guy, was he?

Darek Hahn (25:34):

He was a horrible CIO would be that guy who walks in and says … He would just fix whatever’s going on and walk away. It’s the lack of communication, the arrogance, the, you don’t know anything about IT. That-

John Verry (25:47):

The use of all the buzz words, I mean.

Darek Hahn (25:49):

Oh, yeah. Every acronym you could imagine just to keep people at a distance and keep them from ever actually engaging with what the heck you’re doing.

John Verry (25:58):

Right. So it’s that IT bullying, right?

Darek Hahn (26:01):

Yeah, yeah.

John Verry (26:02):

Yeah, yeah, and listening to you talk, I can see that, because it seems to me like you put an inordinate amount of emphasis on the importance of communication from a technology perspective. And again, I think that’s an interesting perspective, and one that I don’t think most people, even if we talked about what are the attributes are of an individual who would make a great CIO, and you were talking with an HR recruiter about that, again, I don’t know that because people think of it as a technology field, I don’t think right away they’re going to be thinking about these soft business skills, the communication skills, leadership skills, that I think you’re talking about. So that’s really interesting.

Darek Hahn (26:39):

I also think … Can I add to that?

John Verry (26:40):

Of course.

Darek Hahn (26:43):

The CEO, the COO, and the CFO who don’t have technical skills, looking for somebody to save them. They think, “I need a savior who understands technology,” so they’re going to look for the technical person rather than they need somebody who can educate them, who can talk to them in their language, who can help them understand what they’re trying to do in technology and help them understand the risk they’re at. I think it’s a psychology thing that … I do this presentation every once in a while around the history of IT. It’s not the ENIAC computer to the next computer, to the next computer. It’s really the evolution of the IT department. If you think about it, accounting’s been around forever. Sales and marketing have been around forever. HR has even been around forever. IT has only been around for 40 years as a department.

John Verry (27:31):

And there’s been so much change in that 40 years, right?

Darek Hahn (27:34):


John Verry (27:34):

To think about, it went from mainframes with just a few people having access to data to where we are now.

Darek Hahn (27:44):

Yeah. I mean phones. I mean, you now have phones everywhere on everybody’s network. I mean, you couldn’t pick up a phone in the old days.

John Verry (27:49):

Yeah, I mean, and then you go to the mobility and now and that’ll be another subject for another day. But then you go to IOT and it’s just, and your head starts to explode when you start thinking about how it’s changed in those 40 years.

Darek Hahn (28:03):

And as a business owner, how do you get your hands around that if you don’t have somebody that can help educate you in a simplistic way? Because you don’t need to know that the bits and bytes. You need to understand in a general way how things work.

John Verry (28:15):

That’s really interesting, and I think you’re absolutely right, because increasingly I’m seeing these conferences and events that are geared towards very simplistic-oriented education. So as an example, I spoke at an event yesterday on privacy, and afterwards I could not believe the number of people because I had mentioned something about blockchain, and how many people are coming up and just have no idea what it is, how it works, and just the idea of just saying to someone like, “Blockchain is not as complicated as you think about it. It’s really just, you know what a database is.” “Yeah, I know what a database is.” “Imagine a database that instead of being private is now public and imagine that database there is replicated. You’re using peer-to-peer networking, so multiple instances so that it becomes immutable. It becomes uneditable without people.” “That’s what blockchain is?” “Yeah.” they’re like, “Oh my God, wow.”

John Verry (29:07):

So anyway, I got off the subject. I apologize about that.

Darek Hahn (29:11):

Okay. Just about [inaudible 00:29:10]. I have the same conversation about the cloud all the time.

John Verry (29:13):

Yeah. All right, so go ahead. I didn’t mean to cut you off.

Darek Hahn (29:18):

I was just going to say. There is no such thing as a cloud, but …

John Verry (29:20):

Yeah, exactly. Exactly. Exactly. There is no such thing as a cloud, but yet there’s probably nothing more significant than the cloud at the same point.

Darek Hahn (29:29):


John Verry (29:30):

Which is probably a good point to cut off that part of that conversation.

Darek Hahn (29:31):


John Verry (29:34):

Listen, you talk every day to the same kind of people that I’m talking to every day, because as a virtual CISO, we’re engaging with the management team, we’re engaging with legal counsel and people of that nature. Same kind of people that you’re chatting with. So what do you think would be an interesting topic for another episode of this podcast?

Darek Hahn (29:53):

You probably brought it up a few times, is communication. In the IT world, communication skills and the IT professional. That’s what I was thinking of. Something like that, where really it’s a problem in our industry where we don’t communicate, and this is communication with outside of our industry. We don’t do a great job of educating just in simple conversations, not only at an event like you were at where you’re educating somebody, a larger scale of a group of people, but even just one-on-one conversations. I hear it from my guys. I constantly have to tell them in a conversation with an end user, you don’t use acronyms. They may or may not understand what they are. At least you ask the question, do you know what an IP address is? If you don’t, then explain it to them and help educate them so they understand. I just think communication skills in our industry is one of those things that could be an interesting topic to delve into.

John Verry (30:42):

Yeah, very interesting. Cool. You continue to surprise me, Darek.

Darek Hahn (30:45):

[crosstalk 00:30:48].

John Verry (30:47):

And I actually think that’s a good thing.

Darek Hahn (30:50):


John Verry (30:51):

So before we say farewell, how can folks get in contact with you? What’s the best mechanisms to get in touch with you if they wanted to chat and potentially find out about what you guys do?

Darek Hahn (31:03):

So either by phone, 609-642-1337. That’s my direct line. Or they can email me at dhahn, H-A-H-N, at v, V as in Victor, dash MSP, managed service provider, dot com.

John Verry (31:19):

Excellent. Anything else?

Darek Hahn (31:20):

I’m good.

John Verry (31:22):

I’m good as well.

Darek Hahn (31:23):

Great time.

John Verry (31:23):

This was actually a really … You took it a lot of places I didn’t expect you to go, and I super enjoyed the conversation, so thanks. I appreciate it.

Darek Hahn (31:31):

I did too. Thanks.

John Verry (31:33):

You’ve been listening to The Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected], and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.