Information security is a well easily fallen into.
There is so much on the market.
So many things to consider.
It’s hard to determine what you actually need, and sometimes companies tend to just grab everything in sight to assure themselves that they are on point…
Or not do enough for fear of wasting time and money on the wrong solutions.
There are plenty of ideas, platforms, papers, and regulations to keep in mind, but sometimes, less really is more.
What we talked about:
- Real-world strategies around consolidation
- Analyzing valuable streamlining on a case by base basis
- Digging through vendor options (and how to get the most out of them)
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
John Verry (00:06):
You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.
John Verry (00:26):
Hey there, and welcome to another episode of The Virtual CISO Podcast. I’m your host, John Verry, and with me as always, the rigs to my Murtaugh, Jeremy Sporn. Hey, Jeremy.
Jeremy Sporn (00:35):
John, are you getting told for this shit?
John Verry (00:39):
Does make me… I’m trying to remember which one was Mel Glover… oh, Danny Glover, I mean, Mel Gibson.
Jeremy Sporn (00:45):
Yeah, Mel Glover, let’s go with that.
John Verry (00:49):
[inaudible 00:00:49] my Mel Glover or Danny Murtaugh?
Jeremy Sporn (00:52):
You’re mixing up way too many names. You’re not even close.
John Verry (00:57):
So, let’s just say I rarely mix up things and information, [inaudible 00:01:00] I just did there. Otherwise we’re going to lose a lot of listeners. So, with no further sidetracking, what’d you think about my conversation with Jose?
Jeremy Sporn (01:08):
It was really cool to get Jose’s perspective on this concept of how to do more with less in IT and security, mainly because he’s a sales director for a successful MSP and he’s helping his customers solve this exact problem every single day.
John Verry (01:25):
Yeah. I mean, I think, especially now, as we’re still in the midst of this coronavirus impact, doing more with less is important. It’s also interesting to me that in our conversation was that there were almost always a direct parallel to the ways you can accomplish the same things, doing more with less in the field of information security as well.
Jeremy Sporn (01:45):
Yeah, I completely agree. And Jose himself has worked his way up the ranks in his career, so he’s been the one that has worked directly with clients often, making recommendations on technology, to phase-in/phase-out, negotiating with vendors, responding directly to customer challenges. He’s really earned his stripes and that real world experience really shows through.
John Verry (02:08):
Yeah, agreed. Anything else before we get to the show?
Jeremy Sporn (02:11):
Yeah. If you’re looking to maintain or even increase your IT and security capabilities while reducing that cost effort time notch, this conversation is for you. John and Jose talked through real-life examples where they have helped organizations get more bang for their buck. Stick around to see how you can apply these same concepts to your organization.
John Verry (02:32):
Sounds good. Thanks. And with no further ado, let’s get to the show.
John Verry (02:39):
Jose, thanks for coming on. How are you?
Jose Ciriaco (02:41):
Good. Good. Thanks for having me. Really, really excited to be here.
John Verry (02:45):
Cool. So I always like to start super simple, so let’s do that. Tell us a little bit about who you are and what is it you do.
Jose Ciriaco (02:53):
Great. Let me start there. Actually, I [crosstalk 00:02:57]…
John Verry (02:58):
Jose Ciriaco (02:58):
Yeah, [crosstalk 00:02:59] to a large Hispanic family in the Bronx, New York. And yeah. So, it all started back then. So, yeah. I’m a New Yorker. I was born and raised in tri-state area. Originally from the Bronx and now live in lovely New Jersey. And I’m the Director of Sales for Tekscape. Tekscape is a managed services, IT managed services provider based out of midtown Manhattan, which is a very interesting place to be these days as well. Been with the company for about seven years, going on seven years, and we’ve grown a lot since. So, I’m really happy to have grown with them. Leading the charge with solutions around infrastructure, networking, public cloud solutions, as well as, believe it or not, we still install switches and routers and firewalls and all the nice things that put a network together.
John Verry (03:58):
All right. Listen, I mean, we still need connectivity. Even if everything’s in the cloud, you still need to be able to get to the cloud, right?
Jose Ciriaco (04:05):
That’s right. The cloud is just somebody else’s computer, so you got to connect it somehow.
John Verry (04:09):
Well said. Well said. And in full disclosure, Tekscape is somebody that Pivot Point has had the good fortune to work with. We think that they’re pretty damn good. They’re on our trusted list of people. If anybody says, “Hey, can you point us to a good managed services provider?” They definitely fit into that category.
Jose Ciriaco (04:29):
Appreciate that. It’s been a really good relationship, so far.
John Verry (04:33):
Cool. So in terms of… I always like to also start with a little personalization. So, what’s your drink of choice?
Jose Ciriaco (04:43):
I am, as you can probably tell by the high quality video, I am a beer guy. Therefore, the gut comes with it. That’s just an added bonus [crosstalk 00:04:53].
John Verry (04:53):
[crosstalk 00:04:53] you’re sitting down, basically. [crosstalk 00:04:55].
Jose Ciriaco (04:55):
Exactly. Yeah. You don’t want to see it. And I’m not ready to wear a suit again. [crosstalk 00:05:00]. So, my favorite beer is Innis & Gunn. Innis & Gunn is a Scottish beer. Actually, they brew it. They put it in a whiskey barrel, and age it for a year or however long they do it. And just, the flavor, it’s like a meal in a bottle.
John Verry (05:19):
I’m not happy with you right now because I’m a huge bourbon barrel-aged beer drinker. And if you go to my fridge right now, I’ve got three or four different ones. I’ve got a Ten FIDY bourbon barrel-aged, I’ve got Goose Island, I’ve got, ah, them all. And it’s so funny because I’ve seen Innis & Gunn many times and it’s, if I recall correctly, Innis & Gunn is a ale that’s bourbon barrel-aged, right? Because most of the stuff I drink is porters and stouts that are bourbon barrel-aged, is that right?
Jose Ciriaco (05:52):
It’s an ale, yeah. Yeah. [crosstalk 00:05:54]-
John Verry (05:54):
Jose Ciriaco (05:55):
… but the flavor, I don’t know, it throws you off because it doesn’t… it almost tastes like an IPA, to a certain degree, because it tastes a little hop-ier than you’d expect.
John Verry (06:10):
That is surprising. Because normally, what happens is a lot of that hop characteristic gets kind of mellowed out of it a little by the caramels and the butters that you get out of the bourbon barrel. So is that a bourbon barrel-aged or is that just like an Irish whiskey-aged? Because there will be a difference between the two.
Jose Ciriaco (06:27):
And so, Irish, it’s like a whiskey-aged.
John Verry (06:30):
Okay. Yes, that’s why you do keep a lot of that hop characteristic. All right. I have to try that. So now, we’ll have to have a follow-up podcast just so I can tell you what I think of the beer.
Jose Ciriaco (06:38):
Yeah. I need a review. I fell in love with it at a steakhouse. I found it in a steakhouse in midtown, Uncle Jack’s, and it won me over. One sip and I was done.
John Verry (06:53):
So, we asked you to come on because we’re both fighting the same battle these days, I think, as are most of the people that are probably listening to this, is that in this era of coronavirus, increasingly, we’re trying to do more with less. So, the idea was to have you on because you guys had some very, I thought, clever and good ideas about that. So, let’s start with that is you’re working with hundreds of organizations, helping them do more with less. What are some of the strategies that you’re employing to help them?
Jose Ciriaco (07:24):
So, a couple of the things that have come up that I think are just kind of real-world, straightforward strategies are around consolidation. So, gathering all the services that you say you need as a business within the area of IT and sort of going down the line and scrutinizing everything. So that’s something that we’re helping customers do across the board. Similar, it’s basically like the accounts you keep at home. I had somebody comment to me that they were killing, as soon as the pandemic hit and essential businesses were shut down, or nonessential businesses were shut down, you had folks even canceling their Spotify accounts or what-have-you. Just kind of getting down to bare essentials.
Jose Ciriaco (08:14):
Well, it’s a similar approach. But from a technology perspective, you have to have a lot of planning involved. So you have to kind of know what your end state is going to look like. You can’t just arbitrarily start cutting services because you deem it nonessential in the now, or cutting expenses. For instance, we have a customer right now that we’re working on a data center consolidation project for them. And so basically, it’s effectively getting rid of a footprint, but the slowly discovered as we’re doing the planning that some of the services that they have there are more necessary than they ever expected. So, there’s no fast way to rip the bandaid, you have to really take the time to plan out where you’re going to have services live and shrink the footprint as best you can.
John Verry (09:12):
Mm-hmm (affirmative). So that’s, that idea of consolidation at, let’s say, an IT infrastructure level, correct?
Jose Ciriaco (09:19):
Mm-hmm (affirmative), at the IT infrastructure, and you can take it to the application as well. I mean, it’s really about finding efficiencies and lowering the overall spend through those efficiencies.
John Verry (09:34):
Got you. So might that be something like collapsing two clouds into one, might that be moving from a on-prem or co-located or hosted infrastructure, it includes all of those types of analyses?
Jose Ciriaco (09:51):
Absolutely. One thing that I found was also really integral in trying to bring costs down, because again, the cost savings, or the motivation that we found is very much saving someone’s job. It’s saving the cash flow for payroll, et cetera. So, strategically, you’re saying, okay, if this means that I’ll be able to not lose productivity, then let’s look at every layer, inclusive of the application layer. And so one other strategy that was part of it was vendor consolidation. So, typically, you don’t want to put all your eggs in one basket, but when the services are disparate enough, I found that it’s pretty safe to do. For instance, this is a shameless plug, but Tekscape happens to be a strong Microsoft partner, right? And we have a hosted voice platform as well.
Jose Ciriaco (10:48):
Now those are two hosting, let’s say, managing your mailbox just through Office 365 or an Azure Instance and virtual appliances, and having your voice, you wouldn’t even think of maximizing savings by consolidating them to one vendor, but they’re far enough apart that you know what? Microsoft isn’t going anywhere, and it’s hosted outside of the vendor, but the vendor can leverage the relationship and bring those two together for argument’s sake to drive more savings to the bottom line. Does that make sense?
John Verry (11:21):
Right. Yeah, it makes total sense. And just for the record, we did consolidate completely way before this whole corona thing, but we consolidated on Microsoft platform, including voice years ago. And I got to tell you, it was one of the best decisions we ever made. I mean, there is value to consolidation. So we see it as well on our side of the fence, right? You live on the managed services provider, we live on that advisory and assessment side. But I do think there’s value in either side of our fence too. There’s a concept of let’s deploy best-in-class, and then there’s another concept of single throat to choke.
John Verry (11:57):
And the idea that we originally started our life with using Skype and using a third party voice provider, and we had challenges with, sometimes, the videoconference wouldn’t link up with the audio, dialing from the phone. And we’d call up the provider, and I won’t name them by name, and they would say, “That’s not our fault. It’s Microsoft’s.” And then we call Microsoft and say, “It’s those damn guys, they don’t know what they’re doing.” So I do think that there’s some value there as well. And then the secondary thing, I think, is that there’s hard and soft cost to managing vendors. So less vendor is equals less level of effort, less cost if you’re doing vendor risk management. And then I think you also have the potential if you do it well of getting that synergistic effect of one plus one equals three. [crosstalk 00:12:45]-
Jose Ciriaco (12:44):
John Verry (12:45):
… with systems thinking where we can break a system down into discreet elements. And if you look at systems thinking, and I’ve got Tekscape doing something and I got Pivot Point doing, I got someone else doing something, the challenge is you do have best of breed and you’ve got this idea of this focus, but you could lose an end-to-end holistic view of what’s going on. A good example is years ago, we were involved in a project where we were doing a smart grade infrastructure assessment, and they chose to actually segment out who did which piece. So we did the smart thermostat, another vendor did the smart meter on the outside of the house. [crosstalk 00:13:19]-
Jose Ciriaco (13:19):
John Verry (13:20):
… compromised the smart meter. And we didn’t… excuse me, the smart thermostat. We didn’t do the smart meter. They looked at the smart meter and said the smart meter’s great, does everything you’re supposed to do. It actually did, but they didn’t realize the type of an attack we could do inside on the thermostat and then [crosstalk 00:13:36]-
Jose Ciriaco (13:36):
John Verry (13:36):
… these malicious commands upstream through the meter and hit the DMS, which could cause problems, of course, an outage [crosstalk 00:13:43]-
Jose Ciriaco (13:43):
John Verry (13:43):
… for utility. So I do think there’s this value, like you’re talking about, of this consolidation. I think it goes beyond just a cost value, I think it becomes a management of that, and even potentially, a value to the business, right?
Jose Ciriaco (13:57):
Absolutely. And I agree with you to the point at which you have to almost look beyond the bill, right? And it’s not just dollars and cents, but it’s also time and the time savings. One of my sales guys happened to mention to me that as a sales strategy goes, “Hey, boss. We should really be focusing on remote teleworker because everybody’s remote. It’s not office-centric any longer,” et cetera, et cetera. I said, “Yeah, that’s fine.” But at this point in the game, if you can function remotely, you already figured that out. You’re either doing it or you’re not, or on the path there. That ship has sailed.
Jose Ciriaco (14:42):
So let’s look beyond the obvious and look for these little incremental improvements to create value. And so you had mentioned the Microsoft consolidation that you did. We did something similar to a London-based PR firm where, this was before COVID as well, where just by way of building the call control behind Microsoft, they eliminated all hard phones, which eliminated all the hardware support costs that were part of the footprint. Now this is 26 offices around the world. I mean, it’s a big nut.
John Verry (15:22):
Jose Ciriaco (15:25):
Their smart net through the Cisco support was $120,000 a year. And so, I mean, multimillion dollar firm, not that big of a deal on the budget, but you know what? That five-year ROI is a nice half a million dollars back in their pocket, and it is somebody’s job.
John Verry (15:45):
Right. And the other thing which is interesting too is that when you talk about consolidating vendors, there’s an interesting thing that I see and I see it with you guys at Tekscape and some other people we work with is that I think the best vendors are building ecosystems, and that they’re building ecosystems that benefit their clients. So when I say single vendor, I don’t necessarily mean that there’s only one vendor. In a weird way, an ecosystem is kind of blending the best of both, right? That single vendor approach with the best in breed approach, right? So someone like yourself, you’re going to the market and you’re saying, “Hey, we’re going to partner with Microsoft,” or, “We’re going to partner with Dell,” I apologize. I don’t know if Dell’s a partner of yours or not, but you [crosstalk 00:16:28]…
Jose Ciriaco (16:28):
John Verry (16:28):
Okay, good. I’m glad that I used somebody that you do. [inaudible 00:16:32]. We’re going to have to roll back the [inaudible 00:16:33] at that point.
Jose Ciriaco (16:33):
John Verry (16:39):
But even partnering Pivot Point, right? It gives you this ability. And so from a end client’s perspective, they can have a single vendor that represents many vendors, represents an ecosystem, which I think is another huge benefit to somebody right now that’s trying to find a way to do more or the same with less, right?
Jose Ciriaco (16:58):
Absolutely. And that’s why I brought up the phone because one of the other points that I think we had chatted about was question everything physical, anything and everything that you can touch, that has blinking lights, just question it. Can it be virtualized? Can it be put into a more accessible solution? Whether it be, again, can I just spin up the same appliance in the cloud, whatever it is. Just question everything on the physical side, and that’s been helpful to customers as well.
John Verry (17:32):
Got you. I know when we were chatting about in preparation for the podcast, you talked about a second strategy that you guys have employed. That’s this idea of automation and/or process improvement, process re-engineering. Can you talk a little bit about that?
Jose Ciriaco (17:46):
Yeah. It’s actually something that I like to use customer examples, just real world companies. We target companies between 50, 500 that serves sweet spot, but we have [crosstalk 00:18:01]…
John Verry (18:01):
Okay. 50 and 500 employees?
Jose Ciriaco (18:02):
Employees, rather, yeah. And so that’s very SMB, very real world. Your listeners are really in that pocket, I would say. And so we’re a good example of that. We’re less than 500 folks at Tekscape. So once the pandemic hit and once the shutdown happened, we chose to focus inside and look at what operational efficiencies we can create. One of the strategies that worked pretty well was just widening folks’ scope. You don’t have the commute any longer, or we were typically not a fully virtual company, we do have physical offices in three locations, but winning back that time and repurposing some folks that maybe aren’t going to be as busy, for instance, our procurement department. Our procurement folks aren’t shipping a heck of a lot of boxes during the global shutdown, right, where logistics just become super challenging.
Jose Ciriaco (19:03):
So grabbing some of those cycles and finding ways to create some automation within just the sales funnel and the sales channel, that was an improvement. And also, better analytics and reporting for our customers was another serve net improvement that was put into play now. The reason I mentioned the automation and operational efficiencies is that again, we accomplish more with less people because we did lose a couple of folks after we went into shutdown, a couple of folks who were not essential to the business. So we did have less staff to deal with the day-to-day problems in certain areas, and obviously, that wasn’t in the engineering. We’re actually hiring engineers. But we had some administrative support that was no longer going to be with the company, so how do you continue to be productive, how do you create automatic, automated ways to accomplish the same task.
Jose Ciriaco (20:03):
So it took a little bit of investment in getting some developers onboard to using some BI tools, creating some better reporting, like I’ve mentioned, but now, it runs itself. And now, it just takes one person where typically, it would be a team of three to accomplish the same goal. So it’s really about taking the time to really look internally at every piece of your operation to maximize what you can do with very little. And I know it sounds super Captain Obvious, really, but I’ve seen the net effect and it’s amazing what you can accomplish in a down economy where people are worried about having a job.
John Verry (20:49):
So you said you didn’t want to be Captain Obvious, I actually couldn’t disagree with you more because I think very often, that’s exactly what we need to be. Because I think sometimes, we, especially in these times of stress and challenge, we tend to lose perspective a little bit. And I think one of the things we’ve done a good job of, and I’ve seen some of our clients do a good job of at this point in time, is take advantage of this time to do exactly what you were talking about. Re-look at some of these processes and figure out, how do I automate this, or there’s another term I like to use called operationalization. How do we operationalize something we’re trying to do.
John Verry (21:23):
So I’ll give you a good example. We have a client that’s ISO 27001 certified. They’re a great firm. They do video teleconferencing services, manage white glove stuff, they do, what would you call it, telemedicine in a really elegant way. What they did during this time is that they looked at the way that they were running their ISO 27001 management system and took a little of the time, broke it down into some processes and actually used their helpdesk ticketing system to operationalize that, to automate that. So now, there’s, let’s say, 48 things that need to happen during the year, those tickets are going to trigger every year at the right week, right month, right quarter, to make that happen automatically.
John Verry (22:06):
We did the same thing with our ISO 27001 management system using Wrike. We use a project management tool. So we actually converted our project manager… excuse me, our ISO 27001 management system into a Wrike project plan, which means that it’s just going to happen, right? And if it doesn’t happen, everybody knows and you’ve got mechanisms to keep it afloat. So I think what this type of stuff that you’re talking about doing is really important. And I do think it isn’t a Captain Obvious, it’s a smart thing to do.
John Verry (22:33):
I think another thing that we see people are doing, I don’t know if you’re seeing the same thing, and I think you actually used the same term that I’m about to use earlier, the concept of nice to have versus need to have?
Jose Ciriaco (22:44):
John Verry (22:45):
Right? I think you do need to start to begin to look at this and say, look, we want to do your pen test for you. But if the pen test is a nice to have, it’s like, hey, I want to make sure we’re secure, well, maybe it can slide a little bit, right? Versus if it’s a payment card industry, data security standard mandated pen test, it really can’t, right? You’re going to lose that ability to process your credit cards. Same thing on your side. Do you see people starting to make that or are you helping clients kind of understand what’s the we should do this versus that we absolutely need to do this?
Jose Ciriaco (23:20):
Excellent question because that’s another piece of the decision-making process that we try to be influential on, and yes, offer guidance as to it’s not so much, in IT, we like to geek out on the next cool thing, right? Ah, wouldn’t this be cool if we can just introduce AI into your environment, right? Ah, great. Now, you can speak to endpoints and then have some sort of output. Wouldn’t it be great? Well, who cares. As much as I’d love to put cool knobs into folks’ environments or into their infrastructure, whether it be for communications or just systems in the cloud, it doesn’t add value to guide someone to something that is very obvious that they don’t need, or try to give the impression that it’s critical, right, just for the sake of the project, just to keep a project moving.
Jose Ciriaco (24:15):
So one thing that we’re actually trying to help folks to do is to actually take an assessment of the environment. So, actually, it’s a free service and just offering it out. It’s basically an investment of our time with, we call them pre-sales engineers, right? Some specialize in collaboration, other ones in cloud services, and so forth. And then sort of put the picture together because a lot of… historically, I haven’t seen an IT department do a really tremendous job with documentation in general. Documentation is one of those things that, yeah, yeah, we’re going to do it, boss. Yeah. [crosstalk 00:24:59]…
John Verry (25:00):
Never done. Never walked into an environment that said, “Sorry, we have too much documentation of what we do here.”
Jose Ciriaco (25:05):
Exactly. And it was funny, I ran an infrastructure for a hedge fund for a while and I had a team of six folks, and that was the always I’m going to get to it item in terms of having the bible run book. And so what we’re offering is basically that. Let’s put together high level and sort of look at the spectrum with you, look at from all the way up the layers, minus the application assessment per se, but as high as we can go in terms of looking at every layer of your infrastructure, and let’s see what really is important. And one of the last things that we’ve strived to do as well that I encourage everybody to look for, when you’re working with folks like ourselves, there’s an MSP, a security specialist, a specialization shop or specialized shop, rather…
John Verry (26:05):
Easy for you to say.
Jose Ciriaco (26:07):
Yeah, [inaudible 00:26:08]. I think I started too early. So…
John Verry (26:11):
I think the Innis & Gunn should’ve waited until after [crosstalk 00:26:15].
Jose Ciriaco (26:16):
I think so too. I’m drinking water and trying to get it out of my system before I slip the tongue here. But anyway, it’s just, and I think it’s something that we’re going to talk about either way, finance everything. Literally go OpEx on everything. And if you’re working with a partner or with any technology partner that doesn’t have some measure of an option or a vehicle for you to conserve your cash flow, then find another one. Find someone that will work with you on the business level. Yes, they have IT expertise and they understand your problem and they claim they can fix it, but you also need that business partner that understands your situation and is going to be not just empathetic or a shoulder to cry on, but be able to implement things in a way that’s going to be supportive of your current situation.
John Verry (27:13):
Right. And it’s funny, because you can do that in a way which is win-win. One of our core values is win-win. And a lot of our clients are struggling for dollars, like a lot of people are. So what we’re always looking for is ways to be win-win. So as an example, so ISO 27001 precertification, helping clients get certified. It’s expensive proposition, that might cost $80,000 in year one, but in year two and year three, they don’t need to spend very much. Let’s say it’s $20,000, might even be less that, but let’s say it’s $20,000, so we end up with a three-year cost of $120,000. So what we’ll do is we’ll say to a client, “Instead of giving us 80, 20, 20, we know times are tough right now, let’s go on a three-year plan and you’ll give us 40, 40, 40.”
John Verry (27:55):
$3,000 a month basically for three years. So what it does is by making a long-term commitment to us, you’re saying to us, “Hey, Pivot Point, we want to work with you.” We get it. Okay. What we’re doing is we’re time shifting money and helping you. So it kind of becomes a win-win situation. So, I agree. Do you see Dell doing it, right? I was just on Dell’s website and [inaudible 00:28:12] laptop. They’re 0% for 18, over 12 months or 18 months on a lot of their equipment right now.
Jose Ciriaco (28:18):
Yeah. I mean, Cisco’s doing it. We actually have a partner called GreatAmerica, which we use to finance our own projects. Yeah, zero all the way. They’re like free money. Terms where you’re not cutting a check for that first year, that’s a new interesting program that kicked in right after the pandemic really took hold, that’s your Cisco capital finance. And strategically, you can really leverage the market when it comes to financing dollars and amortizing your overall project spend. And they’ll throw any… Dell will… you can buy paperclips and they’ll finance it. They honestly don’t care if it has anything to do with Dell equipment or not. And they’re flexible with the mix of man hours to product, right? You can play with those numbers.
Jose Ciriaco (29:13):
So again, I would encourage your audience to really scrutinize the partner that you’re with or, obviously, call me, and we’ll figure out a way to…
John Verry (29:22):
No, I like your term partner, because I think that’s what it is. I mean, we’re all partnering with each other at a time where we’re all struggling. And look, I mean, in a partnership, it’s got to go both ways, right? If it’s not mutually beneficial, it’s not a partnership. If you’re looking to exploit the third party, if it’s win-lose, don’t bother, right? In the long run, that’s only going to hurt you, but find somebody that’s willing to work with you on a win-win basis, who understands, empathizes, understands where you’re at. Yeah, I like your thought.
John Verry (29:46):
One other thing you talked in a conversation you and I had a couple weeks ago was the idea of virtualizing, fractional resourcing, using third parties effectively when maybe some of the people listening have already gotten to a point where they had to let people go and now they’re shorthanded, right? So talk a little bit about some effective strategies for that situation.
Jose Ciriaco (30:07):
Right. So, in essence, I mean, we’ve even done some of it internally, but we offer help in that area, which is I don’t want to turn this into a commercial, but Tekscape typically hasn’t been the body shop type where we’ll just have consultants come, rent a tech and they just come out and fix your mouse and then bill them by the hour. Not typically. But what we have done is we’ve been leveraged to be additional hand for firms who have shrunk their IT staff. So we’ll supplement on a retainer on a regularly scheduled, very sort of disciplined schedule with a consistent FTE from Tekscape. So in essence, being an extension of their team.
Jose Ciriaco (30:54):
So I would recommend to your audience to, number one, if you’re shorthanded right now, using companies like, obviously, like Tekscape, Pivot Point, going into Upwork and getting, identifying the task or identifying the set of tasks or the area of your business that really needs attention. And then building a program out of it, break it down into projects, so those initiatives into these micro projects. And then, really, just finding a way to delegate to contractor, and negotiate. Always negotiate the hourly rates. I’m happy to negotiate with anyone, depending on the skillset that you’re going to need of the engineer or the person who’s going to help you.
Jose Ciriaco (31:46):
I think that, that, overall, strategically, you can have that control fixed cost, you can set your budget, come in and out, keep productivity high, get what you need done, done, and not have to overburden yourself with, because as managers, I think sometimes, I tend to feel like I have to do everything, right? I have to get involved and do everything. But breaking those pieces up is only going to take one thing. Understand the project or the problem to the best of your ability. That way, when you propose it to a contractor, you have a good basic understanding. And I know that, that sounds a little hooky, but I had to kick off a project, a database… I’ll admit it. I had to run reports to run commissions for my sales team, okay?
Jose Ciriaco (32:40):
And I have this database in Azure that holds effectively all my billings and everything that I needed to make it so. I was going to go in… we’re part of a network of partners throughout the country, so I have access to other application developers, IT folks and what-have-you, peers. And so I was going to go into the pool and try to contract for this one job that I need, I don’t have the skillset in-house, I don’t have an in-house SQL guy. The funny thing is that before I could even approach it, I needed to spend a couple weekends learning and understanding both the application that I wanted to render the reports and get a baseline understanding of the SQL database that I’m going to be tagging.
Jose Ciriaco (33:32):
So, understanding how I’m going to connect to it, understanding get commands, just understanding enough to be dangerous and then I was able to sort of intelligently to the contractor. So I think part of the overall is, yes, identify your problem, fill in the gaps with contractors, negotiate your rates, always negotiate your rates, but understand enough not be [crosstalk 00:34:00]…
John Verry (34:00):
[crosstalk 00:34:00]. Yeah, you can use that word. I think most of the people heard it once or twice.
Jose Ciriaco (34:07):
Once or twice, not during this call. This is the sanitized version.
John Verry (34:12):
So, something you said I think is really, really powerful there, and I want to just double down on it, is you said something which I really love, which is when you look at someone’s job, it’s a series of projects. And it’s hard to outsource a job, but it’s not hard to outsource projects with specific achievable [crosstalk 00:34:30].
Jose Ciriaco (34:29):
Outcomes. Mm-hmm (affirmative).
John Verry (34:30):
Yeah, outcomes, good word. So what I would suggest is, is that if you’ve got a job that used to be done somebody, what are the three or four outcomes that you were looking for? What are the three projects that need to be done? So as an example, if you lost somebody that was heading up your information security, you need your risk assessment updated, you need to conduct a gap assessment, you need a gap remediation plan, you need a project manager to make sure that, that project gets executed, right? Those are very easily outsourced. Outsourcing a job is difficult. Outsourcing discreet projects isn’t. So I think that’s really valuable what you said.
John Verry (35:06):
And I think it speaks to another thing, which is that when you get into those strategic advisory roles, if you’re in a reduced dollars and cents world, in most organizations, there’s not 40-plus hours worth of that type of work. Building the plan that needs to be executed, that’s a lot of work. But once the plan’s there, just keeping the plan tuned and operating, you don’t need that high, super skill level. So this idea of leveraging a virtual CISO or a virtual chief privacy officer and a virtual security team, is another great example, or a virtual IT team is another great example, because if you think about it, to run an IT shop, you need different skillsets, right? You need somebody who knows Office, you need somebody who knows active directory, identity management, you need someone who understands network security, someone who understands cloud security, someone who understands logging and monitoring.
John Verry (35:54):
And you can’t afford to hire all those people, but you can hire an IT managed services provider that can provide all of those skillsets for probably less than the cost of a single full-time employee. And we do the same thing-
Jose Ciriaco (36:07):
John Verry (36:07):
… on the security side, right? You need business continuity, you need Linux security, you need application security, you need network security, you need someone who can help you get ISO-certified or deal with SOC 2 or DFS 500 or some standard, some compliance requirement, same idea. So I think that virtual team concept also plays well here.
Jose Ciriaco (36:26):
Yeah. And you buy the bench, you don’t have to put your eggs into one individual who’s going to be magically be able to somehow get everything together for you. Buying that bench is invaluable to me.
John Verry (36:42):
So I’m going to throw one other crazy idea, because it goes absolutely contrary to everything that the whole purpose of this podcast was for, but I think it’s something that’s worth bringing. All right? So the idea of the podcast was how can we do more with less, how can we spend less. I do think there’s one other interest I think I have seen a couple people do, and honestly, at Pivot Point, we’re trying to do the same thing. So when this all hit, a lot of people are like, “Oh, come back, marketing. Come back, sales. Come back this, come back that.” We’ve been looking to think, where can I make strategic investment right now because in my opinion, I saw this in the 2008 slowdown, there’s got to be a lot of the weak people in your industry that disappear.
John Verry (37:21):
I don’t care if it’s a managed service provider, an advisor, an assessment firm like us, you could be a software-as-a-service firm, you could be a manufacturing, there’s a lot of companies that are going to go out of business, and I don’t know when the recovery’s going to take [crosstalk 00:37:32]…
Jose Ciriaco (37:32):
That P, P, Ps running out.
John Verry (37:34):
That’s right. So when does the recovery happen unfold? Does it happen Q3, Q4, Q1, Q2 next year? Whenever it is, I do think that I don’t want to… I think people should be thinking about strategic investments now that will pay off in massively on the backside of this, right?
Jose Ciriaco (37:54):
Absolutely. I couldn’t agree with you more. In fact, our strategic investment is really cut into two things, people and capacity. So, we happen to have our own private cloud as well that we offer up. Again, I don’t compete with Azure and AWS and all those, it’s sort of a hybrid approach into special situation type solution. The point is that, so we’re just expecting to need the capacity. You’re going to need to be able to host, we’re going to need to expand because in ’08, we actually had the best quarter. Q1 of ’09 was probably one of the best quarters in the history of the company. So, typically…
John Verry (38:40):
Wow. In the height of. I mean, that was-
Jose Ciriaco (38:42):
That was the height of it, yeah.
John Verry (38:43):
… approaching the height of the recession.
Jose Ciriaco (38:46):
Yeah. It’s insane because, I don’t want to sound and I honestly don’t want to sound like we’re bragging, but we’re fortunate enough to be in the types of industries where the needs are just going to be there. And actually, not that we’re recession-proof, but unless you’re selling widgets, which nobody’s buying today, and you offer a service that has value and is necessary to do business, I mean, I don’t see how that strategic investment doesn’t come your way. So I would encourage your audience to…
John Verry (39:24):
Right. If you’re not retail or if you’re not travel, I mean, look, there’s some industries right now that you just have to feel sorry for.
Jose Ciriaco (39:30):
Oh, I lost…
John Verry (39:32):
I have a client that’s in the travel industry that’s at 97% reduction of revenue, and there’s nothing they can… I mean, you can’t make a strategic investment there. But I do think you’re right, I think in so many industries, I think you got to think twice that maybe strategic investment is the right thing to do, not a scale back. But, all right, cool. It’s interesting that you kind of think the same way that we do. All right. So I think we beat the hell out of this pretty good. You agree?
Jose Ciriaco (39:59):
Yeah, yeah. I mean, I wanted to just comment that there was… I can’t emphasize enough the OpEx model and to your audience to, really, my peers, folks in the infrastructure, they’re resellers, they’re effectively high paid Amazon guys, a lot of them. So to your point, a lot of them aren’t going to be around because again, the days of buying a data center or cooling and power and connectivity and architecting that to the SMB is over.
John Verry (40:41):
Over. It’s over.
Jose Ciriaco (40:42):
It’s been over for some time, but now, this sort of solidifies it that it’s a cloud first approach. So I really challenge your audience to talk to the partner that you have today. Talk to them about how they can be a better partner and help you reserve cash for those strategic investments. Think OpEx all the way. Forget capital investment of any kind and reserve cash. If you go in to make an investment in your infrastructure, find a partner who can work with you to stretch those dollars as best you can.
Jose Ciriaco (41:22):
I had a retailer that as soon as this hit, I paused their billing and basically, indefinitely. And they’re still theoretically a client, but they sell sunglasses at the mall, and they’re a national chain. It’s like, okay, there’s nothing to talk about here. But again, go back to whoever you’re working with, and if not, find somebody new to identify the ways that you can… to really extend that conversation to how I can get my business fluid. Keep the lights on and move forward as flexibly as possible. And if they’re not flexible, kick them out.
John Verry (42:07):
Right. Right. You expect that the same thing out of a painting contractor, wouldn’t you?
Jose Ciriaco (42:15):
I hate you. Call’s over. You knew you had to bring it up. I still haven’t done it. Jeremy, cut that out.
John Verry (42:30):
First time I met Jose, it was about three weeks ago. We were on [crosstalk 00:42:33] basement. He’s like, “No, my wife had to put up some paint patches.” I’m like, “You better have that done by the podcast,” and he didn’t. So I promised I was going to zing him, and I did. So.
Jose Ciriaco (42:45):
I actually have a picture of my kids that I was going to put right in that spot. It covers it exactly. I’m not kidding you. This is literally, I had this photo and it’s just long enough to put over there, but it would look so awkward and you would know exactly [crosstalk 00:43:05]… you’d call it out anyway.
John Verry (43:07):
I would’ve say, “What are you hiding behind that? Can you take that picture?” I would’ve busted your [inaudible 00:43:11] one way or the other. You knew it was coming. [crosstalk 00:43:13]. You handled it well.
John Verry (43:15):
All right. So we beat the hell out of this topic. I think we did a good job. I think we came up with some good ideas here. So, one thing we always like to ask to have a little fun, you’re in our space, so give me a fictional character or maybe somebody in the real world who you think would make either and absolutely horrible or an absolutely amazing CISO, and why do you think so.
Jose Ciriaco (43:34):
So, and I got the question in advance, so I am lucky enough to have…
John Verry (43:40):
Surprise people with that one, that’s all [crosstalk 00:43:42].
Jose Ciriaco (43:42):
Yeah. So this is not spontaneous in any way right now. I’m going to tell you. I thought long and hard, and somebody that I’ve been listening to lately, just because I’m trying to move some money around myself and just trying to not [crosstalk 00:43:56]…
John Verry (43:56):
Not lose money.
Jose Ciriaco (43:56):
Yeah, not lose money, which, I mean, as of today, all losses were erased from what I saw. It’s just whatever.
John Verry (44:06):
Amazing. [crosstalk 00:44:08].
Jose Ciriaco (44:07):
Yeah. It’ll pop. So, Charlie Munger, I love listening to this guy. He reminds me of the grandpa I never met, or something. So, he’s one of the partners at Berkshire Hathaway, and his investment approach is very common sense but he’s also flexible enough to change his strategy. So as CISO, policy and/or things security are in your hands, so you have to have some measure of flexibility. You can’t just apply the same, or have the same approach across the board. So I think that a personality like that would be ideal. And over-analyzing the data without just letting it tell you the story is… one of his approaches is, really, he’s always commenting on how these really smart guys from Stanford come out and they really try to build these algorithms that are going to be the magic bullet and predict the market.
Jose Ciriaco (45:11):
All the analytics in the world dumped into some super computer is going to give you the magic [inaudible 00:45:17] that’s going to give you all the answers. Yet his approach is very much like the conventional wisdom approach. So, if there’s smoke, there’s fire. If it walks like a duck, the whole thing. So I think that approach to security posture, to policy, to the layers of the Swiss cheese that you’re going to layer upon layer to give you that nice, solid no holes, no patches, I think that approach would be amazing if you had him in a position like that.
John Verry (45:55):
Yeah. So two things there. So first off, I agree with you, by the way. And I’m not surprised though, if you think about it. Buffett, and he’s a brilliant guy and I’ve read his book, he’s about risk management. And information security is about risk management. So, I mean, they’re financial risk management gurus. So why wouldn’t you be able to apply the same risk management concepts to information security, right? It’s about identifying threats to your portfolio or identifying threats to your digital portfolio, right? And then managing those risks. So, no disagreement there. The second thing is, is that I just have a little concern about hiring a 96-year-old CISO. [crosstalk 00:46:35].
Jose Ciriaco (46:35):
[crosstalk 00:46:35]. Yeah…
John Verry (46:37):
I mean, we can’t count on him being with us for too many more years.
Jose Ciriaco (46:42):
Well, that’s where documentation comes into play. And there you go.
John Verry (46:46):
We need a backup plan. We need a good second.
Jose Ciriaco (46:48):
John Verry (46:50):
All right. So, last question. So, you chat all the time with the same kind of people we do, business leaders, people in IT leadership, people in information security leadership. Any ideas for some interesting topics for a future episode?
Jose Ciriaco (47:06):
Well, I really would love to… I download blog content all the time and I know a lot of times, it’s just a marketing pitch, but there are little nuggets of really good information in this scheme they’re in. And you and I talked about listening to some podcasts that we have in common, that we listen to as well. So, I would get a lot of value out of a policy episode, just something around setting up an IT security policy. So I’m the new CIO, CTO. I’ve inherited this team of knuckleheads that I’m looking at and I’m sort of looking at the grand picture and I got to take it in. What’s the starting point for me that’s sort of the easy hits? Sort of the easy checklist type items. Let’s kind of go down the road.
Jose Ciriaco (48:01):
Also, the remote workforce is the standard now. Now, everybody that can be remote will be remote. If not, we’ll go back to an office-centric. Whatever it be, but the remote teleworker is now a solid, solid portion of the workforce. Period. It’s grown and it’s not going to shrink [crosstalk 00:48:25].
John Verry (48:24):
No. Well, the genie’s not going back in the bottle, right?
Jose Ciriaco (48:28):
Correct. And so, security around that individual, that element of your…
John Verry (48:38):
Yeah. How do you ensure that the same security controls that were in place, I mean, realistically, we should be in a world where it shouldn’t matter where someone works from, the same basic security treatments occur no matter where they are. [crosstalk 00:48:51]…
Jose Ciriaco (48:52):
John Verry (48:52):
Yeah. So in a weird way, that’s almost, we have a planned episode on zero trust, and in a sense, zero trust has a lot of those principles. There’s a little more to managing remote workforce than just a zero trust model, but I think fundamentally, you’re right. It’s in that same domain, if you will, that same grouping. So, too excellent and it’s actually interesting. On the policy strategies, that’s a really interesting question because policy drives standard, and standard drives procedure. And policies are 80% common, 90% common across every company. Standards are 60% or 50%, and then procedures are 20% or 25%. So there’s actually a complexity to something very, very simple that you talked about, but I don’t think we’ve ever really talked about that in a more formal way. And I think that would be an actually really good episode. So, thanks for those. Both good. Thanks.
Jose Ciriaco (49:43):
Yeah. Thank you. No, and I’d love the perspective type conversation because my side of the story, so to speak, just gives you that slight turn. You look at and kind of see things from a slightly different angle, and yeah, what he said, yeah, sure. I should’ve thought of that, but just seeing it in a slightly different angle could change your strategy completely. And so I think that having a conversation around, particularly around the virtual workforce and how big brother you want to get on them, how medieval you want to get on their asses, I really want to understand from somebody who’s got that level of paranoia. What layers do you put in place to…
John Verry (50:41):
Yeah. I’ve got a client that’s a law firm, and law firms have never traditionally been work-from-home, and they’re in this work-from-home world. And yeah, the level of paranoia that a law firm that’s handling inordinate amounts of personally identifiable information date on behalf of registered investment advisors of financial services firms, yeah, there’s a really good perspective to be had there and to talk about. So, good topic.
John Verry (51:05):
So before I bid you ado, if folks want to get in touch with you and Tekscape, what’s the best way to do that?
Jose Ciriaco (51:12):
Right. So, I mean, I don’t know that anybody uses a phone anymore, but it’s (855) TEKSCAPE. That’s pretty easy to dial, so you can dial and speak to one of our representatives. Call now. And we’ve got tekscape.com that’ll get you right to a Contact Us button. We’ve got a little bot there that’ll ask you what do you want and how can we fix your problem. And my email is jciriaco, J-C-I-R-I-A-C-O at tekscape, T-E-K-S-C-A-P-E dot com. I can actually still say it, so I guess I didn’t [crosstalk 00:51:48]-
John Verry (51:48):
Jose Ciriaco (51:49):
… overdo it with the Innis & Gunn.
John Verry (51:50):
Yeah. If you had gone for four instead of three before the podcast, we would’ve [crosstalk 00:51:54].
Jose Ciriaco (51:54):
John Verry (51:54):
All right. Jose, man, thank you. I genuinely appreciate you coming on the show.
Jose Ciriaco (52:00):
No, thank you so much for having me. This was a lot of fun, and look forward to chatting with you again.
John Verry (52:06):
You’ve been listening to The Virtual CISO Podcast. As you probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.