BizTech BizTech Podcasts

Ep. 105 Shocking Security Sales Blunders: Help Your Customers Quickly! with Jake Weaver of Lumen

February 21, 2024

Subscribe to the Next Level BizTech podcast, so you don’t miss an episode!
Amazon Music | Apple Podcasts | Listen on Spotify | Watch on YouTube

Come along as we talk to the new best friend you didn’t know you needed with Jake Weaver, Advanced Solutions Consultant from Lumen. As we talk Security Sales Blunders, Jake walks us through the vast security product portfolio of Lumen. We cover everything from Virtual CISO & SOC to Managed Detection and response, Incident Response, and everything in between. And the great thing is….You have access to all these offerings right now in the Lumen portfolio! Don’t miss and Jake covers quite the wide array of offerings!

Welcome to the podcast designed to fuel your success selling technology solutions. I’m your host, JoshLupresto SVP of Sales Engineering atTelarus and this is Next Level BizTech.

Hey, everybody, welcome back. We are on we’re talking security today, more specifically, shocking security sales blunders help your customer quickly. Because it’s urgent. And with that, we have the international man of mystery fromLumen Jake Weaver, Advanced Solutions consultant. Jake, thanks for coming on, man. Welcome. Thanks for having me, Josh. Appreciate it. Jake, I want to know first, and all the listeners want to know about any crazy windy backstory or linear path that you’ve had. But walk us through that. What’s your path to get to where you’re at now?

Oh, gosh, well, I’ve always really kind of considered myself kind of a nerd, right? Never really admitted it, but got into working for Quest in my early 20s, doing central office work, wiring things up, really enjoyed that, but wanted more out of it. And ended up getting into a sales gig during kind of the refi boom, working for Wells Fargo way back in the day, really enjoyed sales, cutting my teeth in sales. Although kind of on the back end of that refi boom there, I got kind of tired of telling folks, Hey, you know what, your house isn’t worth quite what you thought it was, and started jumping around to different sales gigs, trying to figure out what I enjoyed, and kind of missed the technology world a little bit. And then the opportunity came to work for a C-LEC here in the Twin Cities, and worked for a small C-LEC for a couple years, kind of got back into telco, got back into what I missed, right? That kind of designing and connecting the dots for people. Then I ended up taking a job with CenturyLink back in 2011, and been with CenturyLink, now Loom, and ever since, and became an Advanced Solutions Consultant about five years ago, really working to help our partners understand kind of the broader portfolio of Loom and outside of just the speeds and feeds, and really helping folks with their security and infrastructure needs. And so it’s been fun, right? I love it. Yeah, I think, you know, we go back, geez, we go back to Loom and to CenturyLink to Quest to US West, right? So it’s been cool to see all these evolutions over time. And I know there is a plethora of people in our portfolio from the partner side listening to this, that they absolutely know Loomin is this massive global network company. But I would argue here, to prop you up for a second, you have been an absolute game changer for us, for our team, for our partners, to open up this idea of what Loomin really offers from an Advanced Solutions perspective. So help us understand a little bit, we’re going to get into products here in a little bit. But help us understand kind of what your role is all about and really what you’ve helped shape with some of those products, you know, security and even cloud. Sure, sure. So what my role has really been to try to do is try to take the fact that we have, like you mentioned, this giant network, right? That’s really the the shim that allows us to get in and apply these broader services and solutions for our customers, right, whether it’s infrastructure, getting into their applications, their data, helping them figure out what’s the right home for those applications, having that what I refer to as a design the dots conversation. But you’re not really going to have a design the dots conversation without having a secure the dots conversation. So being able to come in and talk to yourself and your team, and really sit there and go, hey, what’s your customer struggling with there? At the end of the day, customers are looking to be more effective and efficient at generating revenue. That’s apps and data that do that, right? So helping them find the right home for those applications, their data, secure those connecting the dots, well, we’ve got that down pat. That’s, that’s really what we’re trying to do at the end of the day. And it doesn’t really, we have a broad breadth of tools and different OEMs and such that we can tap for those different solutions that we need to bring the bear to help check those boxes for the customer. But it’s just really trying to come in and understand the challenges and goals that everybody’s having. And that’s, that’s been the fun part. That’s been where we’ve really been able to move the needle from a from a product perspective internally is just list taking the feedback that we hear, that I get from working with your teams and some of our other partners out there. What are customers struggling with? And what do we need to bring to the market to help fill those those challenges for them and address those.

So as you look forward here, 2024, any, any initial thoughts on we’re gonna talk blunders and all this good stuff here, just a second. But any thoughts on how businesses are going to look at security in 2024? We got a lot of moving parts out there. Anything different? Are you gonna argue that we say double down on some of the things that we’ve talked about frameworks and whatnot? I think there’s going to be a continued doubling down. But there’s also going to be a kind of a right sizing that needs to happen for a lot of customers due to vendor fatigue, tool fatigue out there, right? There’s a lot of different OEMs out there that are coming to market every day with new, new this, that and whatever. And by the time somebody gets something stood up, a new tool, a new service, a new solution, there’s already technical debt around that. So a right sizing around some of those vendors, what do we need that’s going to move the needle the most with maybe probably the limited staff that they already have. The continuing trend that I see outside of the technical debt that I’m alluding to is the human debt. It’s really hard to find and retain people to manage all these tools and environments, whether it’s security or infrastructure. So I think it’s going to be kind of more of the same, but with a focus on kind of really right sizing and making sure that there are the right people in place to help manage all those tools. Yeah, I love it. Yeah, still seems like it’s still a massive shortage out there. So yeah, I love the call out on people that is not getting any better. We hope that we hope the kids in grade school that are graduating and going to college soon will help fill some of those gaps. But we’re a few years away. So I’m hopeful. They got to embrace their inner nerdiness and right, right under the market. Nerds win out in the end, just right. He wonders. Nerds always win. Okay, let’s talk about let’s talk about some security mistakes. So from a sales perspective, any common security sales mistakes, slip ups that that you see sellers out there making? And how do we address these?

Um, I think the most common we’ll call them slip ups that I see is treating things to transactionally, and not having a more holistic conversation around what’s going on. Yes, we can bring in a tool, we can sell a widget. But what is that really going to do? What is that actually protecting? We need to make sure that we’re asking questions about who are who are your people? Where are the people? What are your processes in place? Do you have the right processes to support these tools? Do you have the right documentation? Do you have runbooks put together? If somebody up gets a new cert on their resume, ups and leaves, can you plant another button that seat, hand them the runbook, and they can just get get going, right? So not asking those questions and just transaction transacting and selling a tool or a license. You’re not really doing anybody a whole lot of favors, you’re just putting a Lego and in the box, and not really helping give the instructions on how to use that Lego how that best supports their organization, how it elevates their security posture. So asking some maybe linear questions to get kind of upstream and downstream of maybe what you’re initially trying to talk to talk about and try to sell. I mean, if it’s a firewall, what are we protecting? Who’s who’s on the other side of that? Where’s that traffic going? Do we need to enable different do we need to get into a sassy conversation because that firewall service needs to be protecting a remote workforce?

We need to go we need to ask those follow up questions so that we better understand the context of the customer customers environment, not just conduct a transaction. Fair. All right, let’s let’s talk about we’re gonna spend a little bit of time here. Let’s talk about I call this section lumen product awareness. I believe that people should know more about all of the great products that you have, and they should know more about you. By the way, if you guys haven’t reached out to Jake, you’re missing out. He responds at all hours of the night. It’s really phenomenal. And he hates sleep. And he loves advanced solutions. No, but but Jake, Jake’s a stud. And you’ve been really, you’ve been really

helpful for us to help a lot of people distill down the products in the portfolio. And everybody knows that I love OEMs. So I’m going to call out a bunch of lumen products that I know. And then I’m going to leave it to you to start to talk about what are some of the OEMs here? What are these tool sets? How are we selling these things like that? So we can spend it, we spend a good amount of time here. So let’s see, we’ve got virtual CISO. So we’ve got virtual chief security officer, we’ve got virtual SOC, security operations center. We’ve got compliance, readiness assessments. We’ve got all these things around sassy to your point, right? The evolution of SD-WAN and convergence around security. I’m running out of fingers here. We’ve got incident response. Oh, crap. What do I do? Somebody’s attacking me. We’ve got managed EDR and point detection and response. We’ve got a I lost count. But last one, vulnerability assessments. So where do you want to start with that? Do you want to start with some of the virtual stuff? Talk about offerings? So I’m going to start with OEMs. I’ll leave it to you. So all those fall within our professional security services group. We’ve got a really deep bunch of nerds that have expertise in a lot of different OEMs, right? Whether it’s Netscopes and Palo Alto’s. You’ve got your EDRs, your MDRs. I mean, pick your alphabet soup, right? That bench of security nerds

can come in and really manage takeover management, alleviating that vendor fatigue that I mentioned before, can come in around, as I was saying, Netscope, Fortinet, Palo Alto, VMware. Really, any tool out there that’s kind of up and to the right in a magic quadrant, we’ve got the expertise to come in and wrap our arms around. Some of those will provide the licensing for others. We don’t want to be resellers. We want to come in and just wrap our arms around. And really give a customer’s environment kind of that big bear hug from Lumen and help them get to a better place, right? So when it comes to Vsoc and Managed Sim Services, those are all Lumen resources internally.

So that’s, again, I’ll reference that deep bench of nerds, right? We’ve got roughly 300 folks in our professional security services group that they all kind of divvy up

what products and services that, whether it’s EDR, whether it’s managing MFA and single sign on, whether it’s managing SASE and walking in and taking over different OEMs that check the SASE boxes. We can really bring a lot of that to bear. The cool thing is that, and you and I have talked about this, you’ve had customers reach out to you where customers struggling to manage XYZ OEM,

and they’re having trouble hiring enough people that have the expertise to do it. And you’ve shot me a text message at 10 o’clock at night and my wife’s gone, “Really? Is it Josh again?” Oh, yes, dear. But you’ll ask, “Hey, can Lumen walk in and take over management of this? Are customers’ hairs on fire trying to take care of it themselves?” And more often than not, again, if it’s kind of, we’ll call it an OEM that’s up and to the right in a various kind of analyst quadrant. Yeah, odds are we can. And that team does more than just walk in and take over things, right? They can provide those technical assessments. They can perform those pen tests and vulnerability scans, help customers figure out where the gaps are in their digital environment. And come in and do a framework assessment looking through customers’ world through whether it’s NIST or PCI or CMMC, really to try to figure out, “Hey, do they have the appropriate checks and balances in place? Do they have the right documentation in place?” If an auditor were to come in today, would they get flushed or would they get a big shiny gold star on their helmet? So it’s a Swiss army knife of nerds that I lean on really heavily. And I used to consider myself pretty nerdy. No. Super nerds. Yeah, I love it. These guys are doing way more binary math than you and I will ever do. 100% between those guys and our Black Lotus Labs team.

Yeah, no, it’s, I mean, that’s what it takes. If you think about this, if you go back to any of the previous episodes, right, we’ve had other episodes where we’ve talked about running the math on a sock, you know, because there is the customer debacle of, “Well, I’ll just do this myself.”

And maybe five, 10 years ago, maybe that worked and we all weren’t wise enough to know that that was a bad idea, but the world was less scary. The attack surfaces were different. There wasn’t as many bad guys for profit and, you know, things have just changed. And so when you look at these staffing shortages, you just look at a couple of these first ones here, virtual CISO. CISOs need help. I mean, this is just all about augmentation. Maybe somebody that’s doing IT is doing security 20, 30% of the time and they’re the CISO. They still need help, right? Not saying that they’re not the experts by any means, but they need help. And we run the math on how many people and the cost to try to do a sock yourself versus have that outsourced.

And I don’t want to look at logs all the time. I don’t want to make sure that I didn’t miss something, right? Like, I’m not that big of a nerd. I mean, some of the headlines these days, folks are going, folks are seeing some serious legal penalties for some faux pas, we’ll say. But I mean, socks aren’t cheap. I mean, you need what, six people roughly on average to staff 24, 7, 365.

And those aren’t cheap hourly rates that those employees are going to require. So, you figure 10 grand a piece times six, 60 grand a month. Those dollars go a long way. Yeah, we can do a lot for 60 grand a month. I mean, there’s a lot of offer there. And I think that’s what people need to remember is that you’re not just getting generally, you’re not renting one person, you have a team.

So you have some resiliency there, big time resiliency there.

Maybe you just need them to fill gaps, right? I mean, maybe you can staff eight to five, but you can’t get the overnights, you can’t get weekends. We’ve had many customers come to us asking for off-peak hours to fill those gaps.

Nobody wants to work overnight in a sock. No, no, I guess we will. No, no, no, not me. Let’s talk about, let’s shift gears on mistakes.

Let’s talk about the end customers. You know, what are some of the things that you see? I mean, you get to talk to a lot of customers, right, in these opportunities.

The tunes have changed over the years, but here we are, you know, rolling into 2024. What are some of these mistakes that you see customers make throughout this process?

The common one that I still see a lot is not picking a framework to go with. If you’re in a regulated industry like banking or healthcare, one’s kind of forced on you, whether it’s HIPAA or PCI. But if you don’t sit in one of those verticals that has a regulatory standard that you need to comply with, the need for just that framework to align yourself with, to give you kind of that north star, that benchmark to grade yourself against and make sure you’re covering all your bases, something like a Nest or a CMMC.

It’s surprising how often I see an organization that hasn’t really aligned to one. The other piece of that puzzle is the documentation.

Having documented methods and procedures is a big gap that we see out there a lot. It’s relatively easy to go out and get a bunch of tools. That’s kind of the easy part, right? It’s documenting how to use them, who uses them, who do you call when this happens. And having that, as I mentioned before, having that in place so that if you do have that turnover, it’s easy to fill those gaps. It’s easy to fit a new body in there. And if you go back and look at some of the recon about these big breaches, how the Department of Human and Health, HHR, HHS, comes after everybody, they look at and they go after people that have chose to do nothing. It’s not about every environment needs to be epically perfect. It’s about we knew there were issues, we were working to address them, and we had a plan.

Good stuff.

Okay, let’s talk about an actual deal. So you see a lot of opportunities. You see a lot of different things from partners. You talk to a lot of different customers. Walk us through an opportunity that got brought to you. What were you told the problem was? What did the tech stack look like, and then what did you end up putting in place?

A frequent, a lot of the deals that come our way because of our heritage and being a giant ISP, right, we see a lot of opportunities for DDoS services. That’s really core. It’s really part of our muscle memory as a giant network provider to be able to apply those services.

Often we’ll have somebody reach out that has either a strong digital presence, whether it’s retail, e-commerce, things of that nature, or we actually see a lot of call centers.

So a lot of call center environments that are leveraging VoIP services, well, if that circuit starts getting attacked, that call center can’t operate, right?

Those hourly employees are still collecting that hourly salary, but they can’t conduct business. They can’t serve customers. They can’t generate revenue. There’s branding implications.

So that’s been actually a significant uptick in opportunities, specifically around DDoS.

I’d say another frequent one that comes to mind is walking in and taking over SIM services. We have a lot of customers that will go out and, as I mentioned before, have gone out and bought these tools, these platforms, and they really don’t have the expertise on how to manage them. They’re not easy tools. They’re complicated. They require a lot of resources, both human and technical.

And we’ll have a partner where we’ll reach out and customers are really stubbing their toe, managing Splunk or QRadar. And what can Lumen do to help?

Well, we can come in and either we’ll call it time and materials, we’ll come in and help get everything tuned up, right? We’ll manage the platform, make sure the blinky lights are working right, make sure that we’re ingesting the right log feeds to provide the right visibility into what’s going on so we can quickly identify when bad things are happening. But we can also layer on the eyes on glass, right? So not just managing the platform and letting the customer be the eyes on glass, we can be the eyes on glass as well so that we can let the customer know, “Hey, this is what’s happening. This is what’s going on. Here’s what’s going bump in the night.” And then what will often happen is we’ll kind of hand over the reins to the customer and they’ll start doing incident response. I think that’s a very common opportunity that gets brought to bear as well. That’s good. All right. Final couple of thoughts here. Let’s talk future, looking out.

Any products on the horizon or any changes in the market that you want people to be aware of from a Lumen perspective or just things in the market that you think are coming, right? And Jake’s crystal ball that Lumen is poised to help with in maybe things that we didn’t talk about yet.

I think we’re going to see more and more application layer protections getting embedded into our network capabilities, right? Being able to have kind of maybe call it more of a digital buying experience to kind of couple with that network service that our customers are already leveraging us for.

So if we’ve already got the circuit in place, that circuit, as I mentioned before, can be that shim to help apply different security services and bring those consumables to the customer’s fingertips a lot easier, right?

So I think we’re going to see more of that, we’ll call it cloudifying, security tools, making them easy to consume. And again, using that circuit is that shim to apply those.

So that’s, I don’t have any insight into it. I’m not in our product group, but I like to try to nudge them and give them the elbow and tell them what I want, what I’m hearing.

That’s what I want. And I think we’ll get there.

Awesome. All right, final question as we wrap this up. So for the partners out there, they’re listening, our eyes have been open to see the goodness that is Lumen’s advanced solution section. What are the best tips that you can give them to help them walk down a conversation track with their customers, right? How do they continue to open that up and tee those up?

Really just ask a lot of open ended questions that get people talking about where could they, how are they going to detect a breach? How do they know when something’s going bump in the night? How would they know if a bad actor got in? Really asking kind of that question is usually going to get somebody going, I don’t know, I’d have to check my logs or I’d have to check with our security team.

Well, checking more and more organizations are trying to get into some automation like a sim or a SOAR platform, but so many are still doing things manually, especially in the SMB space. Because sometimes with a sim, the cookie jar might be a little bit high on the shelf. So they’re still doing things very manually. So asking folks, again, how would you know if you had a breach?

What would you do? What are the steps that you would take? Again, is that documented? Do you have that written down? When was the last time that you did any kind of vulnerability assessment to understand what your gaps might be? We do an awful lot of those to help baseline where customers are today and figure out and plot a course of what they need to do to really start checking boxes and elevate their security posture.

I am out of questions. We covered a lot of stuff. We covered a lot of products. We covered a lot of processes. We said nerd a lot because we believe in the nerds and we love the nerds. So Jake, thanks so much for coming on, man. Really appreciate it. Absolutely, brother. Anytime. Happy to. All right. Okay, everybody, that wraps us up for today. We’ve got Jake Weaver, Advanced Solutions, Salt and Bloomin. We’re talking security sales blunders and how to help your customers quickly. Until next time, I’m Josh Lupresto from SVP and Sales Engineering at Telarus