This week we continue to explore Security and Virtual CISO, with special guest Paul Robinson,of IGI.
Transcript below is auto-generated, some errors may be present.
Josh Lupresto (00:02):
Welcome to the podcast that is designed to fuel your success in selling technology solutions. I’m your host, Josh Lupresto, SVP of sales engineering at Telarus. And this is Next Level Biztech. Hey everybody. Welcome back. I’m your host, Josh Lupresto SVP of sales engineering here at Telarus, and this is the Next Level Biztech podcast. Today. We are talking security, but more importantly, we are talking about virtual CISO chief information security officer. And today we have the pleasure of being joined by my good friend, Paul Robinson, who is VP of national sales at IGI cyber security. Paul, welcome on my man,
Paul Robinson (00:56):
Josh, thank you so much. Just looking forward to having our normal conversations and sharing it to the masses. Really excited for this man.
Josh Lupresto (01:04):
So I, I want everybody to get to know Paul any, anything cool you have about, you know, your background or weird or normal or whatever? I, I always love hearing how people got into the roles, we’re gonna get into who IGI is and what your role is. But, but how about getting here? Were you always security? Did you switch, you know, what’s the story?
Paul Robinson (01:25):
Oh man. It, it is a weird story. So I’m gonna shock a lot of people that are listening to this at Nomi. My start actually started with telecom and selling WebEx and conference call services back in the early two thousands. When you call on fortune 100 companies and they’d say, yeah, we’re never gonna use WebEx. We’re gonna put people on planes for the rest of our duration here. And lo and behold everything had changed. So did that for a while and then went into healthcare. Healthcare management for a couple of years, kind of got bogged down with that. I’m like, nah, I like technology. I like, you know, telecom and things of that nature. So joined a company locally here in Rochester and within a week they said, Hey, we’re changing the whole business model to cybersecurity. And this is in October of 2009.
Paul Robinson (02:13):
So I was like yeah, I, I know a little bit about antivirus that’s on my computer and TJ max, that was the big reach that had just come out recently. Somebody’s, I don’t know. They’re excited about my story back there, but <laugh> but so TJ Maxx just came out, so that was kind of mainstream news and, and whatever. So I was like, okay, take a, take a switch. And it’s been history ever since. Cybersecurity has allowed me to meet some of the, the world’s greatest cybersecurity minds and world’s greatest risk minds. And it was a weird path to get here, but I feel, you know, for the last 14 years, I’ve, I’ve found what my career calling is and that’s to use cybersecurity and risk risk services to help out people
Josh Lupresto (03:00):
Love it. I, I love that very rarely is there just this linear path. And I think that teaches you so much too, right? You just, you learn it the hard way. And you know that you wanna do something in your general area, but you don’t really know what always your general area is. So I love to, to hear somebody that landed on something different. That’s awesome. Yeah.
Paul Robinson (03:20):
We inherently, we all wanna be great at something like, I think that’s inherent in all of us and, and whether it is, you know, being a garbage man or being in cybersecurity or being a doc, like we just have that innate thing of just wanting to be great at something and to latch onto something and have a purpose. And that’s how cybersecurity fell for me.
Josh Lupresto (03:38):
So let’s jump in then current role VP of national sales at IGI I wanna preface with IGI was one of the very early security providers of Telarus. And it’s been awesome to, to work with you as you guys have grown as we’ve grown and it really just mutually leaned in. And, and so you guys have been hugely beneficial in our security strategy. Talk to me a little bit about, you know, your role and then if somebody’s never heard of IGI who is IGI.
Paul Robinson (04:07):
Yeah. So, so my role is kind of, it’s kind of simple. Don’t let the title fool you. It it’s to help IGI grow revenue and marketplace awareness of the, of the services that we do you know, to Twitter, if you may call it that not to give any free press to them, but to, to kind of condense what we do is we help organizations solve problems as it pertains to cyber security and risk. And the beauty of IGI is that we have a portfolio of services and solutions that we can provide. The challenge in cyber security is you have a lot of point products. So, you know, and not to knock the point products that are important, but when you have point product discussions, a lot of the conversation is centered around that, or I have the freedom and my team has the freedom to have discussions with organizations and partners is to have the ability to talk holistically about their business process and program. This is a business excellence issue. I learned that from a, a senior level cybersecurity person at IBM. And it stuck with me my whole career is that, you know, people get caught up in the bits and the bites and the zeros and the ones of cybersecurity, but really what we’re trying to do is to build process, get that in place, to keep our customers safe and also our employees safe as well.
Josh Lupresto (05:21):
Now the impetus for today is virtual CISO. And, and, you know, for, for anybody that isn’t familiar, right, this is a role that companies may or may not have. And, you know, they, they, to your point, they may have bought a bunch of security point solutions and thought that that was good enough. The reality is a lot of these organizations that we find just need guidance. I need help. Did I, did I buy the right thing? Did I, is this solution working? What should I be doing? I need to be compliant here. How do I do that? So there’s a lot of things that encompass in that. And I think you guys have kind of coined this CISO team thing to where it isn’t just that you get one person. So I wanna, I want to talk a little bit about that, that virtual CISO, that CISO team, what have you seen? What have you learned that, that that’s been the most valuable for this, that, that our partners can take back and then help as they’re having and trying to have new conversations with security with our customers?
Paul Robinson (06:16):
Yeah. So let’s go back to let’s take the V or the team out. Let’s talk about CISO real quickly. And the industry has done a terrible job of quantifying what a chief information security officer is, and we’ve made it a whole bunch of things that it really isn’t, where we start out foundationally is, is a C level executive has to drive the vision and the purpose of the department they’re in charge. So think of like a COO or a CMO, or, you know, a chief legal officer or whatever, you know, they are setting the course for the organization based on their department. The analogy that I use is, you know, think of a manufacturing firm and you think of the shop floor, three shifts going on, people hang, you know, banging on nails and having things go on the assembly line. You don’t see the COO on the assembly line, putting widgets into devices or sweeping the floor.
Paul Robinson (07:10):
They’re up in their proverbial ivory tower pouring over what operations needs to be like, how can we be profitable? How can we keep our organization safe? How can we be the best at what we do? And that’s really the role of the CISO. It’s changed a lot recently to where not recently, but it’s, it’s just been like, well, my CISO should tune a firewal, or my CISO should do security awareness training. And that’s where you’re seeing a lot of CISOs burn out. I, I read an article in Forbes the other day they pulled, I think a hundred CISOs 46% of them are, are planning their exit strategy completely from the industry within the next 12 to 18 months. And it’s because they’re getting bogged down by the minutia stuff. They, they are more executive level facing people and they want to get back to that.
Paul Robinson (07:59):
So the way that IGI was able to kind of coin this phrase team as a service is when we’re going up against competition and things of that nature and say, well, you get a VCISO with that. But what does that really mean? When we say CISO team as a service, we’re bringing in a whole team with the team lead on top of it. So our CISO team that we have that, that sets the executive course, the business course for the organization. These are people that have been in business for 15 to 20 years doing executive level strategic guidance. So fortune 100 banks that they’ve worked for top 10 healthcare, that they work for the big four consulting. So we’re bringing someone that could do the executive level analysis assessment if you wear the organization. And then when they have their plan of action, they then disperse this along to their team.
Paul Robinson (08:48):
So we have two teams, we have a strategic team that’s gonna help write your policies and procedures, test your incident response plan, do your awareness training. Then we have our tactical team, our more technical team. That’s gonna do penetration testing, vulnerability assessment, work with our node, wear solution, our vulnerability management tool, and go from that perspective. So it’s a compelling you know, case that we give an organization to say, Hey, we could bring you a team in this way for a fraction of the cost of one person and what they would cost. So just to give you a quick, quick outline, medium salary right now, let’s pick on California, cuz it’s a little higher, medium salary is about 325,000. And that’s not including wraparound fees for insurance, things of that nature. We’re coming in at a fraction that costs with a team to help the organization chart their way to become more cyberresilient we want to focus in on it where cyber resiliency, no one, I don’t care if you’re a solution or a product can come in and say, we’re gonna make you a hundred percent secure. It doesn’t exist. Doesn’t exist in the physical world. Doesn’t exist in a virtual world, but we wanna build you to a resilient state to where you can attest for things from a compliance perspective. And then God forbid, if something were to happen you could be up in operational as quick as possible surviving an attack.
Josh Lupresto (10:07):
I wanna go into a couple of those points that you just made. I think it was kind of a, a, a trifecta you know, you, you brought a sta about, you know, 40, some percent of the CISOs are planning their exit from burnout. We, we know the other stats that flow out there about how much a, you know, your average breach costs and organization. We know the bad guys are in there over a hundred days. So we know these stats. The, the important thing I think that just keeps getting worse and worse and, you know, call it great resignation piling on top of that we were already talking about a staffing shortage to begin with. So not only is there a, a massive deficit of hiring pool for these companies to find them when they find them, they don’t last. I mean, what, what’s your average tenure for a CISO? Is it two years, 18?
Paul Robinson (10:54):
12 to 18 months. But, and the key thing is this is that it’s not so much burnout from “I’m exhausted”, but it’s burnout from playing internal politics. So a CISO is going in again, they are an executive level person they’re going into cause change resistance is always huge at the security level. So they’re, they’re done after 12 or 18 months of banging their head against the walls. They’re like, okay, I’ll find someone else maybe to do this and I’m out. Yeah. Like I can’t
Josh Lupresto (11:24):
Do it. Yeah. I mean, you, you add that in and you add the fact that you’re coming in at, you know besides the fact that you can’t find these people when you find them, can you afford them as the other question? And, and some of these organizations can certainly not afford the 300, 400, 500 whatever thousand dollars price tag. Then you have that you have a team wrapped around of expertise. You’ve got some resiliency there, augmented by your services. There’s a lot of there’s a lot of value in that. Certainly. So I, I wanna lead us in then to the next piece here where, you know, we talk about how IGI stays in front of these things and, you know, we can take this R and D we can take it wherever, but you know, another service that, that we’re familiar with that you guys offer is the incident response side of things. So to do that, obviously you have to stay in front of what’s going on out there and you and I talk about bad guys and bad stuff. And just when we think we’ve seen it all, here’s the new one. So talk to me a little bit about how IGI stays in front of that to help people that are maybe not quite aware.
Paul Robinson (12:21):
Yeah. We have a couple of different avenues of that. So the beauty about IGI and why I like it here, love it here is because we’re all security purists. So we are scouring news articles all the time, not just, you know, the mainstream news, but we have some backend news channels that we get, and we’re always consistently sharing articles. So services is share is sharing with sales. Sales is sharing with services. We actually have something that might be of, of value to the partners. We’ve actually started a a real time news feed slack channel that is available for any partner, any agent that wants to join us. So you you’ll see a lot of organizations, that’ll say, Hey, this is this week’s Roundup of cyber security incidents. It’s outdated in a week. You know, it, it really is outdated in a week.
Paul Robinson (13:11):
And these major issues that come up like log 4J was one of them, you know, someone would put out a weekly brief about log 4J and the news completely split script the next week. So it’s like antiquated and it makes you look bad. So this channel is manned by folks here at IGI, and it’s also community driven as well. So people find articles and they share ’em, but we’re doing real time. Information shares on this slack channel, again, you know, reach out to Josh, reach out to myself. We’ll get you involved in this channel. And it’s really important to have that, because that then gives you the confidence. When you talk to your, your client base to say, Hey, I just saw this today. I thought of you, what are your thoughts on this? How would your organization become resilient against an attack like this, or a data leakage like that?
Josh Lupresto (13:58):
You know, it’s a good point too, and I’d certainly encourage anybody to get a hold of you to get on that, to get, to get up to that up to date insight you know, it’s, it’s kind of the similar track of when we talk about security, we talked about this on the last cloud podcast, we talked about Dr. You know, an overcoming objections with customers when you’re talking to, to try to push a Dr. Strategy or, or look at a Dr. Product. It was, Hey, Mr. And Mrs. Customer do you have a backup plan? Do you have a backup, you know, whatever for DRES. Yeah, I do. And a lot of people wouldn’t know where to take it from there they go. Oh, I, I gotta, I gotta push back. I guess there’s nothing I can do that. And it isn’t as much of a polite you know, walk away as it can be.
Josh Lupresto (14:40):
That’s great. I’m excited. Most people don’t have a plan. Kudos to you for, for putting that plan in place. I’m, I’m curious when you tested that backup methodology and when you attempted to recover how quickly did you come back online and did it meet the expectations of what the C level thought it was? I think you can kind of lend that same strategy to security. And maybe this, this is what we take into the, into the next film where we talk about an example, because I know you you’ve seen it. I’ve seen it where we walk into the customer’s environment and we’re, we’ve been told, Hey, you just, they just need this one thing. Just talk to em, real quick about this thing. And we, we could put a proposal together and done deal, and then we get in there and we discover, and we just find, oh my gosh, you don’t have this, you don’t have this, you don’t have that. So you, we know, obviously it, it, it comes from a place of caring and we don’t wanna see another breach, but we also have to instill some factor of this is a really big deal. So I, I would love to hear an example where you guys have kind of come in. What were you told the, the, the problem was, what did you end up finding? And then what was the end result? What services or products did you put in place to help?
Paul Robinson (15:49):
Yeah, so we had a, we actually had a CISO task client come join us in quarter one of this year. And they had a CISO for many years that retired and left. While we were talking with them, you know, it was, it was said to us, Hey, everything’s in place. We have multiple compliances that we need to adhere to we’re compliant and everything. We just want something to bridge our gap between, you know, him leaving and then us hiring somebody else. And then when they realized how much the other person was gonna cost we provided a tremendous value to them in that they were able to use our CISO team as a service solution, hire a junior analyst. I wouldn’t call her junior, but you know, less than a CISO and still had money left over fast forward three months later, they experienced one of the most vicious ransomware attacks that I’ve ever seen.
Paul Robinson (16:44):
Wow. It was business stopping. They were not operational weeks. No money was coming in. They had to feel 12 hours a day for two weeks of calls from angry customers. Why didn’t you take care of my data? But why can’t, you know, my production is now lost. It’s just had this nasty ripple effect down to legacy servers being impacted and not being able to be fixed and where we came in with our CISO team as a service is we bought, if we, we brought stability you know, I think back to nine 11, I’m a New York city kid. So nine 11 resonates very closely with me. And I remember watching the news that day and just being so upset. And so like, what’s gonna happen next. And I don’t know if people are dead that I know.
Paul Robinson (17:38):
And Dan rather came on the TV and he just said, these two words, he said, steady, steady. And that’s what our CISO team was able to bring to the situation, because now it’s not, not the it manager that’s you know, trying to figure this out. It’s not the network engineer now we’re at the C level. Now we’re at people that are like, we have a multimillion dollar business that could potentially fold within hours if we don’t fix this. And our team came in and we were able to do things IGI related and non IGI related. So that’s the value I wanna provide to your partners and to your agents, to the layers community as well, is that we think outside of the box, so there’s certain things that we don’t do. So we’re not a legal service. We don’t have lawyers on retainer here, but I know some of the best cyber lawyers in the, in the globe that can come in and it can make legal sense of this.
Paul Robinson (18:32):
Hey, bring them in. Let’s go. 10 minutes. I had a lawyer on the call and we’re just now putting the legalities around this, protecting the environment from a legal perspective our guys were able to they’re no ladies, so I’m just making sure I, you know, I said, guys, these were, these were guys that were working on it. They were able to construct documents, construct responses, take calls as well to help stem the tide. And they’re gonna be back in operation very quickly. That’s the value that we provide. And that’s why, you know, when we talk to agents and partners and we’re like, well, I need a pen testing quote, we’re, we’re not quick to give that pen testing, quote out just to give it out. We wanna know what’s going on. We, we wanna be able to provide value holistically to the business to be able to help them out and, you know, to, to say, Hey, you know, my team helped save the multimillion dollar business because of the way that we acted and the solutions that we were able to implement again, IGI and non IGI.
Paul Robinson (19:39):
It’s huge, man. It really is a huge thing to be able to to say that you do very powerful statement that kind of takes it to the next level of discussions that you have with with clients.
Josh Lupresto (19:53):
Good. I mean, you’re honestly, you’re saving jobs at that point. That’s huge, good
Paul Robinson (19:56):
Stuff. Pay yeah. Paychecks. You know, this is a multi-generational business. You know, we’ve had other other ones before where the CEO was crying at the table because it was fourth generation waste management company. And they were within 45 minutes of not being able to be recoverable from a financial perspective. Yeah. And, you know, we saved them too. And that’s, it, it it’s deeper, it’s it, it speaks to the internal value of it. You know, I didn’t grow up in business. My dad ran a, a homeless drug addicted ministry in Brooklyn for 20 years. So I’m not road scholar, I’m not MBA. You know, it, my, my heart is benevolence. And when you can see how you can help people inside of that and kind of have human factor to it, it it’s, it’s very rewarding, very rewarding.
Josh Lupresto (20:48):
And I, I think, you know, you bring up a good point. I think when partners get an ask or, or the idea of this pen test comes up, I think a light should go on for everybody of, you know, that, that example we’ve all seen of the iceberg. You know, one, one eighth of the iceberg is above the water. The rest is done below. I think we’ve found with security that it’s, it’s very similar. So you should get really excited when you get that ask and be willing to kind of uncover it and, and go a little layer deep. And, and I think there’s so much value to add. Just, just like you mentioned. Yeah.
Paul Robinson (21:19):
And it’s like going, it’s like me going to the doctor and saying, Hey, you know, I’ve had this weird pain chest that I’ve, you know, it’s weird, you know just give me, you know, a prescription for nitroglycerin and I’ll be on my way. It’s like, well, no, you need to pause there. You need to run some tests. We need to understand what’s really going on. And maybe it is something as simple as a pill, or it could be something as big as, you know, quadruple bypass. Okay. But you can’t know that to your point of the iceberg. You can’t know that until you go to the crux of the business and understand exactly what it is that’s going on.
Josh Lupresto (21:54):
Great example. So as we get to the last couple questions here so let’s, let’s say that I’m a partner and I’m listening to this and I’m maybe I, I, I’ve just dabbled in security a little bit. Maybe I haven’t gone into security, maybe I’m doing cloud or contact center network or, or SDWAN or whatever. What’s your, what’s Paul’s advice here of, of how you, how you segue that conversation. If you’re in that partner’s shoes.
Paul Robinson (22:21):
Well, I, I say this, and I’ll give a shout out to Kimberly Moore, because this is a, a phrase that we coin. If you’re not having the conversation with your client, someone else’s back to the matter you know, I’ve had partners and agents come up to me and say that they’ve lost multimillion, not multimillion you know, six figure, we’ll say six figure cyber security deals. And I said, well, how how’d that happen? It’s like, well, they didn’t know we did security. And so you’re leaving money on the table. With that what, what I encourage, you know, agents and partners to think about is let’s, let’s look at this logically. So think about your five biggest customers that you have, think about what you sold, but in the past context of your SDWAN circuits whatever, when you sell someone a technology and you don’t give cybersecurity cred to it, you’re introducing a vulnerability to that business.
Paul Robinson (23:20):
It’s just the way that it is. You know, if I add a door to my house and I don’t put a lock on it and there’s no security on my door, that’s a vulnerability now, someone can come in. So I, so one of the easiest ways to engage is, is to go back to your biggest customers and say, or, or any customer, I shouldn’t say biggest any customer. Yeah. Go back and say, Hey, we worked on these three projects in the last 12 months. We haven’t really had a discussion around the cybersecurity strategy around these technologies that we’ve sold you. We wanna make sure that we, you know, we, we maximize your investment. We protect your investment. Let’s talk about ways that we can, we can secure it. And that might be IGI that might not be IGI.
Paul Robinson (24:02):
You have a ton of great solutions in your portfolio, but again, to encourage them to have that conversation with them. And it’s also, you know, let’s be a little bit selfish here for the agents and partner. It’s protecting your investments as well. Yeah. Cause if you have $15,000 of MRC going, going in and out of, you know, in and out of the door and an organization is brought to its knees by a cyber attack and they shut down, they can’t pay you the $15,000. It’s, it’s gone. The business is gone. So it’s a little bit, you know, it’s a little bit selfish, but, but it, it’s also important for the partners to understand. I need to protect my investments as well. I need to protect myself as well. So by bringing cybersecurity solutions in a way that’s professional and meaningful to the business, not just shotgunning.
Paul Robinson (24:48):
Hey, did you hear about, you know, Equifax or did you hear about, you know, all these, you know, don’t, don’t do that, but really mindfully think of your business that you’re talking to and think of ways that they need to be protected. If you can’t come up with any information, find me, find Josh, find Jeff, find the whole team, and we’ll provide you with the information to go to the table with to say, Hey you know, I thought I thought of you today. I, I, I wanna see if you’re able to understand what this could mean to the business. And if you, you know, if you need help, I’m here to help. You got a whole army of people behind me to help you.
Josh Lupresto (25:22):
Great points. Let’s go final thought here. So I think security is one of those that evolves so quick, just like everything else. We always talk about evolve so quick, but the security threat landscape seems to always change. And the, the, the tools, the way we combat them always change. So there’s a lot of things we’ve, we’ve talked about on the SDWAN and, and side of things, CASBY, SASE, the, the edge, you know, customers trying to get less latency, moving their applications off prem, you know, all these good things. And, and the, and couple that with the bad guys, staying 16 steps in front of us all. So your thoughts on what to look for over the next 12, 24 months trends upcoming staying the same final thought.
Paul Robinson (26:07):
Yeah. So the trends the way that I see it is it is kind of multi multi-factored. So no pun intended when you’re seeing inflation go that the way that it is when you’re seeing reduction of work staff, the way that it is when you see the geopolitical turmoil that we’re in military turmoil, that we’re in the attackers are gonna use that as a conduit to increase the attacks that are, that are on our businesses. So you figure, if you have 46% of CISOs quitting, that’s not good criminals know that they know that people’s defenses are gonna be down. If we see inflation going up and companies having to cut costs and saying, okay, security is the first thing that’s gonna get the red, you know, the red XX from it criminals know that as well. So they’re gonna come after that.
Paul Robinson (27:00):
You know, and, and, and just sheer, sheer apathy by organizations not all organizations, but a lot of organizations are just like, ah, it’s gonna happen. Like, okay, you know, great. That just makes our target easier for us. So, you know, how do you combat that from a an agent and partner perspective? It’s very important to talk about the business piece of it you know, use the example that I gave, Hey, you know, let’s say your organization was shut down for 38 days, and you had no way to produce goods or services that you provide. How would you be able to respond to that? You know, if we have one situation, one time where the company had to actually Sue their biggest client, because they couldn’t decide who was a conduit for an ACH fire transfer and their, and the legal guidance they got from internal council was okay, you gotta Sue ’em. So you Sue your biggest client, go to your company and say, Hey, can you afford to Sue your biggest client? It’s really keeping it simple and thinking from a business mindset, and this really separates the goods from the greats. It’s, it’s a phrase that I started to use. You know, you can be good at, at, at being good agent or good partner, but if you’re gonna be great, the more you know about that business intrinsically the better it’s gonna serve you and the better it’s gonna serve your clients as well.
Josh Lupresto (28:25):
Love it. And we’re wrapping on that. I appreciate it, Paul, thanks so much for coming on the show today, man.
Paul Robinson (28:31):
Appreciate you, buddy. My best, everybody out there. Take care.
Josh Lupresto (28:35):
All right, everybody that wraps us up for today. Paul Robinson, VP of national sales from IGI cybersecurity. I’m your host wrapping up security and virtual CISO. Josh Lupresto, SVP of sales engineering at Telarus. And this is the Next Level BizTech podcast until next time.