Tune in as we learn how Jason Stein went from theology to bartending and ultimately landed on Security! Hear him discuss the key issues facing most customers right now in security and what you can do to get in front of them.
Transcript of episode can be found below.
Josh Lupresto (00:01):
Welcome to the podcast that is designed to fuel your success in selling technology solutions. I’m your host, Josh Lupresto, SVP of Sales Engineering at Telarus. And this is Next Level BizTech.
Josh Lupresto (00:19):
Welcome!Excited to be back. We are here it is season two. It, you know, we’re, we’re diving in, we’ve got so much technology to talk about, but today we’re kicking it off with managed services and we’re talking about something near and dear. The technology landscape has changed and we got a talent shortage out there. This manifests itself everywhere, but today specifically, we’re talking about security. So we’re back kicking off season two with the man, the myth, the legend. Jason Stein, head of the security practice at Telarus. Jason, thanks for agreeing to come back again.
Jason Stein (00:52):
Thanks for having me. What’s going on?
Josh Lupresto (00:55):
Oh, we live the dream. Man, where do we, where do we kick this off? So if anybody goes back and listens to season one, we talked about your background where you thought you were gonna be a practicing theologian and then you maybe were a bartender. So you gotta go back and listen to that story. We’re not gonna give it away again. Today we’re gonna talk a little bit about what’s the problem, How did we get here, Why is this such a big deal?
Jason Stein (01:24):
So when you think about the talent shortage, it’s massive in the industry right now. There’s just not enough resources that are focused on security. Security’s kind of become a hot topic over the last 10 years since I think the target compromise. And so we’ve tried to escalate and get people accelerated into the security world, but there’s just not enough people. So there’s 2.7 million jobs available. So by the time he finally finds somebody, that guy’s got 10 other job offers. So if he doesn’t like the vision, the direction, the budget, he’s just gonna leave. Or he is gonna implement all of his security measures and then go to the next organization. So we see a lot of companies not sure what to do. So they’re coming to us and we’re actually helping them with a virtual chief security officer. We’re coming in with a SOC approach, a security operation center, and giving them a team of people that are experts that you don’t have to worry about turnover. If you do find one security person, chances are you can’t staff at 24 by seven, cuz you need six to nine to even remotely be able to function properly.
Josh Lupresto (02:27):
Well, it seems like if, if we look at, since the last time we’ve talked, right, it’s been a little while and, and it seems like, you know, the security people were hard to find before. I mean, we can’t even find people now. Customers can’t find people to manage an end device, endpoint security, the soc, the sim, any of that stuff. What has anything changed that has made you more optimistic that this talent shortage is gonna magically fix itself in the next 12 to 18 months? Or what’s your perspective there?
Jason Stein (02:55):
Well, if you think about it, the technology just keeps changing as fast as we get, get people ramped up on the current technology, it changes overnight. 75% of CIO CTOs and CISOs say they want new innovative technology to help protect their organization. So how are you gonna get new innovative technology and yet find somebody who’s up to speed on that new technology? So it, I’m optimistic that people will get caught up to the technology that we have today, but here in two years, think about all the technology that’s changed over the last three years with zero Trust and sassy and protecting on the edge, and then MDR and now XDR. It’s just constantly evolving. And so I think we’re gonna continue to see that trend. So I don’t know if anybody’s gonna never not need the resources that we have to stay up on, you know, what the new latest security measures are.
Josh Lupresto (03:47):
So there’s no rainbows and unicorns answers here. My my six year old thinks there’s always rainbows and unicorns, but it doesn’t feel like that’s here. It feels like we have a lot of room to help pot
Jason Stein (03:56):
Of gold at the end of the rainbow
Josh Lupresto (03:57):
<Laugh>. Yeah, it’s, I like that. That’s much better. Partners like the gold <laugh>. So let’s talk about what are, what are we doing, What is Telarus doing to help? I mean, you’re out there, you’re training, you’re teaching, you’re educating, you’re helping partners build this practice. What do you feel that we’re doing to help that, Right, From the education perspective, what are you seeing be successful in that?
Jason Stein (04:21):
Yeah, first off, we’re trying to make sure that partners don’t get intimidated by the conversation of security. Make it a business conversation just like you would anything else. A lot of the cio, CTOs and CISOs out there are still a little bit older than what people would think, you know, so they’re in their forties and they weren’t necessarily in the trenches when it was more than just a firewall and maybe an antivirus. So they still need help. You know, we have an incredible depth of talent when it comes to engineers that can jump on calls. So I think encouraging partners to have that business conversation, then stop the conversation and say, let’s bring in one of the amazing resources that we have at Telarus three CISSPs and one CISM and, and say, let’s whiteboard your environment. Let’s talk about where your gaps are, and then let’s recommend best practices. Still, it says that 50% of organizations follow trends that their peers in the industry are doing. So to have somebody come in and for free whiteboard your environment and then make recommendations what other industry, you know, similarities organizations are doing, then I think that’s resonating right now for, for partners and their clients.
Josh Lupresto (05:32):
So let’s, let’s parlay that into trends a little bit. The last few of these discovery calls we’ve done and, and a few of these customer environments agnostic to security, whether we’re talking cloud or we’re talking contact center or whatever. It seems like still whenever we come in and the expectation is we’re just gonna talk about this one thing, it always expands. And we, we’ve come into a lot of these recently. Are you, you, are you still seeing that as a trend? Are there other trends that you are seeing that partners should be aware of when having deeper security conversations and figuring out what customers need?
Jason Stein (06:06):
Well, first off, when you think about all initiatives that clients have for 2022, I’m encouraging partners to say, Hey, how does security play a role in how you’re gonna choose the supplier that you’re looking to move forward with to protect your organization when it comes to this discipline or, or new initiative that you have. So I think, you know, making sure that people have that relevant conversation, security’s gonna be a part of everything. We’re trying to wrap security more around unified communications. We’re trying to wrap it more around mobility and IoT. We’re making sure that cloud actually is a security component, whether it’s infrastructure or disaster recovery, business continuity, backups and desktop as a ServiceNow. Security’s got a heavy footprint within that. And even when we talk to Kobe Phillips, our practice leader for cloud, he talks about how relevant security is for all of those.
Jason Stein (07:00):
So then when you think about security in general, we’re trying to make sure we have best of breed technologies in the the stack. Do we have all the best providers? Do we have all the right things? What’s missing from the portfolio? What are C-level decision makers in IT looking for that we’re not talking about today? And so we’re constantly trying to make sure we stay up on the latest technology, but we need to go wider and deeper. So we’ll start with a small footprint, getting somebody to have that initial conversation and then we’ll, we’ll start to peel back the ender and say, you know, what is your IT staff look like? How many people are dedicated to security? What do you have in place today? And then make more recommendations. And so a lot of times we’ll come in with a 5,000, $5,000 a month customer and ends up being a $20,000 a month deal, which is still the price of one IT security resource. So it’s a win, but yet you’re getting better technology, better visibility and more people to shore up your environment.
Josh Lupresto (07:52):
Speaking of trends, we, we started talking about this last year from an insurance perspective that, that seemed like it was influencing a lot of what people did, but nobody really understood how impactful it was and how they needed to consider it. How have you seen customers pay more attention to that over the last 12 months? How has that impacted their decisions of what they buy, what projects they work on, what they realize they need help, just I guess overall, right? Just answer that however.
Jason Stein (08:25):
So insurance is interesting. It’s a necessary part of doing businesses within certain industries. And there’s a lot of requirements. We’re seeing premiums go up, up to 400% sometimes more. And, and organizations can’t afford that. So then the countermeasure is to do all these requirements while all these requirements are burdensome to their staff. And so we’re trying to help come in with a, the right resources to take some of that burden off their plate and help them be able to renew their policy. But it, it, we get probably 10 to 15 requests a week from clients who can’t even qualify for the policy or don’t know where to go for the policy. So we’re in discussions to try and make that happen, but there’s a lot of legal things that, you know, you need to kind of sift through to make sure that we’re advising people the right way, making sure that we’re, you know, not liable from any of that, but making solid, solid recommendations.
Jason Stein (09:17):
You’re gonna see insurance is just gonna continue to be necessary part, but then we see Lloyds of London say, maybe we shouldn’t offer policies anymore. Maybe that’s not in the best interest. And then the policies are broken up different. So a million dollar policy, when you had a breach used to pay a million dollars, now it’s broken into chunks, it’s $250,000 for network intrusion, $250,000 for ransomware. Well, the chances of you having all four of those is gonna be small. So now your million dollar policy only pays out a fraction, but yet you’re paying a ridiculous amount to get the policy itself. And then we’re seeing some states come out and say, you’re no longer allowed to pay if you were to be ransomed because it’s a, it’s an act of funding terrorism. that’s crazz!
Josh Lupresto (09:58):
There’s a, there’s a, oh, by the way, we don’t pay if it’s, if this is the nation state event, is that, is that for real?
Jason Stein (10:04):
Yeah, there’s already one state that’s done at North Carolina and we’re seeing a couple other states say that they may follow suit. What’s that gonna do to cryptocurrency? Are, are we gonna see the federal government coming layer on top? That’s gonna mean that people are going to have to put more emphasis on secur securing their environments because there’s no safety net. You’re now a trapeze artist without a net,
Josh Lupresto (10:26):
Right? And you just have to hope the bad guy that hits you doesn’t have mal intentions from a nation state. So <laugh>,
Jason Stein (10:32):
Josh Lupresto (10:33):
A lot of fingers and toes are crossed. But it, it, it underscores the idea that we can’t just do this because insurance is now requiring us to, we have to do this because this is the right thing to do. So I feel like, you know, that’s our, our duty, it’s our responsibility to help these customers see all of that. So while we don’t intentionally say, Boy, we’d love to sell you 25 things, I’m sure that’d be nice, but that’d be really hard. And you probably don’t have the budget. But the reality is you need to be thinking about these five things. You’ve, you’ve come to us with one thing I need help redefining my Azure AD environment. And then we find out and ask about this piece of infrastructure. What are you doing for identity? What are you doing for endpoint? Well, we’re working on that.
Josh Lupresto (11:16):
Okay. insurance is gonna dictate that you work on that a little faster. So maybe let’s, let’s just call out what are you seeing common threads? Cause we, you, you and I have been on these threads where we see a lot of these insurance applications of customers saying, I need to do this. Where do I, where do I even start? Because these things are 20, 30 pages long and you, you can’t fumble your way through it like you could in the beginning, right? What, what used to be enter in your own information here is now a checkbox. Choose the right answer. Right? Don’t pick the wrong one. So what’s the, what’s the three, four things that you’re seeing people just can’t get away from ignoring anymore?
Jason Stein (11:53):
It’s interesting. So we have that QSA which gives, you know, 25 ish questions. Now what we’re seeing is a QSA is being developed by the insurance providers to say, where are you at from a maturity level? And depending on what they, what they answer, they’re either qualifying or they’re not. The first thing, first and foremost is the, the, the security awareness training for your employees. Employees are where we’re seeing the biggest threat because 80 ish percent of all breaches last year were human error, whether it be an employee clicking on something malicious or, you know, patching not being done properly. So that’s first and foremost. And then they’re saying, you know what? Edr endpoint detection response is not enough. A SIM is not enough. You need to have a SOC. Well, it’s, we already talked about the talent shortage, so how are you gonna be able to implement that without outsourcing it?
Jason Stein (12:45):
So now we’re seeing that a lot of organizations are coming to us and saying, What do you have in place that you can help us when it comes to a security operation center and giving us eyes on glass there. And then the interesting thing is, whether it be backups or disaster recovery, people just don’t have those policies and procedures in place to restore it. It’s, if it’s not the main IT decision maker, everybody else doesn’t know what to do. And when a threat comes in, they look at each other and go, That’s new. What do we do with that? I don’t know. You wanna take us down better? Who go first? Yeah, who, who’s gonna help us with that? So it’s crazy because they think that just because they get these security measures, the ones they get past are the ones that they need to react on, and they don’t know what to do the first steps to do it.
Jason Stein (13:27):
So we’re seeing insurance providers say, you need to have incident response plans. If something’s breached, here’s what you’re gonna do. And everyone needs to be on the same page and they’re just not. So you think about you know, a big threat that happened in the news recently, September 15th was Uber, Uber gets compromised by somebody calling into their, their their, their call center and asking for his password to be re reset <laugh>. And they said, No, no, no, no, no. Sure, I’ll reset your password. Next thing you know, somebody gets in, steals all their data admin ads. It’s absolutely ridiculous. So every employee wasn’t on the same page. 90% of ’em were 10% not. And so it’s just a, a numbers game at that point.
Josh Lupresto (14:15):
Love it. So I mean, it’s, it’s real, right? These are examples, but if, if the big boys are going through this, the Ubers of the world, there’s still so much room for us to help s and p mid-market, all of the above. Nobody is you know, nobody is immune to this.
Jason Stein (14:32):
Yeah. We talked about 31 million companies identify as being SMB in the United States, 250 employees with less and 52% don’t have a cyber security person. What does that mean? They’re going somewhere. They’re, if they’re not having the conversation with our partners, they’re having the conversation with Avar or an MSP, it’s just not with us. And so we need to make sure that that conversation’s being had by us.
Josh Lupresto (14:54):
So any, I mean, I, I, I gave an example earlier, but any examples that you want to talk about where you know, you helped on, you were engaged in or you saw that, that were beneficial or eye opening that you feel, man, if I, if, if we helped in this one, there’s gotta be a lot more like that, that our partners can help uncover Anything you wanna call out into the weeds there?
Jason Stein (15:14):
Yeah. We had a company that had 250 employees jumped on the call and we said, How many people are on your IT staff? And, and she said, four. And I said, Oh, okay. I go, How many are dedicated to security? And she said well, we, we all kind of wear hats on security, but no, no real security person. And we thought, you know, how much money do you have budgeted for security? And they said, not very much. And then we said, Is your CFO gonna prove additional headcount? No, we’re set with our headcount. And you just saw the amount of data that they had and the limited resources, and they had nothing in place. We talked about their technology and they were using Sonic Wall along with Bit Defender and then Malware Bites. And we thought, okay so when’s the last time you had a baseline where we could actually see a vulnerability assessment? And they said, Oh, well we do it once a year. We did it a year ago. So, you know, bat stuff was already living in their environment. Yeah, they’re just not aware of it. They don’t have good technology and they’re spending money on inferior products. So we just said, Look, let’s get the baseline, do the, the assessment and then let’s make some recommendations on improving your overall security posture. But think about it, that’s a common 250 employee Oh yeah. Company. And there’s 31 million of those across the United States, and they just don’t have enough people.
Josh Lupresto (16:34):
Yeah. It’s funny how much you uncover after just a couple of the first questions. To your point, yes, we have tools, Yes, we have the qsa. Yes, you can have that virtual engineer kind of at your side to walk through some of these inaugural conversations, but if you don’t want to go through that alone, if you need our help on those, we, we do that all day long, right? Our, our world lives and breathes in discovery calls. That’s what we’re passionate about. Maybe let’s go here, Final thoughts. As we look forward, you know, over the next six months, 12 months, anything, is cyber insurance gonna be the thing? Is the talent shortages gonna remain to be the thing? Is there new technology that we should be aware of? What’s, what’s on your purview to pay attention for the next year?
Jason Stein (17:15):
Yeah, I think what we need to do first is help clients with SOC getting that security operations center in place, whether it be a managed detection and response to layer on top of their endpoint, or whether it be a sim looking at their logs, soc that’s huge. Cyber insurance is definitely gonna be the trend. I think we’re, we’re seeing more around the IoT space, protecting mobility and iot and ot, you know, the protection of, of hardware assets and, and hardening that. And so I think those are gonna be massive focuses for our organization. And then figuring out what else is missing, what’s resonating with clients, but the, the shortage in staff, which to your whole point on this podcast is, is super relevant and we need to make sure that we’re giving people all the necessary support and help that they’re just not getting today.
Jason Stein (18:05):
So I think that for the most part is going to be the, the focus. We’re still gonna see a lot on email security sassy to protect the edge. You know I think zero trust in, in following a framework of some sort are still super important. You know, think about all those people Christmases coming up and, and you, you go and you get this blueprint on how to build a bike for your kid and, and then you have five bolts left over and you’re like, Oh, that’s gonna build character <laugh> <laugh>. But imagine if you didn’t have, yeah, the instruction manual, how many bolts would be left over? And so I think it’s giving people the tools and, and the support so that they have the right manual to follow so that they can protect their organizations properly. Fair.
Josh Lupresto (18:47):
Okay. Well, I believe that brings us to the end. Jason, I appreciate you coming on. Thanks so much, man.
Jason Stein (18:52):
Thanks for having me. Appreciate it.
Josh Lupresto (18:54):
All right, everybody that wraps us up. I think we’ve answered the question how do we solve the massive talent in the, the issue there, the shortage in security and in tech. And the reality is we just have to help the customers recognize that the talent is hard to find. But through the economies of scale, we’ve got ways to get there. We’ve just gotta identify, do they realize and see what those problems are and help them uncover and figure out what they are. So Jason Stein, VP of the security practice, ATT Telarus wraps us up for today. I’m your host, Josh Lupresto, SVP of Sales Engineering at Telarus, and this is the Next Level BizTech podcast.