Building a Successful Cybersecurity Career | Seizing Opportunities and Always Learning

Welcome to the Security Cocktail Hour. I'm Joe Patti. I'm Adam Roth. Adam Roth, how is Staten Island doing on this glorious morning?

You know what? At least it's not Long Island. Thank God. Oh, that's harsh. Who wouldn't want to live in Long Island? Come on.

Go ahead, I'm sorry. Dude, our guest is from Long Island and the first thing you do on the show is insult him. That's so incredibly clever. Okay, today we have a friend of both Adam and myself, and a longtime security veteran, Gurinder Bhati. Gurinder, how you doing?

I'm doing all right, and Adam's a little, you know, digs here. I'm used to a typical Adam, so I definitely didn't miss those.

Yeah, well he's definitely not an AI imposter, that's for sure. You're impossible to recreate, Adam. It's all you. I'm one of a kind. That's right. And if you're enjoying our little banter and everything, everyone, please, if you're watching us on YouTube, like and subscribe. If you're listening on Spotify or another podcasting platform, please follow us, like us, send us comments. We'd love to hear from you, and we're really trying to build our audience, and it really helps us. So thank you in advance. And we're working hard here. And you know, today, we're actually doing this in the morning. It's coffee time. That's the drink today. We got coffee and you know, I take mine, I take high test. What about you? I know Van was probably drinking some sissy stuff. What do you got, Gurinder?

I got a black, yeah, for sure. So I'm a black coffee drinker. Awesome.

There you go. Nice. If I may point out- Unicorn latte stuff. What?

If I may point out, I made a dig at Long Island because I can't afford it. That's why I'm in Staten Island.

It wasn't like this when I first moved here, so maybe you're onto something.

Well, Gurinder, you're doing good, and you have an interesting distinction. You're blessed to have known both me and Adam. I'm blessed?

Yes.

Now, we're always looking for guests and people we know, cool people to have on, and Adam goes, you know, I know this guy, you should have him on, he's really cool. Gurinder bought him. I used to work with him and I thought, wait a minute, I know him. We worked together too, way back when you had more hair and mine was a lot darker back then.

I don't know if I had a hair style, so that might have been a distinction there for sure.

I do remember you had an interesting hairstyle. You were definitely, so we were working in a place with like all guys, I guess, in their mid thirties or forties and Gurinder was the junior guy and you were hip. You had the hippest lid out of everyone, if I remember correctly.

I definitely took some liberties. Let's just keep it.

In a way, Gurinder's kind of celebrity. He was on TV also.

Oh, that's right. That's right. What was that about again?

That was an interesting thing. You know, this is back in the days, maybe 10, 12 years ago, when I guess security wasn't as upfront and prescient with everybody. So it was very kind of like, you know, tailored or kind of a niche place. Basically, I was working with a colleague, and Adam and I were at the same place. And this guy comes up to me and says, hey, you know, NBC News needs to do a segment on the threats or the dangers of public Wi-Fi. And they want to have somebody. Can you do it? I ended up, like, sure, you know, I'll do that. And it was an interesting one because it ended up being like a full-blown, you know, like, dedicated news segment they did with the news anchor. And we went and kind of rehearsed it one time, then secondarily. And I tried to play it up, right? I did the whole, like, you know, wore, like, a white hat or a gray hat or something just to kind of play the persona.

You wore an actual white hat. Oh, that's great.

Thinking back on it, I'm like, yeah, if my 40-something-year-old self would look back on it and be like... What, like, low-budget TV show did we produce this with? Because it was so much acting in there, it was crazy. But it was fun times.

Yeah, but that was legit. And you know what? Having been on a real news broadcast, I suppose you have more professional media experience than we do.

Yeah, if that's a claim to fame, I certainly like to throw it in everybody's face anytime they say they've been on XYZ. I'm like, yeah, I've been on NBC when they was something to be on NBC.

Yeah, I think we still have to see if we can find that clip, right?

It's in the archive somewhere. Yeah, I certainly lost it. But if there's anybody who has it, it'd be cool to see it.

I tried. I went looking for it. And I think we've got to call the station or something. You're right. It's in the archive somewhere. They must have it.

If they have it. I don't know how much data they had there required to keep back or something like that. But let's see.

Well, I don't think it's like tax records, but I think they pretty much keep everything they put on the air just to have, I guess.

Because you never know, maybe 20 years from now. you know, Gorinda's the president of the United States and they start searching for Gorinda and they say, oh my god, he did this white hat episode on NBC.

I know, I was promoting public life by hatting or something like that.

The internet never forgets.

It doesn't. Adam, it was right by Bryant Park. So we used to work, you know, in Newtown and it was right next to Bryant Park and that's where we kind of did that whole thing, so.

That's great, yeah. But I just want to point out one thing. The equipment that that Gurinder used, he kind of coaxed me or forced me to buy it for him, so.

Yeah, that's when Adam was a little generous with his wallet, with his corporate card, and I was like, why not get in the fun, you know? So definitely, Adam, thanks for that.

Oh, with his corporate card. I was going to say, you never buy me any equipment or anything, so yeah.

Joe, I was spending $20,000 a month on my corporate card. I would work on equipment for like your buddies or what? No, I had a buy. I was buying 10, 12, 13 iPads at any one time. Do you remember that?

Yeah, because we were rolling out our applications on this, right?

Yeah, so I was bought and I was paying for the and then my boss would say, Oh, yeah, put the data center on your on your on your corporate card. So yeah, so the monthly data center costs were going to my corporate card.

Okay, just so everyone knows, and we're going to talk a little bit about, you know, IT procurement and stuff. I mean, not a lot, just, we're not going to bore you to death, but you know, normally, you know, when corporations buy things, they have like a procurement department and they do bank transfers and there's paperwork. You don't usually put like your whole IT budget on a credit card, unless you're running a small podcast. We, we, we, we did.

I don't think you should build on layaway. Like, Hey, you just don't.

What did I do? I'm sorry. I missed that part.

I said, I wonder if you paid the data center bills on layaway or something.

No, I didn't. But, you know, we were an interesting company back then. And, you know, we were bought, obviously, by a multi-billion dollar company multiple times. So they must have done something right.

Yeah, I think we had good people, honestly, in general. I remember looking back on some of the folks and I think that's kind of been the theme for a while is that when we all started in security, you kind of had to have your wits about you. You kind of had to have, you know, the understanding of the fundamentals and to perform your job and not saying a lot of people now necessarily don't have that, what you may call it, you know, not security, but just from a skills-based perspective, right? And that goes to show a lot of where there's a shortage, right? So everybody's, hey, you know how to type, let's make you an admin of something. Because again, there's people who are necessary from a labor side. But back then, I think it was almost, hey, you had to earn your stripes to get into security, or you had to earn your stripes to get into networking, et cetera. So, you know, those folks were reliable. And I think, you know, a lot of the places that Joe, you and I worked as well, I mean, you knew that folks knew their stuff and, you know, they were going to go ahead and get the job done, which is, which is interesting, which is a good thing.

Yeah, well, you were, you were really fortunate. You know, we talked about, you know, when we worked together, which got us probably 15 years or more ago, it was quite a while ago. But I remember when you were just a little security pup. No, but you were young. You were the junior guy in like a group that did a lot of firewall admin. And I mean, you, for a youngish guy, got like the real old school sort of upbringing. And you were lucky because you were in a group of guys. And it was all guys, sorry, ladies at the time. who were just superstars, who were just really good, and they trained you the old-fashioned way. They really taught you everything, gave you stuff, knew how to stretch you, give you a challenge without letting you drop the ball, although I think you got an interesting story or two about some of those things.

It was interesting because, so the way I got into that was I was interning during my college years, and then after I graduated from college, just by sheer happenstance or coincidence or something, one of the folks in the firewall team abruptly decides, hey, I don't want to work anymore. I want to go pursue education across the world somewhere else. So literally just blink of an eye.

So you were already interning with the group. Exactly. And then right when you got out of college, a slot opened up, basically.

Yeah, but it was not even, hey, this might happen. Because there was no budget or anything. And this was, I think, if you remember, this was around 0304 when things were getting kind of tight for organizations in general.

The post.com meltdown, if anyone realizes that, things were tight then too.

So for Gurinder, that's like a field promotion when you're in the military at war. Somebody gets killed, they're like, oh, you're up.

Private, you're an officer now.

It was funny because I was, I mean, being the young person there, I definitely had some self-doubt, saying, you know, can I do this job? But they're like, well, you've been doing it for like six months, just very underpaid. Kind of stepped me right in, but I think I had good... I had good mentors, I had good folks that taught me and I think eventually the biggest thing was just attrition. I mean I went from having this one line of business that was you know supposed to be my duty or my administration domain to literally you know we went from I think a team of like 15-17 folks that were manning all these firewalls to maybe four in about a matter of three, four years. And then eventually, you know, you didn't have people to rely on. So you had to kind of troubleshoot, you had to kind of learn on your own, you had to kind of break and build and fix. So definitely earned my stripes there.

Which is very similar, Gwendolyn, to what we did, right? When you were working in the same place as I was, There was very few people, and you had to sink or swim, and that was the whole attitude all the time in our organization. If I remember correctly, you were architecting or designing. We were moving data centers like we were changing shirts, and we were moving offices like every time there was an acquisition.

close that office merge that over there or we're moving downtown to this office we're moving over here we were moving offices once a year sometimes it was yeah it was i think definitely but but i think again we were prepared for that to an extent and that was the job right now i think we have different types of capabilities you know responsibilities even from the enterprise side hey you know and there's a lot more siloed stuff because just the domain's grown so big So now you can't really be that master or even a jack of all trades because you just can't scale out. But at that time it was a little easier and because it was part of their day to day. So building, racking, stacking, configuring, that was just normal operations.

Yeah, well, it's interesting, you know, a lot of people, the question we always get is, how do I get into security? And we always say, well, or at least I always say, you know, well, the new thinking is, well, you can get a course, you can get a degree, you go to a boot camp, you do all this stuff, you know, the old school way. was, well, you're in IT and you become an expert in a couple of things or learn a bunch of stuff, and then you start doing security. And the way a lot of people used to get pulled in security or when they were there, and even in IT in general, the way you would get promoted and accelerated was not because you were so wonderful or because you had this on your resume, you had all this training. It was very often because you were there. and they need someone to do this job. And they're like, who's got time? You, you're free. I don't know this. Learn it, do it, figure it out. And there's, I think that's, I think that still occurs to a certain extent, but not like it used to. Things used to be a lot crazy.

I'll let you a little secret, Joe, from the people I know and the people I interact with. And even currently, it's constantly, it's constantly got to keep on learning. And you have to keep on, especially, and we've had these discussions, especially in this market, You gotta reinvent yourself constantly. If you're working, like for example, Gurinder, where he currently works, I'm sure he had to reinvent himself a little bit, right? We have to constantly learn new skills in order for us to succeed and thrive. It isn't like you have a job today and you decide to move to another job that's exactly the same. There's no exactly the same jobs anymore. Now it's like, well, we need somebody who knows AWS that can speak fluent Cantonese and can also you know uh... connect uh... token record what talking to me are you kidding me so it gets dispirited

Yeah, but the crazy thing is, and this is why I like the whole thing about recruiting and hiring is broken, is because like, you know, now, especially with, you know, jobs being so tight today, this would take us in August of 24. You see these job descriptions, like you say, where they want the unicorn who can do this and this and this, who can have all these crazy things that you got to check every box before the recruiter will even talk to you and everything. But the truth is that once you get in that job, or once they hire someone or whatever, within a couple months, you're gonna be thrown into a whole bunch of stuff that you would, just because you're there, because there's a need, or because you're growing, that, you know, on paper, you'd never get hired for. It's just so insane, you know?

Have you guys ever seen this meme? I think it's accurate. It's of a job description or job requirement. And it says like, you know, senior XYZ person required must have 12 years experience in Kubernetes. And then yeah, Kubernetes was founded 10 years ago, 10 years ago. Yeah.

Well, that totally.

Yeah, I saw it. I see every once in a while people are on LinkedIn and they're posting like, need somebody that has 20 something years in cybersecurity. And then it says at the bottom, junior position. Entry level and I'm like get the hell out of here. But I think this is why Garenda you I and Joe you Joe and I Like this is why I think there's a similarity between all of us every single one of us has been asked to sink or swim things are always thrown at us and it's very It is I think there's two different types of people in that field and watch people and get insulted by this There are people that do their job, and they try to do their job every single day, and there are people who constantly thrive to learn new skills in the fear of that imposter syndrome, and the fear that we don't know what we're supposed to know, but meanwhile, we might know more than we actually think we know. I don't know if that sounds right, but that's what people are doing these days.

Yeah, I think I tend to agree. And I think one of the lessons that I've learned in just my career has been the, you know, really try to focus or try to build your skill sets, not necessarily on a pertinent, like a specific skill. Obviously, you have to kind of you know, keep it keep in line with what the industry trends are and what the market demands, but also try to be, you know, as moldable as adaptable, right? If you're kind of rigid in terms of, hey, I know, you know, XYZ type of technology or some protocol, etc. You know, there's a chance that that might not be in flux or in flight, you know, down the line. So, kind of making sure, hey, are you, how easy it is, if you've got a challenge thrown at you, how easy is it to adopt, right? How easy is it to kind of, you know, navigate those waters? And you see some of that in general day to day, right? Like, if you just looking at like the CrowdStrike, that stuff that happened last week. I think my biggest takeaway there was, well, how, you know, forget the technology part and forget exactly what happened. what security companies, what organizations were successful in pivoting, right? What organizations were successful in reacting to that, right? So in terms of, you know, were they able to execute their playbooks? Were they able to identify, you know, what needs to be done, right? And that goes into terms of, again, practice and also being able to adapt. And if you're like, hey, I haven't practiced this scenario, I haven't done this or I don't know, then you were part of that five point something billion dollar, you know, loss or monetary impact.

Well, you're well, you're right. You know, it's interesting. I mean, in security, we talk about incident response and the CrowdStrike thing where, you know, CrowdStrike tanked, bricked, you know, millions and millions of machines. That actually wasn t a security incident. That was really an IT problem that security software solved. But, you know, you re absolutely right. And we talk about an incident response where I go, you know, like Mike Tyson said, everyone s got a plan until they get punched in the face and they realize what they re doing, you know. I don t think there were many people who had a plan out there in the IT world and who practiced or anticipated that all of their PCs, all of their window machines would die instantly. And you got to figure it out. I mean, that's it.

I got two things to say here. One, when Grindr and I were working together, we actually had a big outage in midtown Manhattan due to power. And it's funny. Yeah, I remember. Do you remember? Yeah. So my boss at the time says, What do we do? How do we recover? What I end up doing is calling the telco, the carrier, and then actually pointing our main number towards... I'm not saying this is the best thing you could have done, but it was the quickest thing I could have done. I pointed the PRI, I pointed the main number to a Google voice number, and I had people answering the Google voice numbers on their phones. And the point I'm making is, I'm not saying I'm so great, but you can't always go by a playbook. Playbooks don't always work. You need to adapt and overcome sometimes. You need to find ways and pivot, and those are the people that succeed, and there's a lot of people out there, like me, that will pivot and find interesting ways of doing things. So you can have a playbook, but you can't plan for everything. And the second thing I'll tell you is a guy in my boxing gym, he was in real estate, and he was doing, I think, Trading and he finally said I'm fed up. I'm getting out of it and he pivoted. I didn't realize this. He's a Java programmer Yeah, I said, why did you move from real estate and you know trading stock and stuff to that? He goes because it's a real Java programming is actually a marketable transferable skill where I can move from company to company. The other one I can't. I was like, oh my god.

Sounds like he lost his shirt too.

Maybe. He's still driving a nice car. But the point I'm making is that is where you need to be when you're in IT or cyber security. You need to be able to pivot, not just relying on a playbook, but relying on your skills and your attitude and your perseverance and your assertiveness. to move into those other areas.

And I think a lot of that also comes with experience, right? I'll never forget this story, Adam. This was, we needed to swap out firewalls. Remember Nokias and checkpoints, Joe? Yeah, yeah, yeah. Back in the days as well. So it was basically you had to swap out these older models for these beefier models. And we did this, I built them out in my little cubicle and tested them out and made sure everything works. And then, And then, uh, uh, you know, we had a scheduled cutover. So we take the firewalls and, uh, let's see the data center. I think it was in Jersey. It was me and my, my, my manager and, and we, um, so we, we started doing this. And again, you know, I had done this million times, literally like I, I, I, I built out more firewalls than, than, you know, most people. And it was supposed to be a routine, you know, swap out, right? You swap it out, you do the configurations and et cetera. And it.

Yeah. And everyone's swapping out is our fancy word for replacing old stuff.

Thanks. Um, so we were, you know, it was, you know, we cable it and we do everything, but you know, it has multiple, uh, I remember interfaces on it. And I think a couple of interfaces were not working and, and I am, literally we're spending so much time just hey is the routing in place is is it overlapping networks is it some patch level that needs to be done like this was again it's supposed to be a a one hour uh you know job whatever we were there you know we started like eight o'clock we were there till like two in the morning or one in the morning or something and my manager he's like we tried everything he's like oh it might be a bad cable so Mind you, this cable was already in the old ones, right? So last thing is not working. He was literally working on the firewalls. We're gonna swap out. He takes a brand new cable. He puts it in and starts working and. And I'm like dumbfounded because, you know, I'm not there yet. I'm kind of, you know, still learning my ropes, but it goes back to my point of having experience, right? I think, you know, he had been through some of this where he's like, oh, these are things I can try. And kind of like, again, to your point, Adam, right, not going by the book, but pivoting out to say, let me try something out of the box and kind of work there. And I'll definitely never forget.

Well, you know, also one of the other things experienced teachers, regardless of the field, regardless of it's even security of it is, you know, don't make any assumptions. Like the thing that you think is solid and okay. That might be, that might be the thing.

We joke around a lot about us on the internet and on LinkedIn about when we do, when we interview people and we talk about the OSI layers, But the funny part is we don't need to know the OSI layers intricately, but we need to understand the basics of it. And I'm not trying to be funny here, because I actually had the same issue. We need to start at the lowest level, the physical layer. Did we change out the cable just for the hell of it? I was doing some work, and I do a lot of work in businesses. And one of the businesses happened to be a Chinese restaurant. And the reason why I say Chinese restaurant is because It's just, there's a lot of grease around there, right? And I'm not disparaging, I like Chinese food, but what ended up happening was I removed the connector.

You're gonna get us in so much trouble.

Or sponsorship.

Every restaurant kitchen has grease. This happened to be a Chinese restaurant.

Okay, so let's back out, let's back out. Let's start again, let's start again. So I was in a restaurant and I realized, yeah, I was in a restaurant and I realized once I removed the cable from a MiFi, you know, I had to move it and change it, the route of the cable. And when I put it back, it wasn't working. And I'm like, how can it not be working? It ends up being that the connectors were no longer good once I removed it. So I had to change, Change out a layer one and it changes a cable but that goes to show you right if you look if you go back to basics you go back to you know is the cable good is There a light showing the connectivity and just because there's a light showing the connectivity Doesn't mean that the cable still good, which is why sometimes it's nice to have a little $10,000 fluke monitor a fluke monitor, which nobody has just checking for connectivity doesn't always mean it's good. Yes So sometimes going back to basics, Corinthian, you're right. Starting at the beginning and seeing if that works. And I've learned that lesson too. For sure, for sure.

So Gurinder, you know, it's interesting. We're talking about a lot of stuff that kind of goes back to a little earlier in your career. And, you know, it's true that a new career, when you're in security, you know, you got to change. There's a lot of new things coming along. Like now we've all got to learn AI. We had to learn the cloud a few years ago. But I want to give everyone a feel that there are different roles too. Like what we're talking about is what's often called the practitioner side, the defender side. When you're putting the systems in, you're putting in the firewalls, you're putting in all the stuff that protects the EDR, all the alphabet soup of acronyms that we have. But there's another side too. There's the vendor side, the side of the people that sell the stuff. And even though it's the same equipment, the role and how you deal with it is a little different. It's a little different skill set. And you made a career change, not in terms of going into a different industry, but into going into a different side, because you're more on the sales side now and on the vendor side, right?

Yeah, yeah. No, it was an interesting decision on my part. Again, I've been a practitioner on the enterprise side for my entire career. Just a few years back, I had implemented some project and then the vendor had asked me to speak at their security conference. I now go speaking there and that turned into, hey, did you ever think about transitioning to the other side? And again, I had never done so because I always... I just never did. But it was interesting because I still had my own reservations in terms of what that would entail, moving into the vendor side of the house. Am I really going to be getting into the weeds of things? Am I really going to be doing security hands-on type of thing or is it going to be more just sales and pitching the value proposition, but I think it's been a really fantastic decision. One of the things that I learned quite a bit is the importance of trying to communicate whatever solution it is that you're representing. it's very unique because I can absolutely see my, you know, I can see the other side. I sat on the other side of the chair, right? As an enterprise practitioner and a customer is as a customer, you have a million priorities, right? You have so many different competing priorities. You have, you know, you know, different types of budgets, you have different types of stakeholders, etc. So as a vendor, you're like, hey, my thing is the most important thing in the world. But my understanding that that is not may not always be the case for your buyer or your customer, your prospect. So kind of communicating that value is so important, right? It's not just about the bells and whistles and the features that you kind of represent, your solution represents. It's about, you know, What problem are you trying to solve? How are you trying to help the business? And how are you trying to drive the business forward for that organization? And I think that is really, really something I enjoy doing. And it kind of helped me expand my wings a little bit more and expand my skill set in terms of Well, let's talk about, you know, what the end state should look like. Let's talk about, you know, what you're driving towards and then see how, you know, whatever solution that we're looking at is going to is going to deliver value there. So that's been it's been a wonderful journey so far. And again, I definitely like to have those conversations. And I think I made the right choice. But at the same time, I'm also glad that I'm not too far removed from, you know, actually proving out use cases or, you know, working on the technical, you know, intricacies of making sure that whatever solution it is, it actually works in a customer's environment in an organization. So I think I got to get the best of both worlds.

Okay. Well, why don't you explain, explain to people, because you know, a lot of people who are not necessarily it listening that you, that you're part of the sales team, but you're not the sales rep, the sales person, and you're still a technical person.

Just so you know, I'm actually in the same exact position as Corinda. I'm on the sales side and I am technical and I do work and perform Uh, installations and then work with clients. So even though Grinder probably is in a semi different position, It's very interesting to be on that side.

Joe, you bring up a good point in terms of, you know, what does that, I guess, process look like, right? And again, I try to stay away from, you know, the sales reps and the account reps, et cetera. Because again, to me, they are far more skilled at being able to have those conversations and navigate those waters from a sales cycle perspective. So I don't necessarily get too involved in that. But, you know, the whole concept of, you know, procuring an opportunity, you know, kind of qualifying that opportunity, kind of bringing that person to the table to say, hey, let's have a conversation with our technical people to understand what your use cases and pain points are. And, you know, that's kind of where I get involved in is right, they kind of do some of that discovery, you know, understanding, you know, where or what, what, you know, do the customers realize one of the things that I've noticed is, is once you get to get the customers talking or prospects talking, you know, they may come to the table with one thing, hey, I have this use case, or I have this pain point. But then when you kind of get them, you know, open up that conversation, because one of the benefits that I have is I talked to a lot of different people. So I see a lot of different, you know, environments, organizations, deployments, scenarios, and all that stuff. So being able to bring in all that knowledge to say, hey, have you thought about this? Have you thought about this type of threat model? Or have you thought about this type of scenario that perhaps one of your competitors or somebody in your industry is undergoing? It helps them kind of open up their minds into thinking about, well, I didn't think about that, right? Let's dive down that hole too in terms of how your solution or a solution can work there. So I think that's where, again, I kind of get to flex my muscle a little bit is having those in-depth conversations around, you know, what are your pain points, right? What are you looking to do to drive the business value? And how are you kind of, you know, what are the obstacles you're facing there? And then, you know, educating them on, hey, how is XYZ solution helping with that, right? How's XYZ solution? And one of the things that I'm kind of, I'm experiencing just because the industry I'm in now and the technology that I represent now is, it's challenging getting people to think about security in a very, in sort of a new way, right? Going back to what Adam was saying, you know, as much as we like to talk about, you know, the fundamentals of, you know, OSI model and et cetera, technology is advancing, right? Threats are, are a lot different than what they were back in, let's say, a couple of decades ago. So these modern threats have to require different types of solutions, right? You can't just go in and plug everything with a firewall, or you can't just go in and, let's say, do a password reset, and that's going to save a lot of your problems. So having organizations or customers or prospects think about security in sort of a different manner, it doesn't always end up being successful. But when that light goes on, you're like, ah, get it now. Now you can genuinely have that conversation around why this solution makes sense for you.

So, you know, Gwendolyn, you know, it's kind of, you know, funny, right? You know, I popped in and out from being on the client side to the vendor side, and I'm back on the vendor side now. And I get called into meetings where we need to reassure our clients about security and about, you know, how this will integrate within their networks. So it's interesting, right? Clients always have these reservations or concerns. And it doesn't matter what product it is. It doesn't matter really who is presenting it. Clients have their concerns. And they rely on your expertise and my expertise and Joe's expertise to provide solutions that make them feel confident that they're going to be OK. I mean, that makes sense, right, Gurinder?

No, absolutely. We definitely, you know, as, as I say, on the vendor side, or even from somebody who's a, maybe you can call it a security SME, right? Being able to offer, you know, guidance on what we've seen, what industry best practices look like, because again, it's all about, to me, it's all about, you know, the exposure. A lot of times organization, you sit in a single organization, you kind of don't know everything else that's happening outside, right? So learning what practices are, what success looks like, or what successful implementations look like, and how they help to deliver value to X, Y, Z businesses. I think that that is a value add that, you know, you really can't necessarily quantify through a product. But that's where, you know, you have people like, you know, resellers, right? You have, you know, industries coming up like implementers, right? Because those are the people that get relied on, that middleman that organizations don't necessarily have access to directly.

A good reseller is not just the middleman. You know, it actually in my career, it took me a while to warm up to So I think a little bit of it was because of arrogance, because we're a big enough company, we can deal right with the vendor, we don't need a middleman. But you know, I eventually learned that another word for the reseller is a VAR, a value-added reseller. who are adding value are the ones who are good. And I've talked about it before. Like you said, you know, there's a vendor or reseller. They work with so many different people. They see so many different things and they see so many different options for how things can help you. And they get to know you and they're like, you know what, you know, a good one will say like, you know, for you, for your business, these products are good. These other ones, they're great, but maybe they're better for other people. And you should be focusing on this one.

So that and that's funny you bring that up Joe, right when you and I were working, um together you know, we we've had a lot of uh bars or resellers or whatever you want to call them and When I think back to when we brought some of these in and we were working with certain products you know your your mind starts to wonder like Why is why are we bringing these people and I can do this? but I also realize that sometimes we need to transfer the risk and transfer that time to the vendor, to the reseller, to help us bring this project to fruition. So you can't let your ego get in the way, and there are times when my ego was there, like, I can do this easily, I don't know why we're doing this, but then I realized we have somebody who does this all the time, they have the expertise, and I can use my time better on other tasks and other projects. So sometimes it's good to bring in like a grinder or somebody else of that nature because that's what they do all day long.

Yeah, I agree with that.

Yeah, and you know, it's interesting. This gets a little bit into, you know, explaining the IT world, you know, IT people and especially security people and especially technical people. They can be a little arrogant sometimes and sometimes say like, I know this better than anyone or I understand this. I don't need anyone to explain this to you. And this sales guy is just trying to sell me this like a used car. But Adam, you're right. You've got to drop the ego a little bit and say, these are the people who You know, they are trying to sell it, but they know it well and they've seen the situations where it works and they've maybe thought of seeing and thought of some things where the stuff can help you that you didn't notice. So that is the good for the people who do it. Well, it's really valuable.

And I looked at it after the fact when we were working with a certain vendor and I'm like, wow, this is a teachable moment where I'm not paying for it. I'm learning so much from watching this individual, this company from doing the work. that I have now gained knowledge, didn't have to pay for a class, and I'm learning on the job with my company's time. It's not to be obnoxious saying, yeah, my company's doing this for free for me. It really is a mutual thing that the company is bringing in resources to do the work and for me to learn, and there's no cost to me. So sometimes it's really good.

I think what Adam, you said earlier, I think to me that's above and all the biggest value or the reason for it, which is the risk mitigation and the security assurance. I had a project that I was doing around Office 365 implementation. a while ago. And, you know, the whole concept was, you know, do it in your lab environment and QA and stuff, and then you roll it out to production. And I did it in QA or in our lab environment, you know, with my eyes closed, but our management would absolutely not let me do this in production, right? Because they say, hey, we need to have be able to transfer risk, right? We need to be able to have In case something goes wrong, right, we need to be able to have somebody behind and say, that person or that organization is liable. So from that perspective, I think understanding the importance of using a third party that has a contractual binding to the responsibility of, you know, what happens if something goes wrong, what happens to, you know, you know, making it right, as you may say, right, I think that's as a security leader or even as a business leader, above anything else, that's what you're looking for, is that ability to say, hey, if something were to go wrong, right, whose responsibility is it, and am I covered for that?

And being on the client side, we've had clients that drove us to use third parties in order to integrate. So sometimes it's beyond our control. An organization says, look, we want to be a client of yours, But if we're a client of yours, you need to implement these security or these applications or these products in order for us to feel confident to do business with you. But we want you to use a vendor to do it because they have the expertise. And sometimes you have no control over it. And Joe, a lot of that was on you as well, right?

Well, you get different mixes and yeah, on the buyer side, on the procurement side, when you're buying this stuff, you know, sometimes you have situations. Well, one of the key things is that eventually when you buy something, it gets handed over to you. And we have talked about this before too. You got to make sure that your people can run it. That it's something that you have the people to do it, that they have the skills, and that they've gotten the training either formally or from the vendor or from the reseller or whoever, so that you can operate the thing. So that's kind of the end state. But then you also have, okay, who's going to build it? Who's going to put this thing in place? Not just buying it, but who's going to put it in place? And with that, whether it's you know, the vendor doing it, whether it's a reseller, whether it's a consultant, whether it's some mix of it, you do need to make sure that it's going to be done correctly. that your people are trained correctly one way or another. And also, as you were saying, Adam, that the expectations are really clear because that all works really well and has to work really well and you need to manage that. But one of the things you need to manage against is making sure that all goes well and that the responsibilities and and expectations are clear because when it doesn't, and you have all these people involved, you know, potentially three or four parties, the bad scenario is when you start having finger pointing, when people are not taking accountability and not getting things done. And, you know, very often I talk about, yeah, and security, a lot of us managers, a lot of what we do is not actually security. That's one of the big things there. Yeah, we can put in this big huge system and do all this thing But you know making sure that all these parties that you have the right parties on it that they're working together With the right expectations and accountability that can be Really tricky super important and and this is why people are moving towards MSPs and MSSPs They want service providers.

Yes, I do this for you. Yeah, they want service providers to do it for you because one it transfers a risk to alleviates the funding Individuals on your organization and allows It's just sometimes economically more viable, but sometimes due to security concerns and other issues you want to bring it in-house There's so many mixes of why you do things in-house and why you do things with third parties and why you do things with vendors It really it really depends on your individual use case. There's no template. There's no cookie-cut it you really have to as a manager As a person in leadership, you gotta figure out the right thing if it's not being dictated to you. Sometimes it is dictated to you because the vendor, I'm sorry, the vendor even might dictate to you, you have to use our service in order to buy our product. So everything's different.

Definitely, yeah, there's no, Adam, to your point, there's no run book for any of this. It's, you know, you kinda have to go different use case by use case.

Well, I guess that keeps life interesting because, Kiranjur, I'm sure you know, we talk about the happy world of this is great. We provide value and we do all this. I'm sure you've got a few stories of when things have been a little bit rocky here and there. Yeah. The job isn't easy. You make it sound so easy, but it's not always.

No, no, it's not. And I think it goes back to a couple of things, right? One is, From a vendor side, you don't have the option to say, hey, you know, you need to adapt to us, right? It's always about, well, how can this, you know, solution be implemented in what your environment is, because your environment is a lot bigger and more difficult to change than, you know, let's say my solution, right? So I think the challenge that I see a lot of times as well, we have legacy technology, we have mainframes, we have, you know, different types of operations or even business processes that we absolutely cannot shift, right? So trying to understand how do you solution for those when, let's be honest, right? Most vendors and most, you know, cybersecurity companies, they typically roll out products for modern, you know, modern environments or modern stacks. So having to kind of, you know, come across where, you know, it might be an issue there, but then, you know, even if you take it away from the technology side, it could also be a personality issue, right? Again, convincing somebody when they have a million different priorities going on or a limited budget, that your solution is what is needed. I think that is, That is challenging, it's fun, but you know, it's not 100% success rate, right? And that's important to... to, I think, you know, always, the thing I take away from that is always, you know, there's always a, okay, maybe not now, right, but do you understand, right? And let's revisit this conversation when you think there might be a use case or there might be a need for this type of implementation. And, you know, that comes and goes, but it's not always 100% success for sure.

Well, I'll tell you what you're talking about right there is what the absolute best sales team, sales rep, sales engineers, you know, do. It's like they say, you know, our goal is to get the right solution to you. We have something great. What if it's not? But if ours isn't right to you, you know, right for you, we're not going to push it to you. But let's stay in touch because you've taken the long view, you know, taking the long. Customers love that so much. Those are the most valuable things. And I can tell people. It may sound all muffy-duffy and touchy-feely. It pays off. I've had, you know, relationships where something hasn't been right for me, but eventually I've gone back because those people keep up the relationship and have treated us right. So it works.

Grinder brought up an interesting point. I want to just touch on that. There are times that organizations don't want an individual involved, and that's why they bring in a third party. He didn't directly allude to that, but like, oh, We need to implement this. There's no way XYZ is going to be doing this for us. Go get an external party, bring them in, let's interview them and see whether or not they're capable of doing it. Because we don't trust this person, and even though we have to employ them, we don't necessarily have to use them for this. It's true though. Each one of us has been in that situation where we had to deal with somebody like that.

Absolutely. And I'll admit to when I was, you know, on the enterprise side, right, I had, you know, not necessarily the best experience with certain individuals, and I didn't see them being able to deliver success in my environment, for whatever reason, it doesn't necessarily need to be anything personal, right? So I think those sometimes those things are and but those, Those discussions and those conversations are just as important as the technical feasibility of the solution. Is this person going to be able to work in this environment? Is this person going to be able to take orders? Is this person going to be able to execute on time and prioritize accordingly? All these things are things you need to consider when you're evaluating not just a solution, but also the people implementing that solution.

I was going to say, you know, the crazy stuff pops into my head. I'm watching too much Star Trek lately, but kind of the theme that it seems like we're getting to, Gurinder, like what you're saying, it's just as Spock said, logic is the beginning of wisdom. It's like, you know, the technical stuff and the technology is kind of the beginning of success. There's so much more that goes into it to be successful.

And I'm not saying that the person in the situation is a bad person, like you were saying, Joe. I'm saying sometimes to like, it might be a reliability issue for certain technologies. It might be like, this person is great doing this, but don't let them do that. It doesn't mean that the person's not liked. It just means that for whatever reason, that skill set, that individual does not mesh with that other technology. And it could be personality, it could be attitude, it could be that the person's just a really good person, and we need them to concentrate on something else.

Or maybe they need to be trained. And you know, it's someone on your staff who's not ready to do it and you need someone to bring them along. I mean, Joel, like you said, learning, you know, Gurinder, you were talking about having to learn more and do more stuff. And well, yes. And you can do a lot of self-study and everything. Sometimes when you're getting these specific products, it's like I said, it's not something you can buy at the, you know, at Best Buy and try it out. You need the company to help your people along to learn it.

It's funny, we used to be able to go on Amazon and learn about firewalls. Now, all these firewall companies, a lot of them, all the technology, all that stuff is proprietary and you have to actually take their classes in order to learn it. Again, no knock against anybody, any vendor, any manufacturer, but it was a little bit easier back in the day. You go on a website, you buy a book, you learn. But what is easier these days is that when you do learn these technologies, you can virtualize it instead of having to buy a $5,000 firewall, a $6,000 device. A lot of virtualization has actually improved that capability of learning it too.

Yeah. Yeah, I think so. I agree with that.

Well, we have been talking for quite a while. Gurinder, thanks for spending a lot of your morning with us here. We would normally say, you know, this is when I like to say it's time for last call, but since we're on coffee, I guess it's time for us to get up and get another cup of coffee. Because I know I'm out.

Well done.

So Gurinder, you have any final thoughts? Anything else you want to put out there?

Thanks for having you guys it's great to connect with everybody and you guys I know it's a you know It's a small world, especially, you know, the IT world small the cyber security world is even smaller and it's I'm sure you know, we'll always run into each other once in a while, but You know I think it's an interesting time we're in, in terms of the space and how it's moving. You know, again, keeping up with new technologies or, you know, learning and trying to, you know, keep that continuous learning mindset is really, really important for all of us, not just for our personal careers, but also to do our job well, right? And I think that's something that, you know, we all have to kind of take forward. But again, thanks for having me and enjoy the rest of your weekend.

I'll say this as we're getting out of here. The one thing we need to remember is it's not a candy store. You can't walk in and eat every single candy. We all want to learn so much. We all want to be so valuable and so knowledgeable. But there are times when we have to put ourselves in check and say, wait, I can't learn every technology. I got to focus on certain technologies. And that's the delineation point where we need to also be. What do we need to focus on? And then as we look as our careers progress, and maybe we wanna move somewhere else, then we say, oh, I gotta learn this technology. It's not easy. It's not easy being that SME on everything, and we can't be the SME on everything. We have to focus.

That's right. It's a big, complicated world out there of security, just like the rest of the world. But Gurinder, thanks so much for joining. This has been a lot of fun. As always, it's great seeing you.

All right, guys. Gurinder, it's been amazing getting back together with you and looking forward to the next podcast with you.

Yeah, absolutely.

All right. Take care, guys. All right. Thanks for listening, everyone. We'll see you soon.

Bye.