Ever wondered how security professionals sell internally and find the perfect solutions for their organization? Join us as we discuss the art of vetting out solutions that fit the environment and connecting with top players in the space. Learn from my experience about the significance of building a strong network, leveraging both your internal and external connections, and how to approach your direct manager to check if there's already a project in play.
Managing three clouds with a small team while keeping up with development work and responding to fires might sound impossible, but we've got you covered. In this episode, we explore the importance of a low-lift solution that can be managed by one person and discuss how selecting a less well-known option saved our team time and effort. Hear about the benefits of taking ownership of a project, gaining invaluable experience and knowledge, and becoming a recognized figure in your environment. Don't miss this opportunity to level up your security game!
How's it going, everyone, and welcome back to another Security Unfiltered mentorship episode. So today we are going to be talking about something, or a topic, that I'm very familiar with. It really helps you separate yourself from the crowd. It separates you from everyone else at the company; honestly, it separates you from everyone else in the industry if you do it right, and what that is is selling internally at your company. So what do I mean by that? What is it, right? You know, as a security professional, I do post my title on LinkedIn and everything like that; I don't post the company. If I did post the company, I would probably be getting a lot more messages than I already get. But, you know, just with the title, I get a lot of vendors reaching out trying to sell me everything that you can imagine for a security product: tools that are very well known, tools that are not very well known. A lot of the time, vendors are guessing at what we may need in the environment, and they're just kind of throwing a dart at a dartboard and seeing what sticks, what doesn't, and going from there. So what does this have to tie in with it? You know, really, it's difficult sometimes to weed through all the random products that are out there, and I am lucky enough to have a network with, you know, ARKON, which is a partner reseller for a lot of different companies that does the vetting of these, you know, solutions on the market and gives me a rundown on what, you know, may fit best within the environment. And from there, you know, I'm able to make my own assessment. But I think we should even take a few steps back, right. As a security person in the environment, you know the environment better than most. Obviously, you know, your first 30, 60, 90 days at a company you're not going to know the environment that well, but you will eventually, and when you do, you can start looking at the environment as a whole, start picking it apart and seeing.
You know, maybe there's a solution that's up for renewal that doesn't really do a great job, and maybe you know of another solution on the market that could be a fit, that could actually help the environment and whatnot. Or maybe you're lacking a tool completely. Maybe you have a, you know, web application firewall gap in your environment, and you need to fill that gap with the right tool that really fits your environment perfectly. So taking that need and then potentially reaching out to your network, or even reaching out to the top players in the area. You know, a quick Google search will tell you, you know, all the time, every time, you know, who the big players in the space are. Just say, you know, web application firewalls, for instance. Right, Cloudflare, Fastly, Akamai, you know, these are almost household names, right, in security. Everyone knows who they are. But let's say that you're looking for a WAF, right. What would I do to sell this internally? So the very first thing, I need to actually talk to someone at Cloudflare, just using that as an example. Right, I would need to talk to someone at Cloudflare. I would probably need to talk to someone that knows the solution and the offering really well, which could be, you know, leveraging my own network that I've already built up through Arkhan, or talking to other people that I know that already own the product and talking about, you know, the ins and outs of the solution, right, so I can figure out if it works best for my environment before I ever even get on the first call. So then, you know, I'm getting on this call, right, with the vendor, whichever vendor that might be, and I'm presenting them a problem in the environment. And, you know, to be completely honest, this is just me, right, there isn't anyone else on the call. No one else in my organization at this point knows that I'm doing any sort of thing like this. Right, it's not like it's being heavily publicized, you know.
And so I'm getting on the call by myself and I'm talking to the vendor, right, and they're probably going to go through some slides, show me different things, ask me if I think that it could work in the environment. I'll give my feedback, and then it's time to actually start selling internally. So how do you do this? You know, earlier in my career I thought this was fairly difficult. But, you know, earlier in the year I did talk about building a network, building a bombproof network. I think there's two parts to it. There may even be a third episode that's about building a network that wasn't, you know, under that same title or whatnot. But you should already have a network at this point. When you're selling something internally, you need to be leveraging your network. You need to be leveraging your internal network at the company. You need to be leveraging your external network at other companies, you know, and key people that you actually trust with, you know, that sort of knowledge, right? Like, do I actually trust their expertise in web application firewalls, right? That is definitely something to keep in mind and always be aware of. So, with that said, you know, where do we go from here? And so it really does kind of vary, where you go from here. You know, you would probably want to, you know, bring it up to your direct manager first, obviously, and say, hey, you know, we have a gap in this area. Is there a project at play that I don't know about, that, you know, is coming up, or anything like that? If they say no, great, maybe it's an opportunity to start a project and get this thing kicked off, and maybe you can own it because you identified the gap first, or maybe you're the one that brought it to their attention first, and you should have some ownership in it. You know, and from there it's not necessarily about playing internal politics, okay, which it could come off as sounding like that. How I do it:
I'm very, very open, very honest. You know, and you've got to approach it from a place of you're doing a fact-finding mission, right. You're just trying to figure out what's going on in the environment. You think that there's an issue in one place; maybe you confirmed it with the architects before you even talk to your manager, and be like, hey, is this what I'm seeing? Because this is what it looks like to me, you know, or is there something else going on here that I don't know about? Doing those things will prepare you to actually sell it internally to your management, because your management will then have to go and pitch it, you know, upwards to the CISO at some point, get approval for the funding, you know, do the project and that whole thing, right. But let's talk about why do this. Why even go out of your way and try and do this? You know, and this has been difficult for me at times, I'll be honest, because I have sold products internally before at companies that would greatly help that company, that environment, several teams within the company. You know, I've sold it properly. I've sold it to the CISO, the CIO, my manager, right. It really just came down to one person denying it because they didn't want to admit that the solution that they chose 10 years ago was not working to the standard that the organization needed. And so, you know, this can be a very disappointing process, right, because you're gonna put a lot of time into it. You're gonna put a lot of effort into it. You're gonna learn a whole lot more about the product than you ever would have before. But you do this because it separates you from everyone else. You know, just plain and simple, not everyone is going to be looking at the security stack as a whole and saying, what areas are we lacking in, what areas can we fill? What's the best solution to fill that gap? And that last question is probably actually the most difficult, you know. I'll give you an example.
At a previous role, I was looking at a cloud security platform management solution. Fantastic, long name, right? And so I was looking at all the different top-tier solutions on the market at that time, and at that time the company that I was at was in the big three clouds. They were in AWS, Azure and GCP, and so we greatly needed this tool, because there were only two people that were responsible for the security of three clouds, and if anyone, you know, knows anything about cloud security, learning one cloud is like learning a different language, because they literally use different words for everything. The different words will do different things across platforms, right. So you may have, you know, one word that sounds similar, you know, to Azure, right, but they're doing two totally different things, and so you're literally stuck learning three different languages and learning the infrastructure, learning how things are configured, how things are done differently in each cloud, the nuances between each cloud. Um, it's a headache, it's tough, it's actually really hard. I do not recommend it. And so we really needed this solution, because there were only two of us, and so we evaluated all the top solutions for probably four weeks. That's just, you know, all of the solutions, probably three or four solutions, for four weeks. At the end of the fifth week, we would probably choose a winner of the POC and whatnot, and so one of the deciding factors in me choosing the right product was our team size. Like I said, we were a team of two, right, and so we needed a product that wouldn't inundate us with a whole bunch of alerts that we will never get through. We also don't need something that will take, you know, six, eight, 12 months to set up. We just don't have that time. You know, we are a lean and mean team that works, you know, through issues and problems very rapidly.
We need to be very agile, not to reference the Agile framework, because that's just going to give people a headache on here, right? But, you know, it's a different work environment when there's two people managing three clouds and you're just responding to fire after fire, putting things out, resolving issues, configuring things correctly, trying to catch up with the development work, ensuring that everyone is developing properly and not putting things in the wrong place, making sure that, you know, everything is set up and configured how it should be. While doing that, you can't be deploying a tool, and so we really needed a very low-lift solution that could be run by one person if needed, right, that wouldn't produce a huge amount of alerts. So that means that there has to be some sort of internal logic to that, you know, alerting mechanism in the solution that prevents it from inundating you with alerts, right. And so we ended up choosing a solution that was up and coming. You know, it's a less well-known solution, for sure, and we chose that solution because we are a team of two, and it took precisely 30 minutes to set up and deploy the solution. And on top of that, and by the way, we had about 50 different AWS accounts, and it only, you know, took us about 30 minutes to set up all of AWS, which is insane, because if you look at other solutions like Dome9, or CloudGuard as it's referred to now, those solutions take a very long time. Most of my POC, probably 90% of my POC time for CloudGuard and these other, you know, larger solutions, was setting it up. You know, another area that I thought was key was that there was extremely little configuration that was needed, and it didn't generate a huge amount of alerts. It only told me about the stuff that I really need to pay attention to in the environment, and that was extremely important, right?
Because, like I said, we're a team of two, and so we need to literally get an alert, know that it is a valid alert, that it's something that we should be paying attention to, react to it and move on. That's really, it's pretty key, you know, and all of the other solutions that we looked at, that we, you know, talked to or whatnot, all of them basically said that we would need a team of four to run their solution, and it would take, on average, 12 to 18 months to fully configure the solution. And once it's fully configured, you're probably going to have a whole bunch of alerts that you now have to figure out how to weed through and create a whole bunch of custom rules for, and from there you're going to be doing tweaking and tuning for the rest of the lifetime of that solution in your environment. That's really what it is, right, for these other solutions, right. And so at bigger companies, that's not a problem at all, because they'll have a whole team of people, you know, eight, 10, 12 people working on this one tool, doing this one thing, and so they can absolutely do it, they can absolutely manage that solution with ease. But for my given situation, there was no way, no way at all, that we could have done that. It would have taken us four years to get the thing fully configured, I mean literally, because it's just two people. And so that's how we made our decision to go with this other, less known solution that ended up being a better solution. Now, why do I take you through all of that, right? It shows you how it sets you apart. You know, immediately I took ownership of this problem in our environment. It wasn't my responsibility to really take ownership of it, but I took ownership of it. Right, because I'm the cloud security person. We don't have a management tool for the cloud. We need a unified platform for it, we need a project for it, and so I immediately owned this entire process.
I brought it up to my management; my management and myself brought it up to the CISO. The CISO approved, we got a budget for it, we're off to the races. All of that is taking initiative. I identified the lacking area in the environment, and then I took ownership. I didn't just identify the area and then point a finger and say, hey, someone else should take care of this. I identified a gap and then I said, hey, I'm taking this over. If it's approved, like, I own it, I run it, I'll choose everyone for the POC and we'll make a decision as a team, you know. So it shows taking initiative, it shows taking ownership, and once we get through those two things, you're also going to gain a whole lot of experience, a whole lot of knowledge and, you know, maybe even more importantly, you're gonna become more well known within the environment, because you're gonna be working with a lot of different people. Your manager and their manager will likely refer to you now in other, you know, executive-level meetings and calls, because they're saying, like, hey, we have this new project, you need to get ready. You need to, you know, get your teams ready for it. This is the point of contact, and they're gonna bring up your name. So that is just something that you should absolutely, you know, keep in mind and whatnot, like, when you're doing this, right, because you're gonna get more well known within the environment, and that is only going to help you. As long as you use that notoriety correctly, it'll definitely benefit you. So, you know, all of these things combined really work to set you apart. You know, and that's key, right, because you need to be able to set yourself apart from everyone else in your environment. You know, it's not enough to set yourself apart from everyone else when you're applying for a job, right. You absolutely have to do that, because why?
Why hire, you know, a cookie-cutter person, when you can hire, you know, 10 other people and get the same results, right? The reason why you would hire someone is because they provide something that the rest of the candidates don't. And this same exact thing works internally at companies. The next time that there's a promotion available, the next time that, you know... Let's just say you want to get promoted to be an architect, right, and now the opportunity is available. You have a really good case as to why you should be getting that job, right. Because you took initiative, you took ownership. You analyzed the environment, saw that there is a gap, made the right call on the solution, deployed the solution and then, even, you know, provided support and training to the rest of the organization, provided documentation. You had to sell it to your manager, to his manager and/or their manager, and to the CISO, whoever that might be. Maybe you even had to go a step further and sell it to the CIO. Maybe you had to go a step further and create the slides for your CISO to sell it to the board, because maybe, you know, your company has a requirement: if it costs X amount of dollars, you have to get board approval and all this other stuff, right. And, you know, your job is not just to point the finger and say, hey, we have a problem here. Your job in this situation is to take full ownership and see it through to the end. You know, when I was choosing this CSPM solution, towards the end of the process, when I was actually, you know, choosing... When I chose the solution, when we were pitching it and it got approved, my CISO was going to have to present slides on it to the board. So the first thing that I did was I actually offered to put the slides together for him. Now, these slides, I mean, I've never had to present to a board before. I've never had to create slides for the board before.
I have no clue what I'm doing, but I used all of my internal resources to get the job done, and after about 20 revisions of this slide deck, I mean, I'm not even kidding you, it took probably three or four weeks to get these slides done, not that they weren't done already, but, you know, it's literally 20 revisions. Like, it's not even an overstatement. But after 20 revisions, we were finally comfortable enough to give it to our CISO to present to the board. And with all of that, though, it just shows you, right, like, in this situation, I took the initiative, I took ownership, I saw it through end to end. That's the big piece, right? Not everyone can say that they did that. Not everyone on the market can say that they identified a gap, explained what the gap was, why it stood out to you, why it made sense to prioritize that risk to the environment over other risks to the environment, what were other risks, and then went through this entire process, right, of learning the technology, selling it internally to the right people at the right time. And that is key: being able to actually sell that solution to the right people at the right time. You know, I'll give you an example, right? So when I was trying to sell this CSPM solution internally that I had chosen through the POC, you know, part of it was actually selling it to my CISO. So I chose the solution, my manager agreed with it, his manager agreed with it, and then it was time for the CISO. And my manager's manager basically had to gauge if my CISO was in the right mindset or the right mood to be able to handle a discussion like that. And so the meeting actually got delayed one or two times because he just wasn't in a good space that day, right, and they didn't want to kill the project because he was having an off day. And, you know, I had put in a lot of work already into this thing. So timing is everything, right. And then also being able to sell it internally: hey, why do we need the solution, right?
What was the gap that I saw? Because these people probably saw it as well, already knew about it. What were the solutions? What was the criteria that I was basing everything off of? And then what were the final results? Right, like, there's a lot of different classes out there, probably there's a whole lot of different articles, about how to talk to executives and whatnot. I have learned keeping it short, simple and sweet is probably the best route that you should take. I think my presentation to the CISO was under 10 slides, and I think my actual presenting of the solutions was probably done in 15 minutes, like, at most, probably 15 minutes, and then the rest of the time, you know, we discussed it, we discussed next steps and everything else like that. Now, just because it gets through that CISO approval doesn't mean that your job is done, right? I said end-to-end ownership of this entire process. So now you're going to get experience with negotiating quotes, negotiating with the vendor, learning how to actually do that, learning when to push back, what areas to push back on, how to actually get the real numbers from these vendors, and things like that. That's experience that you're not going to get other than by doing it. You know, like, that's something that, you know, is definitely an art form, almost, right, of how to negotiate someone down a million dollars, right. Um, you know, I'll give you an example. One of the quotes that we got for this CSPM solution, I think the first quote was like 1.4 million dollars. We negotiated them down to, like, over a million dollar discount, right. Um, well, when I say we, I actually mean me. Um, I was able to actually get them down, you know, a considerable amount, so that it fit within our budget. Um, because we greatly, desperately needed a solution in the environment, and this other solution, you know, was just the right solution for our environment.
Um, and so you're going to get experience with that as well, and you're going to get experience in probably 10 other different ways that I'm not even mentioning right now. You're going to learn how to talk to executives. You're going to learn how to present to executives. You're going to learn the ins and outs of the process. You know, every company has a different procurement process. It has different timeframes with it, and different people need to be engaged, different teams need to be engaged at different times. Um, all these different things, right, and you don't learn any of that unless you actually do it and go through it, you know. So, again, you know, doing something like this, choosing a solution, identifying that gap and choosing a solution and then selling it internally and saying, hey, you know, I want some time or your approval to look at this solution a little bit further and going from there, right, and owning it, taking that ownership. You know, I recommend that everyone reads the book Extreme Ownership by Jocko Willink. Um, it's a fantastic book, and it really shows you that there's very few excuses out there. Whether you succeed or fail is all up to you. Whether you are successful is almost completely in your hands. You should have, you know, foreseen different things. You should have adjusted different things, and he really goes through it, um, ad nauseam, to make sure that the readers understand, you know, the roles and responsibilities that someone may have and what they can do within those roles, and, you know, times to push the boundaries and things like that. Right, all of those things, all those skills that you learn, all those soft skills, are extremely valuable, and they're not going to just pay off in the workplace, right, in the office, right; it's going to pay off in a lot of different areas of life. You know, you're going to learn how to negotiate the price of a home down more, right.
You're going to learn how to negotiate the price of a car down more. You're going to learn how to, you know, take initiative in different relationships and different areas of your life. You know, and that's what everything really comes down to, right: where you spend your time, where you spend your effort, you know, that is where your life is going to go and grow. So with that, you know, I really appreciate you guys hanging in there. I completely actually forgot last week that I didn't have an episode lined up for the mentorship side of things, so I really apologize for that. Quick note: you know, I definitely have some major updates and upgrades coming to the Patreon. I think it's going to be really great. It's really going to build a community around setting goals, achieving those goals and growing, you know, in our careers together. So with that, guys, I appreciate you listening, and I'll see you on the next episode.