The Making of a Cybersecurity Titan and the Rise of Virtual Compliance

1 00:00:00
Speaker 1: How's it going, justin?

00:00:01
It's great to finally get you on the podcast.

00:00:04
We've definitely been working on planning this thing for quite

00:00:07
a while now, so I'm really excited for our conversation.

00:00:11
Speaker 2: Yeah, thank you.

00:00:11
I'm excited to be here.

00:00:13
Speaker 1: Yeah, absolutely so, justin.

00:00:16
I start everyone off with giving their background right,

00:00:21
like how you got an IET, how you got into security, that sort of

00:00:24
thing.

00:00:24
And the reason why I do that is because there's a portion of my

00:00:27
audience that could be getting into security for the very first

00:00:31
time or trying to get into IET for the first time, and I think

00:00:34
it's always helpful to hear everyone's story and maybe it'll

00:00:38
match up with someone and they can say, oh, if he did it, maybe

00:00:41
it's possible for me.

00:00:43
Speaker 2: Yeah for sure.

00:00:44
Yeah, definitely.

00:00:45
I can give you a little bit of background on how I kind of got

00:00:47
to where I am today.

00:00:48
So after I graduated college I moved to New York City and I

00:00:52
started working.

00:00:52
I had a degree, I wanted to work in technology and I started

00:00:56
working for a company here in New York that did software

00:00:59
licensing.

00:00:59
This was back in not to age myself back in 2002.

00:01:02
We were selling a lot of Microsoft licensing to big

00:01:06
businesses.

00:01:07
So I got a lot of exposure to IET and to a lot of large

00:01:10
businesses primarily based here in New York, the IET departments

00:01:13
, and how they work and how they operate, and so I did that for

00:01:17
a few years.

00:01:18
And then I actually left that job for a small period of time

00:01:21
where I went to go work in film, because I lived in New York

00:01:24
City and I was young and I wanted a job at the law school

00:01:27
at that point in time.

00:01:28
So I left to go work in film for a while, which was great too

00:01:32
, and I think back on how it all kind of played together with

00:01:35
where I am today, because I learned a lot of things about

00:01:37
like my work ethic and when you work for a film company in New

00:01:40
York City there's a million people ready to take their jobs,

00:01:42
so you always kind of have to be on your end game all the time

00:01:45
, and it also by working in film .

00:01:48
I was surrounded by a lot of different celebrities and really

00:01:51
people that I viewed at that point in my life as being like

00:01:54
really prestigious, important people, and I realized by

00:01:57
working with them that they're just people like me and there's

00:01:59
no reason why I should idolize them, and so that helped me when

00:02:02
I started Rometic as well, because that gave me confidence

00:02:04
to be able to do that.

00:02:05
But I ended up working in film for a few years and then I

00:02:09
really decided that it started to get a little bit older and I

00:02:12
was like, hey, no, maybe I don't really care so much about

00:02:14
having the cool job in New York City and I'll tell you more

00:02:17
about something that I'm going to be good at and so I left film

00:02:21
.

00:02:21
I also didn't want to move to Los Angeles, which was kind of

00:02:23
the next logical step for me that I stayed in film.

00:02:26
So I left film and I went back and I worked for some consulting

00:02:29
companies here in New York doing consulting work, tech

00:02:33
consulting work, and one of the companies that I worked for, I

00:02:38
ended up doing a large penetration test.

00:02:42
I was primarily providing cybersecurity services through

00:02:45
these other consulting companies that I was working with, and I

00:02:49
ended up doing a penetration test for a large, prestigious

00:02:52
law firm here in New York City and we did a really good job

00:02:56
working with them.

00:02:56
We were able to hack them a bunch of different ways, which

00:02:59
was good for us.

00:03:00
I don't know if that was necessarily good for them, but

00:03:02
it was good for us and they were .

00:03:05
They their CIO at that point in time was pretty impressed with

00:03:08
the work that we did, and so he had asked me because I had had a

00:03:12
longstanding relationship with this law firm through just my

00:03:15
various years of working in IT in New York, and he had told me

00:03:18
that he knows that I wanted to start my own business and that I

00:03:21
wanted to start my own cybersecurity firm, because I

00:03:22
talked to him about it before and he said that he's happy to

00:03:27
refer me because of the good work we did for them.

00:03:28
He's happy to refer me into one of their customers, but the

00:03:30
only way he's going to do that is if I start my own business,

00:03:33
and so he kind of allowed me to start my own business.

00:03:36
Turns out, they ended up referring me into one of their

00:03:39
clients.

00:03:39
Keep in mind, this is a really prestigious New York City based

00:03:42
law firm, so their clients are also very prestigious type of

00:03:45
customers as well.

00:03:45
They referred me into one of the for NDA.

00:03:49
I can't tell you who the customer is, but they referred

00:03:52
me into a really prestigious kind of wealth management

00:03:55
company and we ended up doing a pen test for them as well.

00:03:59
And then we found a bunch of different ways as well and that

00:04:03
slowly kind of snowballed into working with a lot of high

00:04:06
network type of companies here in New York City.

00:04:09
So from really 2015 till like 2017, 18, we were really just

00:04:16
doing kind of pen testing work for high network type of

00:04:19
companies.

00:04:21
And then I wanted to really kind of even out my workflow and I

00:04:24
wanted to provide security services to smaller companies

00:04:27
because I could relate to them more frankly.

00:04:29
I'm still considering myself a startup, but I was a startup

00:04:32
definitely at that point in time and so I wanted to work with

00:04:35
SaaS based companies because I just kind of thought of that as

00:04:38
being the future of technology.

00:04:39
It was cool doing these big pen tests, but we were working on a

00:04:41
lot of legacy tech, and so I wanted to work with more

00:04:44
innovative new cloud based tech, and so I started working with a

00:04:47
lot of startups.

00:04:48
I realized there was a huge hole in the market for people

00:04:51
that had security expertise, especially in the cloud space,

00:04:54
at this point in time, and so I realized there was a huge

00:04:57
opportunity for me to capitalize on that and to really kind of

00:05:00
build out a whole lot of services around cloud security,

00:05:03
and I started to do.

00:05:06
That was in like 2017, we had 20 clients and now we have over

00:05:10
600.

00:05:11
So it's been.

00:05:13
I think I made the right decision.

00:05:20
Speaker 1: Man, that's really fascinating.

00:05:21
There's a lot to unpack there.

00:05:23
It's interesting you bring up film I've actually never had

00:05:29
anyone on that went to the film industry and then into back into

00:05:33
IT or into IT in any capacity.

00:05:36
Right, A cousin of mine, he actually did some work in film

00:05:43
and LA and he worked on Thor, worked on the Spiderman movies

00:05:49
and a couple other movies and it was all with Disney and he said

00:05:54
that he'll never work for Disney again.

00:06:00
So he decided to move to Pittsburgh and teach theater

00:06:04
after that.

00:06:06
Speaker 2: Nice, yeah, I think.

00:06:09
Like I said, I think when I decided to work in film again, I

00:06:12
was in New York City.

00:06:13
I was in the 20s at that point in time and I think the

00:06:16
periodies were just a little bit different.

00:06:17
I didn't go to school for film.

00:06:20
It wasn't like I was claiming I'm being a filmmaker, like I

00:06:23
love documentaries, but I never had the desire to really make

00:06:25
them.

00:06:27
I did it for the wrong reasons.

00:06:28
I did it because I wanted to be surrounded by cool people,

00:06:31
because all my friends had cool jobs and I wanted a cool job too

00:06:34
, and selling like for self licensing isn't necessarily the

00:06:37
coolest job.

00:06:38
So, yeah, I went into it for that reason and then I worked

00:06:41
there for a while and, like I said, it taught me a lot.

00:06:43
It taught me a lot about work ethic.

00:06:45
It taught me, boosted by confidence, to be around these

00:06:48
people and realized that they're people who I once idolized, but

00:06:51
they're really just now.

00:06:52
They're just people like me and you and everyone else.

00:06:54
And so I think, like I did take a lot from working in film and

00:06:59
I was able to leverage that and apply that to how I do work now

00:07:03
at Remetic, being the CEO of this company.

00:07:06
I don't know that I would have had the confidence to

00:07:08
necessarily start this company had I not worked in film and put

00:07:11
myself in those situations or really even have the confidence

00:07:14
to always go up to a lot of.

00:07:15
We work with a lot of other companies big companies we work

00:07:18
with, partner with some startups and some bigger companies to

00:07:21
meet with the executives at these companies and deliver my

00:07:23
message with confidence.

00:07:24
I don't know that I would have been able to do that had I not

00:07:27
had that experience in film, because it really taught me that

00:07:30
, like people are just people, no matter what their title or

00:07:36
whatever they are, they're all.

00:07:37
We're all people.

00:07:37
We all have insecurities.

00:07:39
We all have like the same thing going on in our lives typically

00:07:42
.

00:07:44
Speaker 1: Yeah, it's.

00:07:45
You know, having I don't know if that is necessarily like

00:07:50
imposter syndrome or, you know just anxiety with talking to

00:07:55
someone that you see, you know as beyond you or whatever it is.

00:07:58
I remember when I started this podcast, you know I was talking

00:08:03
to a friend.

00:08:03
I'm like I have no business talking to.

00:08:05
You know, these CEOs and these founders and these guys that you

00:08:09
know hack airplanes midair with them on it, like I have no

00:08:13
business talking to these people .

00:08:14
Like how am I even going to?

00:08:15
You know, do this conversation?

00:08:18
Like it was a?

00:08:19
I was talking to the CISO of some large company, you know,

00:08:23
and my friend just kind of broke it down to really simple terms.

00:08:27
He's like well, you know, when he gets hurt, do you think he

00:08:31
like bleeds another color or is it red, like you, you know?

00:08:35
Is he?

00:08:35
Is he from this planet, you know?

00:08:37
And you know obviously all of those questions are yes, and

00:08:42
he's like well then, you have nothing to worry about.

00:08:43
He's just another person, you know, like he has a journey just

00:08:46
like you, and you just have to remember that you're just two

00:08:50
people having a conversation and I think that that that skill,

00:08:56
you know, really helped me going forward, right, because now I

00:08:59
feel like I can honestly, you know, talk to anyone, have a

00:09:02
conversation with anyone it doesn't matter what industry

00:09:05
they're in or you know their expertise or anything like that

00:09:08
and you know, obviously that helps me with the podcast, but

00:09:12
it helps me overall, right, because when I go into you know

00:09:17
interviews or I meet new people at conferences or whatever you

00:09:21
know.

00:09:21
It's a lot, it's a lot easier, in my opinion, to have those

00:09:24
conversations.

00:09:25
I feel like I'm a little bit more pleasant to talk to you

00:09:28
after that.

00:09:31
Speaker 2: For sure.

00:09:31
I think it helps me deliver my message with confidence because

00:09:35
I don't second guess myself as much.

00:09:37
I know what.

00:09:38
As long as I know what I'm talking about, I'll be

00:09:41
articulate about it and I'll deliver it with clarity and with

00:09:43
confidence.

00:09:44
And I think that that's something that I got from big

00:09:47
around these people again who I once idolized, and realizing

00:09:50
that like, oh, they are just like me and some of them

00:09:54
probably have more insecurities than me, or just everyone has

00:09:57
their own issues and so like, why should I, why should I view

00:10:00
them any differently?

00:10:00
And it really, it really.

00:10:02
I think I mean obviously, a lot of working in the tech and all

00:10:06
that stuff that I've done and technology really kind of helped

00:10:08
to get me here and gave me sort of the technological skills to

00:10:12
be able to do what I do today.

00:10:13
But I think that it's a good thing that I did work in film,

00:10:16
because it definitely gave me the ability to communicate well

00:10:19
and have confidence going into most of the interactions and

00:10:22
engagements that I do now as the CEO of a company.

00:10:27
Speaker 1: So when you were doing pen tests, for you know

00:10:31
these, these very powerful customers, you know, I mean I

00:10:36
guess that's probably a good way of saying it and I've actually

00:10:40
worked on the other end of that, where I worked for a large

00:10:43
wealth management firm here here in Chicago.

00:10:47
I mean, everyone knows I'm in Chicago now, so they can, they

00:10:50
can go Google it.

00:10:51
But you know, it was interesting how we approached

00:10:56
pentests and how we kind of tried to influence, like, the

00:11:01
opinion of the pentester and things like that.

00:11:04
And you know, yeah, you know me personally, I feel I was very

00:11:10
uncomfortable being in that room , right, because I I am not

00:11:15
someone who's gonna tell the pentester, oh, you should look

00:11:17
over here and not here, right?

00:11:19
Or you should, you know, try and authenticate via this method

00:11:23
and not this.

00:11:23
That's not my job, right, like it's the pentester's job to get

00:11:28
in.

00:11:28
It's not my job to tell them where to look.

00:11:32
Speaker 2: You know I mean, then obviously they were doing

00:11:35
something right, so you don't need to tell them how to do it,

00:11:38
if they were able to get in well , that that's.

00:11:42
Speaker 1: That's part of the problem, right?

00:11:44
So Our firm would put so many restrictions around them that

00:11:49
they wouldn't be able to get in.

00:11:51
So then we could say, you know, in some report, a clean report,

00:11:54
oh, we pass it, you know.

00:11:55
But I'm over here and I'm like, yeah, I can tell them that into

00:12:00
the core switch in our network.

00:12:02
Like, you cannot tell me that that is secure.

00:12:06
You can't tell me our network is secure if I can just tell

00:12:09
that, right, in no authentication and oh, I now

00:12:13
have root, like now I have root and I can do whatever I want.

00:12:17
But I'm not a network guy, so I can't even.

00:12:19
You know, I don't know the Cisco syntax or anything like

00:12:22
that.

00:12:23
Right, did you ever come across something like that where you

00:12:29
know people were trying to somehow influence the results of

00:12:33
the pentester, influence how you approached it and how did

00:12:36
you?

00:12:37
How did you approach that situation?

00:12:39
Because I feel like, as a security professional, right,

00:12:42
you're kind of it's like you're tied to these industry standards

00:12:45
where you absolutely shouldn't do that.

00:12:48
But it's, it's a, it's a war internally, right, between you

00:12:54
and the organization to be like To kind of thread the needle, so

00:12:59
to speak.

00:12:59
Right, because the org may want it was a certain way, and then

00:13:03
you may know you need it another way, right?

00:13:05
So how do you?

00:13:06
How do you balance that?

00:13:08
If you've encountered that?

00:13:10
Speaker 2: Thank you for that Communication with what you're

00:13:13
going to be doing and what the expectations are of the people

00:13:16
that you're going to be Testing.

00:13:18
So if they're going to gray box it and keep it very limited

00:13:20
scope, and we'll have that communication with them.

00:13:23
But we need to be clear about like, hey, if we were a Moistus

00:13:26
adversary or a hacker, those they're not going to only focus

00:13:29
on this tiny scope, they're going to focus on your entire

00:13:31
platform.

00:13:32
So I Don't know if this is the best phrase, but it's something

00:13:35
I always tell people is no one likes to hear that their baby is

00:13:39
ugly, so no one wants to think like, oh, we built this program

00:13:43
and we thought it was great, and then we just had a company come

00:13:45
in and have kid a bunch of different ways and show us all

00:13:48
the holes in.

00:13:49
And I think that that's always.

00:13:53
Conversation changes on depending on what level of

00:13:55
person you're talking to within the organization.

00:13:57
If you're speaking to a security engineer who's

00:13:59
responsible for essentially building and maintaining that

00:14:02
security program, he may have a much different reaction than a

00:14:06
C-cell or someone that understands that if you do get

00:14:09
hacked and you do actually there's a loss of data or

00:14:13
there's a breach or something like that, understands the how.

00:14:16
The repercussions for that can be pretty detrimental, the

00:14:19
conversation switches.

00:14:20
So if you're speaking to an executive there, I'm going to

00:14:22
understand and kind of empathize with you.

00:14:25
They're going to say, yes, thank you for finding this.

00:14:27
Like I can happen with that large law firm.

00:14:29
There's the security engineering team.

00:14:31
After we left Probably didn't have a very good conversation

00:14:35
with their management team, but the management team from that

00:14:38
law firm, because we did such a good job, ended up referring us

00:14:40
into another really prestigious client.

00:14:43
So I Think when you, when you're talking about how to kind of

00:14:48
frame it, there's two ways.

00:14:49
When you, when you go to scope something out, you have to be

00:14:52
very clear about, like, what the scope is and and what they want

00:14:57
you to look for.

00:14:57
And then, if it's just a pointed part of this, you have

00:15:00
to be very clear that says fine, we're happy to do that.

00:15:02
However, like you should know that your entire tax surface is

00:15:05
at risk, it's not just this one tiny part.

00:15:07
And so if you can clearly communicate that to them and

00:15:11
they still want you to focus on just a small part, to get a

00:15:14
clean report or whatever their logic is for that, we'll do that

00:15:17
.

00:15:18
But we've done our due diligence and we've done our.

00:15:20
We've done well by telling them what the actual risk is and

00:15:24
then when you deliver the report results especially if it's

00:15:26
something where we've kind of been able to hack them a bunch

00:15:29
of different ways we typically just are very open and honest

00:15:34
about it we go back and we show them.

00:15:36
We're willing to show them.

00:15:38
One of the things that we do when we pen test is we all of

00:15:40
our pen testers are based here in the US and we actually open

00:15:44
up all set up like a slack channel or Microsoft Teams

00:15:46
channel or whatever, and as we're doing a pen test we're

00:15:49
talking to the engineers telling them this is what we found,

00:15:52
this is how we found it.

00:15:52
So they don't just wait for the report and then it's not a

00:15:55
surprise when they give it.

00:15:56
So I think that softens the blow a little bit and they

00:15:58
understand the process a little more.

00:16:00
So it's a little bit easier for us to justify it when we're

00:16:05
delivering that report and we could fill out whenever we

00:16:08
Remuting.

00:16:09
We also typically give our customers a two week window to

00:16:13
do any remediations, so they can remediate within that two week

00:16:17
window anything that we found and then we will issue not

00:16:20
another report, but we'll issue an attestation letter to that

00:16:22
report that says, hey, these were these vulnerabilities that

00:16:26
were discovered on, as reflected in the report dated, whatever

00:16:30
the data is.

00:16:30
We went back and retested those as of the state, which again

00:16:34
was never longer than two weeks, and they were all remediated

00:16:37
and are no longer found with us.

00:16:38
So there are some ways that you can kind of Help out the

00:16:42
security team by giving them that window, as long as they're

00:16:45
doing their Doing good work, by getting everything remediated

00:16:49
and doing what they need to do, we're happy to kind of go back

00:16:52
and attest to the fact that they put in the effort to fix these

00:16:54
problems.

00:16:55
Speaker 1: Hmm, you know, do you think that you ever would have

00:16:59
started the company if that exact you know didn't push you

00:17:03
towards it right, and kind of show you like hey, there's

00:17:07
another customer here.

00:17:08
You know, you could start this company for I don't know

00:17:13
thousand bucks, right, and you can make.

00:17:15
You know, I'm just I'm just throwing out, you know, yeah.

00:17:21
Speaker 2: I think they knew that I was gonna start my own

00:17:22
Company regardless, and I think that because we did, because I

00:17:25
talked to them and again I've been this is a while from I used

00:17:28
to sell Microsoft licensing to back in 2002, so I'd known these

00:17:31
guys for years, and so I think that the fact that they knew

00:17:37
that I wanted to do this and the fact that they, that I did such

00:17:40
a Great job on their pentest they were looking to kind of be

00:17:44
like, hey, we know Justin does good work.

00:17:46
We know that he did this like we know that he wants to start his

00:17:49
own company.

00:17:49
Let's help them by giving him like a platform, pick the coffin

00:17:54
, by giving them me, ultimately, one of the most what I would

00:17:58
consider still the stare, most prestigious client, but one of

00:18:02
their best clients to To do good work by them, that they, they

00:18:06
definitely sped up the process, because I remember when they

00:18:08
told me and I had to go home and make a website and get all my

00:18:11
contracts together and they can have a week, they, they sped up

00:18:16
the process, but I think it's something that I would have done

00:18:18
.

00:18:18
Actually, no, it's something I would have done regardless.

00:18:20
I probably just wouldn't have had that, that helping hand.

00:18:25
Speaker 1: Yeah, it's, it's a.

00:18:26
It's interesting, you know, when you start going down that

00:18:30
path of, like, founding a company and going, it's a

00:18:35
totally different stress, you know, like I Mean.

00:18:39
For me I guess it's a lot less stress, right, because I'm not

00:18:42
dependent on the success of the company, you know, to pay my

00:18:45
mortgage, right.

00:18:46
But it's a different kind of stress in terms of, you know,

00:18:51
kind of knowing or defeating that impersonation,

00:18:54
impersonation syndrome, right, because Now you're starting the

00:19:00
company and you're the expert, right, by default.

00:19:02
You're saying you're the expert in this space, whatever it

00:19:07
might be.

00:19:08
You know, did you face any of that when you started the

00:19:12
company or did you already kind of move past that, you know,

00:19:16
with your, your previous endeavors?

00:19:19
Speaker 2: So a little bit of both, I guess, to answer your

00:19:21
question.

00:19:22
So I think when I first started this company, I mean, I knew a

00:19:26
lot about the industry still, and I knew what I was doing.

00:19:29
I think one of the things that people get them up on, though,

00:19:32
is they if you are the CEO of a cybersecurity company and

00:19:36
someone asks you a Question, you have to be truthful.

00:19:39
If you don't know the answer to that question, say hey, I don't

00:19:41
know the answer to that question, but I'm gonna do some

00:19:43
research, or I'm gonna ask around and I'm gonna come back

00:19:45
to you and I'm gonna get you an answer and then follow through

00:19:46
on that, and then people will actually respect you more when

00:19:50
you do that, because they're gonna say, hey, like not always

00:19:53
do people follow up.

00:19:54
Sometimes people will just give a half kind of witted answer so

00:19:56
that they can sound like they know what they're talking about.

00:19:58
I think a lot of times, people can see through that.

00:20:00
So I Didn't know everything from the start, but I recognized

00:20:05
I didn't know everything from the start, and I was never gonna

00:20:07
be dishonest to my customers, so I was always honest with them

00:20:10
as the cloud security space started to evolve more and more

00:20:15
and I would be with other executives, or I would go up to

00:20:17
Silicon Valley and I knew with like these founders of like

00:20:19
these well-funded kind of like Security security companies and

00:20:24
I would meet with them.

00:20:25
And then I realized there was a point in time where I was like I

00:20:28
actually End the subject matter expert here, like I know what.

00:20:31
I thought these people are coming to me Rather than me

00:20:33
going to them, and this is someone kind of like said with

00:20:36
film, someone who I would have idolized before in this industry

00:20:39
or I would have thought of as being a subject matter expert.

00:20:41
They're actually coming to me as the subject matter expert on

00:20:45
this.

00:20:45
And so there was really a point in time where that switched.

00:20:48
So did I have imposter syndrome?

00:20:49
I didn't, because I was always honest with my customers, right,

00:20:54
I never tried to make them think that I knew something that

00:20:56
I didn't, but I was honest and told them what I didn't know,

00:21:01
something.

00:21:01
We've fallen up on that.

00:21:02
And then there was just a point in time that way I do, actually

00:21:07
, from doing this for so long and how we're going on 10 years

00:21:10
running this company, that I Actually am the subject matter

00:21:14
expert and I don't need to think of other people as being man, I

00:21:17
certainly don't feel any sort of imposter syndrome anymore.

00:21:22
Speaker 1: Yeah, it's.

00:21:22
It's interesting how being honest with your customers can

00:21:27
really alleviate a lot of that, a lot of that stress.

00:21:31
You know, I feel like it's very easy to get into a mentality of

00:21:36
you have to, you know, appo, uphold some some type of image

00:21:39
or whatever it is.

00:21:40
And I remember when I first started, you know, my consulting

00:21:44
LLC, and I had a customer that was asking me, you know, about

00:21:49
my experience around a certain you know project that they had

00:21:52
going on and Things like that.

00:21:54
And I told them very honestly like hey, I know what you're

00:21:57
talking about and everything, but I'm not the right person to

00:22:01
actually deploy, you know that that portion of the technology.

00:22:04
I understand it 100%.

00:22:06
I just don't have a technical expertise to actually do it

00:22:10
because it's very code heavy.

00:22:11
I'm not a developer to save my life, you know like there's

00:22:16
other people out there that can do this a whole lot better than

00:22:19
what I can give you.

00:22:21
And I fully expected them to not give me the contract, to not

00:22:27
accept the deal or anything like that.

00:22:29
And for some reason they accepted it.

00:22:32
And even after accepting it, I told them like, hey, I am

00:22:36
probably not the guy, and it alleviated a lot of the stress,

00:22:43
just being upfront with them and come to find out their

00:22:47
requirements were a little bit different.

00:22:49
It's a little bit lighter than what they were actually telling

00:22:52
me and when we did the discovery session we were able to hash

00:22:55
all of that out.

00:22:56
But I've always found it valuable to be very upfront and

00:23:04
even today my nine to five I'm very upfront with what my

00:23:07
limitations are in the space, because not everyone is gonna be

00:23:11
able to work in the cloud 100% with all of the different

00:23:17
services that AWS launches in a year, right Like I think.

00:23:22
Last year they launched something like 40 services.

00:23:24
How can anyone keep up with that?

00:23:28
Speaker 2: We can't, it's impossible.

00:23:29
And so I think the pressure that people feel to try to portray

00:23:33
that they're a complete subject matter expert on all of this is

00:23:37
irrelevant.

00:23:38
And I think that when I look at when I hire people or when I'm

00:23:43
working with, like, I appreciate a level of vulnerability and

00:23:47
honesty, because then again I would always go to my customers

00:23:50
and say, hey, I don't know that, but I will find out and I will

00:23:52
come back to you.

00:23:54
And then I would, I would research it, that I'd ask around

00:23:56
and I would get the right answer, and that I'd come back

00:23:57
to them, and then they would know that I was being honest

00:24:01
with them, because I wouldn't have wasted all that time to

00:24:03
figure out something and then come back to them with something

00:24:05
that wasn't true.

00:24:06
And so I find that, like you just showing a little again,

00:24:11
kind of going back to the thing I learned in film, which is that

00:24:13
we're all human, we all have vulnerabilities like we're all

00:24:16
vulnerable to something, showing that you're a human but then

00:24:20
showing that you're an honest human that cares about their

00:24:22
best interests, which is what people will really appreciate,

00:24:27
more than you trying to sound like you know what you're

00:24:29
talking about, but it comes across as disingenuous.

00:24:36
Speaker 1: Yeah, that's a very good point.

00:24:37
So you brought up previously how you identified SaaS as being

00:24:45
kind of the future at that point in time, and whatnot.

00:24:48
Are you still looking at the industry and actively looking at

00:24:54
where it's going?

00:24:55
And if you are, which I would totally assume that you are

00:24:59
where do you think it's going?

00:25:00
Where are those new security domains and areas going that

00:25:06
people should be paying attention to in the next five

00:25:09
years?

00:25:10
Speaker 2: So if you are a SaaS based company which means you've

00:25:12
probably started a company relatively recently and you're

00:25:14
not that are 20, 15 years old, I think obviously you're gonna be

00:25:20
.

00:25:20
The majority of your data will be based in the company.

00:25:22
You'll be a SaaS based company.

00:25:24
I think a lot of companies that are gonna be implementing data

00:25:26
from their end users are gonna need to give you some sort of

00:25:30
compliance standards.

00:25:31
I think that the industry is shifting quickly with a lot of

00:25:34
compliance platforms that are coming up and automating a big

00:25:37
portion of what needs to be of the compliance and controls

00:25:43
policies and procedures.

00:25:44
So I think that's a big piece in the industry.

00:25:46
You look at companies like Vantab that are out there right

00:25:48
now and they're really killing it because they're automating

00:25:50
this piece.

00:25:50
So I think that is a big piece of it.

00:25:53
I love everyone wants to talk about AI, right, that's the

00:25:57
biggest buzzword right now and can you check?

00:25:58
If you just mentioned AI in Silicon Valley, you'll find some

00:26:01
extras that are willing to give you a massive audience in the

00:26:04
industry.

00:26:04
Ai is gonna be a threat.

00:26:08
I don't.

00:26:10
Again, I feel like everyone wants to talk about it because

00:26:12
they wanna feel like they're on the map.

00:26:14
I understand it, but we don't know what those threats are

00:26:16
gonna be yet.

00:26:16
We don't know how it's going to evolve.

00:26:18
The only thing that I would say about AI is really, I'm sure

00:26:23
the threats will evolve with AI, but similar defenses that's

00:26:26
just the continual kind of way that we've continued to grow in

00:26:29
the cybersecurity industry has grown.

00:26:30
Is this?

00:26:31
Threats evolve, so do the defenses.

00:26:32
They may be growing much quicker with AI that's yet to be

00:26:37
determined but I think the defenses will continue to grow.

00:26:40
But outside of that, I mean I don't know, are we gonna have

00:26:44
chatbot hackers?

00:26:46
Maybe, but I think no one really can answer that question

00:26:49
definitively, and so, whatever anyone tries to, I kind of smart

00:26:52
, because I don't think anyone really actually knows.

00:26:54
I think they just wanna think that they know.

00:26:55
But yeah, so I mean, how AI progresses is gonna be a big

00:27:00
piece of it really.

00:27:02
And just overall cloud security, I think there's a huge, like I

00:27:06
said back when I kind of focused on primarily cloud-based

00:27:09
architecture in 2017.

00:27:10
I viewed that as being the future of technology.

00:27:13
I don't need a lot of companies that are starting up today that

00:27:16
are inputting a lot of IBM mainframes or a lot of SQL

00:27:20
servers on-prem, anything like that.

00:27:22
So I think that securing the cloud, which is a whole

00:27:25
different thing than securing an on-prem environment, is really

00:27:28
something that people need to pay attention to in the future,

00:27:31
and I can speak firsthand from saying there's a huge I don't

00:27:34
think there's a huge shortage of cybersecurity professionals in

00:27:37
the industry.

00:27:38
I think there's a shortage of people that understand cloud

00:27:40
security, because you may have worked in cybersecurity for the

00:27:44
past 30 years, but your job was really patching that one SQL

00:27:48
server in the office and that's the aspect of cybersecurity you

00:27:52
worked on.

00:27:53
When you have an architecture that's in the cloud, it's much

00:27:57
more of a high-level overview of what you're working on, because

00:27:59
a lot of the controls are already in place, because you

00:28:02
don't technically own them AWS or Google or someone else does

00:28:05
and so you have to look more around processes and stuff like

00:28:09
that.

00:28:09
So cloud security really big and really trying to find people

00:28:13
to fill that talent gap, because there's not enough there

00:28:17
right now, I think, are some things that I'm focused on

00:28:21
really, and that security is gonna be changing over the next

00:28:24
few years.

00:28:26
Speaker 1: Yeah, I actually have a friend I've known him for

00:28:31
several years at this point and I was telling him back in like

00:28:35
2017, 2018, hey, you need to get into the cloud, get the basic

00:28:40
AWS foundations, azure foundations, certification at

00:28:45
least know the vocabulary like, because everything is going into

00:28:49
the cloud and it's gonna transform how we do everything.

00:28:51
And recently he kind of put it off and everything else like

00:28:56
that right, didn't think it was that important or urgent for him

00:29:01
to do that right.

00:29:02
And so recently he got onto a phone call with the rest of his

00:29:05
team and they started talking about AWS a lot more right,

00:29:10
because their company is moving towards AWS and they're

00:29:12
providing consulting services towards customers in the cloud

00:29:17
and things like that.

00:29:18
And he said he didn't understand a single minute of

00:29:22
this hour long conversation.

00:29:24
He said it sounded like they were just talking a foreign

00:29:27
language.

00:29:27
They had words that he had never heard before or anything

00:29:31
like that, and that's very true.

00:29:33
And now I am I'm studying to actually retake or re-up my AWS

00:29:40
security cert.

00:29:41
It's insane how the vocabulary changes just from three years.

00:29:49
Three years ago I took it, passed the cert, got it.

00:29:53
I understood the majority of the content on there, obviously,

00:29:56
but there wasn't ever a vocab word, so to speak, that I didn't

00:30:01
know what it was.

00:30:01
Then I go back and I'm trying to prepare for this new exam.

00:30:07
Speaker 2: Hold me back just here.

00:30:08
Speaker 1: Yeah, it's like okay, I'm from square zero again.

00:30:12
What is going on here?

00:30:15
Did that much stuff change in the last three years that we

00:30:20
have it's literally like 100 new words that you need to know

00:30:25
what they are.

00:30:25
I'm sitting here like did I select English for the test?

00:30:31
Like, did I accidentally select German?

00:30:34
Because this is insane.

00:30:40
Speaker 2: I think that a couple things like like technology in

00:30:45
general just moves fast, but climate moves really fast.

00:30:48
I also think that when you look at the testing that you were

00:30:52
taking, I think that a lot of times the vocabulary and just

00:30:57
kind of the way that they articulate things and tests

00:31:00
they've tried to make them more than what they've used,

00:31:04
sophisticated or challenging.

00:31:05
So it may not be.

00:31:06
It may be the same test, just with different words that

00:31:09
they've just recently made up to fulfill that task.

00:31:11
But yeah, I think that it's again.

00:31:15
I love technology for all the acronyms and all the real words

00:31:18
that it has in it and what I think they're like.

00:31:21
Really, the actual changes over the past years that you've seen

00:31:26
, especially from three years ago and your certification with

00:31:29
AWS, they probably haven't dramatically changed.

00:31:31
I would say that there has been some changes.

00:31:33
Again to your point, there was 40 releases last year.

00:31:35
They do have some changes, but I would say that the majority of

00:31:38
what you're dealing with is probably the semantics in the

00:31:40
test and how they've phrased and worded things to make it more

00:31:43
confusing and even more challenging for people to find.

00:31:47
Speaker 1: You know what it is.

00:31:48
Is they added?

00:31:50
You know they didn't add that much brand new capability, right

00:31:56
?

00:31:56
What they did is they took existing capability and then

00:32:00
they delineated it even further, right?

00:32:03
So you know, cloud formation has been around for a long time.

00:32:09
Speaker 2: You know, if you don't know, just move your

00:32:11
server out of your room and then it's in the cloud.

00:32:14
Speaker 1: Yeah, if you don't know cloud formation, you're

00:32:17
probably not in AWS.

00:32:19
You don't understand.

00:32:20
You know anything in the cloud, right, okay?

00:32:23
So I got that down and now when I go and take the test, there's

00:32:26
like five or six new cloud formation dash something service

00:32:31
that does a you know a smaller component of cloud formation and

00:32:37
that's all it does.

00:32:38
But it's not like you can just look at it and know what it does

00:32:44
because you know the functionality of cloud formation

00:32:46
.

00:32:46
You know, like they have some weird lingo with it that now

00:32:50
it's like okay, I need to learn this stupid vocab word that you

00:32:55
know, does this thing that I've been doing for five years?

00:32:58
Speaker 2: You know, like I could tell them to learn more

00:33:01
about this and to do it.

00:33:02
So I think it's capitalism, yeah, yeah.

00:33:07
Speaker 1: How can we, how can we get the most from our

00:33:10
customers Exactly?

00:33:12
Or this one thing?

00:33:13
Yep, that is.

00:33:15
That's the truth.

00:33:16
It's a very good point.

00:33:18
You know, how do you, how do you recommend people learn the

00:33:21
cloud?

00:33:21
Right, and it sounds like a very straightforward answer,

00:33:27
right, but it's not that straightforward, because if you

00:33:30
go in AWS for just talking about AWS, because that's the most,

00:33:34
I'm the most familiar with AWS, right, if we're talking about

00:33:37
learning AWS, the first instinct is to go in AWS, create an

00:33:42
account, start getting up you know some infrastructure or

00:33:46
whatnot, using that quote unquote free tier right, I can't

00:33:50
tell you how many times I've started a free tier account and

00:33:53
deployed only free tier assets.

00:33:55
To find out, I had the $300 bill you know, six months later.

00:33:58
Speaker 2: Right, that's not great.

00:34:02
Speaker 1: I can't even tell you the amount of times you know.

00:34:04
Recently I guess relatively recently I've dove more into the

00:34:09
cloud guru space, right, they learn about different topics.

00:34:12
They have a sandbox environment set up right there for you.

00:34:15
You don't have to worry about getting that random.

00:34:17
You know $300, $400 bill six months down the line that you

00:34:21
didn't even know was running in the environment, right.

00:34:25
So how do you recommend people learn it best and quickest?

00:34:30
Speaker 2: So I think this is a really tough question and it's

00:34:33
something that we've struggled with at Remetic because, again,

00:34:35
this is relatively new.

00:34:36
I don't have a huge pool of talent to pick from, so we have

00:34:39
to train a lot of our staff in house and a lot of people.

00:34:42
Everyone learns differently, like I always tell everyone, and

00:34:44
one of the things I ask people during the interview is how do

00:34:46
you learn?

00:34:47
I'm a visual learner to see something or experience it.

00:34:49
It's really up to that person and how best they learn.

00:34:56
Are they going to need to, or do we need to, set up a test

00:34:59
account for them and let them play around in it and understand

00:35:02
it?

00:35:02
Do they need to just go get the standard certifications that

00:35:05
they get, because they'll just read it and retain it and

00:35:06
they'll know it?

00:35:07
Do they need to work with one of our more senior people and

00:35:10
learn off of them?

00:35:11
There's just different ways for everyone to learn and I think

00:35:15
that it's not standard across the board.

00:35:17
I wish there was like one sort of security, sort of

00:35:20
standardized testing that we could just put everyone through

00:35:23
and be like once you've graduated this, you're ready to

00:35:25
go.

00:35:26
You'll start working with Remetic customers, and it's not

00:35:29
that simple.

00:35:30
It really is something where we have to kind of customize

00:35:33
training for each one, because we also hire people that come in

00:35:35
with different levels of skill set.

00:35:37
We have to kind of customize training for each one of those

00:35:41
people.

00:35:41
That's been something for us.

00:35:43
Frankly, that's been one of the biggest issues we've had,

00:35:47
especially over, let's say, the past five years, because we've

00:35:49
gone through, ultimately, hyper growth We've been adding

00:35:53
numerous customers every single month was to find talent, train

00:35:59
talent and retain talent and keep them here.

00:36:02
We always keep people here.

00:36:03
We don't actually lose them, but find them and train them and,

00:36:06
through that training process, realize that they want to stay

00:36:08
here, they want to work in tech, and then they will.

00:36:13
I think part of it is too.

00:36:14
Everyone will learn differently , so they need to understand how

00:36:19
they learn and they have to have really a desire or interest

00:36:22
to work in technology, because then they're not going to care

00:36:28
as much, they're not going to try as hard, they're not going

00:36:30
to be as invested as if they don't care.

00:36:32
If they're like oh, I took this job because I just needed a job

00:36:35
, or this was just something that I thought paid well and it

00:36:39
wasn't necessarily like aligns with my interests, then they're

00:36:43
not going to really learn it because they're not going to

00:36:45
have a passion for it.

00:36:46
I think when we look for people that we want to bring on board

00:36:48
a Rometic and train them.

00:36:49
We want to understand that they don't how they learn, because

00:36:53
then we can customize training for them, and we want to

00:36:57
understand if they have a passion for security and

00:36:59
technology, and if they do, then we can typically bring them on

00:37:05
board and train them as they need to learn.

00:37:09
Speaker 1: Yeah, it's fascinating that you put it that

00:37:14
way, right?

00:37:15
Because I feel like a lot of companies are looking for you to

00:37:19
be the expert day one and they're kind of looking for that

00:37:23
unicorn and then they don't pay unicorn money and it's like,

00:37:28
guys, if you want me to be a unicorn and I'm not a unicorn

00:37:32
right now you need to be able to train me up to get to that

00:37:37
level.

00:37:37
And it's really refreshing to hear you say that.

00:37:40
I've actually only heard maybe one other person or executive.

00:37:46
Overall, I actually say that and practice it and that's

00:37:50
actually how I got my start in IT.

00:37:52
Overall, this guy literally took me from nothing.

00:37:57
I could spell Linux but, god forbid, I had to look at a

00:38:02
terminal.

00:38:02
I could not figure it out for the life of me.

00:38:07
And he was very patient, had great training resources around

00:38:11
me and told me hey, if I give you all these resources and you

00:38:15
still don't make it, maybe IT isn't the thing for you, but I

00:38:19
think that it is and if you keep on learning, you keep on

00:38:21
pushing yourself, you keep investigating this thing, it's

00:38:25
going to work out, and I believe that it will.

00:38:27
That's all that I needed in that situation and in that part

00:38:31
of my life to really dive in and become what I became today.

00:38:38
It's really refreshing to hear that, because there's a lot of

00:38:44
people out there that do not have that same mentality, but

00:38:47
they'll complain about the shortage in security.

00:38:51
Speaker 2: Then how are you going to fix it?

00:38:52
Are you just going to keep complaining about it and expect

00:38:54
it just to automatically change, or are you going to do

00:38:57
something to try to fix that problem for your business

00:38:59
yourself?

00:39:00
I tend to veer towards those too, because I don't know how to

00:39:06
do it.

00:39:10
Speaker 1: I used to work for a credit bureau and they had maybe

00:39:15
the best pipeline I've ever seen where they had regular IT

00:39:20
help desk people and if they expressed an interest in

00:39:25
security, there was a very specific team that they went to.

00:39:29
These are the people that are basically just IT support for

00:39:32
security situations and from there all the other teams under

00:39:38
the security umbrella would start identifying their

00:39:42
strengths, their weaknesses and they would actually actively

00:39:46
recruit and try and poach people from this team, that team's

00:39:50
manager I'm good friends with him to this day.

00:39:53
He said yeah, it's great for the people on my team, it is

00:39:59
absolutely horrible for my team because we're constantly

00:40:02
rotating people all the time I springboard for them.

00:40:07
Speaker 2: I springboard them to cybersecurity, yeah.

00:40:09
Speaker 1: He's like I'm over here with 30 people on my team

00:40:13
on a good day, next week I'm losing two people.

00:40:16
I got to replace those two people.

00:40:18
My workload doesn't end just because some other team needs

00:40:22
them, but it was a great environment, great pipeline,

00:40:28
because you could go down a rabbit hole and you could say,

00:40:33
maybe six months in.

00:40:34
Oh you know what.

00:40:35
I don't think that this thing is for me.

00:40:36
Maybe the offensive cybersecurity is more for me,

00:40:41
and there was five, six teams under the offensive side.

00:40:44
So one of them would say, okay, come and work for us for six

00:40:48
months and it's not a big deal.

00:40:50
It was a fantastic way to kind of get started in cybersecurity,

00:40:56
I felt.

00:40:57
Speaker 2: Yeah, now for the same.

00:40:59
I mean I don't.

00:41:00
I'm not as probably as big as that company was, I don't have

00:41:02
huge departments and different aspect of cyber security, but we

00:41:07
tell all of my employees that when we come, they come here and

00:41:10
we train them Like I'm part of what I forget fulfillment.

00:41:13
I'm just having employees not just having to work here to do

00:41:17
the job but develop their skills , developing them.

00:41:20
I receive the things.

00:41:21
Those are the things that make me feel proud and so when I'm

00:41:24
interviewing people to come work here, I Will frankly tell them

00:41:29
I'll be like this is the role that we have you in, but like

00:41:31
you are growing tremendously fast.

00:41:32
So I don't want you to think that you're gonna be pigeonholed

00:41:35
into this.

00:41:35
If you come here and you are also on the side doing some

00:41:39
other Learning into something else and you realize like you

00:41:41
want to be a pentester, that's someplace I can place it pretty

00:41:44
easily.

00:41:44
But if there's other aspects within the industry that you

00:41:47
want to work in and there's an opportunity for us to build out

00:41:49
a Line of business around that, we're talking about doing.

00:41:52
No, no detection response, actually as a service we're

00:41:54
gonna be adding this year.

00:41:55
So if there are people that are interested working as like a

00:41:57
sock analyst.

00:41:59
There's absolutely that opportunity to kind of grow and

00:42:01
learn with the company and so, yeah, I think it's important to

00:42:06
be able to hire people and let them know that like I want you

00:42:09
to grow, I want you to continue to grow with the company and I

00:42:11
think and it to the point you had before where you said your

00:42:14
friend was losing people all the time to get that there's always

00:42:18
churn.

00:42:19
I've recognized that from the start with Rometic and I want my

00:42:22
employees to always feel very appreciated here.

00:42:24
So we're a startup where bootstraps start up, so I don't

00:42:27
know that we, like I, can't offer equity to my employees or

00:42:30
anything like that, because it's just the company's never gonna

00:42:32
be worth on it and $50 million for them, right.

00:42:36
But I make sure that we we have really competitive salaries in

00:42:41
terms of where we're at.

00:42:41
We offer really good benefits.

00:42:43
So we do a lot of off-sites by fly the whole company together

00:42:46
and just show them that they're appreciated, because I realized

00:42:48
that, like, once you learn this skill, you will be poached

00:42:52
because there is such a shortage of talent in the industry, and

00:42:55
so I want my employees to really feel appreciated through

00:42:57
working here.

00:42:59
Speaker 1: Hmm, yeah, that's, that's extremely, extremely

00:43:03
important.

00:43:03
You know I can't tell you the amount of times that I've worked

00:43:06
for a company and, and you know , you just feel like a number,

00:43:11
you know, you just feel like, you know, no one even knows that

00:43:14
you're there and then, when layoffs are happening, you're,

00:43:17
you're really just trying to, you know, make sure that, yes,

00:43:21
you're online but you're not talking to anyone.

00:43:23
You're trying to make sure that people forget about you and you

00:43:26
know it's a, it's a mess, it's, it's not a good situation to be

00:43:30
in, and I've always felt like the companies that really excel

00:43:34
are the companies that actually Truly care about their people.

00:43:37
You know, and you can see that.

00:43:39
You know you can see that in the pay, you could see that in

00:43:43
the retirement benefits, right.

00:43:45
You could see that in the health care.

00:43:47
I've never felt more underappreciated than when I get

00:43:51
poor health care benefits, right.

00:43:54
It's like man, these guys, these guys are like, really

00:43:56
don't care.

00:43:59
Speaker 2: Because we feel the same way because of we pay for

00:44:02
employees and our employees, family and stuff.

00:44:06
So because I realized that and again, we're a huge company with

00:44:09
a ton of funding I realized that, like that said, like I

00:44:12
don't want my employees to ever have to stress out about, like

00:44:14
medical bills yeah, you have a, you have a job here and I want

00:44:18
you to be able to feel like you can focus on that and so any way

00:44:22
that I can alleviate Other stresses in your life that you

00:44:25
may have, so that you're able to focus on your job and, overall,

00:44:29
just be a happier person.

00:44:30
I want to do that and I think what I think about like health

00:44:33
care and just the entire health care industry, it's, it's.

00:44:37
I don't want anyone to have to Any of my employees to have to

00:44:41
go to the hospital and then be like home and I know a hundred

00:44:43
thousand dollars to this hospital.

00:44:44
No, I'm super stuff.

00:44:45
Like that's a stuff.

00:44:46
Yeah, if there's something I can do to make one of the

00:44:49
Romantic employees not have to deal with that, I want her

00:44:52
person.

00:44:53
Speaker 1: Yeah, I feel like.

00:44:54
I feel like we could have a whole other podcast about the

00:44:59
health care system and how you know, like how, how you can go

00:45:04
to a hospital because you're dying, right, you get the

00:45:07
life-saving treatment and then you're hit with a two hundred

00:45:10
thousand dollar bill.

00:45:11
Speaker 2: You know it's a have to be also poor because they

00:45:14
have to pay for all of their bills.

00:45:16
It seems awful, right.

00:45:17
Speaker 1: You know it's a.

00:45:18
It's not, it's not fair, that's not how this should be working.

00:45:23
You know, like my quick story, right, because I want to talk

00:45:27
about Romantic Quick side story, right, I grew up fairly poor.

00:45:32
My family was pretty poor, of course, growing up in that

00:45:35
situation, you know, you don't think you're poor, you don't

00:45:38
identify with that or anything like that, but we were Right.

00:45:42
And one day my sister got really sick.

00:45:44
She went to the hospital, found out her kidneys were failing,

00:45:47
right, she's like 12 years old at this time.

00:45:49
Immediately, you know, through, throughout, throughout,

00:45:54
everything that she goes through got a, got a kidney transplant

00:45:57
and everything like that right At the end of it is something

00:46:00
like four hundred thousand dollars.

00:46:02
How in the world could anyone ever pay for that?

00:46:06
And just to begin to feel like they, can.

00:46:09
Speaker 2: They can begin to think about even how I'm having

00:46:11
to pay back.

00:46:13
I, just to keep their kid alive you know, yeah, I also didn't

00:46:16
grow up with the with really any .

00:46:17
I wasn't poor, but I would say I was.

00:46:19
It was I didn't to your point, I didn't know that I was poor,

00:46:22
but I didn't grow up with a lot and so I and I didn't really

00:46:26
even have much until I started Romantic.

00:46:28
Honestly, I was.

00:46:29
I was very much paycheck to paycheck and Like the idea of

00:46:34
having a four hundred thousand dollar burden on of healthcare

00:46:38
burden it's just would be at that point in time for me would

00:46:41
have been so deflating that I wouldn't even have known how to

00:46:44
start to deal with that because it's like I'm never gonna get on

00:46:47
top of this.

00:46:47
So like, yeah, what, how do I even try?

00:46:49
And so, yeah, I just I think again, it's as someone who is an

00:46:55
employer, it is my responsibility.

00:46:57
Unfortunately, it's my responsibility to I have to do

00:47:02
these things for my employees because I want the best out of

00:47:05
them and I want them to appreciate their jobs and

00:47:08
appreciate working here, and so I want to make take all of those

00:47:11
sort of like things that I can control, all of the stresses

00:47:15
that I can control.

00:47:16
I want to do my best to get those out of their lives so that

00:47:19
they can focus on work and they can enjoy working here and feel

00:47:21
like they're valued.

00:47:24
Speaker 1: Absolutely, you know, let's.

00:47:26
Let's talk about Rometic, you know.

00:47:28
So let's just start.

00:47:29
You know, kind of, from the beginning, it sounds like you

00:47:32
guys offer a lot of different services that are, you know, to

00:47:36
be quite honest, pretty critical in the security space, right,

00:47:40
so let's talk about.

00:47:41
You know what you guys offer, what the areas of specialty you

00:47:46
guys offer in the industry, and things like that.

00:47:49
Speaker 2: Yeah, so when I started the company, like I said

00:47:52
, when I was working for that law firm and then they referred

00:47:54
me to their clients, so I was just doing pen testing at that

00:47:56
point in time, so it was just pen testing and we were and

00:48:00
that's still kind of the heart of who we are.

00:48:01
We divide, amazing.

00:48:03
I'm really proud of the work that we do and I was doing

00:48:07
contests for a lot of larger businesses and then I said I

00:48:10
want to kind of adopt working with smaller businesses and then

00:48:12
I want to do a lot of work with the industry.

00:48:15
We do a lot of speed test or PCI scans, things like that.

00:48:18
So there's the whole sort of like pen testing kind of aspect

00:48:23
of the business.

00:48:23
And then we do we work with a lot of like those compliance

00:48:28
platforms that I mentioned out there, because we leverage those

00:48:31
as kind of.

00:48:31
We use them for compliance and to fulfill some of the controls

00:48:35
that you need, but more times than not we use them as the

00:48:38
baseline, as like the foundation of your security program and

00:48:41
the source of truth.

00:48:41
But we leverage those platforms and then we build and manage

00:48:46
InfoSec and data privacy programs for our customers.

00:48:48
So we typically take those platforms, leverage those as the

00:48:52
baseline and the source of truth, do conduct risk

00:48:55
assessments and then, based upon the risk assessment that we've

00:48:57
conducted for our customers, we build a robust security program

00:49:01
and then we continue to manage it and that's our CISO as a

00:49:03
service offering, which is kind of it's now the biggest aspect

00:49:09
of the business.

00:49:10
But as part of that we offer PEN tests every year.

00:49:12
We work our sort of offensive security program into their

00:49:16
program, into the security program for them, and it's been

00:49:20
great.

00:49:20
I mean there's a lot of companies out there that will

00:49:22
hire us to build the program for them and then they grow and we

00:49:26
actually typically don't lose customers, even when they get

00:49:30
big enough and they hire a CISO themselves, because they still

00:49:33
need to leverage us for some of the things that if you're a CISO

00:49:36
you're probably not wanting to do an access review over quarter

00:49:39
or you don't want to go and review your policies, things

00:49:43
like that.

00:49:44
So they'll still kind of leverage us when they get to a

00:49:46
larger point for some of the more administrative stuff.

00:49:47
But yeah, the CISO as a service is really kind of the

00:49:51
foundation and the rock of our business and that's it for me,

00:49:55
allows me to have because again we're bootstrapped reoccurring

00:49:58
revenue so I can forecast the growth of the business and I can

00:50:01
scale accordingly, which is part of the reason I needed that

00:50:03
sort of monthly retainer, because the PEN test that was

00:50:06
just an up and down payment sort of thing, and so that's a big

00:50:11
piece of it.

00:50:11
And then we do other things too.

00:50:13
So if you're going to be we're not an audit firm, I don't want

00:50:16
to be an audit firm but if you want to get ISO 27, any ISO

00:50:21
complaint framework complaint, you have to do what's called an

00:50:23
internal audit, which is almost like a pre-audit, before you do

00:50:27
your audit with the certifying body to make sure that you're

00:50:29
ready to go into it.

00:50:30
And the person that does that or the company that does that

00:50:33
needs to be an independent third party.

00:50:35
So if you built the program, you can't also do the internal

00:50:38
audit because you're just auditing what you built yourself

00:50:40
, and so that's another aspect of the business that we have as

00:50:44
well.

00:50:44
So it's really kind of centered around providing all of the

00:50:48
services that you need to in terms of, like an offensive

00:50:51
security program, PEN, testing, scans, all of that stuff,

00:50:55
Coderviews, everything there around administrative and

00:50:59
operational aspects of building the program, which is kind of

00:51:01
the CISO as a service area of it as well.

00:51:03
So we combine both of those to kind of create a robust security

00:51:07
program offering for our customer.

00:51:11
Speaker 1: Wow, that is.

00:51:12
That's really fascinating.

00:51:14
It sounds like from my opinion, right.

00:51:19
It sounds like you kind of approach the virtual CISO role

00:51:23
from a different angle, or at least from an angle that I had

00:51:27
never heard of or thought of before is kind of offloading

00:51:30
those tasks to some extent.

00:51:33
That kind of every security department as a whole kind of

00:51:37
doesn't want to do like the access reviews, right, I've

00:51:41
never talked to an IAM manager or an IT manager overall and

00:51:47
heard that they want to do access reviews and that they're

00:51:49
excited for it to identify all of the misusage of roles and

00:51:55
accounts and groups in their environment.

00:51:56
Right, it's a really interesting take on it that I

00:52:02
think a lot of companies would actually benefit from a great

00:52:06
deal, right?

00:52:06
Is that what you're seeing as well?

00:52:08
How did you even think of taking that spin on it?

00:52:13
Or maybe it's just a native virtual CISO functionality or

00:52:18
feature that I just didn't know about?

00:52:21
Speaker 2: So when I decided to kind of work with smaller

00:52:23
SaaS-based businesses.

00:52:24
So again, we were just doing pentests through about 2017,

00:52:27
mostly big businesses in New York and two folds.

00:52:31
One, I wanted to work with the future of technology, which I

00:52:33
thought was cloud, which I was right.

00:52:35
And I also again since I told you I didn't come from a lot of

00:52:40
money I was doing these pentests where I would get a paycheck

00:52:43
and then there would be nothing for two months, and then I'd get

00:52:45
a paycheck and nothing for two months, and I was like I need

00:52:48
some stability in my income to continue.

00:52:51
That's how I just have to live, because I'm not used to big

00:52:54
paychecks and then peaks and valleys.

00:52:55
And so by doing that, I would go to the smaller businesses and

00:53:00
I would offer them pentests, and typically startups didn't

00:53:03
always have a lot of capital to pay for a pentest in one payment

00:53:06
, so I bought them, spread that out over like a couple months.

00:53:09
During that time period that they were paying me, they would

00:53:11
come to me for tons of other services because there was no

00:53:14
one else that could help them with this sort of stuff, and so

00:53:17
that's.

00:53:17
I kind of started to take all of that data in about what the

00:53:20
services were that all these customers were asking us for.

00:53:22
And then I realized that, like that's the program that I need

00:53:25
to build as a CISO, as a service type of program that's based

00:53:29
for these sort of cloud-based companies.

00:53:30
And so again, when you're looking at their architecture or

00:53:33
something like that, yeah, you can do, we have people that do

00:53:36
some terraforming stuff like that here.

00:53:37
But overall, a lot of the work that you're doing is more

00:53:41
administrative, because all of the controls and things you're

00:53:43
built in or you're just putting in sneak or you're putting in

00:53:47
some sort of like intrusion detection system or you're

00:53:49
monitoring that or managing that .

00:53:52
But it just became more like taking everything that everyone

00:53:56
wanted and then looking at the holes in the industry and then

00:53:59
building a program out over that .

00:54:00
So I didn't have this like early on I thought I would just

00:54:04
do pentests.

00:54:05
I didn't have this early on idea of like, okay, I'm going to

00:54:08
do CISO as a service and this is exactly what it looked like.

00:54:10
I really just looked at what the opportunities for in the

00:54:14
industry, I analyzed that and then I followed that and I built

00:54:17
programs out to make what we have today.

00:54:22
Speaker 1: Hmm, that's really fascinating.

00:54:24
It's always interesting for me to see how everything kind of

00:54:27
comes together and you know where different ideas come from.

00:54:32
Right, because it kind of also influences you know how I make

00:54:36
my own decisions and how I view different things.

00:54:39
Right, like I start to get into that mentality of, oh, maybe I

00:54:43
could dive into this a little bit more and offer it a

00:54:46
different way, and whatnot.

00:54:47
So it's always fascinating.

00:54:49
Well, justin, you know our conversation has been fantastic.

00:54:53
You know I really enjoyed talking with you today.

00:54:56
Unfortunately, we're at the top of our time here, you know, but

00:55:01
before I let you go, how about you tell my audience you know

00:55:04
where they could find you, where they could find Rometic, if

00:55:07
they wanted to reach out and learn more?

00:55:09
Speaker 2: Hey, you can.

00:55:10
Just our website is wwwrometiccom and that's

00:55:14
r-h-y-m-e-t-e-ccom.

00:55:17
Or feel free to just email me.

00:55:19
It's Justin J-u-s-t-i-nrendy r-e-n-d-e at Rometiccom, and I'm

00:55:26
happy to answer any questions or help any of your listeners in

00:55:29
any way I can.

00:55:31
Speaker 1: Awesome.

00:55:32
Well, thanks everyone.

00:55:33
I hope you enjoyed this episode .