When life threw a curveball at Justin Rende, he caught it and threw it right back, catapulting himself into the cybersecurity stratosphere. Our latest episode features the captivating tale of how a chance challenge from a CEO turned into a flourishing business, as Justin Rende, CEO of Rhymetec, our esteemed guest, recounts the twists and turns from IT beginnings to cybersecurity stardom. He doesn't just tell a story—he provides a roadmap for anyone with the audacity to dream big and the versatility to thrive in the ever-changing tech landscape.
The conversation takes an insightful turn as Justin Rende unravels the art of communication within the cybersecurity arena. He dissects the delicate dance of conveying the urgency and complexity of cybersecurity to clients who may not grasp the full technical scope. We get the inside scoop on how his company's strategic approach to transparency and remediation not only eases client concerns but also fosters an environment for informed decision-making. And for those thinking of starting their own firm, Justin lays bare the crucial role industry connections play in igniting the rocket of success.
Finally, we jet set to the future, where the cloud reigns supreme, and AI looms large over Silicon Valley. Justin Rende shares his insights on the tech industry's rapid evolution, keeping us on our toes about what's to come. He also sheds light on the inventive training and retention methods employed at Rhymetec, revealing the secret sauce to cultivating a workforce that's as passionate about technology as they are skilled. Plus, we take a peek into the making of a 'Virtual CISO Program', a concept proving instrumental for businesses big and small in achieving that gold standard in security compliance. Tune in for an episode that's about the journey, the destination, and the countless lessons learned along the way.
Speaker 1: How's it going, Justin?
00:00:01
It's great to finally get you on the podcast.
00:00:04
We've definitely been working on planning this thing for quite
00:00:07
a while now, so I'm really excited for our conversation.
00:00:11
Speaker 2: Yeah, thank you.
00:00:11
I'm excited to be here.
00:00:13
Speaker 1: Yeah, absolutely. So, Justin,
00:00:16
I start everyone off with giving their background right,
00:00:21
like how you got into IT, how you got into security, that sort of
00:00:24
thing.
00:00:24
And the reason why I do that is because there's a portion of my
00:00:27
audience that could be getting into security for the very first
00:00:31
time or trying to get into IT for the first time, and I think
00:00:34
it's always helpful to hear everyone's story and maybe it'll
00:00:38
match up with someone and they can say, oh, if he did it, maybe
00:00:41
it's possible for me.
00:00:43
Speaker 2: Yeah for sure.
00:00:44
Yeah, definitely.
00:00:45
I can give you a little bit of background on how I kind of got
00:00:47
to where I am today.
00:00:48
So after I graduated college I moved to New York City and I
00:00:52
started working.
00:00:52
I had a degree, I wanted to work in technology and I started
00:00:56
working for a company here in New York that did software
00:00:59
licensing.
00:00:59
This was back in, not to age myself, back in 2002.
00:01:02
We were selling a lot of Microsoft licensing to big
00:01:06
businesses.
00:01:07
So I got a lot of exposure to IT and to a lot of large
00:01:10
businesses primarily based here in New York, the IT departments,
00:01:13
and how they work and how they operate, and so I did that for
00:01:17
a few years.
00:01:18
And then I actually left that job for a small period of time
00:01:21
where I went to go work in film, because I lived in New York
00:01:24
City and I was young and I wanted a job at the law school
00:01:27
at that point in time.
00:01:28
So I left to go work in film for a while, which was great too,
00:01:32
and I think back on how it all kind of played together with
00:01:35
where I am today, because I learned a lot of things about
00:01:37
like my work ethic and when you work for a film company in New
00:01:40
York City there's a million people ready to take their jobs,
00:01:42
so you always kind of have to be on your end game all the time,
00:01:45
and it also by working in film.
00:01:48
I was surrounded by a lot of different celebrities and really
00:01:51
people that I viewed at that point in my life as being like
00:01:54
really prestigious, important people, and I realized by
00:01:57
working with them that they're just people like me and there's
00:01:59
no reason why I should idolize them, and so that helped me when
00:02:02
I started Rhymetec as well, because that gave me confidence
00:02:04
to be able to do that.
00:02:05
But I ended up working in film for a few years and then I
00:02:09
really decided that it started to get a little bit older and I
00:02:12
was like, hey, no, maybe I don't really care so much about
00:02:14
having the cool job in New York City and I'll tell you more
00:02:17
about something that I'm going to be good at and so I left film.
00:02:21
I also didn't want to move to Los Angeles, which was kind of
00:02:23
the next logical step for me that I stayed in film.
00:02:26
So I left film and I went back and I worked for some consulting
00:02:29
companies here in New York doing consulting work, tech
00:02:33
consulting work, and one of the companies that I worked for, I
00:02:38
ended up doing a large penetration test.
00:02:42
I was primarily providing cybersecurity services through
00:02:45
these other consulting companies that I was working with, and I
00:02:49
ended up doing a penetration test for a large, prestigious
00:02:52
law firm here in New York City and we did a really good job
00:02:56
working with them.
00:02:56
We were able to hack them a bunch of different ways, which
00:02:59
was good for us.
00:03:00
I don't know if that was necessarily good for them, but
00:03:02
it was good for us and they were.
00:03:05
They their CIO at that point in time was pretty impressed with
00:03:08
the work that we did, and so he had asked me because I had had a
00:03:12
longstanding relationship with this law firm through just my
00:03:15
various years of working in IT in New York, and he had told me
00:03:18
that he knows that I wanted to start my own business and that I
00:03:21
wanted to start my own cybersecurity firm, because I
00:03:22
talked to him about it before and he said that he's happy to
00:03:27
refer me because of the good work we did for them.
00:03:28
He's happy to refer me into one of their customers, but the
00:03:30
only way he's going to do that is if I start my own business,
00:03:33
and so he kind of allowed me to start my own business.
00:03:36
Turns out, they ended up referring me into one of their
00:03:39
clients.
00:03:39
Keep in mind, this is a really prestigious New York City based
00:03:42
law firm, so their clients are also very prestigious type of
00:03:45
customers as well.
00:03:45
They referred me into one of the for NDA.
00:03:49
I can't tell you who the customer is, but they referred
00:03:52
me into a really prestigious kind of wealth management
00:03:55
company and we ended up doing a pen test for them as well.
00:03:59
And then we found a bunch of different ways as well and that
00:04:03
slowly kind of snowballed into working with a lot of high
00:04:06
net worth type of companies here in New York City.
00:04:09
So from really 2015 till like 2017, 18, we were really just
00:04:16
doing kind of pen testing work for high net worth type of
00:04:19
companies.
00:04:21
And then I wanted to really kind of even out my workflow and I
00:04:24
wanted to provide security services to smaller companies
00:04:27
because I could relate to them more frankly.
00:04:29
I'm still considering myself a startup, but I was a startup
00:04:32
definitely at that point in time and so I wanted to work with
00:04:35
SaaS based companies because I just kind of thought of that as
00:04:38
being the future of technology.
00:04:39
It was cool doing these big pen tests, but we were working on a
00:04:41
lot of legacy tech, and so I wanted to work with more
00:04:44
innovative new cloud based tech, and so I started working with a
00:04:47
lot of startups.
00:04:48
I realized there was a huge hole in the market for people
00:04:51
that had security expertise, especially in the cloud space,
00:04:54
at this point in time, and so I realized there was a huge
00:04:57
opportunity for me to capitalize on that and to really kind of
00:05:00
build out a whole lot of services around cloud security,
00:05:03
and I started to do.
00:05:06
That was in like 2017, we had 20 clients and now we have over
00:05:10
600.
00:05:11
So it's been.
00:05:13
I think I made the right decision.
00:05:20
Speaker 1: Man, that's really fascinating.
00:05:21
There's a lot to unpack there.
00:05:23
It's interesting you bring up film I've actually never had
00:05:29
anyone on that went to the film industry and then into back into
00:05:33
IT or into IT in any capacity.
00:05:36
Right, A cousin of mine, he actually did some work in film
00:05:43
and LA and he worked on Thor, worked on the Spiderman movies
00:05:49
and a couple other movies and it was all with Disney and he said
00:05:54
that he'll never work for Disney again.
00:06:00
So he decided to move to Pittsburgh and teach theater
00:06:04
after that.
00:06:06
Speaker 2: Nice, yeah, I think.
00:06:09
Like I said, I think when I decided to work in film again, I
00:06:12
was in New York City.
00:06:13
I was in my 20s at that point in time and I think the
00:06:16
priorities were just a little bit different.
00:06:17
I didn't go to school for film.
00:06:20
It wasn't like I was claiming I'm being a filmmaker, like I
00:06:23
love documentaries, but I never had the desire to really make
00:06:25
them.
00:06:27
I did it for the wrong reasons.
00:06:28
I did it because I wanted to be surrounded by cool people,
00:06:31
because all my friends had cool jobs and I wanted a cool job too,
00:06:34
and selling, like, software licensing isn't necessarily the
00:06:37
coolest job.
00:06:38
So, yeah, I went into it for that reason and then I worked
00:06:41
there for a while and, like I said, it taught me a lot.
00:06:43
It taught me a lot about work ethic.
00:06:45
It taught me, boosted my confidence, to be around these
00:06:48
people and realized that they're people who I once idolized, but
00:06:51
they're really just now.
00:06:52
They're just people like me and you and everyone else.
00:06:54
And so I think, like I did take a lot from working in film and
00:06:59
I was able to leverage that and apply that to how I do work now
00:07:03
at Rhymetec, being the CEO of this company.
00:07:06
I don't know that I would have had the confidence to
00:07:08
necessarily start this company had I not worked in film and put
00:07:11
myself in those situations or really even have the confidence
00:07:14
to always go up to a lot of.
00:07:15
We work with a lot of other companies big companies we work
00:07:18
with, partner with some startups and some bigger companies to
00:07:21
meet with the executives at these companies and deliver my
00:07:23
message with confidence.
00:07:24
I don't know that I would have been able to do that had I not
00:07:27
had that experience in film, because it really taught me that,
00:07:30
like, people are just people, no matter what their title or
00:07:36
whatever they are, they're all.
00:07:37
We're all people.
00:07:37
We all have insecurities.
00:07:39
We all have like the same thing going on in our lives typically.
00:07:44
Speaker 1: Yeah, it's.
00:07:45
You know, having I don't know if that is necessarily like
00:07:50
imposter syndrome or, you know just anxiety with talking to
00:07:55
someone that you see, you know as beyond you or whatever it is.
00:07:58
I remember when I started this podcast, you know I was talking
00:08:03
to a friend.
00:08:03
I'm like I have no business talking to.
00:08:05
You know, these CEOs and these founders and these guys that you
00:08:09
know hack airplanes midair with them on it, like I have no
00:08:13
business talking to these people.
00:08:14
Like how am I even going to?
00:08:15
You know, do this conversation?
00:08:18
Like it was a?
00:08:19
I was talking to the CISO of some large company, you know,
00:08:23
and my friend just kind of broke it down to really simple terms.
00:08:27
He's like well, you know, when he gets hurt, do you think he
00:08:31
like bleeds another color or is it red, like you, you know?
00:08:35
Is he?
00:08:35
Is he from this planet, you know?
00:08:37
And you know obviously all of those questions are yes, and
00:08:42
he's like well then, you have nothing to worry about.
00:08:43
He's just another person, you know, like he has a journey just
00:08:46
like you, and you just have to remember that you're just two
00:08:50
people having a conversation and I think that that that skill,
00:08:56
you know, really helped me going forward, right, because now I
00:08:59
feel like I can honestly, you know, talk to anyone, have a
00:09:02
conversation with anyone it doesn't matter what industry
00:09:05
they're in or you know their expertise or anything like that
00:09:08
and you know, obviously that helps me with the podcast, but
00:09:12
it helps me overall, right, because when I go into you know
00:09:17
interviews or I meet new people at conferences or whatever you
00:09:21
know.
00:09:21
It's a lot, it's a lot easier, in my opinion, to have those
00:09:24
conversations.
00:09:25
I feel like I'm a little bit more pleasant to talk to you
00:09:28
after that.
00:09:31
Speaker 2: For sure.
00:09:31
I think it helps me deliver my message with confidence because
00:09:35
I don't second guess myself as much.
00:09:37
I know what.
00:09:38
As long as I know what I'm talking about, I'll be
00:09:41
articulate about it and I'll deliver it with clarity and with
00:09:43
confidence.
00:09:44
And I think that that's something that I got from being
00:09:47
around these people again who I once idolized, and realizing
00:09:50
that like, oh, they are just like me and some of them
00:09:54
probably have more insecurities than me, or just everyone has
00:09:57
their own issues and so like, why should I, why should I view
00:10:00
them any differently?
00:10:00
And it really, it really.
00:10:02
I think I mean obviously, a lot of working in the tech and all
00:10:06
that stuff that I've done and technology really kind of helped
00:10:08
to get me here and gave me sort of the technological skills to
00:10:12
be able to do what I do today.
00:10:13
But I think that it's a good thing that I did work in film,
00:10:16
because it definitely gave me the ability to communicate well
00:10:19
and have confidence going into most of the interactions and
00:10:22
engagements that I do now as the CEO of a company.
00:10:27
Speaker 1: So when you were doing pen tests, for you know
00:10:31
these, these very powerful customers, you know, I mean I
00:10:36
guess that's probably a good way of saying it and I've actually
00:10:40
worked on the other end of that, where I worked for a large
00:10:43
wealth management firm here here in Chicago.
00:10:47
I mean, everyone knows I'm in Chicago now, so they can, they
00:10:50
can go Google it.
00:10:51
But you know, it was interesting how we approached
00:10:56
pentests and how we kind of tried to influence, like, the
00:11:01
opinion of the pentester and things like that.
00:11:04
And you know, yeah, you know me personally, I feel I was very
00:11:10
uncomfortable being in that room, right, because I I am not
00:11:15
someone who's gonna tell the pentester, oh, you should look
00:11:17
over here and not here, right?
00:11:19
Or you should, you know, try and authenticate via this method
00:11:23
and not this.
00:11:23
That's not my job, right, like it's the pentester's job to get
00:11:28
in.
00:11:28
It's not my job to tell them where to look.
00:11:32
Speaker 2: You know I mean, then obviously they were doing
00:11:35
something right, so you don't need to tell them how to do it,
00:11:38
if they were able to get in well, that that's.
00:11:42
Speaker 1: That's part of the problem, right?
00:11:44
So our firm would put so many restrictions around them that
00:11:49
they wouldn't be able to get in.
00:11:51
So then we could say, you know, in some report, a clean report,
00:11:54
oh, we pass it, you know.
00:11:55
But I'm over here and I'm like, yeah, I can tell them that into
00:12:00
the core switch in our network.
00:12:02
Like, you cannot tell me that that is secure.
00:12:06
You can't tell me our network is secure if I can just telnet
00:12:09
right in, no authentication, and oh, I now
00:12:13
have root, like now I have root and I can do whatever I want.
00:12:17
But I'm not a network guy, so I can't even.
00:12:19
You know, I don't know the Cisco syntax or anything like
00:12:22
that.
00:12:23
Right, did you ever come across something like that where you
00:12:29
know people were trying to somehow influence the results of
00:12:33
the pentester, influence how you approached it and how did
00:12:36
you?
00:12:37
How did you approach that situation?
00:12:39
Because I feel like, as a security professional, right,
00:12:42
you're kind of it's like you're tied to these industry standards
00:12:45
where you absolutely shouldn't do that.
00:12:48
But it's, it's a, it's a war internally, right, between you
00:12:54
and the organization to be like To kind of thread the needle, so
00:12:59
to speak.
00:12:59
Right, because the org may want it a certain way, and then
00:13:03
you may know you need it another way, right?
00:13:05
So how do you?
00:13:06
How do you balance that?
00:13:08
If you've encountered that?
00:13:10
Speaker 2: Thank you for that Communication with what you're
00:13:13
going to be doing and what the expectations are of the people
00:13:16
that you're going to be testing.
00:13:18
So if they're going to gray box it and keep it very limited
00:13:20
scope, and we'll have that communication with them.
00:13:23
But we need to be clear about like, hey, if we were a malicious
00:13:26
adversary or a hacker, those they're not going to only focus
00:13:29
on this tiny scope, they're going to focus on your entire
00:13:31
platform.
00:13:32
So I don't know if this is the best phrase, but it's something
00:13:35
I always tell people is no one likes to hear that their baby is
00:13:39
ugly, so no one wants to think like, oh, we built this program
00:13:43
and we thought it was great, and then we just had a company come
00:13:45
in and hack it a bunch of different ways and show us all
00:13:48
the holes in.
00:13:49
And I think that that's always.
00:13:53
Conversation changes on depending on what level of
00:13:55
person you're talking to within the organization.
00:13:57
If you're speaking to a security engineer who's
00:13:59
responsible for essentially building and maintaining that
00:14:02
security program, he may have a much different reaction than a
00:14:06
CISO or someone that understands that if you do get
00:14:09
hacked and you do actually there's a loss of data or
00:14:13
there's a breach or something like that, understands the how.
00:14:16
The repercussions for that can be pretty detrimental, the
00:14:19
conversation switches.
00:14:20
So if you're speaking to an executive there, I'm going to
00:14:22
understand and kind of empathize with you.
00:14:25
They're going to say, yes, thank you for finding this.
00:14:27
Like I can happen with that large law firm.
00:14:29
There's the security engineering team.
00:14:31
After we left probably didn't have a very good conversation
00:14:35
with their management team, but the management team from that
00:14:38
law firm, because we did such a good job, ended up referring us
00:14:40
into another really prestigious client.
00:14:43
So I think when you, when you're talking about how to kind of
00:14:48
frame it, there's two ways.
00:14:49
When you, when you go to scope something out, you have to be
00:14:52
very clear about, like, what the scope is and and what they want
00:14:57
you to look for.
00:14:57
And then, if it's just a pointed part of this, you have
00:15:00
to be very clear that says fine, we're happy to do that.
00:15:02
However, like you should know that your entire attack surface is
00:15:05
at risk, it's not just this one tiny part.
00:15:07
And so if you can clearly communicate that to them and
00:15:11
they still want you to focus on just a small part, to get a
00:15:14
clean report or whatever their logic is for that, we'll do that.
00:15:18
But we've done our due diligence and we've done our.
00:15:20
We've done well by telling them what the actual risk is and
00:15:24
then when you deliver the report results especially if it's
00:15:26
something where we've kind of been able to hack them a bunch
00:15:29
of different ways we typically just are very open and honest
00:15:34
about it we go back and we show them.
00:15:36
We're willing to show them.
00:15:38
One of the things that we do when we pen test is we all of
00:15:40
our pen testers are based here in the US and we actually open
00:15:44
up all set up like a Slack channel or Microsoft Teams
00:15:46
channel or whatever, and as we're doing a pen test we're
00:15:49
talking to the engineers telling them this is what we found,
00:15:52
this is how we found it.
00:15:52
So they don't just wait for the report and then it's not a
00:15:55
surprise when they give it.
00:15:56
So I think that softens the blow a little bit and they
00:15:58
understand the process a little more.
00:16:00
So it's a little bit easier for us to justify it when we're
00:16:05
delivering that report and we could fill out whenever we
00:16:08
Remuting.
00:16:09
We also typically give our customers a two week window to
00:16:13
do any remediations, so they can remediate within that two week
00:16:17
window anything that we found and then we will issue not
00:16:20
another report, but we'll issue an attestation letter to that
00:16:22
report that says, hey, these were these vulnerabilities that
00:16:26
were discovered on, as reflected in the report dated, whatever
00:16:30
the date is.
00:16:30
We went back and retested those as of this date, which again
00:16:34
was never longer than two weeks, and they were all remediated
00:16:37
and are no longer found with us.
00:16:38
So there are some ways that you can kind of help out the
00:16:42
security team by giving them that window, as long as they're
00:16:45
doing their, doing good work, by getting everything remediated
00:16:49
and doing what they need to do, we're happy to kind of go back
00:16:52
and attest to the fact that they put in the effort to fix these
00:16:54
problems.
00:16:55
Speaker 1: Hmm, you know, do you think that you ever would have
00:16:59
started the company if that exec, you know, didn't push you
00:17:03
towards it right, and kind of show you like hey, there's
00:17:07
another customer here.
00:17:08
You know, you could start this company for I don't know
00:17:13
thousand bucks, right, and you can make.
00:17:15
You know, I'm just I'm just throwing out, you know, yeah.
00:17:21
Speaker 2: I think they knew that I was gonna start my own
00:17:22
company regardless, and I think that because we did, because I
00:17:25
talked to them and again I've been this is a while from I used
00:17:28
to sell Microsoft licensing to back in 2002, so I'd known these
00:17:31
guys for years, and so I think that the fact that they knew
00:17:37
that I wanted to do this and the fact that they, that I did such
00:17:40
a great job on their pentest they were looking to kind of be
00:17:44
like, hey, we know Justin does good work.
00:17:46
We know that he did this like we know that he wants to start his
00:17:49
own company.
00:17:49
Let's help them by giving him like a platform, pick the coffin,
00:17:54
by giving them me, ultimately, one of the most what I would
00:17:58
consider still the stare, most prestigious client, but one of
00:18:02
their best clients to, to do good work by them, that they, they
00:18:06
definitely sped up the process, because I remember when they
00:18:08
told me and I had to go home and make a website and get all my
00:18:11
contracts together and they can have a week, they, they sped up
00:18:16
the process, but I think it's something that I would have done.
00:18:18
Actually, no, it's something I would have done regardless.
00:18:20
I probably just wouldn't have had that, that helping hand.
00:18:25
Speaker 1: Yeah, it's, it's a.
00:18:26
It's interesting, you know, when you start going down that
00:18:30
path of, like, founding a company and going, it's a
00:18:35
totally different stress, you know, like, I mean.
00:18:39
For me I guess it's a lot less stress, right, because I'm not
00:18:42
dependent on the success of the company, you know, to pay my
00:18:45
mortgage, right.
00:18:46
But it's a different kind of stress in terms of, you know,
00:18:51
kind of knowing or defeating that impersonation,
00:18:54
impersonation syndrome, right, because now you're starting the
00:19:00
company and you're the expert, right, by default.
00:19:02
You're saying you're the expert in this space, whatever it
00:19:07
might be.
00:19:08
You know, did you face any of that when you started the
00:19:12
company or did you already kind of move past that, you know,
00:19:16
with your, your previous endeavors?
00:19:19
Speaker 2: So a little bit of both, I guess, to answer your
00:19:21
question.
00:19:22
So I think when I first started this company, I mean, I knew a
00:19:26
lot about the industry still, and I knew what I was doing.
00:19:29
I think one of the things that people get them up on, though,
00:19:32
is they if you are the CEO of a cybersecurity company and
00:19:36
someone asks you a question, you have to be truthful.
00:19:39
If you don't know the answer to that question, say hey, I don't
00:19:41
know the answer to that question, but I'm gonna do some
00:19:43
research, or I'm gonna ask around and I'm gonna come back
00:19:45
to you and I'm gonna get you an answer and then follow through
00:19:46
on that, and then people will actually respect you more when
00:19:50
you do that, because they're gonna say, hey, like not always
00:19:53
do people follow up.
00:19:54
Sometimes people will just give a half kind of witted answer so
00:19:56
that they can sound like they know what they're talking about.
00:19:58
I think a lot of times, people can see through that.
00:20:00
So I didn't know everything from the start, but I recognized
00:20:05
I didn't know everything from the start, and I was never gonna
00:20:07
be dishonest to my customers, so I was always honest with them
00:20:10
as the cloud security space started to evolve more and more
00:20:15
and I would be with other executives, or I would go up to
00:20:17
Silicon Valley and I knew with like these founders of like
00:20:19
these well-funded kind of like security security companies and
00:20:24
I would meet with them.
00:20:25
And then I realized there was a point in time where I was like I
00:20:28
actually am the subject matter expert here, like I know what.
00:20:31
I thought these people are coming to me rather than me
00:20:33
going to them, and this is someone kind of like said with
00:20:36
film, someone who I would have idolized before in this industry
00:20:39
or I would have thought of as being a subject matter expert.
00:20:41
They're actually coming to me as the subject matter expert on
00:20:45
this.
00:20:45
And so there was really a point in time where that switched.
00:20:48
So did I have imposter syndrome?
00:20:49
I didn't, because I was always honest with my customers, right,
00:20:54
I never tried to make them think that I knew something that
00:20:56
I didn't, but I was honest and told them what I didn't know,
00:21:01
something.
00:21:01
We've followed up on that.
00:21:02
And then there was just a point in time that way I do, actually,
00:21:07
from doing this for so long and how we're going on 10 years
00:21:10
running this company, that I actually am the subject matter
00:21:14
expert and I don't need to think of other people as being man, I
00:21:17
certainly don't feel any sort of imposter syndrome anymore.
00:21:22
Speaker 1: Yeah, it's.
00:21:22
It's interesting how being honest with your customers can
00:21:27
really alleviate a lot of that, a lot of that stress.
00:21:31
You know, I feel like it's very easy to get into a mentality of
00:21:36
you have to, you know, appo, uphold some some type of image
00:21:39
or whatever it is.
00:21:40
And I remember when I first started, you know, my consulting
00:21:44
LLC, and I had a customer that was asking me, you know, about
00:21:49
my experience around a certain you know project that they had
00:21:52
going on and things like that.
00:21:54
And I told them very honestly like hey, I know what you're
00:21:57
talking about and everything, but I'm not the right person to
00:22:01
actually deploy, you know that that portion of the technology.
00:22:04
I understand it 100%.
00:22:06
I just don't have a technical expertise to actually do it
00:22:10
because it's very code heavy.
00:22:11
I'm not a developer to save my life, you know like there's
00:22:16
other people out there that can do this a whole lot better than
00:22:19
what I can give you.
00:22:21
And I fully expected them to not give me the contract, to not
00:22:27
accept the deal or anything like that.
00:22:29
And for some reason they accepted it.
00:22:32
And even after accepting it, I told them like, hey, I am
00:22:36
probably not the guy, and it alleviated a lot of the stress,
00:22:43
just being upfront with them and come to find out their
00:22:47
requirements were a little bit different.
00:22:49
It's a little bit lighter than what they were actually telling
00:22:52
me and when we did the discovery session we were able to hash
00:22:55
all of that out.
00:22:56
But I've always found it valuable to be very upfront and
00:23:04
even today my nine to five I'm very upfront with what my
00:23:07
limitations are in the space, because not everyone is gonna be
00:23:11
able to work in the cloud 100% with all of the different
00:23:17
services that AWS launches in a year, right Like I think.
00:23:22
Last year they launched something like 40 services.
00:23:24
How can anyone keep up with that?
00:23:28
Speaker 2: We can't, it's impossible.
00:23:29
And so I think the pressure that people feel to try to portray
00:23:33
that they're a complete subject matter expert on all of this is
00:23:37
irrelevant.
00:23:38
And I think that when I look at when I hire people or when I'm
00:23:43
working with, like, I appreciate a level of vulnerability and
00:23:47
honesty, because then again I would always go to my customers
00:23:50
and say, hey, I don't know that, but I will find out and I will
00:23:52
come back to you.
00:23:54
And then I would, I would research it, that I'd ask around
00:23:56
and I would get the right answer, and that I'd come back
00:23:57
to them, and then they would know that I was being honest
00:24:01
with them, because I wouldn't have wasted all that time to
00:24:03
figure out something and then come back to them with something
00:24:05
that wasn't true.
00:24:06
And so I find that, like you just showing a little again,
00:24:11
kind of going back to the thing I learned in film, which is that
00:24:13
we're all human, we all have vulnerabilities like we're all
00:24:16
vulnerable to something, showing that you're a human but then
00:24:20
showing that you're an honest human that cares about their
00:24:22
best interests, which is what people will really appreciate,
00:24:27
more than you trying to sound like you know what you're
00:24:29
talking about, but it comes across as disingenuous.
00:24:36
Speaker 1: Yeah, that's a very good point.
00:24:37
So you brought up previously how you identified SaaS as being
00:24:45
kind of the future at that point in time, and whatnot.
00:24:48
Are you still looking at the industry and actively looking at
00:24:54
where it's going?
00:24:55
And if you are, which I would totally assume that you are
00:24:59
where do you think it's going?
00:25:00
Where are those new security domains and areas going that
00:25:06
people should be paying attention to in the next five
00:25:09
years?
00:25:10
Speaker 2: So if you are a SaaS based company which means you've
00:25:12
probably started a company relatively recently and you're
00:25:14
not that are 20, 15 years old, I think obviously you're gonna be.
00:25:20
The majority of your data will be based in the company.
00:25:22
You'll be a SaaS based company.
00:25:24
I think a lot of companies that are gonna be implementing data
00:25:26
from their end users are gonna need to give you some sort of
00:25:30
compliance standards.
00:25:31
I think that the industry is shifting quickly with a lot of
00:25:34
compliance platforms that are coming up and automating a big
00:25:37
portion of what needs to be of the compliance and controls
00:25:43
policies and procedures.
00:25:44
So I think that's a big piece in the industry.
00:25:46
You look at companies like Vanta that are out there right
00:25:48
now and they're really killing it because they're automating
00:25:50
this piece.
00:25:50
So I think that is a big piece of it.
00:25:53
I love everyone wants to talk about AI, right, that's the
00:25:57
biggest buzzword right now and can you check?
00:25:58
If you just mentioned AI in Silicon Valley, you'll find some
00:26:01
extras that are willing to give you a massive audience in the
00:26:04
industry.
00:26:04
AI is gonna be a threat.
00:26:08
I don't.
00:26:10
Again, I feel like everyone wants to talk about it because
00:26:12
they wanna feel like they're on the map.
00:26:14
I understand it, but we don't know what those threats are
00:26:16
gonna be yet.
00:26:16
We don't know how it's going to evolve.
00:26:18
The only thing that I would say about AI is really, I'm sure
00:26:23
the threats will evolve with AI, but similar defenses that's
00:26:26
just the continual kind of way that we've continued to grow in
00:26:29
the cybersecurity industry has grown.
00:26:30
Is this?
00:26:31
Threats evolve, so do the defenses.
00:26:32
They may be growing much quicker with AI that's yet to be
00:26:37
determined but I think the defenses will continue to grow.
00:26:40
But outside of that, I mean I don't know, are we gonna have
00:26:44
chatbot hackers?
00:26:46
Maybe, but I think no one really can answer that question
00:26:49
definitively, and so, whatever anyone tries to, I kind of smart,
00:26:52
because I don't think anyone really actually knows.
00:26:54
I think they just wanna think that they know.
00:26:55
But yeah, so I mean, how AI progresses is gonna be a big
00:27:00
piece of it really.
00:27:02
And just overall cloud security, I think there's a huge, like I
00:27:06
said back when I kind of focused on primarily cloud-based
00:27:09
architecture in 2017.
00:27:10
I viewed that as being the future of technology.
00:27:13
I don't need a lot of companies that are starting up today that
00:27:16
are inputting a lot of IBM mainframes or a lot of SQL
00:27:20
servers on-prem, anything like that.
00:27:22
So I think that securing the cloud, which is a whole
00:27:25
different thing than securing an on-prem environment, is really
00:27:28
something that people need to pay attention to in the future,
00:27:31
and I can speak firsthand from saying there's a huge I don't
00:27:34
think there's a huge shortage of cybersecurity professionals in
00:27:37
the industry.
00:27:38
I think there's a shortage of people that understand cloud
00:27:40
security, because you may have worked in cybersecurity for the
00:27:44
past 30 years, but your job was really patching that one SQL
00:27:48
server in the office and that's the aspect of cybersecurity you
00:27:52
worked on.
00:27:53
When you have an architecture that's in the cloud, it's much
00:27:57
more of a high-level overview of what you're working on, because
00:27:59
a lot of the controls are already in place, because you
00:28:02
don't technically own them AWS or Google or someone else does
00:28:05
and so you have to look more around processes and stuff like
00:28:09
that.
00:28:09
So cloud security really big and really trying to find people
00:28:13
to fill that talent gap, because there's not enough there
00:28:17
right now, I think, are some things that I'm focused on
00:28:21
really, and that security is gonna be changing over the next
00:28:24
few years.
00:28:26
Speaker 1: Yeah, I actually have a friend I've known him for
00:28:31
several years at this point and I was telling him back in like
00:28:35
2017, 2018, hey, you need to get into the cloud, get the basic
00:28:40
AWS foundations, Azure foundations, certification at
00:28:45
least know the vocabulary like, because everything is going into
00:28:49
the cloud and it's gonna transform how we do everything.
00:28:51
And recently he kind of put it off and everything else like
00:28:56
that right, didn't think it was that important or urgent for him
00:29:01
to do that right.
00:29:02
And so recently he got onto a phone call with the rest of his
00:29:05
team and they started talking about AWS a lot more right,
00:29:10
because their company is moving towards AWS and they're
00:29:12
providing consulting services towards customers in the cloud
00:29:17
and things like that.
00:29:18
And he said he didn't understand a single minute of
00:29:22
this hour long conversation.
00:29:24
He said it sounded like they were just talking a foreign
00:29:27
language.
00:29:27
They had words that he had never heard before or anything
00:29:31
like that, and that's very true.
00:29:33
And now I am I'm studying to actually retake or re-up my AWS
00:29:40
security cert.
00:29:41
It's insane how the vocabulary changes just from three years.
00:29:49
Three years ago I took it, passed the cert, got it.
00:29:53
I understood the majority of the content on there, obviously,
00:29:56
but there wasn't ever a vocab word, so to speak, that I didn't
00:30:01
know what it was.
00:30:01
Then I go back and I'm trying to prepare for this new exam.
00:30:07
Speaker 2: Hold me back just here.
00:30:08
Speaker 1: Yeah, it's like okay, I'm from square zero again.
00:30:12
What is going on here?
00:30:15
Did that much stuff change in the last three years that we
00:30:20
have it's literally like 100 new words that you need to know
00:30:25
what they are.
00:30:25
I'm sitting here like did I select English for the test?
00:30:31
Like, did I accidentally select German?
00:30:34
Because this is insane.
00:30:40
Speaker 2: I think that a couple things like like technology in
00:30:45
general just moves fast, but climate moves really fast.
00:30:48
I also think that when you look at the testing that you were
00:30:52
taking, I think that a lot of times the vocabulary and just
00:30:57
kind of the way that they articulate things and tests
00:31:00
they've tried to make them more than what they've used,
00:31:04
sophisticated or challenging.
00:31:05
So it may not be.
00:31:06
It may be the same test, just with different words that
00:31:09
they've just recently made up to fulfill that task.
00:31:11
But yeah, I think that it's again.
00:31:15
I love technology for all the acronyms and all the real words
00:31:18
that it has in it and what I think they're like.
00:31:21
Really, the actual changes over the past years that you've seen,
00:31:26
especially from three years ago and your certification with
00:31:29
AWS, they probably haven't dramatically changed.
00:31:31
I would say that there has been some changes.
00:31:33
Again to your point, there was 40 releases last year.
00:31:35
They do have some changes, but I would say that the majority of
00:31:38
what you're dealing with is probably the semantics in the
00:31:40
test and how they've phrased and worded things to make it more
00:31:43
confusing and even more challenging for people to find.
00:31:47
Speaker 1: You know what it is.
00:31:48
Is they added?
00:31:50
You know they didn't add that much brand new capability, right?
00:31:56
What they did is they took existing capability and then
00:32:00
they delineated it even further, right?
00:32:03
So you know, CloudFormation has been around for a long time.
00:32:09
Speaker 2: You know, if you don't know, just move your
00:32:11
server out of your room and then it's in the cloud.
00:32:14
Speaker 1: Yeah, if you don't know CloudFormation, you're
00:32:17
probably not in AWS.
00:32:19
You don't understand.
00:32:20
You know anything in the cloud, right, okay?
00:32:23
So I got that down and now when I go and take the test, there's
00:32:26
like five or six new CloudFormation dash something service
00:32:31
that does a you know a smaller component of CloudFormation and
00:32:37
that's all it does.
00:32:38
But it's not like you can just look at it and know what it does
00:32:44
because you know the functionality of CloudFormation.
00:32:46
You know, like they have some weird lingo with it that now
00:32:50
it's like okay, I need to learn this stupid vocab word that you
00:32:55
know, does this thing that I've been doing for five years?
00:32:58
Speaker 2: You know, like I could tell them to learn more
00:33:01
about this and to do it.
00:33:02
So I think it's capitalism, yeah, yeah.
00:33:07
Speaker 1: How can we, how can we get the most from our
00:33:10
customers? Exactly.
00:33:12
Or this one thing?
00:33:13
Yep, that is.
00:33:15
That's the truth.
00:33:16
It's a very good point.
00:33:18
You know, how do you, how do you recommend people learn the
00:33:21
cloud?
00:33:21
Right, and it sounds like a very straightforward answer,
00:33:27
right, but it's not that straightforward, because if you
00:33:30
go in AWS for just talking about AWS, because that's the most,
00:33:34
I'm the most familiar with AWS, right, if we're talking about
00:33:37
learning AWS, the first instinct is to go in AWS, create an
00:33:42
account, start getting up you know some infrastructure or
00:33:46
whatnot, using that quote unquote free tier right, I can't
00:33:50
tell you how many times I've started a free tier account and
00:33:53
deployed only free tier assets.
00:33:55
To find out, I had the $300 bill you know, six months later.
00:33:58
Speaker 2: Right, that's not great.
00:34:02
Speaker 1: I can't even tell you the amount of times you know.
00:34:04
Recently I guess relatively recently I've dove more into the
00:34:09
Cloud Guru space, right, they learn about different topics.
00:34:12
They have a sandbox environment set up right there for you.
00:34:15
You don't have to worry about getting that random.
00:34:17
You know $300, $400 bill six months down the line that you
00:34:21
didn't even know was running in the environment, right.
00:34:25
So how do you recommend people learn it best and quickest?
00:34:30
Speaker 2: So I think this is a really tough question and it's
00:34:33
something that we've struggled with at Rhymetec because, again,
00:34:35
this is relatively new.
00:34:36
I don't have a huge pool of talent to pick from, so we have
00:34:39
to train a lot of our staff in house and a lot of people.
00:34:42
Everyone learns differently, like I always tell everyone, and
00:34:44
one of the things I ask people during the interview is how do
00:34:46
you learn?
00:34:47
I'm a visual learner to see something or experience it.
00:34:49
It's really up to that person and how best they learn.
00:34:56
Are they going to need to, or do we need to, set up a test
00:34:59
account for them and let them play around in it and understand
00:35:02
it?
00:35:02
Do they need to just go get the standard certifications that
00:35:05
they get, because they'll just read it and retain it and
00:35:06
they'll know it?
00:35:07
Do they need to work with one of our more senior people and
00:35:10
learn off of them?
00:35:11
There's just different ways for everyone to learn and I think
00:35:15
that it's not standard across the board.
00:35:17
I wish there was like one sort of security, sort of
00:35:20
standardized testing that we could just put everyone through
00:35:23
and be like once you've graduated this, you're ready to
00:35:25
go.
00:35:26
You'll start working with Rhymetec customers, and it's not
00:35:29
that simple.
00:35:30
It really is something where we have to kind of customize
00:35:33
training for each one, because we also hire people that come in
00:35:35
with different levels of skill set.
00:35:37
We have to kind of customize training for each one of those
00:35:41
people.
00:35:41
That's been something for us.
00:35:43
Frankly, that's been one of the biggest issues we've had,
00:35:47
especially over, let's say, the past five years, because we've
00:35:49
gone through, ultimately, hyper growth. We've been adding
00:35:53
numerous customers every single month was to find talent, train
00:35:59
talent and retain talent and keep them here.
00:36:02
We always keep people here.
00:36:03
We don't actually lose them, but find them and train them and,
00:36:06
through that training process, realize that they want to stay
00:36:08
here, they want to work in tech, and then they will.
00:36:13
I think part of it is too.
00:36:14
Everyone will learn differently, so they need to understand how
00:36:19
they learn and they have to have really a desire or interest
00:36:22
to work in technology, because then they're not going to care
00:36:28
as much, they're not going to try as hard, they're not going
00:36:30
to be as invested as if they don't care.
00:36:32
If they're like oh, I took this job because I just needed a job,
00:36:35
or this was just something that I thought paid well and it
00:36:39
wasn't necessarily like aligns with my interests, then they're
00:36:43
not going to really learn it because they're not going to
00:36:45
have a passion for it.
00:36:46
I think when we look for people that we want to bring on board
00:36:48
at Rhymetec and train them.
00:36:49
We want to understand that they don't how they learn, because
00:36:53
then we can customize training for them, and we want to
00:36:57
understand if they have a passion for security and
00:36:59
technology, and if they do, then we can typically bring them on
00:37:05
board and train them as they need to learn.
00:37:09
Speaker 1: Yeah, it's fascinating that you put it that
00:37:14
way, right?
00:37:15
Because I feel like a lot of companies are looking for you to
00:37:19
be the expert day one and they're kind of looking for that
00:37:23
unicorn and then they don't pay unicorn money and it's like,
00:37:28
guys, if you want me to be a unicorn and I'm not a unicorn
00:37:32
right now you need to be able to train me up to get to that
00:37:37
level.
00:37:37
And it's really refreshing to hear you say that.
00:37:40
I've actually only heard maybe one other person or executive.
00:37:46
Overall, I actually say that and practice it and that's
00:37:50
actually how I got my start in IT.
00:37:52
Overall, this guy literally took me from nothing.
00:37:57
I could spell Linux but, god forbid, I had to look at a
00:38:02
terminal.
00:38:02
I could not figure it out for the life of me.
00:38:07
And he was very patient, had great training resources around
00:38:11
me and told me hey, if I give you all these resources and you
00:38:15
still don't make it, maybe IT isn't the thing for you, but I
00:38:19
think that it is and if you keep on learning, you keep on
00:38:21
pushing yourself, you keep investigating this thing, it's
00:38:25
going to work out, and I believe that it will.
00:38:27
That's all that I needed in that situation and in that part
00:38:31
of my life to really dive in and become what I became today.
00:38:38
It's really refreshing to hear that, because there's a lot of
00:38:44
people out there that do not have that same mentality, but
00:38:47
they'll complain about the shortage in security.
00:38:51
Speaker 2: Then how are you going to fix it?
00:38:52
Are you just going to keep complaining about it and expect
00:38:54
it just to automatically change, or are you going to do
00:38:57
something to try to fix that problem for your business
00:38:59
yourself?
00:39:00
I tend to veer towards those too, because I don't know how to
00:39:06
do it.
00:39:10
Speaker 1: I used to work for a credit bureau and they had maybe
00:39:15
the best pipeline I've ever seen where they had regular IT
00:39:20
help desk people and if they expressed an interest in
00:39:25
security, there was a very specific team that they went to.
00:39:29
These are the people that are basically just IT support for
00:39:32
security situations and from there all the other teams under
00:39:38
the security umbrella would start identifying their
00:39:42
strengths, their weaknesses and they would actually actively
00:39:46
recruit and try and poach people from this team, that team's
00:39:50
manager I'm good friends with him to this day.
00:39:53
He said yeah, it's great for the people on my team, it is
00:39:59
absolutely horrible for my team because we're constantly
00:40:02
rotating people all the time I springboard for them.
00:40:07
Speaker 2: I springboard them to cybersecurity, yeah.
00:40:09
Speaker 1: He's like I'm over here with 30 people on my team
00:40:13
on a good day, next week I'm losing two people.
00:40:16
I got to replace those two people.
00:40:18
My workload doesn't end just because some other team needs
00:40:22
them, but it was a great environment, great pipeline,
00:40:28
because you could go down a rabbit hole and you could say,
00:40:33
maybe six months in.
00:40:34
Oh you know what.
00:40:35
I don't think that this thing is for me.
00:40:36
Maybe the offensive cybersecurity is more for me,
00:40:41
and there was five, six teams under the offensive side.
00:40:44
So one of them would say, okay, come and work for us for six
00:40:48
months and it's not a big deal.
00:40:50
It was a fantastic way to kind of get started in cybersecurity,
00:40:56
I felt.
00:40:57
Speaker 2: Yeah, now for the same.
00:40:59
I mean I don't.
00:41:00
I'm not as probably as big as that company was, I don't have
00:41:02
huge departments and different aspect of cyber security, but we
00:41:07
tell all of my employees that when we come, they come here and
00:41:10
we train them Like I'm part of what I forget fulfillment.
00:41:13
I'm just having employees not just having to work here to do
00:41:17
the job but develop their skills, developing them.
00:41:20
I receive the things.
00:41:21
Those are the things that make me feel proud and so when I'm
00:41:24
interviewing people to come work here, I will frankly tell them
00:41:29
I'll be like this is the role that we have you in, but like
00:41:31
you are growing tremendously fast.
00:41:32
So I don't want you to think that you're gonna be pigeonholed
00:41:35
into this.
00:41:35
If you come here and you are also on the side doing some
00:41:39
other learning into something else and you realize like you
00:41:41
want to be a pentester, that's someplace I can place it pretty
00:41:44
easily.
00:41:44
But if there's other aspects within the industry that you
00:41:47
want to work in and there's an opportunity for us to build out
00:41:49
a line of business around that, we're talking about doing.
00:41:52
No, no detection response, actually as a service we're
00:41:54
gonna be adding this year.
00:41:55
So if there are people that are interested working as like a
00:41:57
SOC analyst.
00:41:59
There's absolutely that opportunity to kind of grow and
00:42:01
learn with the company and so, yeah, I think it's important to
00:42:06
be able to hire people and let them know that like I want you
00:42:09
to grow, I want you to continue to grow with the company and I
00:42:11
think and it to the point you had before where you said your
00:42:14
friend was losing people all the time to get that there's always
00:42:18
churn.
00:42:19
I've recognized that from the start with Rhymetec and I want my
00:42:22
employees to always feel very appreciated here.
00:42:24
So we're a startup where bootstraps start up, so I don't
00:42:27
know that we, like I, can't offer equity to my employees or
00:42:30
anything like that, because it's just the company's never gonna
00:42:32
be worth on it and $50 million for them, right.
00:42:36
But I make sure that we we have really competitive salaries in
00:42:41
terms of where we're at.
00:42:41
We offer really good benefits.
00:42:43
So we do a lot of off-sites by fly the whole company together
00:42:46
and just show them that they're appreciated, because I realized
00:42:48
that, like, once you learn this skill, you will be poached
00:42:52
because there is such a shortage of talent in the industry, and
00:42:55
so I want my employees to really feel appreciated through
00:42:57
working here.
00:42:59
Speaker 1: Hmm, yeah, that's, that's extremely, extremely
00:43:03
important.
00:43:03
You know I can't tell you the amount of times that I've worked
00:43:06
for a company and, and you know, you just feel like a number,
00:43:11
you know, you just feel like, you know, no one even knows that
00:43:14
you're there and then, when layoffs are happening, you're,
00:43:17
you're really just trying to, you know, make sure that, yes,
00:43:21
you're online but you're not talking to anyone.
00:43:23
You're trying to make sure that people forget about you and you
00:43:26
know it's a, it's a mess, it's, it's not a good situation to be
00:43:30
in, and I've always felt like the companies that really excel
00:43:34
are the companies that actually truly care about their people.
00:43:37
You know, and you can see that.
00:43:39
You know you can see that in the pay, you could see that in
00:43:43
the retirement benefits, right.
00:43:45
You could see that in the health care.
00:43:47
I've never felt more underappreciated than when I get
00:43:51
poor health care benefits, right.
00:43:54
It's like man, these guys, these guys are like, really
00:43:56
don't care.
00:43:59
Speaker 2: Because we feel the same way because of we pay for
00:44:02
employees and our employees, family and stuff.
00:44:06
So because I realized that and again, we're a huge company with
00:44:09
a ton of funding I realized that, like that said, like I
00:44:12
don't want my employees to ever have to stress out about, like
00:44:14
medical bills yeah, you have a, you have a job here and I want
00:44:18
you to be able to feel like you can focus on that and so any way
00:44:22
that I can alleviate other stresses in your life that you
00:44:25
may have, so that you're able to focus on your job and, overall,
00:44:29
just be a happier person.
00:44:30
I want to do that and I think what I think about like health
00:44:33
care and just the entire health care industry, it's, it's.
00:44:37
I don't want anyone to have to any of my employees to have to
00:44:41
go to the hospital and then be like home and I know a hundred
00:44:43
thousand dollars to this hospital.
00:44:44
No, I'm super stuff.
00:44:45
Like that's a stuff.
00:44:46
Yeah, if there's something I can do to make one of the
00:44:49
Rhymetec employees not have to deal with that, I want her
00:44:52
person.
00:44:53
Speaker 1: Yeah, I feel like.
00:44:54
I feel like we could have a whole other podcast about the
00:44:59
health care system and how you know, like how, how you can go
00:45:04
to a hospital because you're dying, right, you get the
00:45:07
life-saving treatment and then you're hit with a two hundred
00:45:10
thousand dollar bill.
00:45:11
Speaker 2: You know it's a have to be also poor because they
00:45:14
have to pay for all of their bills.
00:45:16
It seems awful, right.
00:45:17
Speaker 1: You know it's a.
00:45:18
It's not, it's not fair, that's not how this should be working.
00:45:23
You know, like my quick story, right, because I want to talk
00:45:27
about Rhymetec. Quick side story, right, I grew up fairly poor.
00:45:32
My family was pretty poor, of course, growing up in that
00:45:35
situation, you know, you don't think you're poor, you don't
00:45:38
identify with that or anything like that, but we were. Right.
00:45:42
And one day my sister got really sick.
00:45:44
She went to the hospital, found out her kidneys were failing,
00:45:47
right, she's like 12 years old at this time.
00:45:49
Immediately, you know, through, throughout, throughout,
00:45:54
everything that she goes through got a, got a kidney transplant
00:45:57
and everything like that right At the end of it is something
00:46:00
like four hundred thousand dollars.
00:46:02
How in the world could anyone ever pay for that?
00:46:06
And just to begin to feel like they, can.
00:46:09
Speaker 2: They can begin to think about even how I'm having
00:46:11
to pay back.
00:46:13
I, just to keep their kid alive you know, yeah, I also didn't
00:46:16
grow up with the with really any.
00:46:17
I wasn't poor, but I would say I was.
00:46:19
It was I didn't to your point, I didn't know that I was poor,
00:46:22
but I didn't grow up with a lot and so I and I didn't really
00:46:26
even have much until I started Rhymetec.
00:46:28
Honestly, I was.
00:46:29
I was very much paycheck to paycheck and like the idea of
00:46:34
having a four hundred thousand dollar burden on of healthcare
00:46:38
burden it's just would be at that point in time for me would
00:46:41
have been so deflating that I wouldn't even have known how to
00:46:44
start to deal with that because it's like I'm never gonna get on
00:46:47
top of this.
00:46:47
So like, yeah, what, how do I even try?
00:46:49
And so, yeah, I just I think again, it's as someone who is an
00:46:55
employer, it is my responsibility.
00:46:57
Unfortunately, it's my responsibility to I have to do
00:47:02
these things for my employees because I want the best out of
00:47:05
them and I want them to appreciate their jobs and
00:47:08
appreciate working here, and so I want to make take all of those
00:47:11
sort of like things that I can control, all of the stresses
00:47:15
that I can control.
00:47:16
I want to do my best to get those out of their lives so that
00:47:19
they can focus on work and they can enjoy working here and feel
00:47:21
like they're valued.
00:47:24
Speaker 1: Absolutely, you know, let's.
00:47:26
Let's talk about Rhymetec, you know.
00:47:28
So let's just start.
00:47:29
You know, kind of, from the beginning, it sounds like you
00:47:32
guys offer a lot of different services that are, you know, to
00:47:36
be quite honest, pretty critical in the security space, right,
00:47:40
so let's talk about.
00:47:41
You know what you guys offer, what the areas of specialty you
00:47:46
guys offer in the industry, and things like that.
00:47:49
Speaker 2: Yeah, so when I started the company, like I said,
00:47:52
when I was working for that law firm and then they referred
00:47:54
me to their clients, so I was just doing pen testing at that
00:47:56
point in time, so it was just pen testing and we were and
00:48:00
that's still kind of the heart of who we are.
00:48:01
We divide, amazing.
00:48:03
I'm really proud of the work that we do and I was doing
00:48:07
contests for a lot of larger businesses and then I said I
00:48:10
want to kind of adopt working with smaller businesses and then
00:48:12
I want to do a lot of work with the industry.
00:48:15
We do a lot of speed test or PCI scans, things like that.
00:48:18
So there's the whole sort of like pen testing kind of aspect
00:48:23
of the business.
00:48:23
And then we do we work with a lot of like those compliance
00:48:28
platforms that I mentioned out there, because we leverage those
00:48:31
as kind of.
00:48:31
We use them for compliance and to fulfill some of the controls
00:48:35
that you need, but more times than not we use them as the
00:48:38
baseline, as like the foundation of your security program and
00:48:41
the source of truth.
00:48:41
But we leverage those platforms and then we build and manage
00:48:46
InfoSec and data privacy programs for our customers.
00:48:48
So we typically take those platforms, leverage those as the
00:48:52
baseline and the source of truth, do conduct risk
00:48:55
assessments and then, based upon the risk assessment that we've
00:48:57
conducted for our customers, we build a robust security program
00:49:01
and then we continue to manage it and that's our CISO as a
00:49:03
service offering, which is kind of it's now the biggest aspect
00:49:09
of the business.
00:49:10
But as part of that we offer pen tests every year.
00:49:12
We work our sort of offensive security program into their
00:49:16
program, into the security program for them, and it's been
00:49:20
great.
00:49:20
I mean there's a lot of companies out there that will
00:49:22
hire us to build the program for them and then they grow and we
00:49:26
actually typically don't lose customers, even when they get
00:49:30
big enough and they hire a CISO themselves, because they still
00:49:33
need to leverage us for some of the things that if you're a CISO
00:49:36
you're probably not wanting to do an access review over quarter
00:49:39
or you don't want to go and review your policies, things
00:49:43
like that.
00:49:44
So they'll still kind of leverage us when they get to a
00:49:46
larger point for some of the more administrative stuff.
00:49:47
But yeah, the CISO as a service is really kind of the
00:49:51
foundation and the rock of our business and that's it for me,
00:49:55
allows me to have because again we're bootstrapped reoccurring
00:49:58
revenue so I can forecast the growth of the business and I can
00:50:01
scale accordingly, which is part of the reason I needed that
00:50:03
sort of monthly retainer, because the pen test that was
00:50:06
just an up and down payment sort of thing, and so that's a big
00:50:11
piece of it.
00:50:11
And then we do other things too.
00:50:13
So if you're going to be we're not an audit firm, I don't want
00:50:16
to be an audit firm but if you want to get ISO 27, any ISO
00:50:21
compliant framework compliant, you have to do what's called an
00:50:23
internal audit, which is almost like a pre-audit, before you do
00:50:27
your audit with the certifying body to make sure that you're
00:50:29
ready to go into it.
00:50:30
And the person that does that or the company that does that
00:50:33
needs to be an independent third party.
00:50:35
So if you built the program, you can't also do the internal
00:50:38
audit because you're just auditing what you built yourself,
00:50:40
and so that's another aspect of the business that we have as
00:50:44
well.
00:50:44
So it's really kind of centered around providing all of the
00:50:48
services that you need to in terms of, like an offensive
00:50:51
security program, pen testing, scans, all of that stuff,
00:50:55
code reviews, everything there around administrative and
00:50:59
operational aspects of building the program, which is kind of
00:51:01
the CISO as a service area of it as well.
00:51:03
So we combine both of those to kind of create a robust security
00:51:07
program offering for our customer.
00:51:11
Speaker 1: Wow, that is.
00:51:12
That's really fascinating.
00:51:14
It sounds like from my opinion, right.
00:51:19
It sounds like you kind of approach the virtual CISO role
00:51:23
from a different angle, or at least from an angle that I had
00:51:27
never heard of or thought of before is kind of offloading
00:51:30
those tasks to some extent.
00:51:33
That kind of every security department as a whole kind of
00:51:37
doesn't want to do like the access reviews, right, I've
00:51:41
never talked to an IAM manager or an IT manager overall and
00:51:47
heard that they want to do access reviews and that they're
00:51:49
excited for it to identify all of the misusage of roles and
00:51:55
accounts and groups in their environment.
00:51:56
Right, it's a really interesting take on it that I
00:52:02
think a lot of companies would actually benefit from a great
00:52:06
deal, right?
00:52:06
Is that what you're seeing as well?
00:52:08
How did you even think of taking that spin on it?
00:52:13
Or maybe it's just a native virtual CISO functionality or
00:52:18
feature that I just didn't know about?
00:52:21
Speaker 2: So when I decided to kind of work with smaller
00:52:23
SaaS-based businesses.
00:52:24
So again, we were just doing pentests through about 2017,
00:52:27
mostly big businesses in New York and two folds.
00:52:31
One, I wanted to work with the future of technology, which I
00:52:33
thought was cloud, which I was right.
00:52:35
And I also again since I told you I didn't come from a lot of
00:52:40
money I was doing these pentests where I would get a paycheck
00:52:43
and then there would be nothing for two months, and then I'd get
00:52:45
a paycheck and nothing for two months, and I was like I need
00:52:48
some stability in my income to continue.
00:52:51
That's how I just have to live, because I'm not used to big
00:52:54
paychecks and then peaks and valleys.
00:52:55
And so by doing that, I would go to the smaller businesses and
00:53:00
I would offer them pentests, and typically startups didn't
00:53:03
always have a lot of capital to pay for a pentest in one payment,
00:53:06
so I bought them, spread that out over like a couple months.
00:53:09
During that time period that they were paying me, they would
00:53:11
come to me for tons of other services because there was no
00:53:14
one else that could help them with this sort of stuff, and so
00:53:17
that's.
00:53:17
I kind of started to take all of that data in about what the
00:53:20
services were that all these customers were asking us for.
00:53:22
And then I realized that, like that's the program that I need
00:53:25
to build as a CISO, as a service type of program that's based
00:53:29
for these sort of cloud-based companies.
00:53:30
And so again, when you're looking at their architecture or
00:53:33
something like that, yeah, you can do, we have people that do
00:53:36
some terraforming stuff like that here.
00:53:37
But overall, a lot of the work that you're doing is more
00:53:41
administrative, because all of the controls and things you're
00:53:43
built in or you're just putting in Snyk or you're putting in
00:53:47
some sort of like intrusion detection system or you're
00:53:49
monitoring that or managing that.
00:53:52
But it just became more like taking everything that everyone
00:53:56
wanted and then looking at the holes in the industry and then
00:53:59
building a program out over that.
00:54:00
So I didn't have this like early on I thought I would just
00:54:04
do pentests.
00:54:05
I didn't have this early on idea of like, okay, I'm going to
00:54:08
do CISO as a service and this is exactly what it looked like.
00:54:10
I really just looked at what the opportunities for in the
00:54:14
industry, I analyzed that and then I followed that and I built
00:54:17
programs out to make what we have today.
00:54:22
Speaker 1: Hmm, that's really fascinating.
00:54:24
It's always interesting for me to see how everything kind of
00:54:27
comes together and you know where different ideas come from.
00:54:32
Right, because it kind of also influences you know how I make
00:54:36
my own decisions and how I view different things.
00:54:39
Right, like I start to get into that mentality of, oh, maybe I
00:54:43
could dive into this a little bit more and offer it a
00:54:46
different way, and whatnot.
00:54:47
So it's always fascinating.
00:54:49
Well, Justin, you know our conversation has been fantastic.
00:54:53
You know I really enjoyed talking with you today.
00:54:56
Unfortunately, we're at the top of our time here, you know, but
00:55:01
before I let you go, how about you tell my audience you know
00:55:04
where they could find you, where they could find Rhymetec, if
00:55:07
they wanted to reach out and learn more?
00:55:09
Speaker 2: Hey, you can.
00:55:10
Just our website is www.rhymetec.com and that's
00:55:14
r-h-y-m-e-t-e-c.com.
00:55:17
Or feel free to just email me.
00:55:19
It's Justin, J-u-s-t-i-n, Rende, r-e-n-d-e, at rhymetec.com, and I'm
00:55:26
happy to answer any questions or help any of your listeners in
00:55:29
any way I can.
00:55:31
Speaker 1: Awesome.
00:55:32
Well, thanks everyone.
00:55:33
I hope you enjoyed this episode.