BizTech Next Level BizTech Podcast

Ep.133 Victory and Defeat- Real Cases of Security/Cloud Transformation Pt.3/3 with Jeremy Pierson

September 3, 2024

Subscribe to the Next Level BizTech podcast, so you don’t miss an episode!
Amazon Music | Apple Podcasts | Listen on Spotify | Watch on YouTube

Join today as as close out the track of Victory and Defeat in Security & Cloud Transformations with Jeremy Pierson, Director of Security at Compunet. Compunet is an engineering-led organization that has grown immensely from its early VAR roots originating in Idaho. With a 5:1 Engineer Sales rep relationship, they have a heavy engineer-led approach to customers. Listen in as we chat with Jeremy about Security, Risk, and a different approach they have that helps customers think differently and will be helpful for all, whether you’re just starting in security or are already in the industry. Don’t miss hearing from the expert today!

Welcome to the podcast designed to fuel your success in selling technology solutions. I’m your host, Josh Lupresto, SVP of Sales Engineering at Telarus and this is Next Level BizTech.

Everybody welcome back to another episode. Today we are wrapping up a track called victory and defeat with some real life cases of cloud and security transformation. On with us today, the wonderful Mr. Jeremy Pierson, Director of cybersecurity at CompuNet. Jeremy, welcome on my man.

Hey, thanks for having me, Josh.

Jeremy, let’s kick this thing off. Let’s get your personal background. How did you get here? Where did you start out? And then we’re gonna get into a little who CompuNet is, your role, all that good stuff.

Absolutely. Yeah, it’s a long road, but I’ll try and give you the cliff notes. I started out doing an IT internship in the early 90s, hooking up token ring devices for an attorney’s office. And just, you know, novel network, early windows, everything broken all the time, the early days, IT support that transitioned into being a network admin and had some opportunities in cybersecurity about 20 years ago, and was fascinated by it. Very dynamic environment, constantly learning, things are constantly breaking, and we’re constantly getting better. So that’s that’s been the journey been cyber focused for about 20 years and been with CompuNet for about the last 10.

Okay, so I love that. Tell us tell us a little about who CompuNet is you guys are a beast out there in the market. You’ve got a ton of things that you do. How do you go to market? Who is CompuNet? And how do you kind of distill that down about how you guys are different?

Yeah, great question. So we started in the varspace in the late 90s, building wide area networks for rural infrastructure out in Idaho. And growing through partnership in Idaho, and just building up naturally doing a lot of network design network architecture that expanded into network security. I joined in about 2014. And we were super focused on network security at that point in time with a really big infrastructure focused customer base. And what we’ve been doing since I joined the team has really been taking a broader business focused cybersecurity approach just looking at how risk affects all aspects of the infrastructure. And we we changed our go to market strategy quite a bit by rolling out CIS gap analysis about 10 years ago, and really trying to talk about sort of maturity within a customer environment and where their roadmap was going in addition to what technologies they had and what technologies they were interested in. So it started to shift the conversation. And we’re really seeing that track catch fire the last five years, where as we focused more on risk and business initiatives of our customers, it’s enabled us to have much broader conversations about where they’re trying to go and what their technology needs are.

And I mean, do you feel like I love I love the shift to risk. And I remember going through all the CIS SP stuff, and it was my numbing and and melt your brain. But my one of the things that stood out to me, as a nerd, I’m looking for these, you know, technical things. And when I hear the section or the domain on quantitative risk assessments, it really changes the way that people understand, hey, this is not just another cost line item. This is this is really something important that I need to look at. So how did how did the customers perceive that as you move this conversation to risk? Were they asking for it? Or did you guys just go, No, this, we need to educate people how this should look?

Yeah, that’s a great question. You know, the rise of ransomware about four or five years ago, really making national headlines and being disruptive for a lot of our customers, that was just a tipping point. Because it was no longer, you know, a fine that was looming out there, a regulatory agency that says you need to do XYZ. It was hey, these these organizations have stopped operating, because they were a little fast and loose with their security controls. And it was extremely disruptive. And in some cases was the end of the organization. And so it was very easy to speak to that message. We’d been talking that talk track for a long time. But the audience was much more receptive once it became so disruptive across our industry.

Yeah, I love that. I remember so many of these early security conversations, we’re sitting here trying to, you know, we know the bad guys, we know what that world looks like, we’re trying to help them do the right thing. And people go, well, you know, I haven’t had a breach yet. Or my favorite was, I’m not a target, right? And you go down this track of, jeez, I’m not. Are you on the internet? Do you have an IP address? Do you have customers? Well, then you are right. And it’s framed it up a lot different. And now yeah, to your point, some of these breaches, everybody’s realizing, okay, clearly, doesn’t matter who you are, right? If you have assets, you have crown jewels, people want them. Let’s have the risk conversation.

Yeah, I mean, very few organizations can just shut down without some sort of, you know, financial penalty or operations difficulties. And that’s been how disruptive ransomware has been across all these different environments. And unfortunately, we’ve seen customers in all different industries get hit pretty hard. And CompuNet being heavily involved in building and designing infrastructure, we got really involved with the recovery process, backup and disaster recovery programs. And it really changed a lot of the conversations for anybody that had reticence around addressing it proactively.

So all right, if you look, let’s go. I love to talk about kind of lessons learned, right? We’ve, we’ve all been surrounded by good mentors, we’ve made a lot of mistakes, we learn, we just get better as we go, hopefully.

What’s one for you, right? You do that a hard lesson, you’ve learned a good mentor, just look back, what’s helped you?

Yeah, a number of them within our organizations, but a few that stand out is really working hard to build relationships and connect with our customers. Because we’ve been around for long enough where we’ve seen our technology project come and go, you know, we’ve installed big voice deployments, and then come back seven years later and taken them out. And so hanging your hat on the technical partnership or the technology itself, it’s great to be an evangelist, but know those things change over time. And hopefully strong relationships will persevere through all those things. And so I’ve had a mentor in, in Reiner Engel at our company who really was like, you know, focus on these key relationships, because these people will be there. And that’s going to be kind of your waypoint as the technology shifts. And that, that was a little bit of a step back from me being a technologist throughout my career is to go, yeah, you know, you’re right, the, the touchpoints I have within our customer organizations, they provide a lot of valuable insights, and they’re not married to their technology, it’s just solving a problem today. The problems we all have tomorrow, they’re going to surprise us.

Yeah, it’s a good, good shout out for Reiner. We love Reiner.

Reiner is fantastic.

I don’t know how you can’t something’s on you if you don’t like Reiner.

You know, it’s a good, it’s a good point. I mean, I you just think I grew up in a different space, right? And I turned a wrench and it was about fixing this or fixing that. And so I you don’t, I didn’t understand this dynamic of no, this is this is people buy from people. These are relationships. You guys are probably seen it a million times. This customer goes from point A to point B to point C. And if you help them in point A, guess what, you’re going to help them in all these different places. And you know, big, big kudos on that. It’s really is that relationship that matters. And who’d have thought that’s what that’s really what defines everything is these relationships.

Yeah, it really changed focus for me. Our owner, Nolan Shue, has long had the mantra, you know, do the right thing for the customer. And in recent years, he’s amended that a little bit. And he’s like, you know, as we’re growing, we’re getting to be a bigger organization, he’s like, do the right thing for your people. And they’ll do the right thing for the customer. And it was a nice little amendment. It was, it was an easy thing to to abide by.

I like that.

All right, let’s let’s jump into let’s talk about some transformations here. So obviously, you guys are a powerhouse, you’ve got some cloud services in house, you leverage channel vendors, and you put this amazing solution, ultimately, in front of the customer, and you’re able to solve some of these problems. So maybe just walk me through an example, some some something the customer was defeated on and really just what did the stack or the business problem, you know, look like before? And then what was it after?

Yeah, you know, we’ve got our wins and losses, just like anybody, we’ve walked customers through transformations where, you know, we started out going through a CIS assessment as an example, and they had very few controls in place, you know, they didn’t have an understanding of their inventory from a hardware software perspective, they didn’t have any password hygiene, they didn’t have good endpoint hygiene, it just it was a kind of wild, wild west, their entire modus operandi was about connectivity. But what the organization was struggling with was communicating those challenges to executive leaders and communicating what really was at stake if they didn’t address those things. And as I talked through this, and you’re saying, well, yeah, there’s a lot of small businesses that don’t invest in cybersecurity. This particular business was a very large financial company. And they had just been focused on, you know, customer service in their industry and connectivity and growth. None of those things really align with stepping back and saying, how do we make sure the architecture is built for this? How do we make sure we have visibility to respond appropriately, and that we’re managing alerts and anomalies. And so that initial conversation was an assessment that we did. And it was it was the reddest red assessment I’d ever handed to anybody. And I thought I was going to get chased out of the building with a stapler, having him being thrown at me. And they were extraordinarily receptive. It was the message that they wanted from an outside third party to say, Yeah, we’re in rough shape. Let’s work on a roadmap together to go implement these things over time. And that’s what we did. And it took several years. But those controls were put in place. And fortunately, there was never a large scale incident, as they were ramping their maturity up to an appropriate level.

I love it. I love to hear that, that there wasn’t an incident. Right. So many of those people don’t see the light until there was an incident or is an incident.

So I have those stories too. Oh, yeah, yeah, yeah. There’s there’s no bigger budget than right after an incident. And that’s, that’s a sad state of affairs. But it, you know, nobody wants to be an ambulance chaser, but an incident will inspire change.

Yeah.

And change is expensive. And so that’s that’s something we’re acutely aware of.

Yeah, it’s good. Fair. I was gonna say ambulance chaser, too.

Nobody wants to be the Lionel Hutz, you know, sprinting down the street after the ambulance. That’s, that’s not a good look.

No, not at all. All right, so I’m gonna I’m kind of going down this. I’ve asked the last couple guests during this track this little bit of a military theme. But there’s a you know, there’s a great guy out there. He’s a he’s a monster guy that I would not want to run into in an alley. Jaco Willink. So he’s a former Navy SEAL. And he has this principle of extreme ownership, whatever it is, moan it, figure it out. And he talks about a couple of these points. He’s got teamwork, he’s got clarity, he’s got prioritization, and he’s got delegation. Those are what he kind of uses in, you know, leadership and combat. So how do you take that, you know, off the battlefield on the on to ours? And how do you help customers in the end make some of these business decisions on a technology side?

Yeah, you know, teamwork is epically important. And that works thrown around a lot. The way we operationalize that is by building communities within our engineering groups. And one thing that’s a little unique about CompuNet, we have a huge engineering workforce, we have about 170 engineers around the organization. And that’s about five for every account executive. So it’s a unique ratio from a lot of our competitors, we invest very heavily in engineering, our owner and CEO started as an engineer, that was kind of his background. And many of us in leadership positions have engineering backgrounds as well. So it’s really important to us that our technical players have loud voices, but also that they work closely together, because specialization doesn’t scale, you really need that that teamwork and that communication in order to have deep expertise, but also to have it diversified so you can bring a multitude of solutions to your customers. So we invest a lot in engineering summits and regular cadences in incentivizing these folks to go work on things and build things together. Because that’s where we get the best results every time.

I love it. Yeah, I love the innovation. I was listening to a podcast yesterday, they talked about just kind of what the early days of AWS were. And it was, you know, they, they inherently insisted in Bezos inherently insisted just on multiple tracks of innovation, you know, green light these projects, just let these guys internally go build and solve things, solve things that, you know, it was the impetus for what AWS became. And you had multiple people trying to build towards the same thing that ultimately, you know, Andy Jassy ran for a number of years. But it was just about, you know, just go build it, go try it, go figure it out. And any of these great things have been designed by necessity or just designed by, Oh, you know, we kind of stumbled this, I bet you somebody would buy that I bet you we could help somebody with that. So love to love to hear the innovation, right. And that, that I think everybody should draw attention to. That’s a big number of engineers, right? That that shows to what you guys have built over the years. And that it’s just that’s a different kind of customer experience than, you know, one sale, one sale or five sales execs to one engineer. It’s just, that’s cool. You want to bring in the data center architect that’s really good at you know, this storage. I mean, there’s, there’s so much incredible depth there. It’s got to be so nice to go. Yeah, cool. Let’s just bring him in or bring her or whoever it is, bring him in.

Having that scale is definitely something that we use to differentiate ourselves. But you know, operationally, it can be a challenge. It’s it’s a lot of headcount. And we’re highly attuned to the culture where really I was trying to build and maintain and a flexible culture where people are happy to work here, happy to be a part of the larger team, and they feel like they’ve got a voice in what we’re delivering. So it’s it’s super important to us.

So let’s shift now. We talked to cloud deal earlier, let’s talk about security. So walk us in again, similar question. But you know,

what was the tech stack? What was the business problem? Anything different or different kind of opportunity where the customer might have thought they needed this and it ended up with something completely different?

Yeah, yeah, we’ve, we certainly have a number of those.

You know, I would say just about every MDR opportunity we have goes that direction. And to be clear, we love all of our EDR and MDR partners. They’re they’re all a huge part of our ecosystem. We’ve had a lot of mutual success in that space. But what we found recently is the matchmaking portion of it and really defining the business problems and setting the expectations of what that service is going to look like day to day is an often overlooked step. And the customer satisfaction around that is so much higher when we go through an evaluation process and say, what does monitoring and response look like for you today? And what are you hoping to get out of this? Which pieces are you going to own? And which pieces do you want a third party to own? And let’s make sure that we align your expectations with somebody who can deliver that. Because there’s so many gradients of MDR out there in the marketplace. And they all have value, but customers have different expectations.

Are you are you finding, I guess, as you go down that and you go through this process, is there a huge misconception on what the customer thinks? Who’s going to do the R? I mean, what do you find, I guess, most common in that?

Absolutely. There’s there’s a number of opportunities for miscommunication. And a parallel would be, you know, we first started getting into cloud, the shared responsibility model was something we had to work hard to communicate with the customers. Here are the pieces that you own. And here are the pieces that your cloud provider owns, you know, they’re going to provide power and they’re going to provide HVAC. But if you’re not managing your passwords and your operating system health, you’re going to have a bad time. And we have that same parallel in the MDR world. You know, if you’re not making sure that sensors are deployed, everywhere, they need to be deployed. And you’re not responding to alerts, or both agencies collectively are missing alerts, you’re still going to have a bad time, you’re just paying for the luxury of that.

Fair, it’s good.

All right, let’s let’s shift gears here a little bit. Let’s let’s start moving towards the future. Let’s talk about large language models, because there’s not a day that goes by. I think it’s been about an hour since I’ve talked about this. But you think about with with where everybody is being told, hey, we got to look at this, we got to get it is gonna make our business better, right, right, wrong or indifferent. So people are setting out to integrate with build their own llama, copilot, whatever it is, right. So if you think about from a security perspective, is it you know, you’re at the helm of security, is it data classification? And that stuff going awry? What’s, what’s your perspective on the right way to tackle security? If people want to go down this road of large language model?

Yeah, let me type that into chat GPT real quick.

We have this conversation often, and it’s a recurring topic at our CSO summits, we host a number of CSO summits for our customers throughout the years just to check in and say, you know, what’s operationally, what’s top of mind, we know what our manufacturers and our service partners are telling us, but in your environment, what’s going on with you. In our customer base, every time we bring up LLMs,

data classification and data loss is top of mind. How do I make sure that if my organization is adopting this, or if we’re trying it, or if it’s going into anybody’s workflow, we’re doing it in a responsible way where we’re not giving away company secrets or disclosing too much about internal contact information processes, etc. So that goes into a larger data management conversation. And we’ve seen a big acceleration around data management conversations in the last two years, starts with data classification, but then ultimately, you know, we look at do we need to have policies around enforcement? And who are we notifying? If there’s leakage? What’s the recovery plan with all these things?

That’s been a very interesting conversation in in the LLMs have just been the gas pedal on all of that. My counterparts in the collaboration space have seen a little bit more success with customer service chatbots and inner experiences like that, where the LM is really, really taken off and being operationalized immediately. In the cybersecurity world, we’re seeing a lot of manufacturers adopt AI technology as part of an existing product stack, use that for justification for price changes.

I haven’t seen a ton of game changers yet. But there are some interesting things happening there.

Yeah, where, where do you feel, you mentioned, right, the development and the marketing of LLMs and everybody thinks they have to do this, or being told they have to do this accelerates it. If you go back to that data classification, which you mentioned, you know, forced everybody to kind of look at this,

what grade would you give the broader world of customers out there of doing data classification right now before they have to now going into LLMs percentage wise or grade, however you want to frame that up?

Optimistically C minus,

you know, the tools are getting better to interact with.

Many of our customers have complex diverse footprints, it’s difficult to assess it from the outside in, it’s a big project, and it’s a big expense.

If you don’t have a tight handle on BYOD, shadow IT, and your data footprint today, all of these things get much, much exponentially harder, because those are all foundational steps. And we saw this with cybersecurity adoption years ago, you know, if you can’t account for the number of sites you have, the number of devices you have, well, how the heck can you secure them or respond to an incident? There’s some fundamental layers here we still have to achieve. So for organizations that are doing great at understanding what their device footprint looks like and understanding what applications their users are using, if they’re already at that maturity level, I think there’s more tooling than ever to understand what their data footprint looks like and start adopting classification policies. They’re in a good position, the tooling has never been better. For organizations that are still behind, I think they’re getting further behind.

Ooh, I like it. I like it. Spicy take. So much opportunity here. And it’s it’s forcing everybody to, to kind of do what we’ve saying been saying before is just do the right thing. You know, this should be something that, and for whatever reason, as they go around the wheel of resiliency, it’s just been like, yeah, we’ll get to that, right? But now they have to. So I love it. I love a good solid C minus. That’s a, I think that’s fair. I think that’s an optimistic C minus. There’s plenty of opportunity there.

I think it’s generous, to be honest with you. I mean, it’s just, it’s not an easy thing to light switch and turn on. It’s a big investment. So our largest customers are taking it very seriously. But there’s a lot of opportunity for improvement, from what we have seen.

Agree. Agree. All right, so as we get to the final couple thoughts here, so advice for partners. So if I’m a partner, maybe I’m in cloud, I haven’t jumped into security, or maybe I’m in CX, and I haven’t, you know, I haven’t gone down this track as much. What’s the advice for them? Is they’re going to approach their customers, their prospects and kind of staying in tune with some of the topics we’ve been talking about?

Yeah, defining the business problem is always a strategy that’ll pay dividends. I mean, if we can clearly define the business problem the customer is trying to solve, and not go in with the technology or a solution in mind, it’s it’s so much easier to succeed, especially with the wide breadth of partnerships and suppliers that are out there. And just driving conversations on what is the business problem? What’s a reasonable outcome to that? And then how do we go into a user acceptance perspective before we steer into a technology? How do we say, can we pilot this? Can we test this? Can we go around any user adoption? Because what I found, and I’ll go back to the MDR example, there are just a lot of caveats. And it’s time consuming to go through that discovery phase as to, you know, where the gaps are in these solutions. Anytime you bring in a service provider, you’re going to find the gaps quickly. And best to identify them quickly, define success criteria in what you’re outlining as the business problem. And then everybody walks away happy. Again, goes back to good service back to you spending your inches. It’s all about service.

Yeah, yeah, yeah. If I had $1 for every 10 millimeter socket I lost back in the day, that is out there somewhere stuck in somebody’s engine.

Yeah.

But good service was the the snap on guy going, you know what lifetime replacement, I’ll replace it for you. And guess what I wanted to buy every single time?

More than next time I had time to spend money or or money to spend. It was going to that guy. So that snap on truck always got me man.

All right, so as we talk about the future transformation, the next couple years, let’s look into the Jeremy crystal ball here. Take this anywhere you want. But I mean, what kind of innovations are you most looking forward to? And and how do we all play a role in that?

Yeah, a lot of our manufacturer and vendor partners have talked about platformization for quite a while. And I’m looking forward to seeing that be a very tangible consumable thing in the marketplace where where that story continues to make sense. There’s a lot of cybersecurity tools out there that generate data as an outcome. And I’m looking forward to automation and platformization bringing it to a point where we actually see the benefits of bringing all those sensors together. And we have easy to consume services that really bring operational efficiency. I think right now there’s a lot of hardworking service providers that are filling a lot of gaps on behalf of these platforms, but it’s it’s rapidly evolving. And there’s a lot of capabilities coming around to speed up response times to alert the right people and to help customers be prepared for events and kind of minimize the collateral damage. So short answer, I’m looking forward to the maturity in that space. I mean, I think we’re going to see cat and mouse and offense and defense for a long time. But the short of the response time is the least disruptive the cyber incidents become.

Back to resiliency. I love it.

Yeah, great. Absolutely.

Great point. We know we’re gonna have a breach. Hopefully, it gets less and less duration, you know, as we go, we can’t be perfect. But maybe we can sure try a lot harder.

Yeah, hopefully, it’s a lost device, a person locked out on the count. Hopefully, it’s just, you know, a really small blast radius.

Yeah, I love it. Well, that’s it, my friend. Jeremy, I appreciate you coming on, man. Lots of good stuff. Thanks for sharing all the expertise.

Yeah, absolute pleasure, Josh. Thanks for having me.

Okay, everybody, that wraps us up for today. We’ve got Mr. Jeremy Pierson from CompuNet, director of cyber security. I’m your host, Josh Lupresto, SVP of Sales Engineering here at Telarus. As always, the like go subscribe so you get these every Wednesday, Apple Music, Spotify.

Telarus.com