Transforming Risk Analysis through Machine Learning with Russell

Released Monday, 5th February 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:53

How's it going , Russell ? It's great to

0:55

finally get you on the podcast . I feel like

0:57

we've been planning this thing for I

1:00

mean what seems like at least six , seven

1:02

months now at this point .

1:04

Yeah , thanks , Joe , glad to be here , glad

1:06

we could make it happen and

1:08

, yeah , excited to have

1:10

a conversation .

1:12

Yeah , absolutely . Well

1:14

, Russell , why don't we start with

1:16

what interested you in

1:18

IT or security that brought

1:20

you down this path ? Right

1:23

, I start everyone off there

1:26

, not only to hear your story

1:28

, but there's also a lot of people

1:30

that are listening to this podcast that maybe

1:33

want to get into IT or maybe

1:35

want to get into security and maybe they're doing a

1:37

career change or they don't

1:39

really know how to do that right , and

1:41

I feel like it's always helpful for

1:43

people to hear someone else's story and maybe

1:45

they can relate to your story and

1:48

hear like , hey , if this guy did it , maybe

1:50

it's possible for me , and

1:52

that's that little spark that some people need

1:54

. So what's your background

1:56

with that ?

1:58

Well , I'd be flattered to hear if I'm

2:00

inspiring anyone in that way

2:03

. But regardless , I

2:06

always feel like I draw from a

2:09

personal curiosity and

2:11

interest and I think that anybody

2:13

should follow that to

2:15

whatever degree and if it's IT or

2:18

technology in general , definitely

2:21

foster that in

2:23

any way you can . So I was

2:25

introduced to computers

2:27

at a young age through

2:30

my father who had a job in

2:32

telecommunications and

2:34

I think he was personally

2:36

interested in the personal

2:39

computer and the evolution of a

2:41

processor and memory and applications

2:44

. He was not into

2:47

software , he wasn't writing software , but

2:50

kind of a tinkerer , craftsman

2:52

at heart and

2:55

hobbyist , which I think I

2:57

inherited largely . And

3:03

I think my first foray

3:05

into IT was networking between

3:08

systems on a local area

3:10

network for

3:12

the purposes of multiplayer gaming

3:15

. So

3:17

I recall trying to connect

3:20

to computers to play games

3:24

like Doom

3:27

or

3:29

Doom 2 . And

3:32

I remember this moment where I

3:34

played this game and

3:36

you could see another

3:38

character in the game . So

3:42

normally you're playing this first person

3:44

, all you see is your character's

3:46

kind of like field of view

3:48

and the other characters are

3:51

all procedural

3:54

or not procedural . At the time you

3:57

know part of the game's software but

3:59

not other people playing , right

4:02

. And that moment of

4:04

multiplayer games with a friend in the

4:06

same room but on a different computer

4:08

kind of just really ignited

4:11

the

4:13

passion for technology

4:15

for me overall , and so that evolved

4:18

to learning more

4:20

about networking , learning more about

4:23

software and computers in general and

4:28

fast forward , let's say

4:32

, five-ish years

4:34

. I was trying to write web

4:36

pages for people to make money

4:39

and I had an early entrepreneurial

4:41

spirit , I'll say so . I was mowing

4:44

lawns and washing cars , but

4:46

also writing HTML

4:49

and JavaScript

4:51

and stuff for folks to

4:53

make money . And

4:58

fast forward another few years , I'm

5:00

working for a large , let's

5:04

say like Fortune 500 company

5:06

as an IT

5:08

support person or application

5:11

support person . So I had managed to find

5:13

a career or job , full-time job

5:15

doing that , focusing on networking

5:17

and application support . And

5:20

my

5:23

first introduction to security

5:26

as a profession was

5:28

after that in a

5:31

deep network or deep packet inspection

5:33

and intrusion detection and

5:36

in a security operation center . So

5:40

I

5:42

think , to go back to your question again

5:45

, I would suggest that

5:47

you just follow your own interests and curiosity .

5:50

Like , why are you curious or interested

5:52

in IT , right ? Is there a particular technology

5:55

? And follow that thread

5:57

as far as you can , because if you're happy and

5:59

you're interested in and

6:03

you're doing what you like . You can probably

6:05

find a way to make money doing it right .

6:08

Yeah , it's a good point and it

6:10

sounds like your background

6:12

is actually pretty similar to my own

6:15

. One of the earliest memories I have

6:18

with my dad is actually sitting on his lap

6:20

and I'm just typing on the keyboard

6:22

not typing , I'm just pushing buttons

6:24

, but it was a lot of fun for

6:26

me to do that and I

6:29

see something come up on the screen

6:31

and it's like , oh

6:36

, I'm doing something and same thing

6:38

. He had a career in telecom and computers

6:41

was more of a hobby that he was trying

6:44

to learn and figure out and whatnot . And it's

6:48

really interesting . And thinking

6:50

back as well

6:53

, I always had a bit of an entrepreneurial

6:56

spirit , right . I was kind

6:58

of always trying to look for

7:00

creative ways of making

7:03

money and taking

7:05

myself to that

7:07

next level . And when I got to college I

7:11

actually didn't even study computers

7:13

. I thought IT was extremely

7:16

boring . I thought to

7:18

myself like if I'm stuck

7:20

at a desk every single

7:22

day for my whole career , that sounds

7:24

like a miserable career

7:27

. It sounds like a miserable existence

7:29

. I hope that never happens . And here

7:32

I am in security and I love it . It's

7:35

like how

7:38

the tables have turned on me . But

7:40

right before you got that first job , did you

7:42

go to college ? Did you study computers

7:44

at all ?

7:45

Yeah . So I went to school

7:47

for business initially to

7:50

follow that kind of more general entrepreneurial

7:53

avenue and

7:55

I planned on using kind of my experience

7:58

kind of as a freelance IT

8:01

web developer

8:03

, software developer , to kind of sustain

8:05

that but not necessarily take it into

8:07

a career . And

8:10

I dropped out of school

8:12

when

8:15

I realized that I could probably do that full time

8:18

and

8:20

I first focused on Linux administration

8:22

, actually primarily on Red

8:25

Hat and an RHCSA

8:28

certification , but I was writing

8:30

software in Python and

8:34

basically at some

8:36

point I just

8:38

did some mental math

8:40

on how much money I could make this

8:43

year versus spend on college

8:45

and I haven't gone to school

8:47

since . I often think about

8:50

what I would study if I went back to school

8:52

and I don't think it would be

8:56

a computer science degree to

8:59

this day . I think it might be nursing

9:02

or something , just something that would be really interesting

9:04

to learn . I think

9:07

that there's one

9:10

of the interesting things about the security industry

9:12

is the kind of the

9:16

heterogeneous

9:19

nature of folks' background that

9:21

are in it . So you have folks who

9:23

are computer science

9:26

but

9:29

a lot of folks come in from different angles

9:31

to make security or

9:33

the industry their career . Now there's obviously

9:35

lots of different focus areas , and

9:40

I think that one of the challenges

9:43

with security is actually developing a sane

9:45

curriculum . It

9:47

would have been time for it to be relevant

9:50

. So this is largely

9:53

a problem with academia

9:55

in general , but I think it's just much

9:57

more difficult with

10:00

technology to develop a curriculum

10:02

that makes sense for someone going

10:04

out into the workforce , and so

10:06

that hands-on experience

10:09

is just so much more relevant

10:12

but also valuable to folks

10:15

. And now I'm largely part

10:18

of my role today is hiring . So

10:20

I'm looking at I'm

10:23

looking at it through a different lens , trying

10:25

to find the best people to help solve certain

10:30

problems , and I

10:32

do look at academic

10:34

history in some degree , but but

10:38

it's certainly not something

10:40

that can be looked at in a vacuum . I think

10:42

your personal experience

10:45

, motivation , intelligence

10:48

and other things apart from just a

10:51

degree , is really what

10:53

we're looking for , and

10:56

I

10:58

would just say that hands-on

11:02

experience and a passion for the problem

11:05

is just so much more valuable than

11:07

some certificate

11:11

or degree

11:14

, though

11:16

I do certainly appreciate the first principles

11:18

and

11:22

the pursuit of academic

11:24

excellence . We're obviously standing

11:26

on a lot of shoulders that

11:29

came from that .

11:31

Yeah , it's a balance . I

11:36

take it from the approach of

11:38

let's

11:40

check as many boxes as

11:42

I possibly can to get

11:44

through HR , because

11:47

this is the thing

11:49

right . The hiring manager

11:52

yeah , they weigh the

11:54

degree and certifications and experience

11:57

properly . Where experience matters

11:59

a whole lot , the certifications solidify

12:03

that or say , yeah , he does

12:05

probably have this experience , and

12:07

the same thing with the degree

12:09

to some extent , depending on where you go

12:12

and the program and all that sort of stuff

12:14

. But it's about getting

12:16

through that HR screening

12:19

. That probably doesn't exist

12:21

at smaller companies , but

12:24

for the majority of companies you still have to

12:26

get through that checkbox . So

12:29

I always recommend that people take a

12:31

broad approach to this . It's not one

12:35

for sure method of getting

12:37

yourself in the door . It's

12:39

really more about you being passionate

12:41

and you diving in and

12:44

you becoming more

12:46

well rounded on

12:48

paper at least , at least on paper

12:50

and , of course

12:52

, having those technical skills to back

12:54

it up to really be successful and get

12:57

in the door and get that job .

12:59

Yeah , yeah

13:02

, I feel like I kind of breeze

13:04

past where

13:06

I might normally kind

13:08

of say what I'm up to now and

13:10

kind of qualify my opinion . So

13:15

first of all , like

13:18

I founded a company a few

13:20

years ago we're

13:22

called VISO Trust . We're in the security

13:24

industry , we focus on

13:27

third party risk management and we're

13:30

essentially bringing artificial

13:34

intelligence and natural language processing

13:36

into

13:39

a product or platform

13:41

that aims to help businesses

13:43

understand the risk of doing business with

13:45

one another , and

13:48

we primarily look at the

13:50

language within artifacts

13:52

or documents , websites to

13:56

derive information about the

13:59

strength of a business's security program

14:01

and whether or not it's been attested in

14:03

high assurance or third party

14:05

audits other places that might be

14:08

relevant and get people out of

14:10

the business of reading questionnaires and

14:12

SOC 2 reports . And

14:17

founding that company , I think is kind

14:19

of right along the same trajectory

14:22

of entrepreneurial spirit

14:24

. And also

14:26

, if you start a company

14:29

, you don't necessarily

14:31

have to go through HR , so

14:34

it might be one of the only

14:36

options in some cases for

14:38

me , but

14:40

I found

14:42

it to be very rewarding . Now

14:45

we have a bunch of customers , we have

14:47

an amazing team and

14:50

, in the age of large

14:52

language models and generative AI , I

14:55

feel like we're very

14:57

fortunate . There's

15:00

definitely a degree of luck here being

15:02

in the position that we are now

15:04

trying to solve this problem with the technology

15:07

. That really makes a lot of sense doing

15:09

it .

15:11

When did you start the company ?

15:15

So Paul and I , as co-founders

15:17

, technically created a business

15:19

entity and filed for patents for

15:22

the network and the system

15:25

of interacting with businesses

15:28

deriving risk

15:30

exchanging data in 2016

15:34

. And

15:37

we left our full-time jobs in

15:40

2020

15:42

to dedicate full-time to the product and

15:44

the company . So

15:47

, depending on how you look at it , we

15:49

founded the company in 2016

15:54

, but went to work

15:56

, so to speak , at the company

15:59

in 2020 .

16:01

Yeah , I asked that because

16:03

LLMs

16:06

and AI it's

16:08

everywhere now and

16:10

so it's really easy for people

16:13

to kind of hop on that bandwagon . But

16:16

you forming it in 2016 shows

16:18

that you had that innovative

16:20

idea long before people

16:22

were really thinking about AI

16:25

or LLMs and how it will impact

16:27

their lives or anything like that , and

16:31

I think you're approaching this from

16:33

kind of a common

16:35

sense approach , almost

16:37

right . Maybe

16:39

the worst part of my job

16:42

is dealing with compliance standards

16:44

and trying to

16:46

identify risk of third

16:48

parties and stuff like that . It's

16:50

just terrible . I don't want to do that , but

16:52

it's a part of it . I have to

16:54

do it , I have to deal with it , and

16:57

it sounds like you're approaching

17:00

that from a

17:03

new area , a new way

17:06

, with involving this cutting-edge

17:08

technology that's able to

17:10

assist us in actually getting through it in

17:12

a much more efficient way .

17:14

Yeah . So the

17:17

idea evolved from

17:19

personal experience and

17:21

you know colonize

17:24

kind of mandate at a company we

17:26

were working at to essentially get

17:28

a grip on third-party risk and

17:31

, being technical

17:34

, we were

17:36

addressing kind of like a largely people

17:38

and process problem at the time . It

17:40

still remains that way in a lot of organizations

17:43

. But you have your questionnaire and you

17:46

have a

17:49

process of sending that to your third parties

17:51

and then waiting for them to answer it and then making

17:53

sense of that answer or

17:55

collection of answers . But also , like

17:58

you mentioned , the compliance problem

18:00

of you know at the time there

18:03

were less but still many , many different

18:05

compliance frameworks that people might adhere

18:07

to in some way or have a certificate

18:10

or some artifact to prove

18:13

that they did adhere to

18:15

it . So the job was sending

18:18

emails , reading questionnaires

18:20

, reading compliance reports right

18:23

, and workflow around

18:25

sending emails

18:28

is a problem that can be solved

18:30

with kind of existing web

18:33

application technology very easily . But

18:36

reading documents and understanding language

18:38

, referencing material

18:40

from some corpus of you

18:44

know known industry frameworks

18:46

, mapping that to an assurance

18:48

level and having it , you

18:51

know , culminate into a risk

18:53

assessment , you know that

18:56

seemed to be rather novel , but in particular the

18:58

affluence of natural

19:01

language processing was clear at

19:03

that time and I feel like

19:05

the technology has kind of evolved

19:07

, obviously , since

19:09

all you need is attention

19:12

or the papers that support it , and then

19:14

you know , inform

19:16

things like generative , pre-trained

19:19

transformative models

19:21

. But at

19:23

the time I was dealing with

19:25

anomaly detection and machine learning

19:28

models in the Security Operations Center since . So

19:30

, like you know , tell me , you

19:32

have all you have this gigantic amount of data

19:35

, network traffic data . Tell

19:38

me if something is different that

19:40

might be interesting for me to look at . Not just

19:42

that matches some heuristic rule

19:44

, right , and

19:47

the promise

19:49

of machine learning back then was still largely

19:53

that unrealized

19:58

in a business application . For

20:01

that reason , a lot of people looked at it like snake

20:03

oil . In 2020

20:07

, even when we founded the company , a lot

20:09

of people were skeptical about machine

20:12

learning and artificial intelligence ability

20:14

to predict or help with this

20:16

process . I think , fast forward

20:18

to today . It's amazing . People are like well

20:22

, of course , of course , you use

20:24

machine learning to query

20:26

and return insights

20:28

from unstructured language . It's

20:34

like a business imperative

20:36

to adopt this technology in those use cases

20:39

. I think we're well positioned to take

20:41

advantage of the core technology that we have

20:43

already . On top of that , but

20:49

yeah , it's

20:51

been our philosophy since day

20:53

one that it is , at its core

20:55

, a natural language process problem

20:58

. Making sense

21:00

of language very

21:02

quickly is

21:04

the primary task

21:06

as a third-party risk professional . Looking

21:09

at a compliance report , what is

21:11

the standard ? Tell

21:14

me whether this document

21:16

is better than another or it

21:18

substantiates the existence of a mature

21:20

security program differently

21:22

than another . Machine

21:27

learning and large language

21:30

models now are very well suited to

21:32

help with that .

21:35

Yeah , it's a fascinating area .

21:37

I was actually thinking

21:39

about this just the other day of

21:42

how complex

21:45

English is as a language

21:47

and then how

21:49

much more complex Mandarin

21:52

is and Russian and all

21:54

those languages . I think

21:56

about that because I remember when I was going

21:59

through school , I

22:02

took Spanish a couple of years in high school

22:04

and then I also took a few semesters

22:06

of it in college . By the

22:08

time I got to college doing Spanish , I absolutely

22:10

hated Spanish . I

22:13

just the

22:15

sentence structure just didn't make much

22:17

sense to me . I think

22:19

I was a bit burnt out on it , to be

22:21

honest . So I switched it up

22:23

and I went with German , not because I thought

22:26

that it would be easier in any

22:28

way or anything like that . I just

22:30

needed something different . And

22:33

German made a whole lot more sense

22:35

to me because you

22:38

have the exact same sentence

22:41

structure in German as you do in

22:43

English , because English is a Germanic

22:45

language , right , and

22:48

so that whole part of it

22:50

made a lot of sense to me , and

22:52

the fact that you could have an entire

22:55

sentence in a block of like 26

22:57

characters . That looks like one word , and

22:59

then learning how to be like oh no

23:01

, there's like five words in that thing . You

23:04

know it's just pronounced this

23:06

way , right . Learning

23:08

that was a lot more fun and easier

23:11

for me . But you

23:13

know , looking back and looking at the different

23:15

languages , they're all unique

23:17

, they're all very different and complex

23:19

in their own ways , and so it'll

23:22

be . I think it'll be really interesting

23:24

to see you know where a

23:26

solution like this will go , really anything

23:29

that has to look at language and make an assessment

23:31

where it'll go . Once

23:34

you start venturing out into other languages

23:37

, you know like what's that learning curve ? Like what

23:39

is , what's the different sources

23:42

that it has to pull from to actually

23:44

learn what it needs to learn . Have

23:47

you explored that at all , or are you

23:49

still trying to kind of master the

23:51

English side of it ?

23:53

Well , I think , you know

23:55

, similar to kind of other other

23:59

problems

24:02

, it's helpful to kind of abstract

24:04

and maybe identify a

24:07

reasonable like

24:09

single language , so to

24:11

speak . So , in a lot of ways , you know

24:13

, like , like mathematical

24:16

notation might be

24:18

, you know , recognized

24:21

across different languages

24:23

the

24:26

product , and I think the

24:28

way that we address

24:31

this space is

24:33

to use technologies

24:35

that are strong at translating

24:38

other languages to a

24:40

common language that the product

24:42

can then interpret . And so , for that

24:45

reason , what we do is we translate

24:48

from foreign languages into

24:50

English always , and

24:53

then we provide , you

24:55

know , instantiation of

24:57

controls through that . So we rely

25:00

on the accuracy of translation , you

25:02

know , translation models and

25:06

our ability to translate to English

25:08

correctly first , right , but

25:13

that a similar problem exists around

25:15

control frameworks and compliance , right

25:18

, the there

25:21

really is no unique security question

25:23

or control outside

25:26

of the ones that are being , you know

25:28

, added , let's

25:31

say , for machine learning or

25:34

artificial intelligence risk . Now

25:36

, it's very uncommon

25:38

to see a question that hasn't been asked before , right

25:41

, they're all just slightly

25:43

different . They all relate

25:45

to the same control , though

25:47

, or set of controls , and so

25:49

what we do is we

25:52

translate to a

25:55

risk model that recognizes those controls

25:58

but then appreciates that they might

26:00

exist as a

26:02

control within different frameworks

26:04

as well and allow you to understand

26:07

okay , this is the

26:09

AICPA trust

26:11

services criteria for background

26:14

checks , whatever the

26:16

ID is , but it also maps

26:19

to the ISO 27001

26:22

control for

26:24

background checks and you

26:26

know , NIST and CSA

26:29

or whatever the other frameworks are right

26:31

. But again

26:34

, similar to how we translate to English , we

26:36

look for that control itself rather

26:38

than some specific

26:40

instance

26:42

of that in a language

26:45

or something right .

26:47

Yeah , that makes sense . That

26:49

probably cuts it down . You know

26:52

significantly of the learning period

26:54

that you have to have with that . I

26:59

also focus on how it

27:01

works and everything .

27:02

I also focused on German as my

27:05

foreign language in school

27:07

for similar reasons

27:09

, finding

27:11

that it was just easier to learn , given

27:13

its similar kind of structure

27:16

. Right , and

27:20

I certainly appreciate that .

27:23

Going into it . I thought it was going to be a

27:25

lot more difficult than it actually was

27:27

, but

27:30

I love going to Germany you know

27:32

, have you ever been to Germany ?

27:33

I have not . No , no

27:35

, I'd

27:38

love to . I haven't been to Europe actually .

27:41

Oh , really ? Okay , yeah , yeah

27:44

. I've been to Germany too many times . I need

27:46

to go to other places . I think this

27:48

year I'm forcing myself to go to London

27:50

and I'm using the Bears game

27:52

as an excuse to go to London . So it's like

27:54

see like the Bears are going , I have to have

27:56

to go support the team , you know .

27:58

Yeah , you know that's one thing

28:00

about Chicago that I really miss is the

28:02

strong

28:05

kind of identity

28:08

and

28:10

culture of like appreciation

28:12

of Chicago that was just so obvious

28:14

everywhere you went . I

28:18

mean , obviously it's hard to live in Chicago

28:20

, so if you do live there it's

28:22

probably for good reason , right

28:24

, and you like it . But

28:28

the sports , the sports

28:30

fandom , I think , remains kind of unparalleled

28:32

in a lot of ways . So are you a fan

28:34

of other Chicago teams

28:36

besides

28:39

the Bears ?

28:41

Oh yeah , yeah . Pretty much all of them . Yeah

28:45

, Bears , Bulls , Blackhawks

28:47

my wife converted me several

28:50

years ago from a Sox fan to a Cubs

28:52

fan . You

28:54

know really just about all of

28:56

them and I go to a lot of games a

28:58

year . You know , like I've kind of put a hold

29:01

on it since I got a 10-month-old . You know I

29:03

want to have too much fun without the wife because

29:06

then she'll get a little jealous

29:08

and whatnot . But yeah

29:11

, I mean I love

29:13

the sports . It's , you know , it's interesting

29:15

, right , because my generation , I

29:18

mean we , grew up with one

29:20

of the greatest dynasties in basketball

29:23

ever , right . So we're used

29:25

to we kind of grew up being

29:27

used to that like level

29:29

of performance , you know , and

29:32

we , you know , grew up

29:34

with our baseball teams just basically forever

29:37

being terrible , you know

29:39

, like not

29:42

even close to being competitive , you know

29:44

. And then we get like these one or two years

29:46

tied together where it's like , oh , we're

29:48

the best , you know . And

29:51

so it's always

29:53

interesting being a Chicago sports

29:56

fan , especially like

29:58

for the Bears , you know , like the Bears is

30:00

just the most frustrating

30:02

, you know , topic

30:04

for me , because it's just like we could

30:06

be so much better if

30:09

we just had , you know a

30:11

different owner . You know , at this point we've changed

30:14

out all the other pieces . We need to change out that

30:16

owner and see what we

30:18

could actually do . I

30:21

have you . Have

30:24

you been into sports or what's your

30:26

? What's your sports city

30:28

, if you have one .

30:30

I , I

30:32

feel like I

30:35

appreciate a , an

30:37

amazing game , an amazing

30:39

team overall

30:41

, and so I find myself kind of enjoying

30:43

all sports . I

30:46

was , was and remain

30:48

kind of a pretty big Blackhawks

30:51

fan during

30:53

the time that I lived in Chicago . Would you

30:55

know , kind of the same

30:57

time , that they were doing really well the

31:00

kind of the age of Kane and Toews

31:02

and their streak . I

31:08

grew up , I grew up playing all sorts of sports but

31:10

but mostly

31:12

played tennis and

31:17

ironically , I don't really follow that much

31:19

. But yeah

31:22

, I think , like I love , I love watching

31:24

hockey , I love watching , you

31:27

know , any , any game that's like competitive

31:29

and I love seeing , like you

31:31

know , the , the

31:34

human kind

31:36

of performance , the

31:39

, the pinnacle of any

31:41

kind of like hard work from

31:44

an individual , the dedication , right

31:46

, I mean to think about how much work goes into

31:48

to becoming

31:51

a professional athlete

31:54

overall . So I , you know , I'll watch someone

31:56

doing the mile sprint or

31:58

, you know , playing

32:01

table tennis or whatever , and it's just , I'm

32:03

just fascinated by human accomplishment

32:05

like that . But

32:07

nothing beats a good yeah

32:10

to Jagger goal celebration

32:12

in

32:15

the United Center . So so

32:17

that's still my top .

32:19

Those are . Those are so much

32:21

fun . Like I love hockey

32:23

, you know , unfortunately

32:26

, like well , I guess now it's not unfortunately , but

32:28

like I try to get into the season

32:30

but I don't have a whole lot of time to

32:32

spare , you know , so , typically

32:35

, like right now is when I start to kind of get

32:37

back into hockey

32:39

because football is ending , so

32:41

that's my , you know , my , primary sports

32:43

fix right , and the Bulls are terrible . So

32:46

now it's like okay , I can focus

32:48

more on hockey that I want to be

32:50

, you know , more into . Yeah

32:53

, and the closest I've ever sat at a

32:55

Blackhawks game was probably like second row

32:57

and I learned real quick

32:59

you can't bang on the glass anymore . So

33:02

that's that . That was fantastic

33:04

, but you know it was

33:07

. It's a great experience and seeing , you

33:10

know , these , these guys , move around

33:12

the ice and shoot the puck , like that

33:14

. I mean the , the hand-eye

33:16

coordination that you have to have , the agility

33:19

, the speed , the strength , yeah , um

33:21

, I mean it's just it's really impressive

33:24

. Yeah , um , because you

33:26

know , when I , when I grab a hockey stick and I

33:28

try , and you know

33:30

, shoot the puck right , like it's terrible

33:32

, yeah , you know it's going like what ? Maybe five

33:35

miles an hour on a good day . You know for

33:37

me like I can't imagine

33:40

. You know the amount of hours and

33:42

practice that they put into it . You

33:44

know , even even just growing up , do

33:47

you have ?

33:48

a ? Do you have a similar

33:50

appreciation for

33:52

you know people in

33:55

the security or the technology

33:57

kind of space ? Like I think

33:59

there's a there's , you

34:02

know you might see somebody and

34:04

think that looks pretty easy

34:06

, like I could shoot the puck

34:08

like that , or is there , is there kind of like

34:11

a ? Is there an

34:13

analogous phenomenon

34:16

like that in the in IT

34:18

for you , um , yeah , yeah

34:20

.

34:21

Yeah , yeah , absolutely . You

34:24

know , I , I it's interesting , I

34:26

haven't tied the two together

34:28

in that way , but I do have that same

34:30

reaction . You know , I , I , I

34:33

talked to a lot of people on this podcast . That's

34:36

probably the biggest benefit of of

34:38

this podcast is networking

34:40

and talking to so many different people . And

34:43

you know I'm I'm constantly

34:45

blown away by the expertise of my guests

34:47

. You

34:49

know , I was talking to someone a couple of weeks

34:51

ago about

34:53

quantum , quantum

34:56

computing , quantum security , and they were

35:00

talking about how , you know , they're using crystals

35:02

to create

35:04

this quantum connection and secure communications and

35:06

things like that . Right , and that's , that's

35:08

a level . That's , that's a level

35:10

that I'll probably never reach

35:13

, you know , and that

35:15

is something that takes so

35:17

many hours to get into

35:19

and to actually like wrap your head around

35:21

it and figure it out . You know , like

35:24

you have to appreciate that kind of work

35:26

. And then I talked to people that hack airplanes

35:28

while they're on the plane . You

35:31

know , like that

35:33

that's a that's a totally

35:35

different you know world

35:37

than what I want to be on . And you

35:40

know , this person goes to DEF CON and it's like , hey

35:42

, what , what flight are you on again , so

35:44

I can make sure I don't book that flight

35:46

you know like , because if

35:48

this guy gets a little too bored he's going to

35:50

start hacking this airplane , and I don't want to be

35:53

on that .

35:53

Yeah , yeah , no

35:57

, I feel like that . I feel the same . You

35:59

know , it's very easy . It's easy

36:01

to . It's

36:04

easy to kind of be inspired

36:06

and then take on a challenge

36:08

after being being inspired

36:10

and only to realize that it's there's

36:13

a lot of work ahead of you to

36:16

be , you know , proficient

36:18

to the same degree as that person , right ? Uh

36:21

, yeah , I

36:23

feel like my , my position

36:25

.

36:26

Do you ?

36:28

go ahead .

36:29

Oh no , no continue . I think you were going to

36:31

answer my question anyways .

36:34

I feel like the the startup

36:36

founder role kind

36:38

of favors , uh

36:41

favors someone who's

36:44

interested in learning a lot , um

36:47

and uh is

36:49

comfortable kind of switching

36:51

, switching hats , so to speak , and

36:54

letting go of , of

36:56

, kind of Maybe

37:00

, some pressure that's self-imposed to become

37:02

the the perfect expert

37:05

at one particular kind of focus area

37:07

, and finding those people

37:10

and

37:12

and bringing them together right

37:15

and and

37:17

enabling them , um

37:20

, so that I feel like that's kind of a unique

37:22

and uh and especially rewarding

37:26

challenge for me is , like you know

37:29

, find finding the right people who

37:32

are smarter than me , uh

37:35

, to solve , to solve a problem right , yeah

37:38

, that is , um , that's the challenging

37:40

part at that level is finding the right people

37:43

.

37:43

You know , I always hear about , like , how important that

37:46

is , especially when you're , when you're a small company

37:49

. You know , because you , you can't

37:53

, you can't spare the time

37:55

of training . You know another new person every three , four

37:58

, five months . You need them to be there to actually

38:00

, you know , build

38:02

this thing and solve these problems and really grow

38:04

with the

38:06

company and whatnot . You know

38:09

, yeah , and

38:12

that's the uh , that's a , it's a interesting

38:14

, challenging problem that

38:17

you don't really face . You know , outside of the startup program and you know

38:19

, to an extent , I , I personally , I kind

38:21

of miss that startup world

38:23

. You know , because you can wear as many

38:26

different hats as you want , you

38:28

can try as many different things that you want

38:31

. You know , like there's no one holding you back

38:33

telling you no , I need you to focus on

38:36

. You know this one thing , um , and it's

38:39

that it's that faster

38:41

pace environment , that smaller company , that

38:45

that I miss . You know , like now I work at

38:47

a giant company that employs over 650,000

38:50

people worldwide . I

38:52

mean , I know , I know what like 10 people . You know 10 , 12

38:54

people maybe

38:56

at most . You know I know the people that I need to know to get

38:59

my job done , but there's

39:01

no way I'll ever know everyone that works at the company and

39:07

there's also probably no way that I'll ever , you know , move

39:09

up in the company , right ? So

39:12

, like it's , it's different , different problems

39:14

, different challenges . Um

39:19

, and it's uh , it's interesting

39:21

, yeah , yeah , I mean to the same portion of the audience that

39:24

might be interested in

39:28

.

39:30

You know , uh , re recount a personal experience

39:32

getting into IT , you

39:34

know , aimed at trying to guide their own search

39:36

for the company , and I

39:38

would say that trying to guide their own search

39:41

for a career , I

39:43

would say that , you know , being a being

39:46

at a startup can be extremely rewarding

39:49

for a lot of reasons . Um , there's obviously , there's

39:51

obviously , you know , a

39:54

trade off and stability between

39:57

a startup and a 650,000

40:00

person company , right , uh

40:03

, but the trade off also includes an opportunity

40:06

to learn all sorts of things that you wouldn't

40:08

, wouldn't necessarily have

40:10

an opportunity to learn , but also

40:13

is actually discouraged from being

40:15

learned for . Responsible

40:17

for , right , um

40:19

, and , and

40:22

yeah , I think , like , if you're the kind of , if you're

40:24

the kind of , that's a good

40:27

oh , I was going to say you

40:30

know that that's a .

40:31

That's a great point that you bring

40:33

up . I didn't mean to cut you off

40:36

, I apologize for that , um

40:38

, but

40:41

you know it's a . It's a great point that you bring

40:43

up that ability to

40:45

learn . You know so many

40:47

different new things and I

40:49

just think about my own experience when I was at a

40:51

small company . You know

40:53

, I had never really worked

40:55

with Linux before , and at this

40:57

small company our product was built on Linux

40:59

. So guess what

41:01

? I got really good at learning

41:04

Linux and learning the ins and outs

41:06

of this operating system , all from

41:08

a , from a terminal . You know , we didn't even have

41:10

a GUI , right , um

41:13

. And then , you know , I took it a step further

41:15

and I had to learn SELinux and

41:17

learn vulnerability management for Linux and

41:20

use only open source software for

41:22

vulnerability management , cause the company is

41:24

a small business , we don't have money for Nessus

41:26

or Tenable or or a Qualys

41:29

. You know something like that , right , you got to figure

41:31

it out with zero budget . Yeah

41:33

, um , oh . And it absolutely needs to

41:35

be done because we have to meet these compliance

41:37

requirements for the federal government , because

41:40

we're going , you know , on site and

41:42

oh , did I mention you're going

41:44

on site to some of these facilities

41:47

that you know are in the middle of nowhere , in the

41:49

middle of some mountain . You

41:51

know , and you , you're alone , you can't use

41:53

your cell phone , you only have to have

41:56

. You know what's on a piece of paper , right , you've

42:00

learned it so well . In

42:02

that situation , you know , by the time , by

42:05

the time I was going on site for these federal

42:07

agencies , I was doing what's called like double

42:10

blind or triple blind troubleshooting

42:12

, where you can't see the screen , you

42:14

can't get any log files , you can't get any screenshots

42:16

, they can't send you the error code

42:18

, they have to read it to you . And

42:21

there's someone that's on the other end of the phone

42:24

that doesn't know Linux , they don't

42:26

know anything about the terminal and you have to learn and you

42:28

have to literally spell out the

42:30

commands and when , sometimes , when you

42:32

say space , he types out space

42:34

and not hit the space bar . You know

42:36

like that's the level that you're dealing with

42:38

.

42:39

Reminds me of the where

42:42

is , where is the any key ? Uh

42:48

, in response to the press , any key

42:50

? But yeah , I

42:52

, I , I think that

42:54

one of the most salient

42:57

kind of um , uh

43:00

, yeah

43:02

, it's when you're at a small company . You're

43:05

very much close to the

43:07

business problem and

43:10

understanding that

43:12

you

43:15

know what you might be responsible for

43:17

doing really

43:19

impacts the company and how

43:21

, I think is one of the one

43:24

of the especially rewarding aspects there

43:26

. It's not only that you're responsible for it or

43:28

that it's different and you have to learn , but when you

43:30

do it , you're accomplishing

43:32

something meaningful to the business

43:35

. It's much more obvious what that is right

43:37

. And when you're at a much bigger company

43:39

, you might have some KPIs

43:43

or metrics that you're following

43:46

, but those projects

43:48

and things that you're doing are hard to see as

43:53

valuable , right . But

43:58

that trade-off translates

44:00

to pressure that if

44:03

you don't succeed , right , the company

44:05

won't exist , right

44:07

, or there's . You're definitely

44:09

much more responsible

44:11

for its success , right . So there's a lot of pressure

44:14

, yeah

44:18

, which I find very , very

44:21

rewarding as well .

44:22

Yeah , there's definitely

44:25

a lot of pressure with that as well

44:27

. That you

44:31

know you can't lose the customer

44:33

. You know if they have a recommendation

44:35

you kind of have to take

44:37

it . You kind of have to , you know , work

44:39

towards building that in and I actually , you

44:41

know

44:44

, I remember going on site for

44:47

a federal agency for the very first time

44:49

and in my preparation

44:51

of going , the person that was in charge of the project

44:53

beforehand they're like , they told

44:55

me , they warned me , you know . They

44:57

said oh , you know , they always

45:00

ask for this thing and we're never

45:02

going to build it in to our product

45:04

, right . And they told me the background of it and everything

45:07

, but they told it from our

45:09

side of it . You know why we weren't

45:11

going to do it and whatnot

45:13

. Well , I got on site

45:15

and the first thing that I asked the customer was

45:17

well , tell me about why you want it . You

45:19

know , like what's the story behind

45:21

you getting this feature , this functionality

45:24

? You know , because internally

45:26

, we don't see any value in it . Right

45:28

, but you obviously see a value in

45:30

it , but we don't know what that is . And

45:33

they told me , you know it

45:35

was quite literally a life or death

45:37

situation that they had

45:39

encountered at this facility , and

45:42

this feature functionality would provide

45:44

, would have provided them with precise

45:47

information of where they

45:49

needed to send first responders in this situation

45:52

, and without that , you

45:55

know , it turned into a much bigger or

45:57

deal than what it needed to be , and

46:00

so they were looking for a solution and

46:03

so once I got , once I got that

46:05

information , once I understood that and I

46:07

was able to bring it back , you know

46:09

, then within a week or two

46:11

we had that functionality and I was back

46:14

out there , you know , updating their

46:16

products so that we could get them that new functionality

46:18

Right . And it's like

46:21

you would never experience that at a large

46:24

company . Yeah , you never . You would

46:26

never experience that . There's like

46:28

what ? Maybe two or three roles

46:30

at that company that would that would

46:32

experience that .

46:34

But you know , at the at a small company

46:36

I'm one of a team of like 10 or 12

46:38

, that any one of us could have been on

46:40

site to go and experience that

46:42

, you know yeah , yeah

46:44

, the connection between the

46:47

customer and the value and the product

46:49

, that super tight

46:51

feedback loop and being involved directly

46:54

, as is something

46:57

that I think is is

46:59

just very , very

47:02

rewarding at a startup and

47:04

available at a startup Right .

47:06

Do you ever ? Do you ever miss

47:08

working the nine to five , or

47:10

do you just enjoy doing

47:13

the startup ?

47:14

You know , I have , I have three kids

47:16

and

47:19

I've worked at large companies

47:21

, right , I've worked at a few

47:23

stable nine to

47:25

fives , and I think that there

47:27

are moments where I miss , I

47:31

miss the work-life

47:34

separation in

47:37

a certain way , but

47:40

for the most part for

47:43

yeah , it's , it's , it's very infrequent

47:45

that that happens , I

47:47

think for me , I I even

47:49

, even when I was working for those large

47:51

companies , I was , I

47:54

was thinking about work , I was thinking about

47:56

my own professional development

47:58

and learning and and

48:01

the , the , the

48:03

kind of personal interest being

48:07

close to my , my career , led

48:09

me to be working constantly

48:11

anyway , right . And

48:15

so now I feel like it's rewarding , because when

48:17

I think about problems at work , making

48:20

progress is is much more meaningfully

48:22

rewarding , you

48:26

know , because a lot of times you might spend , you might spend

48:28

a lot of time thinking about a problem or learning

48:30

something , and it's

48:33

not necessarily within your role or

48:35

responsibility at the company to use

48:37

those skills or present new

48:39

ideas , right

48:42

. So it

48:45

felt like that was wasted time

48:47

almost in some cases . But you

48:51

know , I think I

48:55

think it's very rare , but sometimes , sometimes

48:57

I do , you know .

49:00

I do .

49:01

Yeah , I do . I do recognize

49:04

that , especially nowadays . You know , even

49:08

before this was before kind of our time

49:10

, so to speak . You know the the

49:14

recognition and appreciation

49:16

of employees at large companies has been has

49:19

changed a lot . You know , at the end of the

49:21

day , even if it's a 650,000

49:24

person company , if there's

49:27

a reduction in force , you're

49:29

going to find out that . You know , on

49:32

Monday morning or whatever , you're going to have the pink slip

49:35

right and

49:37

and

49:40

I do think that

49:42

you

49:45

know , you work to live right

49:47

, and so you just just

49:50

kind of remembering that across

49:52

both even my , I consider this

49:54

my life's work and passion , but

49:56

it's still a job right , and

49:58

I still have a family and I still have my

50:01

health and other things to worry

50:03

about outside of work .

50:05

Yeah , you know I always

50:07

tell people right

50:09

to really protect , protect

50:11

your time , protect your , protect

50:14

your home time , your , your

50:16

work-life balance , not

50:19

because you shouldn't work hard at

50:21

your job you shouldn't , you know

50:24

, love your job or anything like that but

50:27

because there's other things

50:29

that are more important than

50:31

you know . Just your job , right

50:33

? Like you

50:36

know , now that I have a kid

50:39

, I mean it

50:43

would be such a hard sell

50:45

to have to go into the office , not

50:49

out of convenience but out

50:51

. Of . You know me being able to hear

50:53

my kids' first words , seeing them take

50:55

their first step . You know like

50:58

being there when they wake up , being

51:00

there when they get out of school

51:02

, you know like that sort

51:04

of stuff is so irreplaceable

51:06

and I I

51:09

personally I did not share that with my

51:11

parents growing up , you know . And

51:14

so now I get to have that and

51:16

it's like , man , you'd

51:18

have to pay me so much

51:21

money that it's not even feasible

51:23

. You know like it's . It's

51:25

not and

51:28

you know I always tell people to

51:30

also , you know , work on

51:32

your own skills and develop

51:35

yourself outside of your your

51:37

nine to five . You know like , literally at

51:39

five , turn off your laptop , turn off

51:41

the notification for those work apps

51:43

and maybe study for

51:46

a certification , maybe learn a new skill

51:48

, maybe you know . If you haven't touched Linux

51:50

, maybe pick up Linux and

51:52

learn Linux , right ? Yeah , the reason

51:54

is you know really what you said , right

51:56

, if there's layoffs , you

51:59

could be one of them , and it's not personal , it's

52:01

just your name came up on a list

52:03

that's tied to a , to a cost

52:05

to the company that they have to eliminate

52:08

. And you know , no matter what you do

52:10

at that company , no matter , you know

52:12

what your role is . You know you

52:14

, you are expendable to a certain

52:16

degree . You know like , you are replaceable

52:19

to an extent and the

52:21

company will absolutely cut that cost because

52:23

the company , at the end of the day , has to survive

52:25

no matter what , and

52:27

so it doesn't make much sense for

52:30

you to put in 80 , 90 , 100

52:32

hour weeks into a nine to five

52:34

. That will let you go , you know , at the drop

52:37

of a hat . Yeah , I

52:39

learned that the hard way . I wasn't

52:41

, I wasn't laid off

52:43

, but I was working , you

52:46

know , 80 hours a week , every

52:48

single week , for an entire year , to

52:50

find out that I wasn't getting a raise

52:52

, find out I wasn't getting a bonus

52:55

, that there was no money at the end of the

52:57

tunnel for me that I was told that there would

53:00

be , you know , and it's like okay

53:02

, this is never going to happen again

53:04

. This is , this

53:06

is a 40 hour work week

53:08

, you know type of thing , and I'm going to

53:10

develop myself on the side , I'm going to start

53:12

a podcast , I'm going to start doing consulting

53:15

for companies and stuff like

53:17

that . You know , like having things

53:19

on the side , and you

53:21

know , recently I just thought of you

53:24

know kind of a new slogan

53:26

that makes a lot of sense is one

53:28

income , is one too close to zero

53:30

? Yeah , you know , like you should have these

53:32

other , these other

53:34

, you know things going

53:37

on right to supplement other things

53:39

and whatnot .

53:39

Yeah , yeah , I mean , if

53:42

the 40 hours you're spending

53:44

outside of your 40 hour work week are

53:47

are

53:49

uniquely beneficial

53:53

for your day job alone and that

53:55

company alone , you know , you should definitely

53:57

rethink how you're spending that

54:00

time . I think it's

54:02

. It's , it's definitely better

54:04

to kind of treat those

54:06

hours outside of work as

54:09

maybe coincidentally

54:11

, beneficial to your current job

54:13

, but definitely as a personal

54:15

and professional development opportunity

54:17

, right ? How ? How is

54:20

this going to look in an interview

54:22

? Or my next , my

54:24

next line on my resume ? And

54:27

is it skills that are translatable

54:29

to other companies and

54:31

jobs that I I

54:34

foresee , as you

54:37

know , ideal for my own career path

54:39

? Right ? So that's the cert

54:41

. You know , if the cert is specific

54:43

to your company and not applicable

54:46

to any other technology or software

54:48

or whatever , maybe think

54:50

about a more broadly applicable

54:52

certificate or

54:54

or or something you know

54:56

, right , like like Linux generally , or

54:59

security , rather

55:02

than those like corporate specific certificates

55:06

or something . Right , I don't know how to

55:08

, how to describe it . I always , I

55:10

always described it as kind

55:13

of the

55:17

knowledge being kind of driven into

55:19

a mountain of

55:22

which is just more difficult to escape

55:24

from if you're outside of that company . So the

55:26

company being the mountain and your own specialization

55:29

being deepened inside

55:31

of there , in some tunnel system that

55:33

you just cannot escape from . So you

55:36

leave that company and you're interviewing at another

55:38

and this person's

55:40

like . I have no idea

55:42

what technology

55:44

or software or skill you're talking about

55:47

, even though you spent however long

55:49

learning the ins and outs of it

55:51

. Right , it's not applicable here . So

55:58

trying to stay valuable

56:00

outside that one company .

56:02

Yeah , absolutely , that's

56:06

what I tell a lot of people . I feel

56:08

like they

56:10

view getting

56:12

these different skills or certifications

56:15

or whatever it is . They

56:18

can easily get caught up and

56:20

viewing it in terms of oh , how

56:22

does this benefit my current company

56:24

or my current

56:26

job or anything like that ? You should be

56:28

thinking much more into the future

56:31

, much more a brown

56:33

. What if all of this ends ? What

56:36

if this goes wrong ? You should

56:38

have those other skills , you should understand

56:40

the other components and maybe it

56:43

tangentially makes

56:46

you better at your job , maybe

56:48

it does right , like

56:50

for myself , I want to get into

56:52

management , right , and so now I'm

56:54

trying to pick up all these new

56:57

skills of project management

56:59

and things like

57:01

that to make myself more competitive , to

57:04

develop myself . And

57:06

, yes , it does benefit my

57:08

day job . Right , definitely

57:10

benefits me there . But I'm

57:12

thinking ahead . I'm trying to think towards

57:15

what do I want to do next and try to build

57:18

those skills up now while I can . Well

57:23

, Russell , unfortunately

57:26

we're at the end of our time here and

57:28

I mean I had a fantastic conversation . I

57:30

absolutely want to have you back on . I

57:34

think that this conversation went down quite

57:37

a few rabbit holes that we

57:39

could spend another two , three hours going

57:42

through . But

57:44

, Russell , before I let you go , how

57:46

about you tell my audience where they could find

57:48

you , where they could find your company

57:51

if they wanted to reach out and learn more

57:53

?

57:54

So visotrust.com , that's V-I-S-O-T-R-U-S-T

57:58

and you

58:00

can find me quite easily

58:02

at Russell Sherman . And

58:06

yeah , we're especially

58:08

interested in bringing on folks

58:10

at the company in

58:12

the security B2B SaaS space

58:14

. Particularly on my team , I'm looking

58:17

for folks who are

58:19

strong , product-minded

58:21

developers and technologists

58:24

in the large language

58:26

model and artificial intelligence space . I

58:29

really appreciate it as well . It was a great conversation

58:31

. It's

58:34

always amazing to meet someone

58:36

else in the industry , so to

58:38

speak , and find out about

58:40

that background and how it might differ or be

58:42

the same , because

58:45

it's truly amazing how

58:47

different backgrounds

58:50

arrive in the same industry and security

58:52

. So it was

58:55

my pleasure .

58:56

Yeah , definitely . It's

58:59

always a fascinating conversation to hear

59:01

everyone's story , so

59:04

I'm glad that everyone could hear your story

59:06

and probably

59:08

even a little bit more of my own . Well

59:11

, with that , thanks everyone . I

59:14

hope you enjoyed this episode .
