Episode Transcript
0:53
How's it going , Russell ? It's great to
0:55
finally get you on the podcast . I feel like
0:57
we've been planning this thing for I
1:00
mean what seems like at least six , seven
1:02
months now at this point .
1:04
Yeah , thanks , Joe , glad to be here , glad
1:06
we could make it happen and
1:08
, yeah , excited to have
1:10
a conversation .
1:12
Yeah , absolutely Well
1:14
, Russell , why don't we start with
1:16
what interested you in
1:18
IT or security that brought
1:20
you down this path ? Right
1:23
, I start everyone off there
1:26
, not only to hear your story
1:28
, but there's also a lot of people
1:30
that are listening to this podcast that maybe
1:33
want to get into IT or maybe
1:35
want to get into security and maybe they're doing a
1:37
career change or they don't
1:39
really know how to do that right , and
1:41
I feel like it's always helpful for
1:43
people to hear someone else's story and maybe
1:45
they can relate to your story and
1:48
hear like , hey , if this guy did it , maybe
1:50
it's possible for me , and
1:52
that's that little spark that some people need
1:54
. So what's your background
1:56
with that ?
1:58
Well , I'd be flattered to hear if I'm
2:00
inspiring anyone in that way
2:03
. But regardless , I
2:06
always feel like I draw from a
2:09
personal curiosity and
2:11
interest and I think that anybody
2:13
should follow that to
2:15
whatever degree and if it's IT or
2:18
technology in general , definitely
2:21
foster that in
2:23
any way you can . So I was
2:25
introduced to computers
2:27
at a young age through
2:30
my father who had a job in
2:32
telecommunications and
2:34
I think he was personally
2:36
interested in the personal
2:39
computer and the evolution of a
2:41
processor and memory and applications
2:44
. He was not into
2:47
software , he wasn't writing software , but
2:50
kind of a tinkerer , craftsman
2:52
at heart and
2:55
hobbyist , which I think I
2:57
inherited largely . And
3:03
I think my first foray
3:05
into IT was networking between
3:08
systems on a local area
3:10
network for
3:12
the purposes of multiplayer gaming
3:15
. So
3:17
I recall trying to connect
3:20
to computers to play games
3:24
like Doom
3:27
or
3:29
Doom 2 . And
3:32
I remember this moment where I
3:34
played this game and
3:36
you could see another
3:38
character in the game . So
3:42
normally you're playing this first person
3:44
, all you see is your character's
3:46
kind of like field of view
3:48
and the other characters are
3:51
all procedural
3:54
or not procedural . At the time you
3:57
know part of the game's software but
3:59
not other people playing Right
4:02
. And that moment of
4:04
multiplayer games with a friend in the
4:06
same room but on a different computer
4:08
kind of just really ignited
4:11
the
4:13
passion for technology
4:15
for me overall , and so that evolved
4:18
to learning more
4:20
about networking , learning more about
4:23
software and computers in general and
4:28
fast forward , let's say
4:32
, five-ish years
4:34
. I was trying to write web
4:36
pages for people to make money
4:39
and I had an early entrepreneurial
4:41
spirit , I'll say so . I was mowing
4:44
lawns and washing cars , but
4:46
also writing HTML
4:49
and JavaScript
4:51
and stuff for folks to
4:53
make money . And
4:58
fast forward another few years , I'm
5:00
working for a large , let's
5:04
say like Fortune 500 company
5:06
as an IT
5:08
support person or application
5:11
support person . So I had managed to find
5:13
a career or job , full-time job
5:15
doing that , focusing on networking
5:17
and application support . And
5:20
my
5:23
first introduction to security
5:26
as a profession was
5:28
after that in a
5:31
deep network or deep packet inspection
5:33
and intrusion detection and
5:36
in a security operation center . So
5:40
I
5:42
think , to go back to your question again
5:45
, I would suggest that
5:47
you just follow your own interests and curiosity
5:50
Like , why are you curious or interested
5:52
in IT , Right , Is there a particular technology
5:55
? And follow that thread
5:57
as far as you can , Because if you're happy and
5:59
you're interested in and
6:03
you're doing what you like . You can probably
6:05
find a way to make money doing it right .
6:08
Yeah , it's a good point and it
6:10
sounds like your background
6:12
is actually pretty similar to my own
6:15
. One of the earliest memories I have
6:18
with my dad is actually sitting on his lap
6:20
and I'm just typing on the keyboard
6:22
not typing , I'm just pushing buttons
6:24
, but it was a lot of fun for
6:26
me to do that and I
6:29
see something come up on the screen
6:31
and it's like , oh
6:36
, I'm doing something and same thing
6:38
. He had a career in telecom and computers
6:41
was more of a hobby that he was trying
6:44
to learn and figure out and whatnot . And it's
6:48
really interesting . And thinking
6:50
back as well
6:53
, I always had a bit of an entrepreneurial
6:56
spirit , right . I was kind
6:58
of always trying to look for
7:00
creative ways of making
7:03
money and taking
7:05
myself to that
7:07
next level . And when I got to college I
7:11
actually didn't even study computers
7:13
. I thought IT was extremely
7:16
boring . I thought to
7:18
myself like if I'm stuck
7:20
at a desk every single
7:22
day for my whole career , that sounds
7:24
like a miserable career
7:27
. It sounds like a miserable existence
7:29
. I hope that never happens . And here
7:32
I am in security and I love it . It's
7:35
like how
7:38
the tables have turned on me . But
7:40
right before you got that first job , did you
7:42
go to college ? Did you study computers
7:44
at all ?
7:45
Yeah . So I went to school
7:47
for business initially to
7:50
follow that kind of more general entrepreneurial
7:53
avenue and
7:55
I planned on using kind of my experience
7:58
kind of as a freelance IT
8:01
web developer
8:03
, software developer , to kind of sustain
8:05
that but not necessarily take it into
8:07
a career . And
8:10
I dropped out of school
8:12
when
8:15
I realized that I could probably do that full time
8:18
and
8:20
I first focused on Linux administration
8:22
, actually primarily on Red
8:25
Hat and an RHCSA
8:28
certification , but I was writing
8:30
software in Python and
8:34
basically at some
8:36
point I just
8:38
did some mental math
8:40
on how much money I could make this
8:43
year versus spend on college
8:45
and I haven't gone to school
8:47
since . I often think about
8:50
what I would study if I went back to school
8:52
and I don't think it would be
8:56
a computer science degree to
8:59
this day . I think it might be nursing
9:02
or something , just something that would be really interesting
9:04
to learn . I think
9:07
that there's one
9:10
of the interesting things about the security industry
9:12
is the kind of the
9:16
heterogeneous
9:19
nature of folks' background that
9:21
are in it . So you have folks who
9:23
are computer science
9:26
but
9:29
a lot of folks come in from different angles
9:31
to make security or
9:33
the industry their career . Now there's obviously
9:35
lots of different focus areas , and
9:40
I think that one of the challenges
9:43
with security is actually developing a sane
9:45
curriculum . It
9:47
would have been time for it to be relevant
9:50
. So this is largely
9:53
a problem with academia
9:55
in general , but I think it's just much
9:57
more difficult with
10:00
technology to develop a curriculum
10:02
that makes sense for someone going
10:04
out into the workforce , and so
10:06
that hands-on experience
10:09
is just so much more relevant
10:12
but also valuable to folks
10:15
. And now I'm largely part
10:18
of my role today is hiring . So
10:20
I'm looking at I'm
10:23
looking at it through a different lens , trying
10:25
to find the best people to help solve certain
10:30
problems , and I
10:32
do look at academic
10:34
history in some degree , but but
10:38
it's certainly not something
10:40
that can be looked at in a vacuum . I think
10:42
your personal experience
10:45
, motivation , intelligence
10:48
and other things apart from just a
10:51
degree , is really what
10:53
we're looking for , and
10:56
I
10:58
would just say that hands-on
11:02
experience and a passion for the problem
11:05
is just so much more valuable than
11:07
some certificate
11:11
or degree
11:14
, though
11:16
I do certainly appreciate the first principles
11:18
and
11:22
the pursuit of academic
11:24
excellence . We're obviously standing
11:26
on a lot of shoulders that
11:29
came from that .
11:31
Yeah , it's a balance . I
11:36
take it from the approach of
11:38
let's
11:40
check as many boxes as
11:42
I possibly can to get
11:44
through HR , because
11:47
this is the thing
11:49
right . The hiring manager
11:52
yeah , they weigh the
11:54
degree and certifications and experience
11:57
properly . Where experience matters
11:59
a whole lot , the certifications solidify
12:03
that or say , yeah , he does
12:05
probably have this experience , and
12:07
the same thing with the degree
12:09
to some extent , depending on where you go
12:12
and the program and all that sort of stuff
12:14
. But it's about getting
12:16
through that HR screening
12:19
. That probably doesn't exist
12:21
at smaller companies , but
12:24
for the majority of companies you still have to
12:26
get through that checkbox . So
12:29
I always recommend that people take a
12:31
broad approach to this . It's not one
12:35
for sure method of getting
12:37
yourself in the door . It's
12:39
really more about you being passionate
12:41
and you diving in and
12:44
you becoming more
12:46
well rounded on
12:48
paper at least , at least on paper
12:50
and , of course
12:52
, having those technical skills to back
12:54
it up to really be successful and get
12:57
in the door and get that job .
12:59
Yeah , yeah
13:02
, I feel like I kind of breeze
13:04
past where
13:06
I might normally kind
13:08
of say what I'm up to now and
13:10
kind of qualify my opinion . So
13:15
first of all , like
13:18
I founded a company a few
13:20
years ago we're
13:22
called VISO TRUST . We're in the security
13:24
industry , we focus on
13:27
third party risk management and we're
13:30
essentially bringing artificial
13:34
intelligence and natural language processing
13:36
into
13:39
a product or platform
13:41
that aims to help businesses
13:43
understand the risk of doing business with
13:45
one another , and
13:48
we primarily look at the
13:50
language within artifacts
13:52
or documents , websites to
13:56
derive information about the
13:59
strength of a business's security program
14:01
and whether or not it's been attested in
14:03
high assurance or third party
14:05
audits other places that might be
14:08
relevant and get people out of
14:10
the business of reading questionnaires and
14:12
SOC 2 reports . And
14:17
founding that company , I think is kind
14:19
of right along the same trajectory
14:22
of entrepreneurial spirit
14:24
. And also
14:26
, if you start a company
14:29
, you don't necessarily
14:31
have to go through HR , so
14:34
it might be one of the only
14:36
options in some cases for
14:38
me , but
14:40
I found
14:42
it to be very rewarding . Now
14:45
we have a bunch of customers , we have
14:47
an amazing team and
14:50
, in the age of large
14:52
language models and generative AI , I
14:55
feel like we're very
14:57
fortunate . There's
15:00
definitely a degree of luck here being
15:02
in the position that we are now
15:04
trying to solve this problem with the technology
15:07
. That really makes a lot of sense doing
15:09
it .
15:11
When did you start the company ?
15:15
So Paul and I , as co-founders
15:17
, technically created a business
15:19
entity and filed for patents for
15:22
the network and the system
15:25
of interacting with businesses
15:28
deriving risk
15:30
exchanging data in 2016
15:34
. And
15:37
we left our full-time jobs in
15:40
2020
15:42
to dedicate full-time to the product and
15:44
the company . So
15:47
, depending on how you look at it , we
15:49
founded the company in 2016
15:54
, but went to work
15:56
, so to speak , at the company
15:59
in 2020 .
16:01
Yeah , I asked that because
16:03
LLMs
16:06
and AI it's
16:08
everywhere now and
16:10
so it's really easy for people
16:13
to kind of hop on that bandwagon . But
16:16
you forming it in 2016 shows
16:18
that you had that innovative
16:20
idea long before people
16:22
were really thinking about AI
16:25
or LLMs and how it will impact
16:27
their lives or anything like that , and
16:31
I think you're approaching this from
16:33
kind of a common
16:35
sense approach , almost
16:37
right . Maybe
16:39
the worst part of my job
16:42
is dealing with compliance standards
16:44
and trying to
16:46
identify risk of third
16:48
parties and stuff like that . It's
16:50
just terrible . I don't want to do that , but
16:52
it's a part of it . I have to
16:54
do it , I have to deal with it , and
16:57
it sounds like you're approaching
17:00
that from a
17:03
new area , a new way
17:06
, with involving this cutting-edge
17:08
technology that's able to
17:10
assist us in actually getting through it in
17:12
a much more efficient way .
17:14
Yeah . So the
17:17
idea evolved from
17:19
personal experience and
17:21
you know colonize
17:24
kind of mandate at a company we
17:26
were working at to essentially get
17:28
a grip on third-party risk and
17:31
, being technical
17:34
, we were
17:36
addressing kind of like a largely people
17:38
and process problem at the time . It
17:40
still remains that way in a lot of organizations
17:43
. But you have your questionnaire and you
17:46
have a
17:49
process of sending that to your third parties
17:51
and then waiting for them to answer it and then making
17:53
sense of that answer or
17:55
collection of answers . But also , like
17:58
you mentioned , the compliance problem
18:00
of you know at the time there
18:03
were less but still many , many different
18:05
compliance frameworks that people might adhere
18:07
to in some way or have a certificate
18:10
or some artifact to prove
18:13
that they did adhere to
18:15
it . So the job was sending
18:18
emails , reading questionnaires
18:20
, reading compliance reports right
18:23
, and workflow around
18:25
sending emails
18:28
is a problem that can be solved
18:30
with kind of existing web
18:33
application technology very easily . But
18:36
reading documents and understanding language
18:38
, referencing material
18:40
from some corpus of you
18:44
know known industry frameworks
18:46
, mapping that to an assurance
18:48
level and having it , you
18:51
know , culminate into a risk
18:53
assessment , you know that
18:56
seemed to be rather novel , but in particular the
18:58
affluence of natural
19:01
language processing was clear at
19:03
that time and I feel like
19:05
the technology has kind of evolved
19:07
, obviously , since
19:09
all you need is attention
19:12
or the papers that support it , and then
19:14
you know , inform
19:16
things like generative , pre-trained
19:19
transformative models
19:21
. But at
19:23
the time I was dealing with
19:25
anomaly detection and machine learning
19:28
models in the Security Operations Center since . So
19:30
, like you know , tell me , you
19:32
have all you have this gigantic amount of data
19:35
, network traffic data . Tell
19:38
me if something is different that
19:40
might be interesting for me to look at . Not just
19:42
that matches some heuristic rule
19:44
, right , and
19:47
the promise
19:49
of machine learning back then was still largely
19:53
that unrealized
19:58
in a business application . For
20:01
that reason , a lot of people looked at it like snake
20:03
oil . In 2020
20:07
, even when we founded the company , a lot
20:09
of people were skeptical about machine
20:12
learning and artificial intelligence ability
20:14
to predict or help with this
20:16
process . I think , fast forward
20:18
to today . It's amazing . People are like well
20:22
, of course , of course , you use
20:24
machine learning to query
20:26
and return insights
20:28
from unstructured language . It's
20:34
like a business imperative
20:36
to adopt this technology in those use cases
20:39
. I think we're well positioned to take
20:41
advantage of the core technology that we have
20:43
already . On top of that , but
20:49
yeah , it's
20:51
been our philosophy since day
20:53
one that it is , at its core
20:55
, a natural language process problem
20:58
. Making sense
21:00
of language very
21:02
quickly is
21:04
the primary task
21:06
as a third-party risk professional . Looking
21:09
at a compliance report , what is
21:11
the standard ? Tell
21:14
me whether this document
21:16
is better than another or it
21:18
substantiates the existence of a mature
21:20
security program differently
21:22
than another . Machine
21:27
learning and large language
21:30
models now are very well suited to
21:32
help with that .
21:35
Yeah , it's a fascinating area
21:37
I was actually thinking
21:39
about this just the other day of
21:42
how complex
21:45
English is as a language
21:47
and then how
21:49
much more complex Mandarin
21:52
is and Russian and all
21:54
those languages . I think
21:56
about that because I remember when I was going
21:59
through school , I
22:02
took Spanish a couple of years in high school
22:04
and then I also took a few semesters
22:06
of it in college . By the
22:08
time I got to college doing Spanish , I absolutely
22:10
hated Spanish . I
22:13
just the
22:15
sentence structure just didn't make much
22:17
sense to me . I think
22:19
I was a bit burnt out on it , to be
22:21
honest . So I switched it up
22:23
and I went with German , not because I thought
22:26
that it would be easier in any
22:28
way or anything like that . I just
22:30
needed something different . And
22:33
German made a whole lot more sense
22:35
to me because you
22:38
have the exact same sentence
22:41
structure in German as you do in
22:43
English , because English is a Germanic
22:45
language , right , and
22:48
so that whole part of it
22:50
made a lot of sense to me , and
22:52
the fact that you could have an entire
22:55
sentence in a block of like 26
22:57
characters . That looks like one word , and
22:59
then learning how to be like oh no
23:01
, there's like five words in that thing . You
23:04
know it's just pronounced this
23:06
way , right Learning
23:08
that was a lot more fun and easier
23:11
for me . But you
23:13
know , looking back and looking at the different
23:15
languages , they're all unique
23:17
, they're all very different and complex
23:19
in their own ways , and so it'll
23:22
be . I think it'll be really interesting
23:24
to see you know where a
23:26
solution like this will go , really anything
23:29
that has to look at language and make an assessment
23:31
where it'll go . Once
23:34
you start venturing out into other languages
23:37
, you know like what's that learning curve ? Like what
23:39
is , what's the different sources
23:42
that it has to pull from to actually
23:44
learn what it needs to learn . Have
23:47
you explored that at all , or are you
23:49
still trying to kind of master the
23:51
English side of it ?
23:53
Well , I think , you know
23:55
, similar to kind of other other
23:59
problems
24:02
, it's helpful to kind of abstract
24:04
and maybe identify a
24:07
reasonable like
24:09
single language , so to
24:11
speak . So , in a lot of ways , you know
24:13
, like , like mathematical
24:16
notation might be
24:18
, you know , recognized
24:21
across different languages
24:23
the
24:26
product , and I think the
24:28
way that we address
24:31
this space is
24:33
to use technologies
24:35
that are strong at translating
24:38
other languages to a
24:40
common language that the product
24:42
can then interpret . And so , for that
24:45
reason , what we do is we translate
24:48
from foreign languages into
24:50
English always , and
24:53
then we provide , you
24:55
know , instantiation of
24:57
controls through that . So we rely
25:00
on the accuracy of translation , you
25:02
know , translation models and
25:06
our ability to translate to English
25:08
correctly first , right , but
25:13
that a similar problem exists around
25:15
control frameworks and compliance , right
25:18
, the there
25:21
really is no unique security question
25:23
or control outside
25:26
of the ones that are being , you know
25:28
, added , let's
25:31
say , for machine learning or
25:34
artificial intelligence risk . Now
25:36
, it's very uncommon
25:38
to see a question that hasn't been asked before , right
25:41
, they're all just slightly
25:43
different . They all relate
25:45
to the same control , though
25:47
, or set of controls , and so
25:49
what we do is we
25:52
translate to a
25:55
risk model that recognizes those controls
25:58
but then appreciates that they might
26:00
exist as a
26:02
control within different frameworks
26:04
as well and allow you to understand
26:07
okay , this is the
26:09
AICPA trust
26:11
services criteria for background
26:14
checks , whatever the
26:16
ID is , but it also maps
26:19
to the ISO 27001
26:22
control for
26:24
background checks and you
26:26
know , NIST and CSA
26:29
or whatever the other frameworks are right
26:31
. But again
26:34
, similar to how we translate to English , we
26:36
look for that control itself rather
26:38
than some specific
26:40
instance
26:42
of that in a language
26:45
or something right .
26:47
Yeah , that makes sense . That
26:49
probably cuts it down . You know
26:52
significantly of the learning period
26:54
that you have to have with that . I
26:59
also focus on how it
27:01
works and everything .
27:02
I also focused on German as my
27:05
foreign language in school
27:07
for similar reasons
27:09
, finding
27:11
that it was just easier to learn , given
27:13
its similar kind of structure
27:16
. Right , and
27:20
I certainly appreciate that .
27:23
Going into it . I thought it was going to be a
27:25
lot more difficult than it actually was
27:27
, but
27:30
I love going to Germany you know
27:32
, have you ever been to Germany ?
27:33
I have not . No , no
27:35
, I'd
27:38
love to . I haven't been to Europe actually .
27:41
Oh , really Okay , yeah , yeah
27:44
. I've been to Germany too many times . I need
27:46
to go to other places . I think this
27:48
year I'm forcing myself to go to London
27:50
and I'm using the Bears game
27:52
as an excuse to go to London . So it's like
27:54
see like the Bears are going , I have to have
27:56
to go support the team , you know .
27:58
Yeah , you know that's one thing
28:00
about Chicago that I really miss is the
28:02
strong
28:05
kind of identity
28:08
and
28:10
culture of like appreciation
28:12
of Chicago that was just so obvious
28:14
everywhere you went . I
28:18
mean , obviously it's hard to live in Chicago
28:20
, so if you do live there it's
28:22
probably for good reason , right
28:24
, and you like it . But
28:28
the sports , the sports
28:30
fandom , I think , remains kind of unparalleled
28:32
in a lot of ways . So are you a fan
28:34
of other Chicago teams
28:36
besides
28:39
the Bears ?
28:41
Oh yeah , yeah , Pretty much all of them . Yeah
28:45
, Bears , Bulls , Blackhawks
28:47
my wife converted me several
28:50
years ago from a Sox fan to a Cubs
28:52
fan . You
28:54
know really just about all of
28:56
them and I go to a lot of games a
28:58
year . You know , like I've kind of put a hold
29:01
on it since I got a 10-month-old . You know I
29:03
want to have too much fun without the wife because
29:06
then she'll get a little jealous
29:08
and whatnot . But yeah
29:11
, I mean I love
29:13
the sports . It's , you know , it's interesting
29:15
, right , because my generation , I
29:18
mean we , grew up with one
29:20
of the greatest dynasties in basketball
29:23
ever , right . So we're used
29:25
to we kind of grew up being
29:27
used to that like level
29:29
of performance , you know , and
29:32
we , you know , grew up
29:34
with our baseball teams just basically forever
29:37
being terrible , you know
29:39
, like not
29:42
even close to being competitive , you know
29:44
. And then we get like these one or two years
29:46
tied together where it's like , oh , we're
29:48
the best , you know . And
29:51
so it's always
29:53
interesting being a Chicago sports
29:56
fan , especially like
29:58
for the Bears , you know , like the Bears is
30:00
just the most frustrating
30:02
, you know , topic
30:04
for me , because it's just like we could
30:06
be so much better if
30:09
we just had , you know a
30:11
different owner . You know , at this point we've changed
30:14
out all the other pieces . We need to change out that
30:16
owner and see what we
30:18
could actually do . I
30:21
have you . Have
30:24
you been into sports or what's your
30:26
? What's your sports city
30:28
, if you have one .
30:30
I , I
30:32
feel like I
30:35
appreciate a , an
30:37
amazing game , an amazing
30:39
team overall
30:41
, and so I find myself kind of enjoying
30:43
all sports . I
30:46
was , was and remain
30:48
kind of a pretty big Blackhawks
30:51
fan during
30:53
the time that I lived in Chicago . Would you
30:55
know , kind of the same
30:57
time , that they were doing really well the
31:00
kind of the age of Kane and Toews
31:02
and their streak . I
31:08
grew up , I grew up playing all sorts of sports but
31:10
but mostly
31:12
played tennis and
31:17
ironically , I don't really follow that much
31:19
. But yeah
31:22
, I think , like I love , I love watching
31:24
hockey , I love watching , you
31:27
know , any , any game that's like competitive
31:29
and I love seeing , like you
31:31
know , the , the
31:34
human kind
31:36
of performance , the
31:39
, the pinnacle of any
31:41
kind of like hard work from
31:44
an individual , the dedication , right
31:46
, I mean to think about how much work goes into
31:48
to becoming
31:51
a professional athlete
31:54
overall . So I , you know , I'll watch someone
31:56
doing the mile sprint or
31:58
, you know , playing
32:01
table tennis or whatever , and it's just , I'm
32:03
just fascinated by human accomplishment
32:05
like that . But
32:07
nothing beats a good yeah
32:10
to Jagger goal celebration
32:12
in
32:15
the United Center . So so
32:17
that's still my top .
32:19
Those are . Those are so much
32:21
fun . Like I love hockey
32:23
, you know , unfortunately
32:26
, like well , I guess now it's not unfortunately , but
32:28
like I try to get into the season
32:30
but I don't have a whole lot of time to
32:32
spare , you know , so , typically
32:35
, like right now is when I start to kind of get
32:37
back into hockey
32:39
because football is ending , so
32:41
that's my , you know , my , primary sports
32:43
fix right , and the Bulls are terrible . So
32:46
now it's like okay , I can focus
32:48
more on hockey that I want to be
32:50
, you know , more into . Yeah
32:53
, and the closest I've ever sat at a
32:55
Blackhawks game was probably like second row
32:57
and I learned real quick
32:59
you can't bang on the glass anymore . So
33:02
that's that . That was fantastic
33:04
, but you know it was
33:07
. It's a great experience and seeing , you
33:10
know , these , these guys , move around
33:12
the ice and shoot the puck , like that
33:14
. I mean the , the hand-eye
33:16
coordination that you have to have , the agility
33:19
, the speed , the strength , yeah , um
33:21
, I mean it's just it's really impressive
33:24
. Yeah , um , because you
33:26
know , when I , when I grab a hockey stick and I
33:28
try , and you know
33:30
, shoot the puck right , like it's terrible
33:32
, yeah , you know it's going like what ? Maybe five
33:35
miles an hour on a good day . You know for
33:37
me like I can't imagine
33:40
. You know the amount of hours and
33:42
practice that they put into it . You
33:44
know , even even just growing up , do
33:47
you have ?
33:48
a ? Do you have a similar
33:50
appreciation for
33:52
you know people in
33:55
the security or the technology
33:57
kind of space ? Like I think
33:59
there's a there's , you
34:02
know you might see somebody and
34:04
think that looks pretty easy
34:06
, like I could shoot the puck
34:08
like that , or is there , is there kind of like
34:11
a ? Is there an
34:13
analogous phenomenon
34:16
like that in the in IT
34:18
for you , um , yeah , yeah
34:20
.
34:21
Yeah , yeah , absolutely . You
34:24
know , I , I it's interesting , I
34:26
haven't tied the two together
34:28
in that way , but I do have that same
34:30
reaction . You know , I , I , I
34:33
talked to a lot of people on this podcast . That's
34:36
probably the biggest benefit of of
34:38
this podcast is networking
34:40
and talking to so many different people . And
34:43
you know I'm I'm constantly
34:45
blown away by the expertise of my guests
34:47
. You
34:49
know , I was talking to someone a couple of weeks
34:51
ago about
34:53
quantum , quantum
34:56
computing , quantum security , and they were
35:00
talking about how , you know , they're using crystals
35:02
to create
35:04
this quantum connection and secure communications and
35:06
things like that . Right , and that's , that's
35:08
a level . That's , that's a level
35:10
that I'll probably never reach
35:13
, you know , and that
35:15
is something that takes so
35:17
many hours to get into
35:19
and to actually like wrap your head around
35:21
it and figure it out . You know , like
35:24
you have to appreciate that kind of work
35:26
. And then I talked to people that hack airplanes
35:28
while they're on the plane . You
35:31
know , like that
35:33
that's a that's a totally
35:35
different you know world
35:37
than what I want to be on . And you
35:40
know , this person goes to DEF CON and it's like , hey
35:42
, what , what flight are you on again , so
35:44
I can make sure I don't book that flight
35:46
you know like , because if
35:48
this guy gets a little too bored he's going to
35:50
start hacking this airplane , and I don't want to be
35:53
on that .
35:53
Yeah , yeah , no
35:57
, I feel like that . I feel the same . You
35:59
know , it's very easy . It's easy
36:01
to . It's
36:04
easy to kind of be inspired
36:06
and then take on a challenge
36:08
after being being inspired
36:10
and only to realize that it's there's
36:13
a lot of work ahead of you to
36:16
be , you know , proficient
36:18
to the same degree as that person , right ? Uh
36:21
, yeah , I
36:23
feel like my , my position
36:25
.
36:26
Do you ?
36:28
go ahead .
36:29
Oh no , no continue . I think you were going to
36:31
answer my question anyways .
36:34
I feel like the the startup
36:36
founder role kind
36:38
of favors , uh
36:41
favors someone who's
36:44
interested in learning a lot , um
36:47
and uh is
36:49
comfortable kind of switching
36:51
, switching hats , so to speak , and
36:54
letting go of , of
36:56
, kind of maybe
37:00
, some pressure that's self-imposed to become
37:02
the the perfect expert
37:05
at one particular kind of focus area
37:07
, and finding those people
37:10
and
37:12
and bringing them together right
37:15
and and
37:17
enabling them , um
37:20
, so that I feel like that's kind of a unique
37:22
and uh and especially rewarding
37:26
challenge for me is , like you know
37:29
, find finding the right people who
37:32
are smarter than me , uh
37:35
, to solve , to solve a problem right , yeah
37:38
, that is , um , that's the challenging
37:40
part at that level is finding the right people
37:43
.
37:43
You know , I always hear about , like , how important that
37:46
is , especially when you're , when you're a small company
37:49
. You know , because you , you can't
37:53
, you can't spare the time
37:55
of training . You know another new person every three , four
37:58
, five months . You need them to be there to actually
38:00
, you know , build
38:02
this thing and solve these problems and really grow
38:04
with the
38:06
company and whatnot . You know
38:09
, yeah , and
38:12
that's the uh , that's a , it's a interesting
38:14
, challenging problem that
38:17
you don't really face . You know , outside of the startup program and you know
38:19
, to an extent , I , I personally , I kind
38:21
of miss that startup world
38:23
. You know , because you can wear as many
38:26
different hats as you want , you
38:28
can try as many different things that you want
38:31
. You know , like there's no one holding you back
38:33
telling you no , I need you to focus on
38:36
. You know this one thing , um , and it's
38:39
that it's that faster
38:41
pace environment , that smaller company , that
38:45
that I miss . You know , like now I work at
38:47
a giant company that employs over 650,000
38:50
people worldwide . I
38:52
mean , I know , I know what like 10 people . You know 10 , 12
38:54
people maybe
38:56
at most . You know I know the people that I need to know to get
38:59
my job done , but there's
39:01
no way I'll ever know everyone that works at the company and
39:07
there's also probably no way that I'll ever , you know , move
39:09
up in the company , right ? So
39:12
, like it's , it's different , different problems
39:14
, different challenges . Um
39:19
, and it's uh , it's interesting
39:21
, yeah , yeah , I mean to the same portion of the audience that
39:24
might be interested in
39:28
.
39:30
You know , uh , re recount a personal experience
39:32
getting into IT , you
39:34
know , aimed at trying to guide their own search
39:36
for the company , and I
39:38
would say that trying to guide their own search
39:41
for a career , I
39:43
would say that , you know , being a being
39:46
at a startup can be extremely rewarding
39:49
for a lot of reasons . Um , there's obviously , there's
39:51
obviously , you know , a
39:54
trade off and stability between
39:57
a startup and a 650,000
40:00
person company , right , uh
40:03
, but the trade off also includes an opportunity
40:06
to learn all sorts of things that you wouldn't
40:08
, wouldn't necessarily have
40:10
an opportunity to learn , but also
40:13
is actually discouraged from being
40:15
learned for . Responsible
40:17
for , right , um
40:19
, and , and
40:22
yeah , I think , like , if you're the kind of , if you're
40:24
the kind of , that's a good
40:27
oh , I was going to say you
40:30
know that that's a .
40:31
That's a great point that you bring
40:33
up . I didn't mean to cut you off
40:36
, I apologize for that , um
40:38
, but
40:41
you know it's a . It's a great point that you bring
40:43
up that ability to
40:45
learn . You know so many
40:47
different new things and I
40:49
just think about my own experience when I was at a
40:51
small company . You know
40:53
, I had never really worked
40:55
with Linux before , and at this
40:57
small company our product was built on Linux
40:59
. So guess what
41:01
? I got really good at learning
41:04
Linux and learning the ins and outs
41:06
of this operating system , all from
41:08
a , from a terminal . You know , we didn't even have
41:10
a GUI , right , um
41:13
. And then , you know , I took it a step further
41:15
and I had to learn SELinux and
41:17
learn vulnerability management for Linux and
41:20
use only open source software for
41:22
vulnerability management , cause the company is
41:24
a small business , we don't have money for Nessus
41:26
or Tenable or or a Qualys
41:29
. You know something like that , right , you got to figure
41:31
it out with zero budget . Yeah
41:33
, um , oh . And it absolutely needs to
41:35
be done because we have to meet these compliance
41:37
requirements for the federal government , because
41:40
we're going , you know , on site and
41:42
oh , did I mention you're going
41:44
on site to some of these facilities
41:47
that you know are in the middle of nowhere , in the
41:49
middle of some mountain . You
41:51
know , and you , you're alone , you can't use
41:53
your cell phone , you only have to have
41:56
. You know what's on a piece of paper , right , you've
42:00
learned it so well . In
42:02
that situation , you know , by the time , by
42:05
the time I was going on site for these federal
42:07
agencies , I was doing what's called like double
42:10
blind or triple blind troubleshooting
42:12
, where you can't see the screen , you
42:14
can't get any log files , you can't get any screenshots
42:16
, they can't send you the error code
42:18
, they have to read it to you . And
42:21
there's someone that's on the other end of the phone
42:24
that doesn't know Linux , they don't
42:26
know anything about the terminal and you have to learn and you
42:28
have to literally spell out the
42:30
commands and when , sometimes , when you
42:32
say space , he types out space
42:34
and not hit the space bar . You know
42:36
like that's the level that you're dealing with
42:38
.
42:39
Reminds me of the where
42:42
is , where is the any key ? Uh
42:48
, in response to the press , any key
42:50
? But yeah , I
42:52
, I , I think that
42:54
one of the most salient
42:57
kind of um , uh
43:00
, yeah
43:02
, it's when you're at a small company . You're
43:05
very much close to the
43:07
business problem and
43:10
understanding that
43:12
you
43:15
know what you might be responsible for
43:17
doing really
43:19
impacts the company and how
43:21
, I think is one of the one
43:24
of the especially rewarding aspects there
43:26
. It's not only that you're responsible for it or
43:28
that it's different and you have to learn , but when you
43:30
do it , you're accomplishing
43:32
something meaningful to the business
43:35
. It's much more obvious what that is right
43:37
. And when you're at a much bigger company
43:39
, you might have some KPIs
43:43
or metrics that you're following
43:46
, but those projects
43:48
and things that you're doing are hard to see as
43:53
valuable , right . But
43:58
that trade-off translates
44:00
to pressure that if
44:03
you don't succeed , right , the company
44:05
won't exist , right
44:07
, or there's . You're definitely
44:09
much more responsible
44:11
for its success , right . So there's a lot of pressure
44:14
, yeah
44:18
, which I find very , very
44:21
rewarding as well .
44:22
Yeah , there's definitely
44:25
a lot of pressure with that as well
44:27
. That you
44:31
know you can't lose the customer
44:33
. You know if they have a recommendation
44:35
you kind of have to take
44:37
it . You kind of have to , you know , work
44:39
towards building that in and I actually , you
44:41
know
44:44
, I remember going on site for
44:47
a federal agency for the very first time
44:49
and in my preparation
44:51
of going , the person that was in charge of the project
44:53
beforehand they're like , they told
44:55
me , they warned me , you know . They
44:57
said oh , you know , they always
45:00
ask for this thing and we're never
45:02
going to build it in to our product
45:04
, right . And they told me the background of it and everything
45:07
, but they told it from our
45:09
side of it . You know why we weren't
45:11
going to do it and whatnot
45:13
. Well , I got on site
45:15
and the first thing that I asked the customer was
45:17
well , tell me about why you want it . You
45:19
know , like what's the story behind
45:21
you getting this feature , this functionality
45:24
? You know , because internally
45:26
, we don't see any value in it . Right
45:28
, but you obviously see a value in
45:30
it , but we don't know what that is . And
45:33
they told me , you know it
45:35
was quite literally a life or death
45:37
situation that they had
45:39
encountered at this facility , and
45:42
this feature functionality would provide
45:44
, would have provided them with precise
45:47
information of where they
45:49
needed to send first responders in this situation
45:52
, and without that , you
45:55
know , it turned into a much bigger
45:57
ordeal than what it needed to be , and
46:00
so they were looking for a solution and
46:03
so once I got , once I got that
46:05
information , once I understood that and I
46:07
was able to bring it back , you know
46:09
, then within a week or two
46:11
we had that functionality and I was back
46:14
out there , you know , updating their
46:16
products so that we could get them that new functionality
46:18
Right . And it's like
46:21
you would never experience that at a large
46:24
company . Yeah , you never . You would
46:26
never experience that . There's like
46:28
what ? Maybe two or three roles
46:30
at that company that would that would
46:32
experience that .
46:34
But you know , at the at a small company
46:36
I'm one of a team of like 10 or 12
46:38
, that any one of us could have been on
46:40
site to go and experience that
46:42
, you know yeah , yeah
46:44
, the connection between the
46:47
customer and the value and the product
46:49
, that super tight
46:51
feedback loop and being involved directly
46:54
, as is something
46:57
that I think is is
46:59
just very , very
47:02
rewarding at a startup and
47:04
available at a startup Right .
47:06
Do you ever ? Do you ever miss
47:08
working the nine to five , or
47:10
do you just enjoy doing
47:13
the startup ?
47:14
You know , I have , I have three kids
47:16
and
47:19
I've worked at large companies
47:21
, right , I've worked at a few
47:23
stable nine to
47:25
fives , and I think that there
47:27
are moments where I miss , I
47:31
miss the work-life
47:34
separation in
47:37
a certain way , but
47:40
for the most part for
47:43
yeah , it's , it's , it's very infrequent
47:45
that that happens , I
47:47
think for me , I I even
47:49
, even when I was working for those large
47:51
companies , I was , I
47:54
was thinking about work , I was thinking about
47:56
my own professional development
47:58
and learning and and
48:01
the , the , the
48:03
kind of personal interest being
48:07
close to my , my career , led
48:09
me to be working constantly
48:11
anyway , right . And
48:15
so now I feel like it's rewarding , because when
48:17
I think about problems at work , making
48:20
progress is is much more meaningfully
48:22
rewarding , you
48:26
know , because a lot of times you might spend , you might spend
48:28
a lot of time thinking about a problem or learning
48:30
something , and it's
48:33
not necessarily within your role or
48:35
responsibility at the company to use
48:37
those skills or present new
48:39
ideas , right
48:42
. So it
48:45
felt like that was wasted time
48:47
almost in some cases . But you
48:51
know , I think I
48:55
think it's very rare , but sometimes , sometimes
48:57
I do , you know .
49:00
I do .
49:01
Yeah , I do . I do recognize
49:04
that , especially nowadays . You know , even
49:08
before this was before kind of our time
49:10
, so to speak . You know the the
49:14
recognition and appreciation
49:16
of employees at large companies has been has
49:19
changed a lot . You know , at the end of the
49:21
day , even if it's a 650,000
49:24
person company , if there's
49:27
a reduction in force , you're
49:29
going to find out that . You know , on
49:32
Monday morning or whatever , you're going to have the pink slip
49:35
right and
49:37
and
49:40
I do think that
49:42
you
49:45
know , you work to live right
49:47
, and so you just just
49:50
kind of remembering that across
49:52
both even my , I consider this
49:54
my life's work and passion , but
49:56
it's still a job right , and
49:58
I still have a family and I still have my
50:01
health and other things to worry
50:03
about outside of work .
50:05
Yeah , you know I always
50:07
tell people right
50:09
to really protect , protect
50:11
your time , protect your , protect
50:14
your home time , your , your
50:16
work-life balance , not
50:19
because you shouldn't work hard at
50:21
your job you shouldn't , you know
50:24
, love your job or anything like that but
50:27
because there's other things
50:29
that are more important than
50:31
you know . Just your job , right
50:33
? Like you
50:36
know , now that I have a kid
50:39
, I mean it
50:43
would be such a hard sell
50:45
to have to go into the office , not
50:49
out of convenience but out
50:51
of , you know , me being able to hear
50:53
my kids' first words , seeing them take
50:55
their first step . You know like
50:58
being there when they wake up , being
51:00
there when they get out of school
51:02
, you know like that sort
51:04
of stuff is so irreplaceable
51:06
and I I
51:09
personally I did not share that with my
51:11
parents growing up , you know . And
51:14
so now I get to have that and
51:16
it's like , man , you'd
51:18
have to pay me so much
51:21
money that it's not even feasible
51:23
. You know like it's . It's
51:25
not and
51:28
you know I always tell people to
51:30
also , you know , work on
51:32
your own skills and develop
51:35
yourself outside of your your
51:37
nine to five . You know like , literally at
51:39
five , turn off your laptop , turn off
51:41
the notification for those work apps
51:43
and maybe study for
51:46
a certification , maybe learn a new skill
51:48
, maybe you know . If you haven't touched Linux
51:50
, maybe pick up Linux and
51:52
learn Linux , right ? Yeah , the reason
51:54
is you know really what you said , right
51:56
, if there's layoffs , you
51:59
could be one of them , and it's not personal , it's
52:01
just your name came up on a list
52:03
that's tied to a , to a cost
52:05
to the company that they have to eliminate
52:08
. And you know , no matter what you do
52:10
at that company , no matter , you know
52:12
what your role is . You know you
52:14
, you are expendable to a certain
52:16
degree . You know like , you are replaceable
52:19
to an extent and the
52:21
company will absolutely cut that cost because
52:23
the company , at the end of the day , has to survive
52:25
no matter what , and
52:27
so it doesn't make much sense for
52:30
you to put in 80 , 90 , 100
52:32
hour weeks into a nine to five
52:34
. That will let you go , you know , at the drop
52:37
of a hat . Yeah , I
52:39
learned that the hard way . I wasn't
52:41
, I wasn't laid off
52:43
, but I was working , you
52:46
know , 80 hours a week , every
52:48
single week , for an entire year , to
52:50
find out that I wasn't getting a raise
52:52
, find out I wasn't getting a bonus
52:55
, that there was no money at the end of the
52:57
tunnel for me that I was told that there would
53:00
be , you know , and it's like okay
53:02
, this is never going to happen again
53:04
. This is , this
53:06
is a 40 hour work week
53:08
, you know type of thing , and I'm going to
53:10
develop myself on the side , I'm going to start
53:12
a podcast , I'm going to start doing consulting
53:15
for companies and stuff like
53:17
that . You know , like having things
53:19
on the side , and you
53:21
know , recently I just thought of you
53:24
know kind of a new slogan
53:26
that makes a lot of sense is one
53:28
income , is one too close to zero
53:30
? Yeah , you know , like you should have these
53:32
other , these other
53:34
, you know things going
53:37
on right to supplement other things
53:39
and whatnot .
53:39
Yeah , yeah , I mean , if
53:42
the 40 hours you're spending
53:44
outside of your 40 hour work week are
53:47
are
53:49
uniquely beneficial
53:53
for your day job alone and that
53:55
company alone , you know , you should definitely
53:57
rethink how you're spending that
54:00
time . I think it's
54:02
. It's , it's definitely better
54:04
to kind of treat those
54:06
hours outside of work as
54:09
maybe coincidentally
54:11
, beneficial to your current job
54:13
, but definitely as a personal
54:15
and professional development opportunity
54:17
, right ? How ? How is
54:20
this going to look in an interview
54:22
? Or my next , my
54:24
next line on my resume ? And
54:27
is it skills that are translatable
54:29
to other companies and
54:31
jobs that I I
54:34
foresee , as you
54:37
know , ideal for my own career path
54:39
? Right ? So that's the cert
54:41
. You know , if the cert is specific
54:43
to your company and not applicable
54:46
to any other technology or software
54:48
or whatever , maybe think
54:50
about a more broadly applicable
54:52
certificate or
54:54
or or something you know
54:56
, right , like like Linux generally , or
54:59
security , rather
55:02
than those like corporate specific certificates
55:06
or something . Right , I don't know how to
55:08
, how to describe it . I always , I
55:10
always described it as kind
55:13
of the
55:17
knowledge being kind of driven into
55:19
a mountain of
55:22
which is just more difficult to escape
55:24
from if you're outside of that company . So the
55:26
company being the mountain and your own specialization
55:29
being deepened inside
55:31
of there , in some tunnel system that
55:33
you just cannot escape from . So you
55:36
leave that company and you're interviewing at another
55:38
and this person's
55:40
like . I have no idea
55:42
what technology
55:44
or software or skill you're talking about
55:47
, even though you spent however long
55:49
learning the ins and outs of it
55:51
. Right , it's not applicable here . So
55:58
trying to stay valuable
56:00
outside that one company .
56:02
Yeah , absolutely , that's
56:06
what I tell a lot of people . I feel
56:08
like they
56:10
view getting
56:12
these different skills or certifications
56:15
or whatever it is . They
56:18
can easily get caught up in
56:20
viewing it in terms of oh , how
56:22
does this benefit my current company
56:24
or my current
56:26
job or anything like that ? You should be
56:28
thinking much more into the future
56:31
, much more a brown
56:33
. What if all of this ends ? What
56:36
if this goes wrong ? You should
56:38
have those other skills , you should understand
56:40
the other components and maybe it
56:43
tangentially makes
56:46
you better at your job , maybe
56:48
it does right , like
56:50
for myself , I want to get into
56:52
management , right , and so now I'm
56:54
trying to pick up all these new
56:57
skills of project management
56:59
and things like
57:01
that to make myself more competitive , to
57:04
develop myself . And
57:06
, yes , it does benefit my
57:08
day job . Right , definitely
57:10
benefits me there . But I'm
57:12
thinking ahead . I'm trying to think towards
57:15
what do I want to do next and try to build
57:18
those skills up now while I can . Well
57:23
, Russell , unfortunately
57:26
we're at the end of our time here and
57:28
I mean I had a fantastic conversation . I
57:30
absolutely want to have you back on . I
57:34
think that this conversation went down quite
57:37
a few rabbit holes that we
57:39
could spend another two , three hours going
57:42
through . But
57:44
, Russell , before I let you go , how
57:46
about you tell my audience where they could find
57:48
you , where they could find your company
57:51
if they wanted to reach out and learn more
57:53
?
57:54
So visotrust.com , that's V-I-S-O-T-R-U-S-T
57:58
and you
58:00
can find me quite easily
58:02
at Russell Sherman . And
58:06
yeah , we're especially
58:08
interested in bringing on folks
58:10
at the company in
58:12
the security B2B SaaS space
58:14
. Particularly on my team , I'm looking
58:17
for folks who are
58:19
strong , product-minded
58:21
developers and technologists
58:24
in the large language
58:26
model and artificial intelligence space . I
58:29
really appreciate it as well . It was a great conversation
58:31
. It's
58:34
always amazing to meet someone
58:36
else in the industry , so to
58:38
speak , and find out about
58:40
that background and how it might differ or be
58:42
the same , because
58:45
it's truly amazing how
58:47
different backgrounds
58:50
arrive in the same industry and security
58:52
. So it was
58:55
my pleasure .
58:56
Yeah , definitely . It's
58:59
always a fascinating conversation to hear
59:01
everyone's story , so
59:04
I'm glad that everyone could hear your story
59:06
and probably
59:08
even a little bit more of my own . Well
59:11
, with that , thanks everyone . I
59:14
hope you enjoyed this episode .