Cloud Security Today

Cybersecurity's secret weapon

March 20, 2024 Matthew Chiodi Season 4 Episode 3

Episode Summary

In this episode, Jerich Beason, CISO at WM, joins the show to discuss becoming a CISO. Before joining WM, Jerich served in various roles at Lockheed Martin, RSA, Capital One, AECOM, and Deloitte.

Jerich talks about how he tailored his roles throughout his career, learning communication soft skills and his passion for sharing with others. 

Hear about how AI affects leadership, how Jerich would change the cybersecurity industry, and the true value of vendors (it's positive!).

Timestamp Segments

·       [02:51] When Jerich knew he wanted to be a CISO.

·       [04:52] Tailoring the roles.

·       [06:02] What is Jerich most proud of?

·       [07:17] Jerich’s best advice.

·       [13:22] Transitioning away from geek-speak.

·       [17:29] When Jerich developed the passion.

·       [20:28] The PRIME framework.

·       [25:20] What should be talked about with AI?

·       [29:09] What would Jerich change about the cybersecurity industry?

·       [30:33] Hiring the right people.

·       [33:37] How Jerich stays sharp.

·       [35:06] The value of vendors.

 

Notable Quotes

·       “Not every issue warrants a ‘sky is falling’ alert.”

·       “When it comes time to leave, leave a legend.”

·       “We don’t exist without vendors.”

 

Relevant Links

Website:          www.wm.com

LinkedIn:         Jerich Beason


[00:00] Intro: This is the Cloud Security Today podcast, where leaders learn how to get Cloud security done, and now, your host, Matt Chiodi.

 

[00:15] Matt Chiodi: Jerich Beason is the CISO at Waste Management, now known as WM. He's worked in industry giants like Deloitte and Lockheed Martin, and he is very active on LinkedIn, with over 31,000 followers. Now, Jerich's employer, WM, has a fascinating origin story that I wanted to tell you a little bit about. They actually started back in 1893, by a Dutch immigrant collecting trash in the city of Chicago. By 1982, almost 100 years later, WM had become the world's largest waste disposal company, with over a billion dollars in sales. Today, the company has over 111 landfill gas projects, six power production plants, and provides services to over 21 million customers in the US, Canada, and Puerto Rico. Their revenue has grown quite a bit since 1982. As of September of 2023, revenue eclipsed $20 billion. I wanted to have Jerich on the show, because he has a passion for sharing his leadership experience, not necessarily his technical knowledge, which certainly he has a lot of, and I love this about Jerich, and we agree on a lot of things, but one area where we have probably the most common ground is that security practitioners typically have a lot to learn when it comes to soft skills and learning how to speak in business terms. On a lighter note, if you're a vendor listening to this podcast, make sure you listen to the end, because Jerich dropped some nuggets, in terms of how to get on to his schedule.

Let me ask you a favor. If you love what you hear on Cloud Security Today, do me a favor. Pause the episode right now and give us a five-star review. I always love to hear from our listeners. So, if you have feedback, please send me a note at Matt@cloudsecuritytoday.com. Enjoy the episode.

Jerich, welcome to the show.

 

[02:29] Jerich: Happy to be here. Thanks for having me. A long time coming. Well, you nailed me down.

 

[02:34] Matt: Finally. I know, you and I actually do interact quite a bit on LinkedIn, but this will be the first, I think, in-depth conversation that we get to have. So, I'm really looking forward to it. Thanks for coming on.

 

[02:45] Jerich: As am I. I've listened to a number of your episodes, and happy to be added to the roster.

 

[02:49] Matt: Awesome. All right. So, let's just jump right into it. I'm really curious, at what point of your career did you think, “I want to be a CISO”?

 

[03:00] Jerich: It's a great question. So, whenever I dive into anything, I've always really just played to win, and I may not be like that in my personal life, but absolutely in my professional life, and ever since I was young, it's just really been ingrained in me to just be the best at whatever it is that you do, and so when I started off my career, the title of CISO, it wasn't even on the radar. It really wasn't even a thing, but I knew I wanted to be the head of it, and as I learned more about what a CISO does, I started to aim a little higher, and I thought if I was the most technically skilled cyber expert, that would be my ticket. For a while, it seemed like that was going to be the way it went, but I actually looked at being the CISO of the State of California. That was the first time I decided I wanted to be a CISO. I lived in California. I said, “Hey, if I'm the CISO of the State of California, it can't be any better than that,” and then I realized that government gigs weren't all that they were thought up to be, and that really wasn't right for me, but I remember telling anyone I could that I wanted to be a CISO for a large organization, and around the time I started doing that, I started reading a book on mindset by Carol Dweck. I started embracing growth orientation, and overall, I knew that I needed to grow in my experiences, and I started to tailor the different jobs and different roles I would take after that, and also started focusing on my soft skills and not just my deeply technical acumen, and I didn't really answer your question directly because I didn't really know until I learned what the role was, and I didn't really know what the role was until I started taking other roles that weren't too deeply in the weeds and were more around helping the business, working with the business, working with other leaders. 
So, I think I always wanted to be at the top, but I didn't know that I wanted to be a CISO until I started to see what it was like to be a true C-level executive.

 

[04:51] Matt: I love that, and I do want to double-click a little bit on what you said. You said you started to look at, I think you said, how you could tailor the roles. What does that look like for you? I think I know what you mean, but maybe give us an example. What does that mean for you?

 

[05:05] Jerich: Yeah. So, when I looked around at people that hit a ceiling, that I thought knew more than me, and were sharper than me, I had to ask myself, why did they hit that ceiling? And it became pretty evident that it was around the relationships that they had developed, it was around some of the soft skills, and I knew that if I continued down the path of being the person turning the wrench and not the person leading the person turning the wrench, if I continued down the path of being able to operate in silos, that I would never really have the perspective and the experience, or even the credibility to sit at the big kids’ table, and so I started to give myself opportunities and to take on roles that would inch myself towards sitting at that big kids’ table, so that I could have the big kids’ conversations, and actually really add value beyond, “we need to secure this, and we need to secure that,” and that was very deliberate in the types of roles that I took on.

 

[06:01] Matt: So, you've worked at some really amazing places, like the Department of Energy, Lockheed Martin, Deloitte, Capital One, and now, WM. So, this is a hard question, but if you had to pick one thing, maybe two if you can't do one, but what are you most proud of, and why?

 

[06:20] Jerich: So, looking back at my time at all those places, if I had to just pick one thing that I'm most proud of, it would definitely be seeing the people who used to report to me grow into amazing leaders themselves. It's incredible to think that people who were once on my team are now leading the charge as directors, VPs, even CISOs, partners in Big Four consulting firms, and the reason why that makes it so special to me is, it's not just the titles that they achieved, but the impact that they're making, and when I see them out there leading with confidence, making big moves, it feels like a validation of everything that I believe in about leadership, and it shows me that, in many ways, some of the little things that I'm doing, that I've done, are now being duplicated in their efforts, and to know that I had a small part in it, and to watch their waves ripple through the industry, it's gratifying, and it's definitely something that I'm proud of.

 

[07:15] Matt: So, in my view, nobody has gotten to any level of success without, likely, a mentor, and personally, I've been blessed with a few of them in my life. I'm curious, from your perspective, what's maybe some of the best advice a mentor has ever given you, either about the industry or about life in general? And then maybe talk a little bit about how you bake that into your leadership at your current role.

 

[07:42] Jerich: Yeah, I've had several mentors throughout my career. Some didn't know they were mentors. Some did. Some I gave back to. Some I just took, to be completely honest, but if I'm thinking about the mentor within the industry, there's only one person in the industry, and she was the CISO at the time, I was her deputy, and she's now the CIO. So, she's left the dark side, and her guidance was invaluable. She would caution against becoming a Chicken Little CISO, and I'll never forget the phrasing. In cybersecurity, it's easy to feel overwhelmed by risks. Patch management is never perfect. Databases have their flaws. Someone's downloading something they shouldn't be downloading. There are so many different things, and the list is endless, and if you’re in security leadership, you are well aware of the potential consequences. However, with a direct line to the board and to the CEO, like I have, I've learned that not every issue warrants a “sky is falling” alert. The media has already done a good job of making every board, every CEO in America, wary of all the cybersecurity risks. The SEC has thrown down the gauntlet, so we know how bad it can be, but if I were to raise the alarm for every single issue, I'd risk becoming the CISO who cried wolf, which actually weakens the impact of any genuinely critical warnings when I bring them to them. So, it's really important to understand the business context, assess the risks accurately, and then choose the right timing for communications, and that's the first one.

Then, the second one, also from her, was she really drilled into me the importance of storytelling. Now, I once fashioned myself as a PowerPoint guru, and I could put a good slide together. Clear, visually appealing, solid points that directly addressed the goal that I was trying to get across, but she would always challenge me with a simple statement. “What is the story that we're trying to tell? What message are we trying to convey? How will the audience receive and interpret this story that you're putting in front of it?” And that's changed how I communicate. It’s pushed me to refine my use of metaphors and analogies, and I've really learned to speak to my audience in a way that actually resonates with them, not just what I think I want them to hear, and those two things, from a mentorship perspective, they were not things that she just had to say one time, but over time, as she said them enough, they really resonated, and now, I say the same things to my team. What is the story that we're trying to tell? How do you think so-and-so is going to perceive this? How does so-and-so like to see information? Do they want the details, or do they want the big picture? Because we’ve got to give it to them the way they want, if we want to be able to develop influence. So, all these things have snowballed into a lot of the foundations of my leadership style.

 

[10:41] Matt: Maybe, is there an example you can share? Even if it's, obviously, you probably can't give any details, but if there's any examples of that, or a story, I think that would be super interesting.

 

[10:52] Jerich: Yeah. I was at an organization, and it was during COVID, and I was starting to push for some of the tenets of Zero Trust, and we all know what it means, we all know the benefits if you're in cybersecurity, but trying to use the phrase “Zero Trust” with someone that we've been trying to build trust with is not necessarily going to get the job done, and so I used COVID as an example. I said, “alright, we know how bad COVID is. If you know that someone potentially has COVID, they may or may not have COVID, you need them to get something out of your backyard, are you going to want them to walk through your room, touch your doorknobs, go into this room, go into the nursery? You want to give them just a direct path to the backyard. Well, that's ZTNA. We don't need you in our house to get to the backyard,” and so I used that analogy, and they're like, “Oh, I get it.”

Or another one, for micro-segmentation. So, the Navy, they have big, huge, large ships, but they're designed so that they can take a blow, shut off that area, and the rest of the ship doesn't go down. I just explained this to a leader recently in my current organization. He said, “Like Christmas lights? If one goes out, they don't.” I'm like, “I'm using that analogy in the future, and I love that you brought the analogy to me. I don't have to bring the analogy to you. That shows me that you really understand,” and so that is just one example of analogies in storytelling. I don't use a single technical term, but they understand what I'm trying to accomplish and how I go and do it. They don't really care. They're just like, “Okay, what did you ask for this million dollars for?” and now they understand it, go forth and be successful, and that's really what I've learned to do, and I rarely talk in geek-speak when I'm having a regular conversation these days, unless I'm talking to my team. Other than that, I had to put the geek aside and put my business hat on.

 

[12:51] Matt: I love that you brought that up, because I can definitely remember a time in my career where I just felt so comfortable speaking technically, and it felt good, because I knew it, and I knew it was somewhat of an elite language in the business world, that whole geek language. As you said, it feels good to know how TCP works, and to talk about the stack and to get into packet captures, but that doesn't translate really to anybody else in the business. Maybe talk about that point of tension, for you, moving out of that area where you were comfortable, maybe where you probably started your career, really technical. What was that like, moving out of that point of tension over to saying, “if I want to be, as you said before, at the big kids’ table, I can't speak this way, from a technical perspective”? Maybe talk a little bit about what that transition was like.

 

[13:47] Jerich: The transition was met with a lot of internal resistance, because at the time, soft skills weren't as wanted as they are today. So, at the time, I didn't even know they were called soft skills, to be honest with you. I was just like, “I need to be able to communicate with people that don't understand when I’m talking. I don't want to have to use the phrasing ‘No,’ but you're not giving me enough reasons to say yes, so I have to do something different,” and in the government, the concept of risk, at the time, and even today to this degree, wasn't really a conversation. It was mission-driven. It wasn't about making money. It was purely about achieving the mission, and doing so in a compliant way. NIST was very much still paper security back then. Continuous monitoring didn't even exist when I started on this path, and so for me to then start doubling down and reading about organizational psychology, reading about how to communicate, how to give and receive feedback, how to build empathy, how to build trust, those were just not concepts that people were talking about. So, I was taking the risk, because I knew that if I dove into that, over time, I would slowly start to lose some of my technical abilities, and what made me employable, at the time, was my deep technical acumen.

So, it was definitely a lot of, “I don't know if this is going to work out,” and I gave it a few years. I said, “I'm going to try down this path for a few years. That's enough time for me to back up if I need to, and go right back into the geek world,” but I started to see influence being developed, not realizing that I was developing influence, but people were just listening to me. People were having more conversations with me. I was actually able to speak with the entire organization, versus just a small piece of the organization, and have the same level of effectiveness, and so once I started to see that success, then I was just all-in and had to really look back, and that really started to help other people get on this train as well.

 

[15:54] Matt: Yeah, I think that's some sage advice. I guess the other thing I would say, too, is, there are those that will choose to stay in that technical track their entire career, and just for people who are listening, that is totally great. If that's your passion, we need those people. We need those people that know TCP better than anybody else, who can look at a packet and know exactly what it's doing. So, I think for people listening, maybe who are earlier on in your career, if you're thinking “well, I've got to be on the CISO track,” you don't have to be. That's not what we're saying. We're just saying, for the two of us, we've gone down this path and have said, “maybe this is quite frankly where our skills are better than those that may choose to stay on the technical side.” I don't want to put words in your mouth, but is that the same for you?

 

[16:43] Jerich: Yeah, let me double down on that. A lot of people that want to pursue the CISO path do so because they think it's the path that pays the most amount of money. That's just what it is. People think if you’re at the top, you get the most amount of money. I know sales engineers that make more money than me, probably by a high clip, probably a lot less stress. So, if it's about money, there are technical ways to get to the high-level pay without some of the stuff that we have to deal with, and they are not necessarily the most skilled and adept at all of the soft side, because they have account leaders and account managers that can do that. So, either way, you can be wildly successful, but if you choose the path of CISO, you're going to have to develop the soft skills.

 

[17:29] Matt: So, you might be one of the most prolific CISOs that I know, in terms of democratizing your leadership, especially from a strategy perspective. I think it's a lot of the things that you've learned throughout the course of your career. Walk me through, I guess the question is, how did this become such a passion for you? You've done a lot of things on LinkedIn Learning. You are prolific.

 

[17:59] Jerich: Yeah. So, I don't know when this is going to be aired, but just yesterday, one of the people that I look up to highly is Kobe Bryant, and his statue was unveiled yesterday, and his wife spoke, and the very last thing she said was a quote that resonates with me profoundly, and it's “leave the game better than you found it, and when it comes time to leave, leave a legend,” and that is my approach. I've been mentoring people for a while, and over time, the requests to become a mentee grew to a point that I couldn't sustain it, and that's when I decided that “I'm sharing some of the same sentiments with multiple different people that I mentor. Why not go from a one-to-one ratio to a one-to-many ratio?” And then from there, LinkedIn posts are born, podcasts are born, articles, LinkedIn Learning courses, working with SANS, the world leader in security training, and so many other opportunities, and I specifically focus on the soft skills, because from what I can tell, that's where the gap is in a lot of our talent pool, and that's also where there is a gap in available content out there, when you look at what people are talking about online, in the trainings, and so forth, and so for me, I decided to just democratize everything I know about cyber, everything I know about leadership, in the hopes that more people would receive it and more people wouldn't have to go through some of the same mistakes that I went through to learn some of the lessons that I learned.

I like to say that I want to help people see in plain sight some of the things I've learned in hindsight, and if you look at my posts, people are following that example. The comment section of my posts has far more nuggets than anything that I share, and I just get the necessary conversation started. If you go back to that Kobe quote, legends reach that status because of the legacy that they leave behind. I believe legacy is what you leave in people, not what you leave to people, and I'm doing my best to just empty out my cup and deposit it in everyone I interact with, and the knowledge and experience that I have, it does no good in the cup. So, why not pour it out?

 

[20:14] Matt: I love that, and you mentioned with Kobe, the statue. So, that's actually not far from where I live in Lower Merion. So, that's something that's near and dear to me. So, I appreciate you bringing that up, and I love that story. So much of leadership in any role, but maybe especially in security, is really about, and you talked about some of this already, building and maintaining relationships across the organization, and we talked about some of this already, but often with leaders who, again, have no technical background. So, I was listening to your LinkedIn Learning class called Becoming a Chief Information Security Officer. In that, you discuss the PRIME framework. So, I was just wondering, can you just walk us through it, maybe do a little teaching? Give us an example of how you've used that in your role.

 

[21:05] Jerich: Yeah, sure. So, I created a framework. I call it the PRIME framework, and the goal of the PRIME framework is to help new CISOs or new leaders in general, really anyone, establish a simple repeatable way to build and sustain lasting symbiotic relationships with anyone in the organization, specifically the leaders in the organization, and so the acronym, PRIME, stands for Prepare, Research, Impress, Maintain, and Enable, and I’ll break that down a little bit. So, when you start with the P, it's for Prepare. You want to go into these meetings with new people and be uniquely prepared for that audience. Even to answer the question, when they say, “tell me about your background,” you should tailor that response to the people you're meeting with, going back to some of the things I learned earlier in storytelling. You want to reach them in a way that's going to help them remember who you are, and then the R, it's for Research. Take the time to understand the person that you're getting ready to meet with. Do some open source intel, ask about them, search online, do as much as you can to learn about them, so that you can do the I, which is Impress. You’re going to take that information, you want to weave it into your narrative when you're speaking to them, and the goal is for them to leave the meeting realizing you have their interest in mind, and that you speak their language. That is not the time to tout your cyber skills, especially if you're a CISO. They already assume you have those. The goal is for them to see, how are you going to add value to them?

And then the next one is M in the PRIME framework, which is for Maintain, and once you start these relationships, you want to maintain these relationships. So, I do so by keeping a relationship register, and I keep it evergreen, and it's a document and it has all the different people, and has different pieces of information about them that's going to help me maintain that relationship, and it's going to help me keep recurrent contact with that person, and it's important to have anything on there that will help you with that relationship. I have things like how they take their coffee, what their favorite sports team is, whatever it may be, so that when I say “hey, would you like to go get a coffee?” or I show up to their office with the café double latte with skim milk, or whatever it is that they want, that goes a long, long way, and then the last one is E, which is Enable. You’re just going to take all that information you gather, incorporate it in your strategy, and you will be enabling the business, which ultimately is what they say security is about - enabling the business.

 

[23:23] Matt: That's pretty awesome. I'm curious. A lot of times, when people hear about these types of frameworks, sometimes people think it was an epiphany that you had at one moment. Was it? Or was it something that you developed over time as you were going through these various different situations?

 

[24:28] Jerich: So, going back to my time at Deloitte, whenever we would have a major project, we would have a stakeholder register, and within that stakeholder register, I would include, how much influence does this person have? Are they a supporter of security? I would have all those different pieces of information. So, that was really the foundation for it, and then the rest of it was, in my head, things seem so normal and natural, but if I'm talking to other people, they don't do some of these things already. It's how you prepare for an interview. This is how you prepare for a lot of other things, and so I said “okay, well how can I make it into a way that people will remember it and receive it?” I didn't land on PRIME right away. There were a lot of other acronyms and so forth, but PRIME seemed to be a real word, and it ended up working out.

 

[25:16] Matt: That's a good story. So, everyone is talking about AI right now. It is all over the place. It's blaring in the headlines. People who aren't even in technology are talking about it, and this is again, another area where you have done a LinkedIn Learning class, this one's called Securing The Use Of Generative AI In Your Organization. Let me ask you this. So, what is not being talked about, when it comes to AI, that should be? Help us to get past, maybe, the headlines, and talk about the actual risks that you think are not being talked about.

 

[25:52] Jerich: Yeah, great question. I've thought a lot about this lately. There are risks introduced by cyber use cases for harnessing AI. There are courses now, mine’s an example, on how to protect the use of it, but I don't see people talking about how this is affecting leadership, and, in my lifetime, I've seen the move from command-and-control leadership style to people-centered leadership, and not only is it embracing people leadership, but it's been a movement for a while now. I think we're entering into a new model with AI. The evolution of leadership styles, over time, really reflects the broader changes of organizational dynamics, technologies, societal values, and this journey from command-and-control just maybe 10 years ago, to people, and now, AI, it's exciting and scary at the same time, and so if you don't mind, I'll share a little bit of history.

I read a ton of books. When I said I had mentors that don't know they’re mentors, it's primarily the books that I read; they became my mentors through those books, but one of the things that I learned is, historically, the command-and-control leadership model was really about the Industrial Age efficiency, standardization, hierarchical structures. That's what dominated the workplace, and so that model required strict oversight. It required centralized decision-making. It required a clear chain of command, and that was really effective for predictable tasks, but it didn't foster innovation or employee engagement, and that's what led us to this more people-centric leadership, which is, as knowledge work is increasing and organizations are recognizing the value of human capital, leadership styles had to evolve to support that. So, now you start seeing empathy and employee empowerment, and some shared decision-making. Leaders are focused on developing their teams, encouraging collaboration, fostering positive cultures, and you hear the word culture talked about a lot.

In this era we're moving into, of AI, I don't have a name for it, but it's embedding AI and machine learning into the workplace, which I think demands another transformation in our leadership style. How we hire looks different. Today, we place high value on those who can answer tough questions. Do we now shift that value to those who can ask the best questions? Because AI is going to get us the answers to a lot of the tough questions already. Now, we're telling people to leverage this assistant, but don't trust everything it says. We're telling people “this will enhance your productivity, not replace you.” Will they really believe that? I think our biggest under-discussed risk is the cultural change that's going to take place, that isn't really being accounted for, and culture is the combination of what you celebrate and what you tolerate, and if we, as an industry, don't start celebrating the innately human elements that AI can't necessarily do today, you really run the risk of those traits being undervalued over time, which will make people stop demonstrating them. So, we still have time, but I think the risk in AI is the change in culture that's simply not on anybody's radar and will just pop up on us.

 

[29:09] Matt: So, if you could change one thing about the cybersecurity industry, what would it be?

 

[29:15] Jerich: That's an easy answer, actually. So, I would make entry-level roles just that. Roles for people entering the workforce, or career changers entering the industry with zero experience. So, I’ve talked about it on LinkedIn, I've talked about it a little bit, my top two performing posts ever on LinkedIn, essentially, both said the same thing. They got 300,000 likes or more, which is crazy for LinkedIn, and it simply read, “Dear IT or cyber hiring managers, you got your very first job in IT or security with zero experience. Be more like the manager that hired you.” All over, just crazy response whenever I make that post, and I think we really need to embrace that, because the talent deficit is at the mid-level cyber roles. We have so many people trying to break in, because they've heard about these 2 million, 3 million openings. I don't know what the number is really, but there are a ton of openings, but they're at the mid-level skillsets, and if we don't start letting people in the door, that mid-level skillset gap is going to stay for the foreseeable future. So, we’ve got to start letting people in and we’ve got to start taking the time to develop people and not expect them to come ready-to-go.

 

[30:33] Matt: Let me ask you, on that note, you obviously work for a large company right now. What programs, maybe, have you put in place, or are you putting in place to actually help with that? How do you approach that? Because let's face it, doing that, where you have someone who comes in and they literally know nothing. They have maybe a four-year degree and maybe it's in cybersecurity, maybe it's not. How do you bring someone in? And how do you make it so that, A, they feel welcome, and B, that they're learning and they're not just doing the proverbial getting the coffee and doing things where they're not really, truly progressing in their career?

[31:08] Jerich: So, it starts off with the type of people that you hire, first, and I'm not looking for a degree, necessarily. I'm not looking for certification, necessarily. Those are all helpful, and it will demonstrate to me that you have a capacity to learn, and a desire to learn, but I'm really looking for continued development and continued growth outside of that structure, necessarily, and then I'm also looking for someone that has a passion for it. If I asked you about the latest headline in cybersecurity, I expect you to know about it. Simple as that. So, I can make sure that I hire people that are going to fit the culture for the organization that I'm trying to establish, but then, on my side, in my organization, you’ve got to create internships. You’ve got to pay those people that are going into those internships. This isn’t indentured servitude. So, the idea is to create internships, and create pathways which then convert from interns into employees, assuming they meet some of those cultural values that we're talking about, and then incentivize the people on my team to develop those people.

When these people hit their development milestones, you actually see your reward, because you took time and you invested your effort into that person, and once again, culture is a combination of what you celebrate and what you tolerate, and if I celebrate the person that developed the other person, we're going to see a lot more people wanting to develop other people. Even if it's not for the right reasons, I don't really care, as long as they're developing the next generation of cyber warriors. Then also, I try to educate as much as possible, talk about democratizing and stuff. There are so many transferable skills from non-cyber or even IT jobs that we need in our industry. We don't communicate very well. We don't know how to build relationships. A lot of us don't even understand the businesses that we're trying to secure. We don't multitask very well. We're not good project managers, and I could go down the list of things that you just typically don't see in a regular security analyst or engineer that has been doing it for 10 years, but there are people outside of our industry that bring those skillsets. Why can't we teach them cyber just as much as they can bring some of those other skills? A friend of mine is the CISO at a tech company, and he uses the military. He says the military hires people and then equips them to go do the job. Why can't we do the same thing, as long as they have some of the foundational fundamentals to do so?

[33:34] Matt: That’s pretty powerful. So, as you mentioned before, you said when you're interviewing people, you want to make sure they have passion, that they know what's going on. So, that's my question for you. There's always so much going on in cyber. What is your personal method for staying sharp?

[33:49] Jerich: Podcasts like this one. I read articles. I'm on LinkedIn every single day. I even tell my employer before I come on board, “I spend 30 minutes on LinkedIn a day. If that's a problem, I’m probably not the right guy for you.” The CISO Slack channels, I’m part of many of those. Vendors are not allowed. Vendors are not allowed in most of them, but I just take it in from every direction, and one thing I don't talk about often because it results in my inbox blowing up, I typically meet with one vendor a week that I've never met with before. Sometimes, it's in response to a LinkedIn cold message. Sometimes, it's me just reaching out, but every new vendor is trying to solve something unique in a unique way, or they just wouldn't exist. No one is completely cookie-cutter, and I just learn about new risks. I learn about new mitigations. I learn about new ways that other organizations are approaching things. I didn't even know about API security until I was bombarded by API security vendors, as an example, and I have no problem admitting that. How would I have known that if I never had to deal with it? Those are some of the ways that I stay up to date.

[35:06] Matt: All right, you brought it up. So, I'm going to double click on it. So, you said you try to meet with one new security vendor a week. You're obviously a busy guy. Without giving away your secrets, I don't want you to get inundated, but let's just talk about that, because I think, especially on LinkedIn, there are so many people that are very vocal about their hatred for vendors, and in my view, obviously, I've been on both sides of this now, a lot of vitriol, let's put it that way, around vendors. You see it as a way to stay sharp, and I can appreciate that. How do you maybe programmatize that for yourself? Because obviously you've got your day job, the thing that you need to do to deliver for your organization, but you are carving out time in order to do that. How do you look at that? How do you set up your schedule? What does that look like for you? What has worked?

[36:00] Jerich: It depends. Typically, Friday is when I have the most amount of time, assuming I don't get that 4PM, “hey, this thing has occurred. Hope you didn't expect to have a weekend” type of call, and I give them 30 minutes, and at the front of that 30 minutes, I make it clear to them, “I'm not the one you have to impress. I don't pick any technologies in my organization. You went for the chief, when you should have gone for the lieutenant. I'm here because I want to learn, and if it's solid, I'll pass it on to them, but I'm not going to make the decisions that my team then has to inherit and deal with.” So, I start it off with that, off the top, and “if you want to end the call now, feel free, if you'd like, or let's continue on,” but then also, my goal is to build a relationship that may be of use down the line. I can't tell you how many vendors I've spoken with that, I come back a year later, “hey, you guys have this thing. I now have this problem, or I'm not ready to tackle this problem. I didn't have the basic fundamentals in place. Those are now in place for me to stand on to do your thing,” and you're right about the vendor vitriol. It's spewed all over.

It's because of some of the tactics of certain vendors, and it's because even the right vendor with the right tactic, if we get 100 of those messages at the same time, the human brain just can't handle the decision fatigue, and so we make no decisions at all, and then eventually we get annoyed and irritated by it, but let it be known, we don't exist without vendors. Simple as that. We do not exist without vendors. VARs don't exist without vendors. There is nothing more central to cybersecurity success at an organization than a vendor providing a tool that's effective. I recognize that, and I understand that. It's just about vendors recognizing when they're barking up the wrong tree, and when it's just not an opportunity, and it's a shared thing. We both have to see that, and vendors have to be ready to play the long game.

If I'm talking to a vendor that's ready to play the long game, and if it's a tool, if it's a capability that's in my roadmap in my foreseeable future, I’ll play the long game with you. I don't have patience for vendors that don't want to play the long game. I've worked at the private security companies. I recognize that it's a quarterly type of thing. You need to hit these numbers quarterly. So, you're talking to me in January, you want me to email by the end of March, and I'm thinking “hey, your earliest bet is November.” That's not necessarily something that jibes with the way that you're being incentivized or even keeping your job. So, I get that you guys are put in an impossible situation, but there's nothing I can do about that. I have my own budget cycles. I have my own ways of approaching things. So, it's really a top-down challenge that we have to deal with, but we cannot keep just shutting vendors out, and making it seem like y'all are the bad guys. It's just that some of the tactics are not so desirable.

[39:02] Matt: Yeah, and believe it or not, even though I'm on the vendor side right now, I also get pummeled with these, as well, and I love responding to people, “I think your pitch was awesome, but either this is completely not in my wheelhouse, or I have no budget for this.” Sometimes, I snicker at it, and I'll tell people “this was really good. I'm just not the right person for this.” So, for those listening, when you get those, feel free to respond, if you have time. The other thing I'll double click on that you said, that I thought was really great, was just that people, whether it's someone in the vendor community or someone that is on the cybersecurity side, everyone's moving throughout their career, and so I just view it as, I will take meetings a lot of the time if someone pings me on LinkedIn, and I just get the sense that they're really truly trying to learn and there's not necessarily something they're trying to sell me. A lot of times, I will take that conversation, and I have done this probably hundreds of times over the last decade, and I'm always amazed at, when I did that, maybe it is somebody who just wants to talk about career or whatever it might be, I'm always amazed at how I will bump into that person again. It might be 5 or 7 years later, but I've built that relationship before I even needed it, and quite frankly, maybe I built it when I thought, “maybe this isn't going to be useful.” So, I would just tell people that you really do have to be very mindful of your time, because time is, of course, our most precious resource. So, obviously, you can't be spending four hours a day, or maybe even an hour a day doing this, but think about, “if over the course of a 40-hour week, if I spend an hour or a half hour a week,” think about the network that you could build, and not necessarily just on the vendor side, but just across the board. So, that's just my piece. I don't know if you agree with that or not, but curious.

[40:57] Jerich: Wholeheartedly. So, number one, I talked about sales engineers. They don't always want to stay in sales. They want to come and be practitioners, and who better to be a practitioner of your tool than the person that was inside of there for the last three or four years? So, there are some beneficial ways, but ultimately, I am a little altruistic, and I just want to help the security community at large, providing feedback to the vendors, I'm giving them suggestions as a CISO. Sometimes, there are board opportunities. There are so many different benefits to having the conversation, and if you limit it to 30 minutes a week, we can probably find 30 minutes a week, and if you're selective in the vendors that you bring in. Do I bring an 80-year-old company in? Absolutely not. I've covered that ten times, but if there's a new way of solving an old problem, and I'm maybe a year away from my contract ending, that's the conversation that I'm ready to have. When someone says, “we just signed a three-year contract,” shut it down, vendors. It's done, and just little things like that, but for me, I'm all about growth, and every opportunity I get to engage with somebody that's not inside of my echo chamber is an opportunity for me to grow, and I'm going to take advantage.

[42:18] Matt: I love that. Well, Jerich, I’ve loved our conversation. Is there anything else that I should have asked you?

[42:27] Jerich: Yeah, I'll say, you didn’t ask me how you did as an interviewer. Answer is very well, by the way. I've appeared on multiple different podcasts, webinars, and I've hosted my own shows, but you managed to get me to talk about and share things that I’ve never shared before, and that, my friend, is a skill.

[42:43] Matt: Thank you so much. I appreciate those kind words. Thanks for coming on.

[42:46] Jerich: Thanks for having me.

Thank you for joining us for today's episode. To find out more, please visit us at Cloudsecuritytoday.com.