Peer Check

Episode · 3 months ago

#12 - Is Your Engineering Data Safe in the Cloud?

ABOUT THIS EPISODE

Adopting new technology comes with major concerns around data security, financial risk, business value, longevity, and more. Yet these concerns are causing many engineering leaders to overspend on outdated technology instead of reaping the rewards of the cloud.

In this episode, Robert Percy, VP Security & IT at CoLab Software, joins Adam to discuss how engineering leaders can think differently about cloud technology, build strong partnerships with IT leaders, and create effective adoption strategies for new tech.

Listen to Adam and Robert discuss:

  • How to evaluate new cloud tools for security and reliability 
  • Why emails are unsecured communications 
  • How engineering leaders can build a partnership with IT leaders
  • Risk vs. reward for cloud technology vs. on-prem infrastructure   

More information about Robert and today’s topics:

To hear this interview and more like it, subscribe to Peer Check! Find us on Apple Podcasts, Spotify, or our website—or just search for Peer Check in your favourite podcast player.

Welcome to Peer Check, a CoLab podcast. This is a show for engineering leaders who want to challenge the status quo for how design teams work together. You're about to hear a conversation about the ways the engineering world is changing and how top teams are carving a new path forward. Let's do it.

Welcome to Peer Check. I'm your host, Adam Keating, and today we're talking about the playbook for adopting cloud technologies for engineering leaders and IT leaders trying to work in the manufacturing industry. I'm joined by security expert Robert Percy. Robert is CoLab's VP Security & IT and has dedicated his entire career to figuring out how to secure some of the most important software technology out there, from fighting financial crime at Verafin to helping secure a multibillion-dollar project and even starting probably the biggest local security conference, BSides, here in St. John's, Newfoundland. Robert is one of a kind. Robert, thank you so much for joining us today.

Thank you for having me. I'm very excited to be here.

Robert, I gotta go back to the basics, and I asked you this when I interviewed you a couple of years ago. But why security? Like, why do you care so deeply about this to even get into it in your personal life?

Well, I've been interested in security for a long time, and part of it started way back when I was in university. I was living with, you know, a group of people, you know, a group of guys. We all had an apartment and, you know, trying to share the Internet back when the cable modems were a thing, and you know, we brought in a cable modem and so I set up a little home network. You don't have to share the Internet. You weren't supposed to, but you don't say anything about that. But you know, we shared it across, you know, everyone that was in the house, and at the time, I knew very little about Internet security. I deal a lot with hardware.
I've been dealing with hardware my entire life, writing various bits of code for hardware and stuff, but never really dealing with, like, Internet and network security. So anyway, we set up this network and it was one of the things with back then, the cable modem was kind of open to the Internet. Back then it was like a shared thing, right, and you know, everyone was kind of like on this whole local network and we had a printer set up and somebody accessed the printer and I started looking and digging and, you know me, just being the curious person that I am, like I have to figure out why. I always had to figure out why. Dig deep, right, and I gotta know why. So what was going on? So I dug into it and started looking at the logs. Implemented like a little firewall on the thing and then started looking at the logs and I'm like, oh my Lord, like this is getting nailed, and like it terrified me. You actually get that sinking feeling, like what the hell is happening? Like people are just hammering this thing. So this is back in like what is seven, somewhere in there, and I was like, this is terrifying. So I started learning, understanding how this stuff works, and implemented my own, you know, a little firewall that was there that protected the network for the house and just started going from there. And and I've...

...always been interested in security, a lot of it. I started my career in application development, so I was doing a lot of software development, desktop software, web application software, and with that, having that experience of having somebody poke at your home network, your home PCs, all that stuff, I was like, this is crazy, like we're putting this stuff on the Internet, you know, web applications and, you know, there's very little consideration for security. So it's it's been a part of my career. Even though the majority of the early part of my career was in software development, it was secure software development. It was always taking into consideration the what-if, what's going to happen, and a lot of software now is still developed with that mentality of we're creating this product for people to use and here's how they should use this product, here's how we expect them to use this product. I always flip it and turn around and say, well, what can we do with that product? Right, and it's it doesn't matter how it's supposed to be used, it's how can we use it and we take advantage of it. And so that's personal interest. It's, um, it started back then with, you know, securing my own personal stuff and and it's like a now at home, like ever since we've had internet at my house, I've had enterprise-grade security in my own home for as long as I can remember.

I'm glad that someone hacked your printer. I don't know if we would have ended up crossing paths had the printer not gotten hacked. So obviously we talked a lot about the shift to the cloud and I know, like, when we started CoLab five years ago, the cloud was almost like a dirty word, like people balked at it from a security perspective. I remember interviewing you two and a half years ago and you had a fundamentally different perspective of the cloud. Why is the cloud important from a security perspective for companies to be considering today?

Yeah, a lot of it.
A lot of it is around the management infrastructure. A lot of companies still have this perception that on-prem is more secure and it evolves into what you and I talked about a lot, which is which is risks, perceived risk versus real risk. And there is a perceived risk with cloud because they feel that they don't have the same control that they have with prem. Neither is more secure or less secure than the other. Right, an on-prem infrastructure can be made secure or it can be not secure. Cloud can be made secure or it can be not secure. It all depends on the implementation and it all comes down to configuration, and the vast majority of breaches are still based on because of misconfiguration. And so companies still have this idea that having things on-prem they have full control because it's it's physically there next to them in a data center and they have full control over it. Meanwhile, they have their servers that are sitting on the Internet, they're not patched, they've got wide open networks with no segregation, they have poor security controls for their endpoints, pathway straight then to...

...get through their data. But these same companies are the ones to say, well, we can't put our data in the cloud because it's it's not secure, and it's wrong. It's a complete misperception. It goes both ways. There's this perception too that cloud is more expensive, and then there's also this perception too that cloud is cheaper, and that's not always the case either. It all boils down to business case and business use and, well, what your appetite is. But the main reason for moving to the cloud is, a lot of it is just the management infrastructure, reduces the need for having on-prem infrastructure, the costs associated with that, the maintenance of the hardware, the maintenance of the software, all these services are taken care of for you. You still have to take care of your security. You don't offload security, you never do. Still your responsibility.

You said some of the maintenance a second ago, and I know from my perspective and I talked to engineering leaders and then they bring their IT groups. The main reason they seem interested in moving this direction is the overhead of their current on-prem system is almost unbearable and they're crippling on their own weight. So you said stuff like, you know, things remain unpatched. I think it's not because they don't realize it's unpatched, it's because they literally can't get to it because it's just too overhead. And we've seen lots of high profile on-prem security breaches and last like tons. How do people get comfortable with the cloud? Vendors like AWS and Azure, they're doing like an incredible job of how they secure the infrastructure. The more important part, then, is how how is the application built on top of that, like how do you how do you build that? How do people get comfortable, like from a place of discomfort with cloud to saying, okay, I trust Amazon, I trust Microsoft, I trust the vendor. You know, what steps should people take to get comfortable?

Yeah, the biggest part is education.
Honestly, it's like everything, it's it's education, educating yourself on what the service providers have to offer, what their platforms have to offer, what their options are, what their native security solutions are and what you, as a consumer, can bring in to put on top of those, you know, native security solutions to bolster that security, to make it even better. And again, it's it's really truly education, educating yourself on what they have to offer. Look at their compliance, look at their auditing, look at their, what certifications they have. Are they ISO 27001 certified? Do they have their SOC 2? You know, it's it's really it's it's building that trust based on on education.

That makes sense and, like on the you start of a time at risk, and I think it's something we're talking off a lot about. Give me some examples of what the real risks are versus, like, the really perceived risks, because I hear a lot of the perceived bucket and I think a lot of the real one is often left behind, in particular when we look at security questionnaires, and we'll get to that after. Well, give me an example of some of the things that are, like, truly real risk versus the perceived ones that are holding teams up today.

Yeah, well, one there's a, well, I mentioned the perceived risk that on-prem or, let's say cloud, is less secure because it's it's not in the same location, it's not physically next to...

...me. Therefore I have no control, and that's not true. Right, you still have control of your data. You're still the data owner. Um, you're still the ones that manage those systems. Um, and when it comes to a SaaS solution, there's there's a trade-off there where, you know, us, as a SaaS provider, we're the ones that take that data. We're the ones that are now responsible for that data, for the security of that data and making sure that we have the controls in place. So that's where education comes in. You ask us what we're doing to secure the data. But in general, when it comes to cloud, just there is that misperception, right, that that cloud isn't insecure, and it's not true. And, like I said, it's it. Cloud can be as secure as you want it to be, and we've seen it, you know, we have, you know, major government entities with the most secure data possible that are using cloud infrastructure because they have the controls in place to guarantee that that is secure. If you don't do that, then it's the same as anything else. It can be the same as an on-prem situation where you have this, you know, server that's sitting on the Internet that nobody knows about and it's unpatched and wide open to the Internet and it's a perfect pathway, and it's no different. So that that's a very common one. There's another misconception too around data sovereignty. That's one that we see all the time with customers. They feel that they're, let's say they're in the US, the data center's in Canada. Therefore they can't use it because they have data sovereignty. Their data has to stay in the US, and that's not true. It's the same with Canada. Like so we have, you know, let's say, customers in Canada and there's a data center in the US and they say, well, we can't use that service because the data center's in the US, and again that's not true. There are considerations for data sovereignty, especially when it's it's government. There are, depending on classification of data.
Yes, certain pieces of data, they have to stay within the geographic boundaries of that country. But in general, when it comes to a company, there are companies that just feel that because I'm a US company or because I'm a Canadian company, I have to use US or Canadian data centers, and that's not true. And the reality is that your data goes across borders continuously. Every second of every day there's data going across the borders. So that that is a common misperception. So that one is around education again, just understanding, because there's no legal obligation for it. Could be a company policy, sure, right, and then that's up to the company, but it's not a legal thing unless you're dealing with data that actually specifically has data sovereignty issues. When it comes to a real risk, misconfiguration, honestly, it's it's that is an absolute real risk. We see it all the time. Again, it's one of the number one sources for a data breach right now, is misconfiguration of cloud services. So like in AWS, you have what are called S3 buckets, right, which is your data storage. It's like file shares, basically, and it is so easy to have those sitting publicly on the Internet and and companies just, a lot of times they implement these without proper education, without proper knowledge. They don't know how to secure them. So they end...

...up with an S3 bucket that's sitting on the Internet with copies of personal data, medical records, and we see it all the time. It's, you know, there's news headlines all the time: a researcher found x number of records, medical records, in a publicly available S3 bucket. The same goes for servers that are sitting on the Internet, misconfiguration, in containers, servers, whatever infrastructure you have sitting on the Internet, misconfiguration, it's it's it. Yeah, and then again, the vast majority is, um, that's a real risk. And same with patching. Just because it's in the cloud doesn't mean that it doesn't need to get patched. It still needs to get patched. The benefit of cloud is that, depending on the level of service that you're using, it's the responsibility of either the cloud provider or, like us as a service provider, it's our responsibility to patch the infrastructure and not the customer.

I'm curious, like, on that front. Like that's a lot of the technical side of this. What about the human front? Like, one of the things I hear the most, I think, is that the biggest irony in security is that most people I will talk to have very stringent security requirements, oftentimes for things that I think you and I would both classify as a perceived risk. They're they're putting the emphasis in the wrong spot. The thing that they're not focused on is the people side. And I'm talking to an engineering leader. They're telling me that they're sending their most valuable IP through their email to supplier. Like your email is basically open to the Internet. Second you do that, it's gone. It's left your boundaries, no control, no audit log, no record.
Yet they're giving me a hard time about some other security control which really has no meaningful and that is they're focusing on asking, asking us, you know, if, if we we've got, you know, Miss Certifications are you know, and it's like, when you start digging into it and ask the questions, it's like, well, how how do you transfer your data now? And it's like, well, you know, we create a PDF document or a PowerPoint or an Excel and then, you know, we email it to the vendors. Right, the email is not secure. At the end of the day, email was never ever designed to be a secure method of communication. It never was. The protocols that are used are not secure. It is completely open and it can be, basically every touch point on the Internet that an email message hits along the way, that message can be read, every single point. Whatever attachments are there can be obtained, the messages, whatever information you put in there. So once that email leaves your computer, once that email goes, you have lost complete control of the data that was in that email and any attachments. It's gone. So by design, email is not secure.

Yeah, and it's like the funny part about the email part is we'll then often hear the second part of the question is if they're not using email, it's an FTP, or it's we use our PLM or we use some other tool. The trouble is most people go outside of that. Like we've seen it time and time again. The touch points on the Internet makes the hairs on my arm stand up because it's scary. Most people don't understand. I say this a...

...lot when I'm talking to other people, other customers or, you know, when I'm providing mentorship and guidance to the various companies, and it's always around data. And I have to say to them, you have to ask yourself just some very simple questions. Do you know where your data goes? So where does your data go? Where does your data exist? And when you're sharing that information, whether it's by email, through your PLM solution, FTP, whatever, when you're sharing that information, you have to ask, can I prevent someone from sharing, forwarding, uploading, redistributing, printing, copying, doing whatever? Can you prevent somebody from doing that with your data? If the answer is no, then you have lost control.

Well, like on that front, like, we've talked a little bit about why cloud matters. You know, risk in general. How does someone actually evaluate this risk when they're looking at a new vendor like a CoLab or like any other cloud tool? Like what should they be asking and looking for in these questionnaires and evaluations? What should they rely on? The SOC 2 or an audit report for much of digits in no orally? How do you think about probably because you've looked at hundreds of tools for us, like, what's your process for figuring out is this a good piece of software that we can trust, to you?

A lot of it. It starts again with with education, and in this time it's educating yourself on that company, on that product, and start by looking at what they have publicly available to you on their website. One of the things that's always a red flag for me is if if I look at a company or a particular solution and their security information is not immediately available on that website, that's a bit of a red flag because it's, why aren't you telling me about your security?
Do they have a privacy statement on their website that talks about specifically how our data is going to be used in that application, how it's treated, how it's managed, how it's secured? If that information is not immediately available, it's kind of a, you know, companies should be proud of their security. You know, if if they're protecting our data, they should be proud. We are. I'm very proud of our security and our security program. We put a lot of effort into it and this is one of the reasons I love talking to customers so much, because I am so proud of what we do to protect our customers' data that I love talking to our customers about it. So others should do the exact same thing. Look for the information, um, look for the red flags and start asking those questions and definitely educate yourself on what they have in a compliance perspective. So SOC 2, you know, it's pretty much like an industry standard. SOC 2 Type 1, Type 2, get the report, read through it. Those reports, they are long, yes, but there's typically a kind of like an executive summary at the beginning that will be very short, very to the point of either this company did or did not meet all the requirements of the objectives that were defined. If there's any exceptions that are defined, go look at them, find out what they are, find out how to handle them. You know there's lots of companies that are going to have exceptions. The biggest companies in the world have exceptions for SOC 2. Sure, it happens all the time. It's all about how they handled that...

...situation, right? Did they identify it early? If they identified it early, what were the corrective measures, right? It's the companies that, they don't identify them. It's the auditor that identified it and there were no corrective measures that were put in place. Those are the ones that you have to be concerned about. So, SOC 2. SOC 2 is a wealth of information that you can learn. Talk to, definitely talk to the security team. Once you've got that information up front, talk to the security team, find out what their security program is like. The SOC 2 will tell you all about the technical controls, all the people controls, all the various methods that they have for software development and those kind of things, but it won't really talk about the the people in a security team. So I asked the questions. Right. What kind of security team do they have? For example, like for us at CoLab, we have a what I would consider a very multidisciplinary security team. You know, we don't have like very specialized people that only do one function. It's very multidisciplinary. You know, we have people that can do security operations, security monitoring, alert monitoring. We have, you know, certified penetration testers that are on our team that, they test the application continuously. You know, we have risk and compliance people that handle all the management of our risk and compliance. So it's it's it's pretty broad, broad knowledge. So you get to understand their security team.

I think it's incredibly important. One thing to carry on because, like the first two parts, I'm assuming some people do the website. Most people in big companies at least ask for, do you have SOC 2. Whether they read the report or not is a different question, but they at least ask. The third part usually doesn't happen, though. The third part usually is fill out this questionnaire and it's, well, it's hard. How do you get around that?
Right, because I think the questionnaires is potentially helpful for checking boxes, but it doesn't necessarily mean you've actually understood what is this solution? Who am I working with in business? Like, you know, thinking about this from like an engineering leader perspective. How do you convince your IT team that I should get on the phone with Rob Percy for a half hour, because every color ever been out, the IT team always ends up leaving. So, um, but like they don't always want to go to that meeting. Like how how do you convince them to say, take the thirty minutes, it'll save you two weeks down the road? Like what's the way to do that?

Yeah, well, probably is just that. It's a lot of it is a time saver. You know, IT teams, security teams, they're busy. So, you know, phrase it and frame it in that regard, that you know what, we can we can talk to these people for thirty minutes and answer all the questions that we could be weeks back and forth. That's that's one little thing. But the main thing is, with any of these solutions that you're looking at, it's recognizing that the IT and security teams are there to be your business partner. Um, this is one of the things that I've I've told you right from day one when I started, is that that security, to me, is a business partner and a business enabler. We have to work together with the business to make sure that we do things smoothly, correctly. Part of that is going to them, not with the approach of saying we're going to buy the solution, I...

...need you to look at it, here, do this, right. That's not a good partnership approach. Start by talking to them. They're good people, they're friendly people. There's always exceptions, of course, but you know, you know me being one, but you know there's always, they're they're good people and they want to do things right. At the end of the day, IT and security people, that's what they're concerned about, is making sure that we do things right and it's important for them to understand what the business requirements are. So you as a, like you're engineering, you're coming down, you're saying, I'm looking at this. Tell them that, you know what, I've identified all of my business requirements. This solution is a perfect fit for my business. There's going to be a business value. Tell them what the business value is. What is it going to save? And, most importantly, you're going to tell them, I have looked at this. Here's my problem that I'm trying to solve. Right, everything is all about problem. What are you trying to solve? You can't, if you can't describe the problem that you're trying to solve, then you shouldn't be going for this conversation in the first place. It's start with the problem. Tell them what the problem is, tell them what this product does, how it fits and solves that problem, and here's all of the functional requirements that we need, and they solve all of it. Start with that. They will then go, oh, this sounds like a really great product. I can see that it's going to provide real business value. Awesome. I think we should definitely look at this.

How it's literally gonna. That was exactly where my mind was going because when I talked to, you know, engineering managers, directors, VPs and you talk about cloud tech, a lot of them haven't bought a lot of cloud technology yet, you're starting to think about it.
So when you ask them, I say, hey, you know, Joe at x company, how are you going to get this tool implemented, they usually don't know, um, and if they do, it's a little fuzzy. I think what you just have is really important, like starting with requirements, the business value of business case. But what else should they package into, almost like that introduction to this technology that you talked about, websites and to reports, like what's the appropriate way to go to Robert Percy and say, hey, Robert, I've got I've got this product I need for X Y Z reason. I'd like your help in evaluating it. What else would be helpful for the IT team to get in that first pass to instill confidence that this is actually worth their time?

Honestly, one of the biggest helps is, is we've talked about how, you know, as as a team, we look for that security website, we look for the security reports, we look for the privacy. We look for the terms and conditions, we look for all this information. If you come with all that information ahead of time and say we're looking at this solution, but hey, by the way, I know you guys are really busy, so I've already reached out to them. I've already gotten their SOC 2 report. Here's a copy of their, you know, like we do, like a like a sales helper, like a PDF document that's like a summary of our security from our web page. Start bundling in all this information that they need. Give them that information up front. They will be so appreciative that they will...

...love it and they'll say, oh, like you've just done so much of my work force. This is great, like it's awesome. Be their friend.

Yeah, I think the takeaway here is like a little bit of proactive partnership. It goes a long way from the engineering leader's lens and then from the IT leader's lens, which is the second part. I think it's a little bit of the education lens. It's understanding, you know, what is that risk? What are they trying to do? You know, taking a broad perspective. Like give you an example. I spoke to a fortunate company yesterday. We're talking about how CoLab actually was the first startup that they implemented inside of their PLM ecosystem, where I would call it their core critical business functions. That's a big deal, right, like that's a scary spot to make a mistake. But now that they've done that, the confidence of the IT group has grown to say, okay, we know how to do this and evaluate this. Now we have a bit of a playbook for actually implementing these tools. What would be your advice to someone that's in an IT role who is like interested in looking forward and thinking about cloud and the rest, but maybe their peers aren't quite there, like how do they start building a little bit of that internal energy and excitement and education to say, yes, we need to think about doing this slightly differently, because different means change. Change means risk. Oftentimes people, you know, run away from that. Like how do you get that going from the IT front if it's not already part of your culture?

That's that's a hard one, to be honest, because a lot of this is, it's gonna be a real struggle for someone, let's say in in the IT team, to try to work to try and convince that cloud is good. It's that's gonna be a real struggle and I've I've seen it many times not work. It's failed. The best intentions are there. You know, we've got, you know, let's say, great people coming into the security team, or IT team.
They know the value of cloud, what it can bring, savings for people, people time. You know, we talked about the management of infrastructure. You shift this stuff to the cloud, a lot of that stuff is taken care of for you. Thus one one of the things that is important is just outlining what the the benefits are. And actually people tend to very focus on the technical side of things, right, so they'll focus on, you know, with the cloud we can have the newest technology, so we can have the newest hardware and, but once you start to go up, that doesn't matter as much, right. It's like, you know, you you talk to someone, let's say at our level, about the newest latest, you know, Lenovo server, and it was like, you know what, what we have there is, most of your servers have a five year lifespan. So the thing has been in there for three years. We've got two years left on it. That's all we're concerned about, is, you know, it still works, right, it's we can still patch it, we can still maintain it, it's still good, but they're looking for the latest great. So don't talk about the technology. Talk about the business value, right, and the savings that we're going to have from a financial perspective, because...

...everything, at the end of the day, boils down to finance. It's money, it's financial risk, is business risk. Starting to shift things to the cloud, you start to remove some of that risk. It's, you know, that five year life cycle on hardware, for example. Don't talk about it in the way of, you know, we're getting the latest and greatest, fastest hardware. Is like, no, we don't love we no longer have a five year life cycle on hardware that we've got to keep into our budget. That's gone because that's their hardware now. Right, is we don't have to include that in our budget, we don't have to maintain that. That's gone. We don't have to have the people that are racking the servers and doing it and switching it out and installing the software and all that stuff. You need to to get away from the technical and start to work up. But honestly, the best approach for getting cloud adopted into any business is to make it an initiative from the top down. Right. You have to start taking this cloud first initiative and you you bring it down and then once you start showing that support from the top, that's when the people down in in I t, they get so excited right because they're looking at it and going this is great. Cloud is something that I've always wanted to be involved in. Now the business is telling me that I have to. They get so excited and that's when things start to happen. Yeah, I saw first hand a couple of years ago there was a fortunate one company that I was trying to work with a collab into great business case, problems solved, solution that made sense, but ultimately got stuck because of cloud. A year year or so later, the leadership had changed in this company and the new leader came with a very cloud first mentality of saying we're going to do our bid, we're going to do business in a smarter way and not just the way we've always done it. 
And I remember getting the phone call from the IT group saying that we're interested in evaluating this and I was kind of like, what? I was like, you guys hard-core shut this down, and fundamentally asked what changed, and the person told me leadership change, and they're now allowing us to do what, you know, we thought made sense in the beginning and that was like it's such an enabled too, because being a knockout effect in that particular company has been it's showing in the publicly and the public sphere. You're seeing the way the products being built being more intelligent, more secure, like just like really, really cool to see that type of enablement from the top. It really helps IT morale too within, like knowing that they're able to not stick with ten, twenty year old mentalities and technologies within their group. Like they're not, they're no longer kind of pushed down to say you have to work with what we have here. As soon as you start saying that, you know you can now go and the new things, right, people, they get so excited and it really helps IT morale. It keeps people excited and it makes them want to do their job and do it better. Yeah, I think, like we talked about a lot of important things on this episode here. We're getting into like, you know, why the cloud? How do they get risk. How did they even talking to another? But implended this.

But one of the core threads this whole conversation has been education, and I know it's something you invested a ton in, whether it's books or online or training or whatever. But if you're an IT or security leader, what steps can you take to educate people in a way that doesn't feel like you're just screaming go read security documentation, like a way that actually feels like, okay, I want to learn this from my own personal benefits. I think that's your personal motto and I've heard you say it before. But what do you do that's sort of different than most, to say education is actually like an interesting thing for the broader masses. I don't mean just security team. I mean like, you know, an engineer who has never thought about security or someone who just came straight out of school and has never heard about, you know, a cyber attack. Like how do you make that interesting and something people want to invest in? Yeah, a lot of times it's kind of seeding the thoughts. It's just showing and sharing little tidbits of information, you know, like you said, it's not, you know, sending them some article or some book or something saying you should read this. It's taking some piece of information out of that, some really core piece of information, and say this is a really great piece of information. Or, you know, maybe it's some cyber attack, you know, some exploit that you might think is interesting. I do this with the developers, a lot of development team, uh, you know, sharing information on how a certain attacker was able to exploit some vulnerability and this is how they did it, and share that with them and it gets their, it gets their mind thinking, right. It just flips that switch to say wow, that's really, really cool technical thing that you just told me about of how this exploit was done and how they're able to, you know, take advantage of vulnerability to get data out, and they started thinking, wow, this is really interesting, I love this. 
And then they start, you see that interest, you see the thoughts, um, and the same goes with, um, like on the business side. Uh, you know, when I talked to, you know, basically anybody within the business, it's always taking it from their perspective and sharing those little tidbits of information, seeing that thought and those, you know, ideas with what I know that they are interested in because I take a lot of time to learn about every single person in the company. Um, it's one of the things that I've done since I started right here, was every single new employee, I sit with them alone, one on one, for an hour and I've talked to them then. I learned about them, I learned about their hobbies, I learned about their history, I learned everything I can about them in that hour, um, to understand them, because then I can understand what their interests are, what their passions are, and I take that and you know, maybe this is me doing my own social exploitation of people's vulnerabilities, but I use it from my advantage, right, and that's what I do. I take things at their level and I learn about them and I can put their own personal spin on all these different ideas and to get them interested in security from their perspective,...

...how this impacts them in their own part of the business and how it impacts them in their personal life. Yeah, I think what you say, what you're saying there and the underlying piece of that is the education is about two things really. One is about partnership. It's not just me throwing you something, it's me bringing you along for a journey, and two, it's like an incredible amount of thinking about communication, skills, communication. Yeah, like you can send me the same article two different ways. One way I'm not going to read it, the other way I probably will open and take a lesson from it. And I think what you said about grabbing the nugget that's relevant and contextualizing it for somebody is where most people don't go, right. Most times it will be, do this mandatory training program that takes a long time and feels like it was just thrown at you, versus like I've gotten much more value, I think, from our security program and things that are like tangentially happening to me, and then when it comes up in my own life, I'm like, okay, ship, like how do this is real? I read about this and like how do I actually be? Like I think about all the phishing emails and like things that we like now see our employees sharing, right, like our employees share it because they learned something and now they're doing I think that's where it like really gets to be special, I think, and it's the same for customers. I think it's the same for work with customers. So that's awesome. Man, I totally agree. So I think you know key takeaways here. Cloud is an option, for sure. It's more about how you implement. Absolutely cloud. Cloud is a perfect option. It's a very viable option and you know what, the cloud platform for the most part, it's irrelevant whether you choose AWS, Azure, Google, IBM, Oracle. Doesn't matter. Just pick one and be good at it. Yeah, how you do it? It's how you educate, how you partner, that's how you think about understanding your risk as a company. 
And ultimately it's more about the how and not is it literally hit in the cloud or not. So I really appreciate the time, the insight. I'm going to appreciate the next ten years of building with you as well. But thanks so much for the time and I look forward to the next chat. I really appreciate it and hopefully we can do this again and kind of keep a theme going. I think it'd be great, awesome. Thanks for

CoLab is on a mission to accelerate the pace of engineering innovation by giving design teams a better way to work. As an engineering leader, you know it's crucial to empower your team to do their best work. Let CoLab help you achieve your goals with our web-based tool that makes it easy to share and review CAD files with anyone, so you can focus on the work that matters without missing a beat or a bolt. Learn more at CoLab Software dot com. You've been listening to Peer Check, a CoLab podcast. Keep connected with us by subscribing to the show in your favorite podcast player, and please leave a rating on the show. That helps us keep delivering conversations about how the engineering world is changing and how you can challenge the status quo. Until next time.
