
Hey, all right, give people two seconds. Hello, I am Carlota Sage, Show Me the Money. I'm going to introduce myself first, because I like myself a lot and I love talking about myself. So there's my mug with my mug. I am a virtual CISO. I was a solo practitioner for a few years, and I joined, three months ago, a company called Fractional CISO, and all we do is take small organizations in that 50 to 100 employee space that are ready for cyber security strategy but not ready to hire a CISO. So before I joined Fractional CISO, I actually developed a whole bunch of tools to help my clients, to let me communicate with my clients who were not
security practitioners, and what I found is that they were very valuable for people who are security practitioners and need to be able to speak with business users, right? So please feel free to follow me on Twitter, you get the hot takes, and the posting on LinkedIn, you get the more professional messaging. I want to point out, I always do this because I think it's very important: I'm a college dropout. I dropped out of Auburn University, I went to Durham Tech Community College, I graduated from NC State, a public university, with a degree in textile chemistry of all things, and I did eventually find my way into tech after being a research chemist for a few months, going, wow, this is cool, but
I was really interested in networking lab equipment to automatically dump data into a database, so I was like, I'm in the wrong industry. I got into tech. 10, 15 years later I got a Master's of Information and Knowledge Strategy from Columbia University. So my point here is: don't rule out college dropouts, don't require degrees, don't require certifications, because my hope is that one day everyone in this room, if you're not already a hiring manager, you may have that opportunity. So, thank you. So at no point in my career did I go, hey, I want to be a vCISO, that's a great idea. I actually, like I said, I was a research chemist. I put myself through college doing
web development, and I eventually ended up at a little startup one day called FireEye. I was there for a six-week contract, and that's how I got into security. So with that in mind, I have spent a lot of time in my career, before FireEye and before security, communicating high-tech concepts to either high-tech audiences or to very low-tech audiences. So if you've ever been to support.netgear.com or help.netflix.com, I did the back ends, the front ends and the writing style guides for those help sites. So that's my background. Once I found security, I found that I was really good at communicating security concepts to non-security people. I've spent my whole career in that squishy
space between technology and business, technology and non-technology. So I wanted to give you a little context on why I think this is important. I think it's important because in the United States alone, much less the whole world, in the US alone there are 5.6 million plus small businesses, and that's 500 or fewer employees, and this is as of 2016, so I don't know how the pandemic has affected that number. The majority of those organizations are less than 100 employees. And so we tend to hear from security, and vendors, and Fortune 500 companies and large-scale enterprises that can afford to address security at scale, but what we don't hear from enough
are people who are helping those sub-500 employee spaces, because it's a very different model. And the other thing, as security practitioners, the security vendors like us to focus on the technology, and there's a lot of fun that drives that technology purchase, but what you have to remember is that the data we're protecting, no matter the size of the organization, that data lives at the intersection of people, processes and technology. And you hear that phrase a lot in security, and you hear that phrase a lot because that is a knowledge strategy phrase. Knowledge strategy is the science and the art of aligning people, processes and technology for business outcomes. So in the legal profession, which is another
knowledge industry, they align people, processes and technology for legal outcomes. Security aligns knowledge, processes and technology for secure business outcomes, or risk-conscious outcomes. That's why you keep hearing that phrase over and over again. We have to keep our focus on the data. I'm going to make a slight assumption, and I know, never make an assumption. I'm going to assume that you're all somewhat technical or familiar with technology, and we're going to ignore that completely, because I don't think that's why you're at this talk. You're at this talk because you want to understand, how do I talk to people? So we're going to focus in at first on the people lens. We're not going to
spend too much time here, because that's another hour-long talk on the psychology of getting people to do what you want. But the first thing I want you to know, people, is that you are not your average customer, and you've heard that at several talks today. You are not your average customer. You are the security expert in the room, even if you're just an IT person. You are the security expert in the room. I became a virtual CISO not because I'm great at identity management or threat hunting or any kind of technical capability. I became a vCISO because I was acting as a virtual CTO for a non-profit in Atlanta, and I kept flagging security.
I wanted them to hire a CISO, and I'm like, you guys have got to have somebody dedicated to security. You're supporting 2,400 museums, archives and libraries with digital services, you've got to have somebody to cover that space. And they were like, oh, well, you seem to know more about this than I do, would you be our vCISO? Okay. Because for them, I was the security expert. It just so happened that I was very lucky that that six-week contract that I took at a little company called FireEye, right, turned into a nearly five-year employment with FireEye, and that's where I found my love of security, and that's where I met several people in this room
who are very kind and not heckling me yet. But yes, I actually ran FireEye's communities
didn't know technology, wasn't interested in security, and those communities were getting neglected. So I've got my security experience through three years of helping random security teams solve random problems, and sometimes there were hardware problems and sometimes they were product problems, but they were always security-related problems. So when I took that vCISO role, I was like, okay, I've got a passing familiarity with NIST, and I've got some other handy things like that. I had already gone and gotten my CISSP, because I thought, why not, that seems like an interesting space. So yes, you are not your average customer. Even though I was not a Paul Nelson, for example, I knew more about security than they did,
and more importantly, I was more curious, and I was more willing to help you succeed. Building a security program, until others in your organization are invested in your success, that means that you've got to figure out how to build empathy. That means you have to be empathetic, right? You have to build collaboration, you have to make them feel like they are part of the security process, and that means that you have to take a lot of the jargon out of things, right? You can't come in here and immediately go, we're going to go SOC 2 and NIST and blah blah blah. They're like, okay, what does that mean, and what's that going to cost, and do we
really have to do it? You know. I'll show you the tool that I used basically to get that buy-in in just a moment. The last thing I want you to remember about people, well, not the last thing, the last key thing: any friction that you introduce to somebody else's process or work is immediately an obstacle. I have seen IT organizations try to turn on multi-factor authentication, and the level of drama, oh my God, I have to pull out my phone and click something so that I can log in, that was just ridiculous. But it's because they're like, hey, we're going to make this more secure, we're going to turn on MFA, and they never gave anyone the context
on what is important and why it's important for you to do it. Because if you just tell somebody, hey, you know, security is a relay race. You start that race off with MFA, and then you run a little bit, and then you hand me the baton, and then I take it and I run a little bit. You know, when you make it something that they are a part of, you know, you using multi-factor authentication is the single thing that we can do as an organization to protect ourselves from ransomware. Make them a part of that process, and that friction is no longer an obstacle. They are now a part of the solution. So any time that you're introducing an
extra step into somebody's workflow, you're an obstacle. So I want you to keep those three things in mind when you deal with the people in your organization. You need to learn, as we said, to understand and empathize with your audience. That means you have to understand what they care about. Your exec team cares about operational costs. They are not just paying somebody a hundred thousand dollars, they are paying somebody a hundred thousand dollars plus the $30,000 of overhead that it takes to have that person's butt in a seat, or pay for licensing for software, or pay for training, and pay for travel if they're remote. They're paying other things, there's still operational overhead.
So there are costs that are hidden to us as employees that we start to learn about as we start communicating more with that side of the house. The other thing are risks, right? And for our purposes, a risk is anything that can put pressure on the business that may, you know, change the spending above and beyond the expected operational costs. So anything that loses us money or makes us spend money that we weren't planning on losing or spending, that is now a risk. So that's a business risk. That's a very different concept from what a security risk is, from, you know, an APT or a risk assessment that we as security professionals do. So when we talk about
risk with the business side of the house, we need to understand that their definition of risk is very different from ours. And don't just accept this, ask them, right? Hey, this is how we think of risk in security. My understanding is that business thinks of it this way, is that how you think of it? Now you've engaged them in a conversation, and they see that you are trying to understand what they're doing. Now they're more interested in what you're doing, right? That's that building that investment in your success. If they understand what you need to be successful, then they will be more bought in. Your internal customers, whether they know it or not, they're
constantly optimizing for work. We want to do more with less effort, right? And that's why when I say any friction you introduce becomes an obstacle, it's because you're screwing with their optimization of work. If I have to work harder, even if it's imaginary work, you're now not optimizing my efforts. So you have to make sure that they understand that everything that you're asking them to do, go to a single sign-on portal to sign in, go do this, let us know when you're engaging Lucidchart or whatever when you're getting a third-party software, you need to make it not, I'm doing this to interrupt your workflow, you need to make it a part of their workflow, and you need to make it
so they want to tell you these things, because eventually you want to make it sound like, I'm making this so that it feels a little painful now, but in the long run it'll help you do less work or get more return on your effort. Recognition is huge. We do not do it enough, and that's because we, as several speakers have already mentioned this weekend, we think of ourselves as, you know, security experts, and I hear "cow-orkers" and I hear "stupid users" and I hear "the problem exists between the chair and the keyboard". That's great. It's not helpful. People feel like you're talking down to them. You are. You're being a bit arrogant, you're being a little condescending, or
maybe a lot arrogant and a lot condescending. The whole part of that is that you're making them tune out, because if you feel like I'm stupid, why should I listen to you? Shaming them for doing what they usually do, what any human who isn't a security person is going to do... recognize when they do what you consider really basic things. You know, I think the big thing with that Atlanta team, right, this is a non-profit, you had very deeply technical, really wonderful people who were very good at their job in IT or in development, and you had really great librarian types who were really great at librarian things, but they're very smart, they're just not
smart about security. So you've got to make sure that you recognize when they do things that you do want to encourage. The biggest thing that we did was, we had a little, in the all-employee channel, once a week one of the IT people went in there and said, hey, thanks for sending us this phishing email, so-and-so, you were absolutely right. What they're doing is they're saying, you're a part of this process, you've made my job easier, you've helped protect the company, you're a part of this too, and I appreciate that. And that went so much further than any cyber security training I've ever seen. I mean, you need the basic training, don't get me wrong,
but that weekly drip of, thank you, you did this right, now everyone else sees it, and now everyone else learns, and it's just this wonderful little self-propelling, you know, kind of energy where now people feel more bought in. And that brings us back to success. How do you become a part of their success, so that they can become a part of your success? If you're recognizing them publicly for doing the right thing even though it's not their job, you've just made them more successful. And if you can actually make them successful at their job, make them more successful there as well, you know, that just makes everything that much easier. They now are more interested in making sure that you are
successful. Does that make sense? I'm going to pause. Are there any questions about engaging people? This is a little bit of social engineering inside your own company. Is anyone uncomfortable or disagree with that concept? Okay, I'm seeing lots of, no, no, that makes sense. Okay, so we're going to go right into the process lens, and I know I'm just chewing through this content, because the next part is going to take a little bit longer. I'm going to give you a demo in Excel eventually, but for the moment we're going to talk about the security maturity model. This is a model that I developed because I wanted to be able to say
to these wonderful business people, who have no interest in technology or security beyond, we've hired what seem to be really good technical people and they seem to be doing the right thing: I need to make that CEO and that CFO understand why we need a security budget. But that means I need to make them understand what not-so-great security looks like versus pretty healthy security. And I don't want to make it bad versus good, I want to make it robust, right? I want to make it healthy. This is not so healthy. Like, that's easy, that's an easy concept. If I eat a candy bar for lunch, that's not so healthy. If I eat a salad for
lunch, that's healthy. When you frame security in this way to a business, they really get it. I've gotten so much good feedback on this. Friends who are CISOs at very large companies take this and use it. I've had friends who are customer success managers at very large security vendors take this and use it to train their customer service team so that they understand the pressures that are on the business that they're serving, right? I've had Mandiant and Talos consultants share this with the people that they serve. So it seems to be a pretty robust model that applies not just to small organizations but pretty... and I break it up by organ...
This model, I will say, is in my GitHub. If you go to, I think it's github.com, Carlota Sage, there is a Show Me the Money repository. You can download all of these models and worksheets I'm going to share with you today, and you can customize them and use them in your own organizations in whatever way is meaningful for you. So from that perspective, I wanted to not only show what's healthy and what's not healthy, I wanted to show the pressures that drive you in each direction. It's like, okay, you've shown me what's healthy and what's not healthy, and now you're asking me for a budget, and what does that really mean?
Here you go, here's how you move, not just with technology, here's how you move from less healthy to healthy. All right. And I'm going to... attention, what we're really here for is the money lens, right? Because when you're a very small organization, proving ROI to get money to build your security program, if you're a security practitioner, an IT person, you maybe have never had to do this. Maybe you've never had an econ course, maybe you never had a business course in school. This is something that may be new to you, maybe it's not, but hopefully it will make sense. I started with a simple ROI calculator, and actually I'm going to show it to you.
If you download the risk and recovery worksheets from my GitHub, you can go and play with these, and I tried to be, on this risk and recovery model, that way, and big in this... oh, I don't know,
up, left, ah, there we go, there we go. All right. I've tried to be as descriptive in these worksheets as possible so that you can share them with anyone. You just have to enter your information in the purple spaces, and then we'll automatically crunch numbers. So there's my ROI. Okay, I'm going to have to go back. I actually didn't download my own ROI model, so I'm going to have to go back to that, hang on. Come on. All right. So on the ROI model that I did not download, my apologies, and that is not in the risk and recovery estimate, the ROI model is very simple. It's about efficiency and productivity. If I have 80 employees who make $80,000 a year,
and I think I can save them 15 minutes a day, right, and my total project cost is only a hundred thousand, then my ROI is in six months. All you have to do is fill in the green boxes on this one, and it will actually populate everything else. So if you are proposing a project that is going to cost more than productivity saved, you're probably not going to get the money for it, right? You want that number, that two hundred thousand dollars, you want that savings to be bigger than whatever you're proposing. It really is that simple. If I can shave a minute a day off of a thousand employees by optimizing an internal search engine
to search 15 to 25 content repositories in a 3,000 person company, then my ROI in that particular case was about four months, because I actually did that, right? It becomes a very compelling argument, and it's an easy thing for people to buy into. I'm not saying that I'm going to save you days of effort. I'm spreading it over, realistically, maybe that's one team, maybe that's a whole organization, depending on who you're talking about. But you've got to be realistic. You've got to get them to agree. I knew in my heart and in my number crunching and in all of the data that I pulled from the search engines that I could save those
teams 30 minutes a day, because there literally were 24, 25 different content repositories. But because I only said I wanted to save people 15 minutes a day, or one minute a day, I got much easier buy-in on that. And then legendary, but to a CFO... to me and you it feels kind of like, oh, that's okay, is that really, is that really no money? To a CFO this is really money. And if they don't agree with your premise, they'll tell you, and they'll tell you what they think that premise should be, and then you can change the formula and update the spreadsheet. Everybody's happy. Like, the biggest pushback I've ever gotten was on this ROI calculator,
and it was sales going, nobody's going to believe that. I was like, okay, take it to a CFO and find out. I've never had a CFO push back on the money part or the concept. I've had them adjust things. But when you give them something like this, it's a lot easier to speak their language. It may feel unnatural for you, but productivity is a real thing that CFOs worry about, right? So any questions on the ROI calculator? Is anyone here, because that's just not possible, that's not realistic? Oh, okay, cool. No sales engineers now. [Laughter] I used that ROI calculator, and Adrian Sanabria, I believe, once posted, several times it's posted to
Twitter, and shared a calculation, and I've got the link at the back of the worksheet, on how to estimate the money that you're spending on a single incident. His concept and my concept, I smushed them together, and I said, okay, we can actually really get a lot of information about how an incident can affect an entire organization. So he was looking at how much money are you spending on the incident response as a security team, and I'm saying, okay, that's good information to know, but how much money are we losing in productivity, potential service renewals, or that kind of thing? So here's where I'm going to pull up this fancy worksheet that I put together
for you. So, that said, you know, in real life, if I've got an incident that takes 60 minutes, maybe my internal portal to the CRM or something is down for 60 minutes, how much money am I really losing in productivity? Because then, if that happens once a year, maybe we're willing to accept that risk. But if that's happening continually, now you can say, okay, well, three thousand dollars, eleven thousand total, not that big a deal. It's a big deal if you're a small organization. If you make, you know, a couple hundred thousand a month and you're a non-profit, that eleven thousand dollars is a really big deal. If
you're an enterprise organization, you can change those numbers. I mean, maybe your help desk is 300 people, or your customer support center is a thousand people. You put those numbers in, you can get a good idea of how much things really cost you in terms of time lost. If people are not hammering on their keyboard for an hour, how much money am I really losing? I also did this from a service perspective. So if I am, in this particular case, a web provider, this is a content service, and my sites get DDoSed, I lose 5,000 a day, 220 an hour, you know, 370 a minute. And if you're a non-profit, again, that
$5,000 a day starts to kind of add up, money adding up in their head, the bigger the problem the bigger that number, right? Now if I'm down for, well, right, so that service disruption is up top. Support impact estimates: if you are a service provider, you probably offer customer support, and maybe you only get usually 200 cases a day, okay, that's in your operational model. Now you're suddenly getting an extra 150 cases that you weren't expecting, you weren't expecting to have to pay that money. When you're in a support operations role, you know how much a contact costs your organization. When I worked at Netgear, a phone call to Netgear cost $18. I knew that, I knew that because we could
divide how much money we were spending by how many phone calls we were getting in a day, and, you know, there you go, every phone call costs eighteen dollars. If I can save ten phone calls a day, I save a hundred and eighty dollars a day. That math becomes very simple in a support organization, because you have tickets and you're tracking all of that. So support is one thing, you can also make that a customer service thing, there are a lot of ways you can apply that model to other parts of your organization. On your incident response: how much is my network engineer, my service delivery engineer, my security analyst? Change
those to whatever is meaningful for you, fix the salaries, how many people you have, whatever that number is, is your number, right? And the recovery costs: how many new employees do I need to hire? What's the average salary I'm going to spend on those? What's that cost of labor? How much did it cost me to change my platform when that platform I was using got hosed? Right, I mean, if your WordPress blog gets hosed and you were thinking about changing the platform, maybe you'd already budgeted for it, great. If you hadn't, what's it going to... how much does it cost me to train people on whatever has happened, whatever change I now have to make? How much money do I
need to spend on PR or on internal communications? Those are all numbers that you track. Talk to your CFO, they'll give them to you, right? So, you know, maybe the total spent on recovery here is eighteen thousand plus another fifteen hundred plus another fifteen hundred, you know, plus whatever you're losing on the service side. Those numbers start to add up. You can see the CFOs doing the calculations in their head. Does this make sense? I've tried to put a lot of, like I said, I tried to put a lot of explanation in the boxes, so that, again, this is a conversation starter. If you take this to your CFO and go, you know, somebody gave this to me, it seems to
make sense to me, does it make sense to you? Let's talk about this. Now when you give them these kinds of numbers, now you can say there is a cost associated, right, with responding to an incident that may not be obvious. We'll go through some other numbers in a minute, but we also have some application development stuff, really simple model. Ransomware: this is not a calculator. There is, I think in the notes on this worksheet, there is a link to a consulting group that does have a calculator that's based on their own customer base. You know, you tell them how many endpoints you have, and, you know, whatever theoretical problem has happened, they'll tell you an estimate of what that
incident will cost you. I don't know how accurate that is, I don't have that insight, so I'm not going to show that off per se. But what I want your CFO and your CEO to understand is that there is a cost associated with not doing security. So now you've shown them the cost of doing security, you've shown them the cost of an incident, here's what it's going to cost potentially if we don't do security and we end up in one of the FBI's, you know, BEC reports. Or, yeah, there's a lot of stuff here. Sophos, SecureWorld, I think it was Sophos, who has really fantastic market research that was done. They
went to an outside firm and said, we want to do research to cover even people who aren't our clients, and they went out and did it, and they have all of this great information. They update that report regularly, it's worth going to look, and I'm pretty sure I've included a link in the notes. So if you click over to the helpful resources, you've got some of those things that I've researched as well. Let's zoom this in a little bit more. Yeah. So that's just a really quick and dirty walk through that Excel file. Is there anything there that makes people go, that doesn't make sense, or does it feel pretty natural? Because I feel like even for security
practitioners who aren't, you know, math geniuses, I'm not, this felt good. Not only did it feel good, it was a good enough conversation piece that I've never had to go to any of those other outside resources. I've always taken that security maturity model, and I've taken those risk estimates, recovery estimates, and pretty much gotten what I needed out of that.
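The ROI calculator and the risk and recovery estimate walked through above, as an added example that is not the speaker's spreadsheet and not part of the original talk: the same arithmetic as plain Python functions. It assumes an 8-hour day and 250 working days a year (neither stated in the talk), uses the talk's ROI inputs (80 employees at $80,000, 15 minutes a day, a $100,000 project), and constructs the incident inputs for illustration, borrowing the $5,000/day service figure, the 150 extra support cases, the $18 per contact and the 18,000 + 1,500 + 1,500 recovery line items from the talk.

```python
"""ROI and incident-cost arithmetic from the talk, reimplemented as plain
Python (added example; not Carlota Sage's spreadsheet). Working-day
assumptions and the sample incident inputs are constructed for illustration."""

HOURS_PER_DAY = 8             # assumption: one working day
WORKING_DAYS_PER_YEAR = 250   # assumption: roughly 52 weeks minus holidays


def hourly_rate(annual_salary: float) -> float:
    """Cost of one employee-hour, given a (fully loaded) annual salary."""
    return annual_salary / (WORKING_DAYS_PER_YEAR * HOURS_PER_DAY)


def annual_productivity_savings(employees: int, annual_salary: float,
                                minutes_saved_per_day: float) -> float:
    """Dollar value per year of saving each employee a few minutes a day.
    This is the 'productivity saved' side of the ROI calculator."""
    hours_saved = minutes_saved_per_day / 60.0
    return employees * hours_saved * hourly_rate(annual_salary) * WORKING_DAYS_PER_YEAR


def payback_months(project_cost: float, annual_savings: float) -> float:
    """Months until the project's cost is covered by the savings it produces.
    A project whose savings never cover its cost gets an infinite payback."""
    if annual_savings <= 0:
        return float("inf")
    return project_cost / (annual_savings / 12.0)


def incident_cost(outage_hours, idle_employees, employee_salary,
                  daily_service_revenue, extra_support_cases, cost_per_contact,
                  responders, responder_salary, response_hours, recovery_costs):
    """Risk-and-recovery estimate for one incident, broken out the way the
    talk does: productivity lost, service revenue lost, surge in support
    contacts, incident-response labor and one-off recovery spend."""
    breakdown = {
        "productivity_loss": idle_employees * outage_hours * hourly_rate(employee_salary),
        "service_loss": daily_service_revenue * outage_hours / 24.0,
        "support_surge": extra_support_cases * cost_per_contact,
        "response_labor": responders * response_hours * hourly_rate(responder_salary),
        "recovery": sum(recovery_costs.values()),
    }
    breakdown["total"] = sum(breakdown.values())
    return breakdown


def annual_expected_loss(cost_per_incident: float, incidents_per_year: float) -> float:
    """Turns a one-off incident cost into a yearly figure, which is what the
    'if that happens once a year versus continually' comparison needs."""
    return cost_per_incident * incidents_per_year


if __name__ == "__main__":
    # The talk's ROI example: 80 employees at $80,000, 15 minutes a day saved,
    # a $100,000 project.
    savings = annual_productivity_savings(80, 80_000, 15)
    print(f"annual savings: ${savings:,.0f}")
    print(f"payback: {payback_months(100_000, savings):.1f} months")

    # Constructed incident: a one-hour CRM portal outage, 80 idle staff,
    # a $5,000/day service, 150 extra support contacts at $18 each,
    # three responders at $120,000 for a day, plus recovery line items.
    est = incident_cost(
        outage_hours=1, idle_employees=80, employee_salary=80_000,
        daily_service_revenue=5_000, extra_support_cases=150, cost_per_contact=18,
        responders=3, responder_salary=120_000, response_hours=8,
        recovery_costs={"new_hires": 18_000, "training": 1_500, "comms": 1_500},
    )
    for line, dollars in est.items():
        print(f"{line:>18}: ${dollars:,.2f}")
    print(f"at 4 incidents/year: ${annual_expected_loss(est['total'], 4):,.2f}")
```

With the talk's inputs the ROI side comes out at $200,000 a year saved and a six-month payback, which matches the figures given on stage; the incident side is the part to adjust line by line with the CFO, since the response and recovery items are whatever the organization actually pays.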
That's the Show Me the Money part. So there are other tools that I'm going to show you, since I have plenty of time and I could talk more about myself, but you're here to learn. I'm going to bounce back to the security maturity model, because once you've shown those numbers, now you come back and you can say, okay, you know, if we want to talk about technology, here's where X amount of spend will get us, and you can figure that out with your CEO and CFO on how much they want to spend, where they want to be. Now the security maturity model is fantastic. I've gotten tremendous, huge amounts of really great feedback, and I really
appreciate it. In fact, I think like half the people in this room have given me feedback about it. There is a more simplified version that fits onto a slide deck, so that if you're having to present for some reason to the C-suite or to the board, you can take that more complicated model and make it a little more accessible. I like it, it's a little dumbed down. I would definitely start with the bigger one, but more importantly, you can take that bigger one and you can really operationalize it. So it's great to say, hey, my organization is healthy, not healthy, whatever. How do I move from one side of healthy to the other, or not healthy to healthy?
And everything that we've done in that organizational model we can now pull in. That had ad hoc, compliance-driven, risk-based. We now pull that in and we make a one-to-five scale out of it, right? And you can put in your different teams that you're using, and you can decide whatever is meaningful for you in terms of cross-functional relationships, cyber security operations. You know, on those cross-functional relationships, I always start with business alignment, because if you're not talking to the business and understanding what they need, you can't secure them, right? Because you don't know what data they really care about. You may have plenty of access to databases, but maybe that's not where the data they actually
care about lives. You know, we talk a lot about shadow IT, because everything is cloud-first these days, and if you're not cloud-first, you know, people feel free to be cloud-first on their own. You know, Lucidchart is great about calling you and going, hey, you have 30 people in your organization using Lucidchart, don't you want to buy an enterprise subscription? Yes, you do, because that actually does reduce your cost, but more importantly, you've just found out that 30 people are using Lucidchart. Maybe they never told you that. I have one client that manages everything, they have gotten really good, they have driven their culture to OneLogin. Everything goes into OneLogin. You need to put every password you
have in OneLogin. If it is related to this business, put it in OneLogin. So when I went to them and said, great, you know, how are we managing vendors for you? Well, who are your vendors? Uh... right. So here's what you do. You go to your OneLogin and you dump out everything people are saving their passwords to, and then you also go to your CFO and your finance team and you get a dump of who you're paying, and between those two things you get a really good idea of your vendor list that you now have to manage. Yay. Raw, but that business alignment: what are you doing, where are you doing it?
like i like to call the business up and say or do a zoom meeting now right hey walk me through your typical week i don't come at them with security crap i go you come in you sit down you fire up slack you check your mail what happens next oh well you know we did this and that every conversation i've ever had with a team that first conversation their it team finds all kinds of things that they didn't know there's at least one application that people are using that it had no insight into right or security hadn't well most of these orgs don't have security i'm the security right so those very casual conversations can be very
want to keep that tone friendly you want to make sure i'm not here to change anything you're doing i don't care if you're sharing passwords right now we'll get to that so i just need to understand how you do your job so i make sure i don't screw anything up and when you approach it from that way people are like oh oh you just don't want to mess my day up that's great yeah let's talk about that all right great you're sharing one password across five people okay that's fine you know look if the license is a buck go ahead and get the license if it's more than that let's have a discussion later but for the moment could you at
least put that password into the password manager because it'd be really nice if we're only sharing it with five people and not five others who've left the company oh yeah okay that makes sense like i'm not asking you to stop or change what you're doing other than let's just put in the password manager so we can change that password and the people who need it have access to it it's that simple and people are so positive when you come in with that attitude i don't want to screw anything up i just need to understand what you're doing so i don't screw anything up and people really like that and because they understand you're trying to make them successful but you
can't make them successful if you don't know what they're doing the other thing that comes out of those conversations is you can see where different groups are maybe leveraging similar tools that you can automate some of that workflow through or maybe they're using the same tool and they're using it in very different ways and there's some efficiency that you can teach one group that you've learned from the other there are a lot of gains to be had and just sitting down with people and figuring out what it is they do
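The two-export trick described above (dump the SSO or password-manager app list, dump the finance payee list, and reconcile them into a vendor inventory) can be scripted in a few lines. The following is an added example, not the speaker's tooling or anything from Fractional CSO; the OneLogin-style export and the finance export are constructed sample data, and the matching keys (a login host's registrable label on the SSO side, the first word of the payee name on the finance side) are a deliberately simple first cut that still needs a human to review the leftovers.

```python
"""
Build a first-cut vendor inventory by reconciling two exports:
  1. the SSO / password-manager app list (which apps people sign in to)
  2. the finance payee list (who the company is actually paying)
Both sample exports below are constructed for this example.
"""
import csv
import io
import re
from urllib.parse import urlparse

# Constructed sample of an SSO-style export: app name and login URL.
SSO_EXPORT = """app_name,login_url
Slack,https://acme.slack.com
GitHub,https://github.com
HubSpot CRM,https://app.hubspot.com
Zoom,https://zoom.us
Canva,https://www.canva.com
"""

# Constructed sample of a finance / accounts-payable export: payee and trailing-12-month spend.
FINANCE_EXPORT = """payee,annual_spend_usd
Slack Technologies LLC,14400
GitHub Inc.,9600
Zoom Video Communications,3000
Mailchimp,1800
Amazon Web Services Inc,52000
"""

# Legal suffixes that finance systems append but SSO app names never carry.
LEGAL_SUFFIXES = re.compile(r"\b(inc|llc|ltd|corp|corporation)\b\.?")


def normalize(name):
    """Lowercase a vendor name, drop legal suffixes and punctuation, collapse spaces."""
    key = LEGAL_SUFFIXES.sub(" ", name.lower())
    key = re.sub(r"[^a-z0-9 ]", " ", key)
    return " ".join(key.split())


def sso_key(login_url):
    """Key an SSO app by the registrable label of its login host: acme.slack.com -> slack."""
    host = urlparse(login_url).hostname or ""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def payee_key(payee):
    """Key a payee by the first word of its normalized name: 'GitHub Inc.' -> 'github'."""
    cleaned = normalize(payee)
    return cleaned.split()[0] if cleaned else ""


def reconcile(sso_csv, finance_csv):
    """Join the two exports on their keys and sort vendors into three review buckets.

    managed_and_paid : in SSO and in finance (the easy part of the vendor list)
    sso_only         : signed into but no spend on record (free tier, card expense, or a naming miss)
    finance_only     : paid for but not behind SSO (access nobody is managing; onboard or review)
    """
    sso = {sso_key(row["login_url"]): row["app_name"]
           for row in csv.DictReader(io.StringIO(sso_csv))}
    paid = {payee_key(row["payee"]): (row["payee"], int(row["annual_spend_usd"]))
            for row in csv.DictReader(io.StringIO(finance_csv))}

    both = sorted(set(sso) & set(paid))
    sso_only = sorted(set(sso) - set(paid))
    finance_only = sorted((key, paid[key][0], paid[key][1]) for key in set(paid) - set(sso))
    return {"managed_and_paid": both, "sso_only": sso_only, "finance_only": finance_only}


if __name__ == "__main__":
    result = reconcile(SSO_EXPORT, FINANCE_EXPORT)
    for bucket, entries in result.items():
        print(bucket)
        for entry in entries:
            print("   ", entry)
```

The `finance_only` bucket is where the "application IT had no insight into" from the speaker's discovery conversations tends to surface: the company is paying for it, so someone is logging in, but nothing in the SSO or password manager records who. The `sso_only` bucket is the opposite question for finance (who is paying for this, or is it a free tier with company data in it). Word-level keys will mismatch on vendors whose billing entity name differs from their product name, so treat the output as the starting list for the conversation, not the finished inventory.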
Okay, that is the maturity model. The other thing I have for anyone, and this is kind of, I thought about making this the Show Me the Money talk because originally it was just about those two worksheets, the ROI worksheet and the risk and recovery worksheets. It's evolved, obviously, because I put together the security maturity models. I've also, for people, put together a real simple one-year strategy sheet. Your one-year strategy is just taking again those pieces that we talk about in the maturity model, and there's a bit of repetition here: when you use the same concept over and over again, the business starts to get it, right. And you just say what your goals are for
that first year. It doesn't have to be very fancy, right; it's just, what am I trying to achieve this year? Don't worry about next year, don't worry about four years; I'll show you how to worry about that in just a second. But when you're talking about strategy and you're not used to that, maybe when you're doing hands-on tech stuff and now you have to pivot to strategy, go to your business side. They'll coach you through this, they'll help you, because again, now you're saying, hey, I need to put together a strategy, not really sure if I'm doing it right. Now you're making them invested in your success, right. I think that this is what we need to do,
and they can talk through that with you, and now they also know your strategy before you have to go to any kind of meeting, right. And you have a chance for somebody who maybe has more experience in building those strategies, those one-year strategies; they can take a look at this and help you through it. I also had a request at some point for a roadmap, and this is still a little bit in flux. This was originally made for a 150-person, actually 100-person, organization, but they had a lot of different things going on, so I wanted to separate out for them their business systems from their communication and collaboration systems,
which were mostly public-facing; the cloud services that they were using to run their content management hosting; and their application development, because they also did mobile applications. So even though there were only 100 people, they had these four major things going on that you all kind of have to treat a little bit differently. So when I originally made a roadmap for their CEO, I had to take into account all of these different things. I've tried again to use this cross-functional relationship: security operations, external relationships, and I've tried to give you just a hint of what each of those are, what security needs to know about the business, and then I give you, if you
hover over the comment, I actually give you a little more detail. So let's see, so your year one, let me make this a little bit bigger. My other favorite: I've had one pushback on this, and that pushback was, adversaries don't care about your roadmap. And I'm like, you're absolutely right, and your CEO doesn't care about your adversaries either. So you've got to put this roadmap together; you can't escape that if you want money from someone, because now they're going to want to know: okay, I'm giving you a bunch of money for tooling, that's great, for training, awesome; how am I getting metrics back on that? How do I know if the money I'm
giving you is being spent correctly and that we're seeing success out of that? So a lot of that comes down to, you know, okay, you're not going to see a lot of success in the first year, boss, because, you know, we're gonna spend all that time setting everything up and all of that, and then we have to get into some ongoing, you know, continuous improvement stuff. This is very generic. I've tried to make this very generic for a reason, because I want you to come in and I want you to fill it out for what's meaningful for your CEO and CFO, right. They're going to tell you what's important to them, right.
You may not know the metrics; tie the metrics to what they care about. Like, if what they care about is selling more subscriptions to their content management system service, great, let's figure out how getting SOC 2 actually might enable sales. And one of the things I did to figure that out was, let's look at our CRM and see how many leads we lose because we don't have SOC 2. And I literally made the sales team change everything they were doing. Change everything they were doing? No, I had them add a field for SOC 2, and if a potential prospect asked, are you SOC 2 compliant, before I move all of my precious museum artifacts into your content management
system, or at least pictures of them, before I spend all of this money and time adopting your content management system and using your service, are you SOC 2? They were losing out on 150 to 250,000 dollar deals because they weren't. Now you have data, and you can go back to the CEO and say, okay, I talked to the sales team; last quarter we could not speak to these clients or potential clients because we were not SOC 2, and that was a million dollars in the funnel. That might have only netted us 150,000, but that's a million dollars in the funnel that we just did not have access to at all. Very compelling reason to get your SOC 2,
beyond "we have to do it" or "it's best practice." Now it's actually a part of your sales conversation, and more and more organizations are asking that of smaller orgs, because they do see that as a minimum: you must be this tall for me to ride the ride, you know, for you to push my cart, right. I need you to at least be SOC 2 compliant, because that at least tells me, as a larger organization, that you're thinking about security in a way that's meaningful to me. And it's a simple checkbox, and people are using it now. That's great, that's great that these larger organizations are holding these smaller organizations accountable, but it also means that these small organizations are
having to think about security a lot sooner than they would have 10 years ago. We at Fractional CSO saw a big influx of customers in the SaaS platform space a few years ago, because they hit a certain size, they hit a certain kind of traction in their market, and the bigger guys take note of them, and now they're getting the calls from the bigger companies, and that's one of their questions: are you SOC 2 compliant? Do you have a CSO? You have some really basic security questions. Oh, well, we'll go call a fractional CSO type of people and we'll go get that
done. Now we're seeing it with the e-commerce platforms. Now we're going to see it, I'm sure, every couple of years, some different market segment; it's going to become really popular. We're also seeing a lot of cyber insurance companies, when they turn down or cancel someone's cyber insurance, they're saying you don't have a CSO and you don't seem to have a security plan, and we get leads out of that. So bringing it back here: your CEO wants to know, okay, great, I'm throwing money at you today, what's that get me in the next one to three to four years? I put four on here; I think I'm gonna trim it down to three. But in the next one to three years,
what can I expect to see? How does that move the needle on that maturity model? You know, what do we do? These are exactly what I built to talk to that customer, that non-profit in Atlanta. I still use them now that I'm with a larger vCSO group. These have been really helpful for me; I hope they're very helpful for you. So that's really it for me, unless you have some questions. I see Mr. Steffen, do you have a question?
That's, more and more, I will say it's becoming more and more popular, especially for the very small, aggressive, cloud-first companies, right, because they're able to spin everything up and down a lot faster. So we see customers go from like 50 to 150, you know, triple their company size in the space of a year, and it's because they're going after targets, and those bigger targets are asking for that. It becomes like 50 percent, almost, of their funnel sometimes, right. And answering, building a pool of security questions for your sales team, has become pretty much a request from every customer, right, because we're very clear: we will not be your big desk, not going to sit there and
fill out security applications for you all day. I hope we make a questions-and-answers that hopefully, I'll give your sales team enough training, enough awareness training, that they hopefully can map those answers to whatever customer questionnaires, and then any questions that aren't answered, we'll do the one-offs on a regular basis. But pretty much every customer now wants a pool of questions for the sales team. So thank you, that's a good question. Yes?
That's a really good question. We are almost never going straight to healthy. Usually they come to us because somebody's asked them for compliance, and it's usually a customer; we're seeing investors ask for it now. So they're almost always coming to us wanting immediately to be in that compliance column here, I'm going to pull that back up, come on. The other thing is, we tell people they may be in different spaces, right. They may already be doing some compliance stuff, but they're still doing certain things that are on the unhealthy or less healthy side, so we've taken to putting a check in the different columns. Sometimes they're all over the place, but
their leadership has decided, because their leadership is willing to spend money on us, right, their leadership is already starting to move to this box, or up here, this organizing principle. Leadership loves seeing that they have at least one check in that green column, because if you come to us and you're willing to spend the money on a part-time CSO, basically, and a security analyst to go through your stuff, you're way ahead; you're moving in that healthy direction. So we give them that checkbox. We're not brutal; like, they've already signed the check by the time we start talking about this model, so we don't have to be mean about it. We're not
trying to use FUD to sell anything, right. But we are very honest with them, and it's like, okay, you're doing it this way and it's working right now, but we've seen other clients in that space that if they don't move in this, you know, amount of time, you know, this project essentially fails. If you stop communicating with us, guess what, we have a clause in our contract that will cancel your contract. Like, we don't want you to get breached either, but more importantly, if you stop speaking to us for six months and we have no insight into what you're doing, we don't want to be associated with you when you do get
breached, because we know it's coming, right. And we just try to beat that drum of: everyone, yes, everyone is at risk, yes, but you're doing some right things, and the fact that you're talking to us at all is a pretty good sign. So yeah, they can be anywhere in this map. It's not straight down. Like I said, they're often coming to us somewhere between that red and pink, red and yellow, column. And I've got one client that is already somewhere, like, I've been working with them for two weeks, I'm still in the discovery process, right, and I can already see they're between the yellow and green, which is great, because for the average
client, on average, it takes me nine months to get through that discovery process, get the gap analysis done. Once I've done that, you're here, I want to get you to this space; that means that we have to do a bunch of policy development and a bunch of program work that nobody wants to do. We've got templates for that; it speeds it up. But to get them from where they are to where they're ready to start talking about SOC 2 is about nine months. Now, that client that's already in that yellow-to-green space, I've only been working with them for a couple of weeks, but they're really tight and working on that gap analysis, but I
imagine it's probably only going to be three to four months, because they are already doing so many things right. So that gives us more capacity to do other projects with them once we get them to that minimum level. Any more questions? Has this been... oh, the giveaway, okay. Oh, let's see what we've got. We've got a USB wireless adapter, AC600, Alfa Networks. Okay, so who can tell me, trying not to use a maturity model in my head here, ROI, productivity: who can tell me why you even do it? Give me any answer, really. Kathy?
Yes, absolutely, come get your prize. [Applause] All right, what is this? Oh, I mean... [Laughter] All right, what else did I talk about today? Ooh, who can tell me any one of the key principles about talking to people that I put up on the board way back at the beginning of the talk? Yes?
Yes, ready? Not quite. All right, thank you everyone. I hope this was meaningful for you. If you have any questions, you can hit me up on LinkedIn, you can hit me up on Twitter, you can catch me in the hall, whatever. Have a great rest of your day, evening.