Endurance is the Key to Success - Melanie Thomas - Channel Security Secrets - Episode #11

Lou Rabon:

Welcome to Channel Security Secrets. I'm Lou Rabon. On this show, we expose the untold secrets and critical insights from the people shaping the future of cybersecurity sales in the trusted adviser channel. If you're looking to up your game around selling security, stick around. Channel Security Secrets is brought to you by Cyber Defense Group, on a mission to shift cybersecurity from reactive to resilient.

Lou Rabon:

I'm stoked to chat with our guest today. She's an award winning cybersecurity leader, educator, and customer advocate with over thirteen years of experience in the field, recognized as one of CloudGirl's rising women to watch and named among the San Diego Business Journal's leaders of influence in technology. Formerly the cybersecurity principal at LevelBlue, she led key services like managed threat detection and response and managed endpoint security. She's currently an adjunct professor at the University of San Diego as well as serving as the vice president of cybersecurity at Bridgepoint Technologies. Melanie Thomas, welcome to the show.

Melanie Thomas:

Hello. Thank you so much.

Lou Rabon:

Yeah. Great. Like, all this stuff that you have, we're gonna have such a good conversation. I love it. But, you know, I always like to start the show with what the biggest secret is.

Lou Rabon:

So what's the biggest secret to your success in the channel?

Melanie Thomas:

So my biggest secret to success in the channel is harnessing the chaos and complexity that is the cyber industry. Right? Products, services, vendors, all this craziness into something that's really meaningful and obtainable and structured.

Lou Rabon:

Okay. So I'm gonna go deeper on that one. How do you, especially since a lot of people in this channel are nonpractitioners... When you speak to customers, obviously, if they're practitioners, they get it. But how do you get to the ones that don't understand what is meaningful, and how do you make, you know, order out of chaos?

Lou Rabon:

How are you doing that?

Melanie Thomas:

We do that in a couple different ways. And this is also what we train our strategists and teams here at Bridgepoint to look at, and we're kind of thinking about cybersecurity and what does it mean to get in these conversations. So a lot of what we coach around, the top three things, would be that nuance matters. Right? So we're thinking about what technologies do they already have?

Melanie Thomas:

Right? How their teams like to function, more so than just how many endpoints or servers do they have. Right? How can we actually operationalize all of those different technologies to work together? Because cybersecurity is really just a team effort.

Melanie Thomas:

It's really just a lot of everything's connected kind of conspiracy theory kind of feeling sometimes where it's the firewalls are connected and how we choose different vendors. Right? The nuance matters. What we also tell them is that endurance is one of the keys to success here in cybersecurity as well. So it's not just in learning cyber and being familiar with the different types of solutions that are out there, vendors, theories on how to structure cybersecurity and secure architecture.

Melanie Thomas:

It's also remembering that when we do get in these conversations and customers are making decisions about their budget or making decisions about partnerships or tools they wanna use, there are a lot of stakeholders. Right? So it's not necessarily that you're gonna get a sale off your first call because it happens to be the CISO, for example. It's also endurance, and there might be 10 stakeholders that we have to win over. And how you talk to an engineer is different than a CRO, right, or different than a CFO.

Melanie Thomas:

And we wanna kind of make sure that we're explaining all of this and strategizing for that.

Lou Rabon:

I love it.

Melanie Thomas:

It's a lot of strategy at the end of the day.

Lou Rabon:

Yeah. I wanna go deeper into some of that because, I mean, it's just great stuff. First, it's like you're talking about the why. Right? Like, you're not just saying, oh, you need an EDR?

Lou Rabon:

You need an endpoint detection tool? Sure. Okay. Here are three vendors. Here are the quotes.

Lou Rabon:

Pick one. Have a nice day. You're going deeper, and you're asking why.

Melanie Thomas:

Absolutely. Absolutely. Because we can be transactional, and that's also the Bridgepoint way is we're not necessarily transactional, right, on security. You can replace, you know, EDR vendors all day. You can throw something over the fence to say, hey.

Melanie Thomas:

Here's the Gartner top five or whatever it is. It happens to be that that quarter, that year, however they do that. It matters on what do they wanna do for a roadmap, right? What do they need to worry about for data security? What is their plan for, right, their MDR, their EDR?

Melanie Thomas:

What is their insurance that they have to do? Right? What rules do they already have to play with? So I don't always love a check-the-box conversation where it's like, well, let's just pick an EDR because this list says that we have to have an EDR. Let's be mindful of it and make sure that we're picking something and implementing something, and we're using the resources that we have, money, humans, technology, in a good direction.

Melanie Thomas:

Right? It's gonna save us time. It's gonna save us a lot of frustration. Ideally, it's gonna save some careers, so you're not spending a significant amount of money just to have it blow up in your face at the end of the day. Right?

Melanie Thomas:

So it's also what are we making sure that we're mindfully suggesting and mindfully selecting the customers to really make sure it moves the needle for security?

Lou Rabon:

Yeah. It's looking at the big picture, and it's also going back to that why. We're often getting inbound requests from trusted advisers saying, hey, we want a pen test, or the customer wants a pen test. And we're like, why? I mean, we had one that was, you know, looking for just a really kind of textbook pen test when they didn't even have one person dedicated to security.

Lou Rabon:

It's like, sure. You can find out that maybe the things that you know are gonna get tested have enough controls, but is that gonna tell you that you don't have a proper offboarding process for, you know, a user that has admin privileges? Probably not. I mean, if they're one of the people that we're testing against, but, you know, a pen test often is not gonna tell you that.

Melanie Thomas:

Right. And it's a corporate document. You gotta be risky whenever you get those in because you have to do something with those results. You can't just let it sit there.

Lou Rabon:

Yeah. Which is also a reason why I think a lot of companies are, you know, kind of hesitant. Certain ones because they're like, okay. For the smaller ones that are just getting into security, maybe they're not regulated. They're like, okay.

Lou Rabon:

Do we really wanna do a pen test or an assessment? Because now we're gonna have a bunch of stuff to do. And, you know, just as a side note, one of the ways that we handle that is we get them into a twelve month contract. We say, we'll do the assessment, but not as a project. And if you don't like it, afterwards, you can exit.

Lou Rabon:

But the thing is we want them to know that this is not something that they should put on a shelf because data is, like, you know, a good baguette. It gets stale after a couple days. Right? So the assessment, after, you know, they let it sit and collect dust for three months while they're in analysis paralysis about what to do next and what to attack, all of a sudden, that's not even their environment anymore. Right?

Melanie Thomas:

Absolutely. I think it's a very funny similar conversation when people are looking for MDR or MXDR or source solutions. Right? And they want it managed. So it's like, you still have to have someone on your team as a customer giving them feedback and helping them provision and facilitating requests and reading alerts and things like that.

Melanie Thomas:

Right? It's not necessarily that you hire a third party MXDR provider and you can fire your entire security team. Right? You still have to have that back and forth. So it's interesting when people are like, well, we know we have to do it.

Melanie Thomas:

It was in the news. Right? It was someone mentioned they can do this. You're like, well, let's let's talk about it. Like, I always have at least three questions to anything.

Melanie Thomas:

So let's let's this is for this a little bit more and see if that's really what we wanna do right now.

Lou Rabon:

Yeah. So dive in, dig deeper. I mean, you're a practitioner. You come from a really storied security background, so it's easy for you to have those conversations. What about the trusted advisers that may not?

Lou Rabon:

I know that you are the person for security essentially at Bridgepoint. You have some other people that hold that, but, like, it's the Melanie show. So, you know, how do you empower those other sellers that might not be comfortable, like, kinda doing those deep dives, like, big picture conversations with the customers?

Melanie Thomas:

That's great. Every once in a while, I'm very uncomfortable getting into some of those conversations as well. So I get it. One of the things that I love about it is when we're getting into, like, learning something that's very new. Right?

Melanie Thomas:

Kind of similar to what I talk to my students about as well at USD, where it's, you know, knowing that you don't know everything is fantastic. Right? No one in security knows everything. And so, yes, you can walk into Black Hat, for example. You can go to DefCon and talk to who might be the smartest person in the room, but that's different context, different experience.

Melanie Thomas:

Right? And it really is a team effort. So doing some due diligence. Right? Take some courses, some free courses.

Melanie Thomas:

Right? Go online. There's lots of vendors who will provide kind of free training. Keep your mind open. Right?

Melanie Thomas:

Some ups guided. But, right, find something that you also enjoy. Right? Find something that maybe lit a little bit of fire that you wanna investigate a little bit more and do some of your own kind of research. Spend some time learning security.

Melanie Thomas:

Eventually, it's, you know, it's really, I say addictive, but it's really contagious. Right? It's this is really super interesting. You start seeing it in the news and you wanna continue digging deeper. Also, for help.

Melanie Thomas:

I lean on my teams all the time because they have, right, different experience, different ways of doing things, different approaches. So ask questions, ask for help, get somebody else in the room with you. But definitely, you know, learn a little bit on your own and know a little bit of the acronyms, and it takes time. So don't beat yourself up if you don't get it after your first call, after your first month, maybe after your first year. Right?

Melanie Thomas:

Security is complex. There's hundreds of ways to do it, and everyone does it differently. So it's not a one size fits all. Jump in. Right?

Melanie Thomas:

Get someone to back you up and go from there.

Lou Rabon:

Yeah. Big time. And I think saying I don't know, that's really important. I've spoken to other TAs that are, you know, they say, hey. Listen.

Lou Rabon:

That's one of your biggest strengths is being able to say, hey. I don't know, but I'll get you the answer. And another point on that is when it's kind of an ancillary service. So for instance, if you're selling circuits or bandwidth, it might be DDoS protection. That's kind of an ancillary service, something that's complementary.

Lou Rabon:

So you're still speaking in your kind of lane because, you know, as a trusted adviser, that person may understand that. But it's and they may not understand DDoS protection, but they understand denial of service. They you know? So that's, I think, where a lot of them enter too.

Melanie Thomas:

That's a great point. Yeah. Find something that, yeah, it's tangentially related. Right? Something that you can kinda be familiar with, and maybe that's a great breadcrumb, right, to where you might be learning something completely different, right, in three months from now.

Lou Rabon:

Exactly. Exactly. You also mentioned endurance. I wanna go back to endurance because I think, I mean, listen. I think a lot of life is about endurance, and a lot of success in life at least. Right?

Melanie Thomas:

Yes.

Lou Rabon:

Tell me more about that, about the endurance in a sale for security.

Melanie Thomas:

I wanna say, I think one of the recent statistics that I've heard, I don't know who said it. I'll find some more research on that. But one of the things that we've seen a lot of vendors also say, I should say, is that it could be up to eighteen months or longer, right? That a customer is looking at replacing some of these key pieces of security. And so if they don't sign in thirty days from talking to you, from filling out a demo request randomly online, from maybe a lead that you purchased from a B2B lead marketing, for example, and they'll buy the first time you talk to them, that's okay.

Melanie Thomas:

You're competing against hundreds of other people, thousands of different technologies and combinations of that. And so that's gonna take time just to weed through, right, get to that first phase. And so our trusted advisors are also where we help. Right? It's like, let's go through, let's talk about some of the top ones that we have experience with that we know are gonna be legit, right, as we move forward with that.

Melanie Thomas:

Mhmm. But it's also looking at, you know, these are not transactional services, to use that word again. So these aren't something that's really easy to rip and replace. It's gonna take one day to change an API token, things like that. Those aren't these kinds of services, right?

Melanie Thomas:

Security services are really ingrained, not just in your security stack, it's in your processes, it's in your company policy, it's in your business impact analysis, your backup and recovery, your disaster recovery, incident response, right? And so all these matter. And so it matters. We can't just rip and replace an EDR. Right?

Melanie Thomas:

So for example, when CrowdStrike had that very unfortunate development incident last year, we didn't see a lot of shift in CrowdStrike usage. Right? Because they're still a very legit company. They just happen to have made a very unfortunate mistake and got themselves in the news. Yeah.

Melanie Thomas:

And so it's not just, it's easy to rip and replace. Even rip and replace could take six months by the time you get a vendor, depending on, right, how you access your devices and things like that. So it gets really complicated, and sometimes that's where people just kind of glaze over. They're like, yeah, there's no way I can remember any of this. That's also fine.

Melanie Thomas:

People like me are nerds. We love the details and we love getting into that. And team effort, right? It takes all of us to get through these. But having the endurance to say, you know what?

Melanie Thomas:

This might take six months. We might be talking next quarter by the time we can look into their vendor, and that's okay because that's how long some of these systems take to really mindfully implement something that's gonna stick.

Lou Rabon:

Yeah. So be prepared. Right? Be prepared that it's going to be a longer sales cycle. So endurance and patience would be part of it.

Lou Rabon:

So that's really good advice for anyone selling security. And for selling solutions, it's even harder, meaning, like services, like what we do. It's like if you're selling a services sale, often to your point, it's not just that it's so hard to rip and replace a vendor for EDR or a service vendor, but it's also if you make the wrong, you know, choice, it really could be your job, and it could be a couple people's jobs because it could risk the company's reputation if you make the wrong choice. So not like if you get an IT vendor. I think the same for IT vendors, but that's another story. You definitely wanna choose the right one or it could be disastrous.

Melanie Thomas:

Oh my gosh. Right.

Lou Rabon:

But I mean yeah. Like, let's say printers or whatever. Like, if you're gonna, or toner, you know, if you wanna get a new toner, if you make the, you know, maybe a company lost a couple, you know, $100 or some thousand bucks, but that's something that you can just do on accounting and recover from, save some money, whatever. But you make the wrong choice of a vendor and you get, you know, hacked, basically, the worst thing that could happen. There's real impact there.

Lou Rabon:

So I think it's definitely, and that leads to my... you were talking about all these vendors, and you go to Black Hat and you see this, the big security conference. It's scary how badly the vendors are misleading everyone. I think that's part of the big problem that we're having in cybersecurity because everyone is trying to market that they've got the silver bullet that's gonna solve all the problems, and you know very well what's behind that. You know, what are some of your experiences with that?

Melanie Thomas:

Oh my gosh. I think the prime example is AI. Oh, we have AI. AI can do all these things. And it's like, no.

Melanie Thomas:

I have questions. AI is shiny data science. It's data science with software. It's not a magic bullet, and it matters, right, how they train it, how they implement it. Is it AI for security or security for AI?

Melanie Thomas:

Right? There's a lot of different ways that you can do that. So we see a lot of people saying, well, it has to have AI. Luckily, I think we're starting to see that tide turn where we're starting to question, like, what does that really mean? And do I really wanna pay more for it, because I don't really understand it?

Melanie Thomas:

Right? So it's not the steep or shiny thing. Another thing that we're also seeing is not being transparent with the total cost of that vendor, of that technology. So sure, you could be an MDR provider, but if you don't tell them, well, now you have to deploy a collector at 31 different sites, and it's a physical collector, your team has to go do it, but we have to have it. You don't find that out until afterwards.

Melanie Thomas:

Well, now it's a significant cost to you and your teams. Microsoft Sentinel is a big one too since we're seeing more companies wanting to leverage Microsoft and consume more in the Microsoft ecosystem. That's not free. Just because you have an E5 license, that's not free. There's extra cost behind that.

Melanie Thomas:

I think if we start going back to some of the fundamentals, if we think about IT fundamentals, security fundamentals, as you're designing an environment, the total cost absolutely makes sense. It's not just what you're paying that vendor. It's the ingress egress, right? It's the bandwidth in your network. It's servers they have to set up their services on and all that comes at a cost.

Melanie Thomas:

So as we get more and more into very economic uncertain times, customers are having to reduce budget or freeze budget. They can't absorb like they used to, right, significant extra costs on the back end that they didn't plan for.

Lou Rabon:

Oh, yeah. Big time. So many good things in there to unpack. I mean, first is the cloud model, which is this elastic amazing, you know, I'm old enough to remember that the cloud was like the three servers that were so loud in my, you know, under my desk, and that was my cloud. Now, you know, you can do basically anything.

Lou Rabon:

We are now, you know, moving to forensics in the cloud, having a forensics lab. Super secure, easy to get, huge data, you know, transfers. Don't have to then download that data. It stays up there. It's awesome.

Lou Rabon:

However, the costs for that are ridiculous. I mean, you know, just to have a cloud based one big forensic workstation in the lab is, like, probably about $200 a day. And when it's idle, it still costs money, you know, because you're not completely destroying the instance. So that, like, thing about, yeah, the customer's not really taking into account that, okay. Here's the licensing cost.

Lou Rabon:

Cool. But it's like, wait a second. What's the compute cost for all that and the storage? And then you get all, yeah, the ingress, egress of data, the bandwidth. There's that.

Lou Rabon:

And then there's, you know, the other thing that's really interesting is the vendors, when you were talking about the AI vendors. And what, you know, what kills me is, and that most people don't realize, is you'll go online and every time I see a new AI vendor and they're like, give us all your data and then our AI will tell you, you know, first look at the privacy policy, which is probably like, we're gonna use your data to train our model, because now data is not the new oil anymore. Data is like the new diamonds because they've just basically exhausted all content that they can get other than, you know, now they're paying API fees for Reddit and stuff like that. But, you know, there's just no way for them to find the amount of data that they need. So they're using your data, usually.

Lou Rabon:

It's usually they're using someone like Claude or ChatGPT, you know, OpenAI or, you know, Grok behind the scenes, so they're just paying a cost there. This is a whole startup ecosystem based on this stuff. And then third, the worst part is go on to LinkedIn. Look at their, you know, the people in their company. There's usually 10 people, and they're all either sales and or tech.

Lou Rabon:

There's no one that does security. And it's like, but you go to their security page, and then they paid Vanta $20 and some, you know, fly by night auditor to give them green checks all over everything. So sorry. I had to get on a soapbox.

Melanie Thomas:

That's good. No. I agree.

Lou Rabon:

You know, this whole AI bubble, it's just like, you know, 2000 all over again. It's crazy.

Melanie Thomas:

Right. And all the regulations are gonna come in. So, yeah, you let your users sign up for all these free AI accounts. Now when we get to the accountability part of it, and that's added to your third party risk, and now you have to figure out which of all your tools use AI and how, and how do they report that and how do they use your data. It's a whole other piece of third party risk that's going to, I think, become more relevant in 2026.

Melanie Thomas:

And there are, of course, vendors out there that people can connect with and do all these things. It's attestations, right? It's a whole extra set of surveys that you send your vendors on top of what you're already doing. So especially if you're a vendor yourself, right? What are you up to now? Because now you have to send it to all of your customers.

Melanie Thomas:

It's a whole thing. So I think we're starting to see now when people jump to emerging tech, it's great. It's innovation, but it all comes at a cost, especially if they said it's a free service.

Lou Rabon:

Big time. Big time. We're getting a ton of inbound, you know, inbound AI governance requests. Which is great because we've got, you know, we've got the capability there. But I don't know.

Lou Rabon:

I'm on the fence. You know? It could be like privacy. I was in privacy before people really knew, back in, like, 2013, for a big company. And, as I started, you know, my practice, CDG, I was like, alright.

Lou Rabon:

I'm gonna lead with privacy, and I got a lot of inbound in the beginning when GDPR came out and stuff. But then it just went to the lawyers, basically. And it just became kind of a paper exercise. So I kind of feel like AI could go that way where it's like you have a lot of stuff to do, but, you know, maybe you can template it out and then just have... the challenges for security teams, so back to, you know, what's relevant to us, how do you control that within the environment? But, you know, I think there's certain companies, at least from our experience in this channel, where they don't even have the basics down.

Lou Rabon:

Like, the simple blocking and tackling, they're not doing any of that stuff, or they've been misled by a vendor. You know, we're seeing the second and third generation of, like, vCISO, you know, an overused term, where in the beginning, they were just getting the one person that was telling them what to do and then comes back a month or two later and says, did you do that? And now they're evolving to our model, which is we bring a team and we execute, you know, and actually operationalize it. So I think it's the same with AI where, to your point, we're going through that, like, kind of everyone's excited, Dutch tulips. You know?

Lou Rabon:

Right? But NFTs, best thing since sliced bread. Yeah. And then and then it's gonna, yeah, kinda even out probably.

Melanie Thomas:

Then something else will come along, and we'll have this all over again, and AI would be the new privacy.

Lou Rabon:

Voila. It totally... you know, that's a fun roller coaster that we've jumped on.

Melanie Thomas:

I love it. Never boring.

Lou Rabon:

Yeah. Seriously. And by the way, you did mention about being curious, and it's such an important part of being a cyber practitioner, and I think that that's really relevant for salespeople too. And any, you know, if you're the person that, to your point, is going out there looking at, you know, reading, you know, Brian Krebs and trying to figure out, how did that happen? Who's getting hacked?

Lou Rabon:

You don't have to be technical. You don't have to be, like, the guru. The fact that you're already asking those questions and kinda going down those rabbit holes is a good indicator that you'll be a good security salesperson, I think. So I think that's good advice too and a good call out. You mentioned insurance too.

Lou Rabon:

That's one thing I wanted to kinda dig into a bit. Cyber insurance. So what are you seeing in the cyber insurance market right now?

Melanie Thomas:

Rates are gonna go up. That's an easy one. So I think across the board, everyone needs it. Right? Everyone should have cyber insurance.

Melanie Thomas:

If you don't already, like, we should talk about it. Right? We should talk about cyber insurance. We're seeing a lot of need for claims coaching right now, which I've been in a lot of really good conversations about. So we're kind of also looking at connecting the dots.

Melanie Thomas:

So in claims coaching, right, sure you have cyber insurance. Ideally in your incident response plan or something, someone knows how to call those people. So when something does go bad and go wrong, right, you can call them and they know what to do. But it's also should you file a claim, right? So we want to think about cyber insurance the way we think about homeowners insurance, about car insurance.

Melanie Thomas:

The more you use it, it's not necessarily going to be beneficial for you as a company, right? But we see largely in the industry, everyone's using it. It's paying out most of the time. And right, because they don't have to approve the claim. They can walk away and say, no, this is your fault.

Melanie Thomas:

We're not paying out. But should you even file that claim? Right? Is it something that you already have measures in place for? Is it something that you guys can respond to or burn something down and start over instead of filing a claim?

Melanie Thomas:

It's unfortunate, right? We want insurance to be a parachute. We want insurance to come in and help out. Typically with the FBI, just because you call them doesn't mean they can help you out with an incident. They'll do what they can, but more likely than not, they might not actually be able to help.

Melanie Thomas:

And then how do we reduce premiums, knowing that we're probably going to have to use it, we're probably going to know how to file a claim and when, but all of that's going to make our premiums continue to go up. Underwriters are getting more technical. They're getting more scrutinized. It's not just, hey, we're gonna check a box and that's what it's gonna be. You can attest to it and we'll walk away.

Melanie Thomas:

They wanna see proof. It's like a whole other audit that you have to do. And so, yeah, you need to actually be doing these things and also prove it. So when they, when you do need to file a claim, they pay it. But a lot of what we're talking about too is also the strategy around reducing premiums.

Melanie Thomas:

Talking with your insurance provider, letting them know when you deploy new technology for your security, maybe that can bring a premium down. Making sure that your NDR, your IR provider, whoever it is, is on your insurance policy as your preferred vendor so you can use them and they can jump in and help from this time. So a lot of the conversations that I think were largely siloed before. Like you mentioned, you hand it off to the lawyers and that's kind of if you need it, it's there. But more conversation and more coordination is really gonna help everyone at the end of day.

Melanie Thomas:

That's gonna help, right, make sure that you're validated, make sure that your premiums ideally can come down or at least be contained as much as possible with that better communication with your insurance provider as well.

Lou Rabon:

Yeah. Great. Great points. And it's interesting too. We're seeing where if we have an IR retainer, we had one client recently that we were on retainer, but because we hadn't been approved by the insurance company prior, they didn't force the, you know, claimant, but they were just like, hey.

Lou Rabon:

Use our provider. They always wanna use their providers. We're not on the panel on purpose. It's actually something we're moving away from. It's just... IR is a whole different animal.

Lou Rabon:

As you know, we won't go down that rabbit hole on this podcast. It's probably a topic that we could cover in a full podcast. But, you know, as far as people and salespeople that are trying to speak to their customers about cyber insurance, yeah, you can't mess around anymore because back in the day, I remember when the policies, they would just cover it, and they wouldn't really look, like you're saying. Then they were like, okay. Have these things.

Lou Rabon:

And they started, some of the, I don't know if they still do it, but some of them had these, like, useless web browser extensions where they would say, okay, if you install these, your premium will go down or something.

Melanie Thomas:

Because they're monitoring everything you're doing. Yeah. Yeah. There's still some that do that.

Lou Rabon:

It was still not, you know, that's not really. I guess that's for really, really small companies. And then, now they're saying, yeah. You've gotta attest to this stuff. And if you even, you know, if there's anywhere that we can drive a hole, a gap through this, or a truck through this gap, we're gonna do it.

Lou Rabon:

You know what I mean? And that's what happens. I think that there's policies that are not getting claimed. And finally, you're talking about maybe you don't even file a claim. I mean, it really depends.

Lou Rabon:

If it's a huge hack, you're not gonna have a a choice.

Melanie Thomas:

Yeah. You don't have the cap you won't have the money to pay it out. Yeah.

Lou Rabon:

Exactly. But we do talk to them about, you know, our our our clients about listen. When you're writing your IR plan, make sure that not everyone's calling it a breach. I mean, you you know this. The the the most amateur move, and this is why that's a danger of not doing tabletops and not having a written plan.

Lou Rabon:

And, also, if you get companies that don't know what they're doing, like, vendors that are like, oh, yeah. Here's a plan, and they just download it from NIST or something and just, you know, throw in the blanks. For for practitioners that have done this, there's certain things that we know. Like, don't call it a breach. It can only be called a breach by the IR lead, and it's gotta be an official you know, so you call it an event.

Lou Rabon:

There's a security event. Let's talk about the event because there's the shot clock that starts, especially for some of the privacy regulations, especially overseas. CMMC now, the the twenty seventy two hour, shot clock and and things like that are even it's probably even gotten smaller now.

Melanie Thomas:

That's a great point. Yeah. We we actually I coach that to my to my strategist as well in our CAs where because we'll have cup calls you know, customers will call up our strategist and then meet, like, in the middle of the day, and we can do a little bit of coaching. But, right, we're not an IR firm. But they'll send an email or send a text and be like, hey, they're having a security breach.

Melanie Thomas:

I'm like, you guys, we talked about this. Never use that word. Only use security event. Never put it in writing because it's not our responsibility. Right?

Melanie Thomas:

We don't want to have to, like, attest to that later on because it was a breach two weeks before they actually reported it.

Lou Rabon:

Exactly.

Melanie Thomas:

But yeah. The words we use matter.

Lou Rabon:

Yeah. Big time. And especially there's there's liability associated with that. But there are there are circumstances, and this is what we're trying to drive towards, which is a word everyone's using now, thankfully, which is resilience. Right?

Lou Rabon:

So cyber resilience. So cyber resilience means you can actually be, breached or have a major security event or, you know, at least moderate security event and and get over it and then not have to use your insurance because you've put up the detective and preventive controls and responsive controls to be able to, you know, detect, prevent prevent, detect, and respond in a way that, you know, you isolate it. Maybe the endpoint is gets isolated, either automatically or by the MDR firm, etcetera, etcetera. So there are circums for anyone out there that's listening that hasn't been through a breach or doesn't understand how these things work, it is actually possible to be breached and not have to report it and not have a huge downtime incident. That's what we're all working towards.

Lou Rabon:

That's that's what a real security program, people process, and technology can get for you, and that's not just a point pen test. That's not just a couple vendors thrown together in a package on a per seat license basis. Right? It's a real strategy and road map to over multiple years towards security. Yeah?

Melanie Thomas:

So yeah. And it works. We've seen it work all the time. Our customer's like, yeah. We we contained it. Our EDR code was able to contain it because we've got the the logs from whatever.

Melanie Thomas:

Right? And it it actually works. It doesn't have to be this full blown, you know, spend a week of your life doing that thing but digging into logs. Like, it's it's ad it 100% works. You said this you know, mindful.

Melanie Thomas:

Right? It's strategy. It's building that program.

Lou Rabon:

Big time. Yeah. No. That's totally true. And then, yeah, with the insurance, you just I think having, you know, you're you'll help your customers when they're like, hey.

Lou Rabon:

We wanna get cyber insurance. Is that something you do? You'll help them kinda go through that, or do you even recommend carriers or brokers?

Melanie Thomas:

We do to a point. We don't have, like, partnership agreements with anything because there's a lot of gray area. Right? There's a lot of reasons why you can't be in partnerships with certain insurance providers and things like that. There's rules to that.

Melanie Thomas:

A lot of what we do is facilitate. We'll talk about the need for cyber insurance. We'll suggest some things to look into. More often than not, we're doing it via a provider. And so it's because we're looking at, right, an MDR provider.

Melanie Thomas:

It's because we're looking at identity solutions or managed identity solutions. And by the way, this vendor also works really well with x y z insurance company and kind of facilitate the conversations that way, and kind of help leverage some of those partnerships. The vendors that do have partnerships with in with insurance providers, right, that are already on those lists really help with explaining to the customer if they don't have it, why they need it, but also why that proof is important and the reporting back is important and just maintaining that communication with them. So we do it a couple different ways. It's it's a program that I'd like to build out more, but there's lots of rules around why you can't.

Melanie Thomas:

So I get it. I'll follow the rules, but a lot of nuance. Yeah.

Lou Rabon:

Liability and all that fun stuff. So, yeah, you gotta be, it's just more about just giving the information and then pointing them in the right direction, I think.

Melanie Thomas:

Mhmm. Absolutely.

Lou Rabon:

Yeah. And, you know, with all this AI stuff, we and and, you know, all the the ways that security moves so quickly, what what are you excited about? What excites you about the future of, like, what's going on in cyber?

Melanie Thomas:

What I love so much, it makes me super excited to see a shift in the industry, and maybe it's just because I'm a very hopeful person, a very optimistic person. What I love to see is more of this, like, converged idea of focusing on identity and data security, especially with AI. That's really where it lives. Right? We don't have to buy solutions for everything.

Melanie Thomas:

Let's strat let's start well. Right? Let's lock things down. Let's classify our data. Let's make sure people need to access it, and that only helps you with everything.

Melanie Thomas:

So sure, it'll help you with AI and deployment of AI tools and whatever. It's also gonna help us with everything else down the line. Right? As you implement new technology, you deploy new software, things like that, all of that continue to be controlled. I'm also loving mobile solutions becoming more of a conversation.

Melanie Thomas:

It's usually something that people wanna avoid because it's a nightmare to talk about acceptable use and BYOD and whatever. Even since COVID, people don't wanna talk about it. But I love so much that a lot of our customers are now asking. And they're like, you're right. If we're talking data security, mobile devices have just as much access to all that data if you don't control it, and that's such a big vector.

Melanie Thomas:

So I'm really loving more emphasis on mobile security. I think we'll probably see more ideally, see more big vendors putting more of an emphasis on mobile support and not just laptops and servers, right, and desktops. We really have to look at mobile platforms and tablets.

Lou Rabon:

Oh, yeah. Big time. Yeah. MVM. And yeah.

Lou Rabon:

Because think about it. That phone now has become the keys to the kingdom, really, because it's like your biometric proof, which I'm glad passkeys now exist. It's much stronger than, you know, doing SMS for two factor and stuff. But it's also yeah. Once you get in there I I've had a couple calls.

Lou Rabon:

We often get, like, personal people personally calling to, and we don't help them, unfortunately. We we just obviously don't have the time, and they can't pay what we would be charging anyway. But, you know, and I feel bad. Sometimes I'll I'll send them other places. But, one guy, he had his everything.

Lou Rabon:

Like, he his he had, like, a password vault that also was, like, just everything was hosed because he had everything on his mobile device, like his Coinbase, all his crypto was taken. You know, like Yeah. It was really and then we're talking pretty big numbers. So, yeah, those mobile devices are not just you know, we can't treat them like they were you know, in my era, there was a phone with a cord attached, and that was your device. My my cool friend had the one with the suitcase, you know, that, like, you it was portable that you could take in the car, but it had battery of, like, a a, you know, thirty minutes, and it was, you know, $15 a minute just to, like so, anyway, it's these things are not the same.

Lou Rabon:

You know? They're they're basically basically everything. So

Melanie Thomas:

Everyone has at least one of them. Yeah. So and your kids have it. Right? You gotta lock down the kids too.

Melanie Thomas:

So we have some providers, right, that'll be like, here's your company. Like, here's your your company use. That's what you buy it for. And I think I've seen a few providers recently also say, here's a personal use version. So the company buys, right, the licenses for that, but the employees can also break it off and have as part of it, a compartment of it that's also personal to be able to manage that because just same, right, their personal stuff gets hacked if they have, you know, saved it forward anything from their personal email.

Melanie Thomas:

Right? All that can still be, attacked as well, unfortunately.

Lou Rabon:

Yeah. Or if they're letting their kids play Fortnite on their business computer. Yeah.

Melanie Thomas:

$20,000 from a business card?

Lou Rabon:

Yeah. You know? Or they just wanna, like, get the latest wall hacking or something, and then they download, you know, malware, and there you go. So, tell tell me a little bit more. Bridgepoint has a very unique it's like a hybrid TSD TA firm.

Lou Rabon:

What what what can you tell me about and and listeners, people that might be not be as familiar with Bridgepoint?

Melanie Thomas:

The Bridgepoint, we are not and that's but the fun of learning Bridgepoint, because I've never been in the channel before. We are not a TSD and we're not a VAR. So for the consulting kind of services we provide, right? So these relationships that we're building that our strategists have, we don't charge for our services, right? So the customer isn't signing a contract with us. They don't buy licensing from us.

Melanie Thomas:

They don't buy services from us. It's all through the vendor. And so it's one of the things I love too, it helps us be agnostic. So we're not fighting for commissions or whatever. Right?

Melanie Thomas:

It's we get paid by the vendor when the customer buys. And so it also helps us be, you know, the advocate, like a really true advocate for our customer. Because we'll get paid regardless, right, whoever we send them to, but let's make sure that's actually a good match, not just because they have a bigger commission percentage or whatever. There's no shame. People do that all the time, and I'm not trying to shame anybody.

Melanie Thomas:

Do your thing. But in my perspective, it really helps us and the customer see that we're we're really just looking out for the best solution for them in a really holistic way. So we are very mindful when we have direct partnerships with different vendors, and we build up those relationships to give them access, right, to all of our strategy space for our client advisors, right, to all of our customers. And a lot of our customers are our partners also. So it's been really fun.

Melanie Thomas:

So we do have the two services of Bridgepoint that are direct contractual and our CX implementation side. Those are we're actually boots on the ground, installing stuff and things like that. With the rest of our practices, the advisor that we do, it's for the betterment of the customer. Right? And then it's just connecting them and and matchmaking really at the end of the day.

Melanie Thomas:

So to get really deep with it, right, we want to do all of their stack, just transactional, not just their connectivity, not just the firewall project that's gonna replace it or whatever. We really want to know what do they use across their stack, how can we help them roadmap, and how can we help build that out. So we're in it for the long run. Right? We want to see what that looks like and roadmap with them and create some of these projects with them and support it at the end of the day.

Melanie Thomas:

So since we maintain those relationships, we care about how our vendors are servicing our customers. We care about escalations. We jump in with escalations also. Right? We're saying, hey, maybe that service wasn't provided like you said it was.

Melanie Thomas:

Let's let's talk about this on a QBR. I've helped customers with, like, incident reporting or just normal, this is what our SLA was for this month. You're like, well, that didn't meet your contract. How are we gonna remediate that? How are we gonna make sure that you meet your SLAs and give that credit that your contract says you need to give them?

Melanie Thomas:

Right? So we can jump in on some of those relationships as well. And really, it's about helping it stick. It's helping maintain and keeping the customer getting what they're paying for, and and getting those best services.

Lou Rabon:

Yeah. Yeah. It's long term. It's long term relationships over a long period of time versus, yeah, that transactional, which I guess if you had a theme other than all the cool cyber stuff we've spoken about today, it's like, don't be transactional. Transactional is not you know, that's going the way of the dinosaur.

Melanie Thomas:

Yeah. It's trust in relationships and and long term planning. Yeah.

Lou Rabon:

Yeah. Yeah. So so who's Melanie? Let's let's, you know, kinda transition a little bit to personal stuff. I see that you've you know, you're you're down in San Diego.

Lou Rabon:

Yeah. And and you're, you know, being a professor at use USD. That's pretty cool.

Melanie Thomas:

I love it.

Lou Rabon:

UCSD. You know, what tell tell me about, like, what you're you've got a lot of stuff going on. I'm looking at this list here. It's it's pretty amazing. Yeah.

Lou Rabon:

What what do you wanna talk about about some of the stuff you do outside of work?

Melanie Thomas:

I am really big about giving back to the communities and every community that I'm a part of. So I do a significant amount of volunteer work, on boards, right, with other nonprofit agencies. And that's just always been really important to me to volunteer. So we'll volunteer with, like for B Sides, for example, also. So I'm the president for B Sides here in San Diego.

Melanie Thomas:

Very fortunate, amazing group of people. And we have, you know, one annual conference a year. It's a really big conference. Super fun. That attracts everybody, practitioners, you know, C levels, things like that.

Melanie Thomas:

You know, we want hands on, we want talk tracks, students, things like that. But we also maintain presence with all the other nonprofits in San Diego. And San Diego has an incredibly robust cyber and technology, just in general community. And so we have, I don't know, 13, maybe different nonprofits here in San Diego. I would say that board members and I make sure that we're members of everything.

Melanie Thomas:

We try to go as much as we can to keep connection with the community so we can support, right, from the B Sides side, whenever they have events or when they need sponsors. And it's really about, like, a collective action, to help everybody out. So we have vendors, right, that wanna do some partnerships. I've referred them to, like, ISSA chapter, for example, or YSYS. We we we can't use them for B Sides because we're a once annual event.

Melanie Thomas:

But look at how many other people also need, right, money for events and sponsorships and things like that. So it's fantastic.

Lou Rabon:

That's awesome.

Melanie Thomas:

There's one coming up for Girl Scouts, which is really fun. And their cyber badge and Girl Scouts can volunteer with that. I have that

Lou Rabon:

so many.

Melanie Thomas:

But then we have San Diego CCOE, which is the San Diego Cyber Center for Excellence, which is a fantastic organization that helps, same thing, right, boost cyber. Our InfraGard chapter is really, really big as well. So I can nerd out about cyber all day, every day, whether I'm at work or at USD or out in the world. There's so much to do with it, and it's such a great group of people.

Lou Rabon:

So, that's awesome.

Melanie Thomas:

It's a great community.

Lou Rabon:

Yeah. And you've got, you know, the I used to spend a lot of time in San Diego visiting my marine buddies. So there's the marine and navy presence, the military presence down there, which has a lot of former, cyber people from that area, you know, practitioners and the the federal government and stuff. So and it's, like, the most laid back, I think, city in California, you know, made perhaps in the country. Just, like, super cool.

Lou Rabon:

Very yeah. I always love coming down there. So

Melanie Thomas:

I love it. I think they were voted, like, friendliest city in the country maybe.

Lou Rabon:

Oh, really?

Melanie Thomas:

Yeah. It's beautiful. It's gorgeous almost all the time.

Lou Rabon:

Yeah.

Melanie Thomas:

Yeah. It's super friendly people. There's just awesome awesome vibes all the time.

Lou Rabon:

Yeah. Like, for those that are listening and can't see the cool, you know, California flag with the surfer behind Melanie, it's so cool. So, that's awesome. And where can people connect with you?

Melanie Thomas:

LinkedIn. I try to keep track of my LinkedIn as much as I can. We also have Bridgepoint Technologies, and I have a page on Bridgepoint Technologies as well. We're gonna go through, right, kind of how the Bridgepoint way is, what it looks like as we're talking to different vendors, things that we're kind of highlighting for our practice as well. So, like, best places or bsidessandiego.org to give a shout out to B Sides.

Melanie Thomas:

Great. If you're gonna be in the spring, we have our spring camp here in San Diego every year.

Lou Rabon:

Great. Well, Melanie Thomas, thank you so much. This has been, like, a true pleasure to take this this route through cyber with, you know, all the things that you know and all the things you've experienced. So thank you for sharing your your thoughts with us.

Melanie Thomas:

Oh, thank you so much. It was really fun. I appreciate the sign. Thank you.

Lou Rabon:

Yeah. Yeah. And thanks to everyone that's watching and or listening. If you learned something today or laughed, please let us know and let someone know about this podcast and, you know, reach out to us as well. Thanks again, Melanie.

Melanie Thomas:

Thank you so much.

Lou Rabon:

This has been another exciting episode of Channel Security Secrets. See you next time. That's a wrap for this episode of Channel Security Secrets. Thanks for tuning in. For show notes, guest info, and more episodes, visit us at channelsecuritysecrets.com.

Lou Rabon:

Channel Security Secrets is sponsored by Cyber Defense Group. When it comes to protecting your business, don't settle for reactive. Partner with experts who build resilience from the ground up.
