Channel Security Secrets

CSS - Eric Ludwig
[00:00:00]
lou-rabon_46_09-02-2025_130753: I'm excited to chat with our guest today. He's an entrepreneur, keynote speaker, and expert technology advisor with more than two decades of IT experience. Recognizes an authority on connectivity, cloud computing, and cybersecurity.
He has spoken to major industry events, including the Channel Future Summit. He has designed transformative technology solutions for organizations [00:01:00] ranging from Fortune 500 enterprises to fast-growing startups. He's the co-founder of Rise Technology Advisors. Eric Ludwig, welcome to the show.
eric-ludwig_3_09-02-2025_150804: It's my pleasure to be here, Lou. And boy, that sounds a lot better than, uh, than, than I think I do my self justice. So thank you for that.
lou-rabon_46_09-02-2025_130753: Yeah, of course. You, you deserve it. So let's just jump right into it. Uh, Eric, what's the biggest secret to your success in the channel?
eric-ludwig_3_09-02-2025_150804: You know, it, it's, it shouldn't be a secret. Uh, but it is unfortunately, and I think, you know, the secret is, is to, to know when to say, I don't know, and to know when to say no and know when to phone a friend. I think if you, if you kind of look at. How to summarize being a true, trusted advisor. You know, I, think ultimately it's, know when to say no. it's know when to say, I don't know. Three, it's know when to say, I know, but. And four, it's know when to [00:02:00] call a friend. And I think, you know, the real key to our industry is integrity, is making sure we articulate our value to our clients, which isn't always, we know everything, but it is, we have access to virtually everything.
And then to really, you know, that number four is, is to leverage your partners. Leverage people who you trust within your network. People that'll make you look good. And, you know, don't try and do it all yourself. because when you do, you're gonna fall down and clients will see right through it.
lou-rabon_46_09-02-2025_130753: Yeah. Yeah, that's a common theme I think with all of the trusted advisors that we speak to. I mean, perhaps sometimes, uh. People forget trusted trust. Honesty, integrity, all of that is important. Of course, you know, we're all in sales to some extent, but, um, you know, you gain trust often by saying the, the hard answering, the hard questions and being honest and I don't know.
While it may make some people feel uncomfortable to, to say that, that's really the sign of a, a [00:03:00] true expert because, you know, there's that. There's a number of, uh, you know, memes I've seen on this and stuff where you're, you know, you believe you're the expert at something when you know very little about it.
Then there's a huge valley when, uh, you know, you actually start to learn and, and realize how much you don't know, right? And then there's, you kind of go back up a little bit bit from there, but it's only those that are truly ignorant that can, you know, claim complete mastery of any subject. So I think you're onto something.
eric-ludwig_3_09-02-2025_150804: I appreciate that. I think it also really. You know, clients don't expect you to know everything, and, and they're skeptical when they, when you, you suggest that you do about even about a specific topic. So I agree with you. I think, uh, you know, a little bit of humble pie and, and being transparent and honest upfront really goes a long way, uh, toward the end.
lou-rabon_46_09-02-2025_130753: Yeah. Yeah, absolutely. So, um, how about security in the channel and selling security? Uh, are you, are you finding it difficult to sell security? You've been doing it for a while, so, [00:04:00] uh, you know, what, what does that look like?
eric-ludwig_3_09-02-2025_150804: You know, I, I do find that it's more difficult than the other, uh, products and services that we sell. And I think there are several reasons why. You know, I think there are so many distinct types of organizations in the channel. Uh, you've got. Big Fortune 500 value added resellers and service providers, all the way down to sole proprietorships individuals that you know are a one man band. And then you have every permutation and iteration in between. think it's easy to talk about security and. Ultimately it's an adjacent technology and an adjacent silo, if you will, to everything that everybody does in the channel around technology. There's always a, a, a, a talk track around security for every component that we sell. I think the one challenge. We have found is that larger clients tend to buy security products and by way of product [00:05:00] services as well from large Fortune 500 value added resellers, folks that are kind of top of the food chain in the VAR world, or they buy specifically from a security expert like a Guidepoint or an Optiv or some, some other permutation.
So we do find that it's not. Difficult to bring it up. It's not difficult to have a conversation, but there are times where we find that some of our recommendations are disintermediating ourselves from opportunity because we don't sell products and sometimes client don't need the services. Or they, they say they don't need the services that we provide.
Uh, and ultimately I think where, where to press, knowing when to win, when to push, uh, you know, we have a mantra of win fast, lose faster, and ultimately finding partners like. Like you who can help work with clients no matter what their estate, no matter who they buy from. Um, and, and no matter where they are in that journey.
So [00:06:00] it's easy to talk, to, talk about, in my opinion, Lou, but, but it is, it does pre present some challenges that maybe the other product categories in the channel do not.
lou-rabon_46_09-02-2025_130753: Yeah, I, I would challenge you on it to, uh, when you say it's easy, I guess you mean. Saying security, the word security is easy to say, but um, you know, we find that there's a lot of TAs that are hesitant to, to broach that topic because they don't have the expertise. So, you know, what was your transformation?
I mean, uh, you know, you've, you've got a technical background. Um, so, so you understood security, probably, you know, most of your career, but how do you speak? What about the TAs that haven't had that, that background?
eric-ludwig_3_09-02-2025_150804: Sure. I mean, look, I, I learned it because I had to and I didn't wanna look like a fool. And ultimately, uh, you know, my background is large distribution. I was a practice lead at CDW and we were the team that, uh, that everybody turned to for the quote as a service [00:07:00] portfolio, as cloud and cloud type services were incubating and growing.
And so. I had to learn this stuff because clients were asking for different ways to consume these technologies. And there were a host of service providers that were offering it, and many of them were our traditional partners. Things like, uh, traditional, uh, DDoS protection or some sort of mail relay, uh, product or service.
So for me it was a defensive measure of saying, I don't wanna look like a fool, so I'm gonna find two or three specific adjacent security. Talk tracks that compliment the products and services on that I'm used to selling and the types of technologies that I'm used to clients, uh, engaging with us on. I, I think the other thing is, is that, you know, we need to have some curiosity and it requires a little bit of work.
It requires you to, to go out and, and read the paper. Nowadays, you don't even have to read something that's unique to security. You read the Wall Street Journal or the New York Times, [00:08:00] or. Or the LA Times, Washington Post, Newsweek, it's everywhere. And so, you know, we have to be intellectually curious. We have to find one or two work streams that compliment what we talk about regularly. And then again, be, don't be afraid to say, I don't know. And ultimately go out and create opportunity that that is complimentary to what you do. I think, Lou, it's very. to when Unified Communications as a service became a product category in the channel. You know, you had a bunch of telco guys and gals that were scared to death of talking about an application because we never talked about applications. Uh, we talked about speeds and feeds and networks and close user groups and such. And so. People that were out in front of that were really able to take advantage of it from, uh, an opportunity perspective. They became even more trusted to their clients and if they were running a business or or looking to monetize, which ultimately we're all in the business of doing in addition to [00:09:00] helping our constituents. They were, uh, the ones that were on the forefront. So I see security is no different than unified communications or customer experience or infrastructure when infrastructure became big or colo. So, uh, be a little curious and, and go out and read some articles and find some, uh, find some work streams. It's, that's the part that I think when I say it's, it's easy to talk about. Uh, I find that it is easy to, to bring some parallels. agree and perhaps overstepped by suggesting that it was quote, easy. I think it's just quote, easy to talk about. That doesn't mean that it's easy to sell or support or find opportunity per se, but, but it is easy if, uh, if you're a little curious.
lou-rabon_46_09-02-2025_130753: Yeah, I, that's great advice. I love the curiosity aspect because actually to be very good as a practitioner at security, you need to be curious and you need to be a lifelong learner. You're, uh, dead in the water in this field. If you think you're gonna come in, learn a couple things, and then just kind of float on that the rest of your career because in, in, in [00:10:00] a week.
That's all data and, and you have to kind of relearn the, the underlying concepts are the same. And that's probably one of the shocking secrets that we can share here on this podcast is we've been saying the same thing for 30 plus, really 40 plus years. Some of these concepts are really fundamental in security, and, and they're not as complicated as, as people think, but when it comes down to it, uh, some, the, the vectors of attack and the way that, uh, companies are, um, having to protect themselves, defend themselves.
That's changing, uh, in many ways. So, um, the curiosity aspect is really interesting and, um, I think it is, uh. Also, I think you're actually right. I, I do agree that the, the ease of having the conversation with security is probably easier when you talk about unified comms or bandwidth or something that's super commoditized these days, right?
So if you, if you, um, are cold calling someone and, or even a relationship you have, you're like, listen, you know, Eric, you sold me that already. I've got a five year contract. What are you [00:11:00] calling me about? But, you know, um, I would imagine what, from our perspective, you call someone up that you haven't spoken to in a while and say, Hey, what are you doing about security?
Do you wanna, we have a, you know, someone we, we would like you to speak to. Uh, how can, um, we get some time on the calendar? I think, you know, nine times outta 10, that person's gonna get back to you. Do you agree?
eric-ludwig_3_09-02-2025_150804: I couldn't agree more. Uh, I think that there, within everything that we've advised our clients to implement in their environment becomes a security work stream and. If we're doing our jobs right and we're humble and we're curious, then there's no reason for that client not to take that call and not to be willing to have that ancillary conversation.
And maybe it's something really easy, uh, or maybe it's something very sophisticated that. You've seen in the news in, in a parallel organization in the industry. So I, I, I couldn't agree more. Uh, I think if, if, if we as, as practitioners do our job [00:12:00] and understand our client's business in conjunction with what we have sold or implemented for them, I think that ultimately. There will be work stream, work streams abound, and those clients will, will take those calls. And if you're, if I think people are just afraid of what they don't know, they fear
lou-rabon_46_09-02-2025_130753: Yeah.
eric-ludwig_3_09-02-2025_150804: And they fear, you know, getting out of their comfort zone. And there's just examples up and down the channel of where people have found themselves in that position. And look customers. They don't know everything either. And so, uh, overcome your fear. Make, make a phone call. And again, back to the, you know, the secret of saying, I don't know, but I'll find out. Just like I may not have known X, Y, and Z in the past. I may not know that now and, or that may have, have rapidly changed, but, but I have a lot of resources available that are agnostic, that will be honest and will help us together. Figure out how to help solve some of these [00:13:00] problems. So humility and, and just finding stuff that clients have already implemented. Inevitably there's something there. You mentioned, you know, unified comms, for example, being commoditized. Well, yeah, it's been commoditized, but one of the fundamental over probably the last seven, eight years in my opinion, has been the network connectivity. So if you looked at how unified communications was rolled out, initially it was done over private networks and clients spent lots of money in order to provide security and provide consistent performance with their voice communications and. Really, I think the, the straw that broke the camel's back, so to speak, was COVID and people realizing that you didn't need a private network.
So now everything's connected to a public network and when it's connected to a public network. It means that you have vulnerabilities that perhaps didn't exist in the past. So there's something as simple as understanding [00:14:00] the life cycle of a particular product line that perhaps someone is very comfortable selling and talking about, and quite technical and talking a little bit about. and being on a public versus a private, and how are you protecting yourself? And, and that could likely lead into several, you know, business and risk discussions that, that aren't technical at all, but rather are, are more, you know, estate driven and risk management driven. And, and those are things that anybody should be able to at least have a little bit of a conversation around.
lou-rabon_46_09-02-2025_130753: Yeah, if you wanna speak to anyone above the maybe director of. T you better be speaking business. And that is really relevant for cyber, especially because with cybersecurity it's the practitioners that are, um, able to get past the technical and speak in business terms. To your point, outcomes, you know, uh.
Shameless plug on our part, having a, you know, trademarked outcomes based security. It's [00:15:00] because that is really important. You can't speak about security unless you're speaking about outcomes. Otherwise you're playing whack-a-mole. So you to have the longer term view, I think, you know, that's great advice for whatever you're selling.
Um, tie it to the outcomes, move your way up to the C-suite and the board, and you're gonna be sticky, especially if you're solving pain points for these customers. They're gonna remember that and they're gonna rely on you as the trusted advisor much more than, oh, it's renewal time. I want you to sign this three year agreement again.
Let me, let me buy you a steak dinner. It's like, I haven't spoken to you in over a year and you have no idea what my business is, and now you want me to spend money, you know, those, that, that's not gonna be very successful for, uh, you know, over the long term.
eric-ludwig_3_09-02-2025_150804: Yeah. I think that to add to that, the person that you've traditionally connected with, particularly for those kind of traditional. Down the Fairway channel people that, that, that individual or that group of [00:16:00] individuals, they may not be the security people. And I think that's also fearful. Um, but they have responsibility in that broader security posture as well.
And there's no question that they can say to somebody, Hey, these guys have delivered for us in the past and. They may not be, uh, you know, they may not be the security expert per se, but they have some great relationships. They take care of us. They make sure that our partners live up to the obligations they outline in the services engagement process. And, um, we think you ought to have a conversation with them. And so it may not be that you're talking to the right people, and that's also fearful, uh, or causes fear for. For folks. But, uh, at the end of the day, uh, ensuring you know who that audience is, how you integrate with them, when the last time you touched them was whether they've had security ins, incidents, or their competitors have, you know, those are all things that I think, um, any of us that are just comfortable in our own [00:17:00] skin should be confident,
lou-rabon_46_09-02-2025_130753: absolutely. And it's interesting too because we talk about, um, having these conversations in security, it. Is, uh, can be a more complex sale. You know, if someone says, yeah, I want these 10 cities around the globe to have a certain amount of bandwidth. Get me three quotes and you know, let me sign on the dotted line and, you know, collect your money.
That is, uh, it's obviously never that simple, but it's a lot more simple doing that then it is to say, well, let me understand your business. What are your goals over the next one and three years? What's been happening? Are you growing? Are you shrinking? What's your attack surface look like? You know, things like that.
And, um, again, without getting too, I think there's that line that a lot of TAs, rightfully so, are a bit afraid of stepping over because then if someone's like, oh, my attack surface, and then they just start getting technical and the, and the trusted advisor's not ready for that, um, you know, there's going to be a bit of backpedaling.
But to your point, it's like, Hey, listen, I, you're getting technical. That's not [00:18:00] really my area of expertise, but what I can do for you is introduce you to the experts, which would be us or, you know, whoever the, the supplier might be. Um, so that I think is really relevant too, that those complex sales take a little more time.
In the short term, they might, um, not be as profitable as those, you know, huge bandwidth or data center deals that seem a bit easier to get across the line, at least from a complexity standpoint. But it makes you, when, when you go in and you lead with security and then you start solving these very, very relevant business issues, you're sticky, you're, you're in there, you know, as long as you're, uh, you know, the, the people that you're speaking to.
And that's the other thing I think, which is really a, perhaps a secret here is. Um, the worst thing that can happen is when you are, uh, the person that you're working with, they get, they go to another, uh, company or they get fired. That's even worse. And maybe you've been, you know, your champion internally is, is no longer there now, if you haven't made relationships.[00:19:00]
With the other C-suite executives and other people that make decisions, then you could be dead in the water with a, an account that maybe you've been working 10, 15 years.
eric-ludwig_3_09-02-2025_150804: True.
lou-rabon_46_09-02-2025_130753: Being able to have these bigger conversations, I think that's a, it's, it really, uh, gives you longevity where you might not have had it if you're just one person that's your champion.
eric-ludwig_3_09-02-2025_150804: I couldn't agree more, and I, and I think, you know, you present, you being a cyber defense group presents opportunities for clients to have that business conversation and to. Start the discussion without being technical. Talking about things like, do you have a cyber insurance policy? And you know, when was the last time you renewed your policy and what does your policy call for? And how might underwriting look different this year than it looked last year? Um, things like. Governance within different components of how they go to market. Specific specifically around ai, uh, you know, I, I had, uh, [00:20:00] an opportunity with a pretty large, actually a very large financial institution in the Midwest, and it was for their contact center and. It was a real easy, uh, chat bot type engagement. And, and I went on their website and their chat bot was horrendous. It was just, was hard to believe that for a, a firm of their size we're talking, uh, probably 20 to 30 billion in revenue and, and close to a trillion, perhaps more in assets. They had a almost non-working chat bot.
Well, the problem is, is they can't get out of their own way and. When I spoke to the senior VP of customer experience and said, why, why, why do you have such a bad chat bot? She said, well, we, we have a governance council around ai, and every AI product that gets discussed and implemented goes through this laborious, rigorous process. And wouldn't it be great if that created an opportunity, which it did for me. Regrettably, um, my champion left the firm to say, mm-hmm. do you, who do you [00:21:00] use as, you know, someone that helps you run through governance around ai, across the entire estate? So examples abound. And it's just a matter of kind of understanding the business aspect of it and understanding the, the governance.
Uh, you know, who, is it a board? Is it a person? Is it an organization? Um, what are their investors looking for? Uh, how do they, how have they, uh, how have they represented themselves terms of, uh, being a secure environment? Um, and then more importantly, what are other people in their industry doing? What are their competitors doing? And there you can gain a lot of insight. In those discussions to to talk to your advocate and then find ways to use that as a springboard to other conversations that can still remain business focused rather than technical.
lou-rabon_46_09-02-2025_130753: Yeah. Yeah. I think a, a big question too should be why, um, you know, don't be an order taker. We, we've seen this so many times. I, I had a, actually a very [00:22:00] negative experience with one company that wanted to do a penetration test, and they clearly needed a lot more. They needed a commitment to a security program.
They had no one. And it was, again, a, a decent sized, uh, firm. They did, um, you know, they were adamant and the trust advisor, you know, even though we, we back channeled with them and said, Hey listen, we really want to give them something that they need versus this security theater stuff. And they, um, you know, so we had the conversation, but unfortunately the, the TA didn't have.
They wanted to just take the order. They were like, no. And I understand, listen, if you've got eight projects, this is one, you've gotta, you've got some political capital and you don't wanna rock the boat. I don't, I don't fault the TA for that, but it's ultimately, it's frustrating because then the, the customer's not getting what they, they need.
Um, so I mean, being able to say, uh, if you can. Why, like, why are you asking for a penetration test? Um, you've done it every year. Um, you know, it makes it, uh, it makes it [00:23:00] up to the C-suite and board. It says that if you drop a USB key in the parking lot, you know, someone may or may not plug it in. But what about the fact that your HR offboarding process doesn't?
Actually, uh, exist. And therefore if someone has admin privileges, whether they picked up an ad, you know, a USB key or not, they, someone can log, they can log in two months after they were fired with cause, you know, and cause havoc in your system. Um, a penetration test is not necessarily going to, uh, illuminate that.
And so I think when trusted advisors. Can feel confident in saying, listen, we wanna really ask you why. And that's to your point, Eric, that um, you know, you really want to get deep into the business and understand, hey, are we just ticking a box here or are we actually trying to do something to, to move the needle forward?
eric-ludwig_3_09-02-2025_150804: I agree a hundred percent. I, I think some of the things that have helped me are. Uh, you know, we created a, a what we call the Wheel of Zero Trust back when everybody talked [00:24:00] about Zero Trust. And you know, it's funny because you hear the packaging of these conversations and marketing changes,
lou-rabon_46_09-02-2025_130753: Yeah.
eric-ludwig_3_09-02-2025_150804: Of the day, the, the function of it remains the same.
lou-rabon_46_09-02-2025_130753: Concepts. Yeah.
eric-ludwig_3_09-02-2025_150804: We tried to create, uh, the wheel of, of zero trust, and it was, um, it, it was, it. Dan, uh, user device application network. Um, and uh, ultimately within Udan there are products that point solutions that customers are purchasing and implementing across that entire wheel, and some of 'em have. Have really nothing to do with zero trust.
Some of them have everything to do with zero trust, but each of them represents an opportunity, and a vulnerability
lou-rabon_46_09-02-2025_130753: Mm-hmm.
eric-ludwig_3_09-02-2025_150804: For a client. And so, um, you know, I think another great tool to find where your entry point is and what you're comfortable with is. Sunil, you, uh, and, and the, uh, cyber defense matrix, you [00:25:00] know, that is a, that is an incredibly powerful tool for TAs to take a look at before you go in and talk to your client and, and start to map out within the cyber defense matrix. do you know about that customer
lou-rabon_46_09-02-2025_130753: right.
eric-ludwig_3_09-02-2025_150804: And where might you find something that you're comfortable with? Uh, this notion of cyber resiliency, which is again, repackaging of disaster recovery
lou-rabon_46_09-02-2025_130753: Yeah.
eric-ludwig_3_09-02-2025_150804: Heck of a lot
lou-rabon_46_09-02-2025_130753: Yeah, exactly.
eric-ludwig_3_09-02-2025_150804: Resiliency than, than if it's business continuity, where it went disaster recovery.
Well, you know, business continuity is a little different than disaster recovery. And then, oh, well, you know, cyber resilience is better than, than business continuity. And so. You know, there, there are components I think of that, that matrix of the wheel of zero trust around u udan and, and other elements I think that TAs can leverage to, to look through and find that inflection point. Um, but there are some key things you gotta know about, you gotta [00:26:00] know about, uh, incident response. You, you, you, you need to know what tabletop exercises are, you know, and these things are readily, readily available. On the public internet for TAs to go and research and add to their nomenclature and their, you know, add to their tool book of alba alphabet soup from
telco
lou-rabon_46_09-02-2025_130753: Right, right.
eric-ludwig_3_09-02-2025_150804: And, and know about a couple of these things.
And then just ask those questions and
lou-rabon_46_09-02-2025_130753: Yeah.
eric-ludwig_3_09-02-2025_150804: It'll take you where you want to go, in my opinion.
lou-rabon_46_09-02-2025_130753: Yeah, well, you're talking about curiosity, but there's also the fact that, um, you know, lean on the suppliers, lean on us. Um, we like to do account mapping. We like to have those conversations with the trusted advisors before they have those conversations with their customers. So we can point out what do you know about them?
Here are some que questions to ask. You know, I think enablement is a big part of that too. So it's, um, it's really that I think having the, the partnership with a good su um, trusted supplier. And you brought up another thing that I just had to, to, to comment on, Eric, which is [00:27:00] you. I love Udan, by the way.
That's really good. I hadn't heard that before. So it's, it's great because it helps, you know, look at the different applications. One of the issues we see is the configuration. Drift and the actually the, the, the poor implementation of these tools. And that's where we're, we've said like, you know, for us, we're doing people in process, we're saying cyber defense group, we do the people in process.
We'll help with the technology. We've got a great engineering staff, but we're not to your point where agnostic, we don't care what you have. But we're not gonna lead with the tools and the technology. We're just gonna make sure that they're implemented correctly. And a lot of. I think where a lot of trusted advisors may go wrong and, and they may have been burnt a bit on security, is when they have recommended a tool or a vendor, usually maybe MDR or something like that.
And, uh, you know, it's a good entry point. It's, it's relatively easy to sell compared to the other stuff. But when you just let the vendor lead, if you're not overseeing as a trusted [00:28:00] advisor, and I would argue that that's. Part of the job of trusted advisors to not just get the money and get the quotes and then move on to the next, but to make sure that there's, you know, post-implementation support and, and it's configured correctly.
I think there's a, there's a pain point right there where a lot of promises are made by the vendor and if there's not oversight on, uh, the implementation, they can still get hacked. Even if they had, you know, insert amazing security tool here. Have you had that experience?
eric-ludwig_3_09-02-2025_150804: You know, I haven't had it specifically in security, but I've certainly had it in other aspects of being a trusted advisor. I mean, we, you can build the most resilient networks possible, but there's still outages.
lou-rabon_46_09-02-2025_130753: Yeah.
eric-ludwig_3_09-02-2025_150804: I, I think, I think what it does is it creates an opportunity for us to say there is no silver bullet.
lou-rabon_46_09-02-2025_130753: Nope.
eric-ludwig_3_09-02-2025_150804: And anyone that comes in and says there is a
lou-rabon_46_09-02-2025_130753: Mm.
eric-ludwig_3_09-02-2025_150804: You should show 'em the door and walk 'em out 'cause there isn't one. And there are [00:29:00] always different ways to do things and there are varying levels of investment that clients can make to statistically reduce their vulnerability And. single one of them needs a separate set of eyes, uh, every one of them.
And, and there should be opportunity abounding for organizations that. Are a actually supporting their clients. And you make a good point about a lot of TAs just kind of zoning out. They get, they find an opportunity, they hear security, they register it, you know, they get, they get lose team on to talk about a security awareness program or a compliance program. And they're tuned out. They're, they're multitasking, they're doing something else and they're not taking away perhaps from that discussion. So it goes back to being curious where. your client is making the time to engage with your partner or engage with you, it's incumbent for [00:30:00] you to recognize that, in my opinion, and and to join them on, on taking the time.
Moreover. These, these services are not in perpetuity. They're not like a, a circuit and even a circuit nowadays with commoditization and the race to the bottom, the varying media available. Uh, I was in South Haven, Michigan this weekend for Labor Day. We have family, friends and neighbors that have a farm in, you know, middle of nowhere.
It's like seven or eight miles away from South Haven. And South Haven is certainly not a, you know. A, a burgeoning municipality. If you're from the Midwest, you might know it, but if you're not, you probably don't. Uh, in fact, you, you even mentioned when we were talking,
lou-rabon_46_09-02-2025_130753: Yeah.
eric-ludwig_3_09-02-2025_150804: We went on air, you, you know, grand Haven, but you never heard of South.
lou-rabon_46_09-02-2025_130753: Never heard of it.
eric-ludwig_3_09-02-2025_150804: So, but the reality, they, they didn't have internet for a long time 'cause it was too expensive. So then they got a, you know, a hues net service, which was terribly expensive, unbelievably slow. You couldn't do any kind of good quality service over it because of the [00:31:00] delay. Well now they have starlink. I, you know, I'm the, the geek that I am, I'm, I'm speed testing out in the back by the fire and, you know, in the front of the house, in the garden, et cetera.
And, and it's pretty remarkable that these services are available everywhere. And so, uh, I, you know, for us it's, it's a matter of sticking with those clients so that when, when those rev cycles change, when markets evolve, when new technologies become available, when there are new. Ven, uh, ventures or entrance into the market that we know who those people are.
We've supported our clients and we've been with them, good or bad, and we're transparent. So I expect, and I articulate to clients, when you look at these security services that we may recommend, that doesn't mean that you're never gonna have an incident, but what it does mean is that you're. Are responsible, you're a steward of your internal coworker and or client information and data, [00:32:00] and that you're potentially protecting yourself from what could be a much bigger problem down the road by making small investments now.
And that typically does resonate and, and it does require organizations to have resources that can at least, you know, we, we, you, you, you talked about through implementation, you know, we don't. We don't fancy ourselves as project managers. We, we suggest that our service after a client makes a decision is program management. And that that's where we have to be an advocate for our clients. And, and as well being an advocate for our partners, ensuring that, uh, both parties align and both parties are delivering. As advertised and helping to keep that train on the track, then they'll come to you for everything. Even if every time you're in, you're engaging a, a trusted partner like you, Lou, and your team or other suppliers, they'll, um, they'll listen and they'll engage.
lou-rabon_46_09-02-2025_130753: Yeah. Yeah. And you, you know, uh, bringing it back to what you said. Ford too, Eric, [00:33:00] you know, such great points. Um, the, you were talking about tabletops and how I, I love the, you know, the, the, the, how the words change, the, the monikers change, maybe the acronyms change, ZTNA and all of this stuff, and how disaster recovery is now, uh, you know, cyber resilience and all this.
Um, you know, you talked about tabletops and you talked about incident response, which is a topic very close to, near and dear to my heart. Um, you know, being a responder and leading, you know, tons of these and we often say, you know, we, full disclosure, we make a ton of money. When we go in for an incident response, usually, especially if it's like a ransomware incident or something, usually the insurance is paying it.
The, you know, the, the, uh, retainers are flying. It's really, it's almost like a, you know, an investment, um, for, for us as a company, meaning that it's, it's. People just dropping money into our bank account. And so you would think that we would wanna do more of those. And, and to be [00:34:00] honest, there was a time earlier in our history when CDG was, you know, more, uh, embryonic, I'll say where I actually went, you know, after that kind of work.
And that's, that's a topic for another podcast. But, um, essentially we prefer to do it proactively. It's less money. It's, it's completely counterintuitive. But, you know, you made the point as well, Eric, that it's. You when the, you can convince your customers to, to commit to this stuff proactively, and especially the ones that are not.
Traditionally committing to this stuff, like we're seeing a lot in auto dealerships and anyone around the auto industry right now is just getting hammered and um, you know, one of the reasons is they've usually, it's a, you know, low tech environment. They're just using it for point of sale or, you know, writing contracts, however.
Think about the amount of personal, personally identifiable information they have loan documents, you know, social security numbers, date of birth, all the, all the stuff that's really [00:35:00] juicy to someone that wants to commit financial fraud and they're unprotected. And because they're also unregulated, um, you know, if you can convince them, and we've been successful with some of them to say, Hey, listen, you can see that your peers are getting hit here, that they've already, you know, there's news articles about them.
Let's talk to you about how you stay out of the news. And what's just shocking about that is they can amortize like one 10th of what an incident response costs over a year and, and get to a much better place than their peers are. So if they just invest, you know, 10, 20, 30 K per month, let's say between 150 and let's say two 40, let's say thousand 240 k.
Sounds like a lot of money when your budget for security has been zero, you know, since, uh, you, you started 60 years ago. Um, however, the cost of an incident usually runs in the millions, even if you have insurance. And those, those policies aren't being written anymore, you know? [00:36:00] So, um, all that to say that.
Committing proactively looking at their business saying, Hey, listen, let's do some things that are going like tabletops and a tabletop exercise. That's probably, uh, definitely 10 times more effective if you just want to do a check the box exercise than a pen test, because a pen test might say, Hey, there's some stuff out there that you have to close up, but I guarantee you 90% of the firms.
You can just do a vulnerability assessment and find out what's open. You know what I mean? But with a, a tabletop, there's so many things that illuminate, like everyone thinks they have it covered until they're like, wait, what is, wait a second. We don't even have a call tree. We don't even know who to call.
If, if everything goes down, who to, you know, what if John, the, the director of it is. In it, you know, overseas it's, it's three in the morning. He's asleep after a big night out from a, you know, a wedding in South Africa. Like, or what are we gonna do? And, and they, that's really eyeopening. So I just, you know, everything you're saying.
I just hope the trusted advisors are listening to [00:37:00] this because it's, it's absolutely relevant from us practicing on the ground.
eric-ludwig_3_09-02-2025_150804: You know, I have three, three points to make from that. That's great. First we'll start with. Security practitioners are, they don't like to sit and stare at a screen. They wanna work, they wanna figure stuff out. They want to compete just like the rest of us compete. So this notion of red team purple team folks that are trying to attack and others that are trying to defend. They like that stuff and, and it exposes where they're really strong and where they're not. And I think security practitioners appreciate that because it requires them to do more than just sitting at a screen waiting for an incident. So, so. You can, you can get some sponsors within, you know, kind of down tree of folks that are actually doing the work. When you start asking questions, if you're exposed to those resources. Um, the, the two other things I'll mention 'cause you brought up the automotive industry, uh, anybody that is in the automotive industry, whether they're selling new [00:38:00] cars or selling cars or to servicing cars, fully understands the idea of investment in security.
Number one, CDK Global, who owns. I don't know, 90, 95%. When you go into a car dealership and you buy a car and you go into the back where the, you know, the, the manager who's actually writing the deal tries to sell you the clear coat and all the other
lou-rabon_46_09-02-2025_130753: Yeah.
eric-ludwig_3_09-02-2025_150804: That you may or may not buy. The extended warranty on a new car that comes with a five year bumper to bumper warranty.
You know, it's like
lou-rabon_46_09-02-2025_130753: Oh yeah.
eric-ludwig_3_09-02-2025_150804: All the paperwork. That they generate comes from a system called CDK Global, and last summer it was down for weeks because it was hit with a ransomware attack. And literally you had car dealerships, big ones like Fortune 500, publicly traded ones, doing old school, black, white, and gray forms that most people who are young enough have never even seen where if you don't press hard enough, you can't see it on the copy that you get. And, [00:39:00] and, and so they understand. Because they lost a lot of money and a lot of productivity, and they couldn't write orders as fast as they needed to. Some of them sold cars to people that probably they shouldn't have sold them to because they couldn't do their due diligence because the systems were unavailable.
So anyone that sells a new car. You can bring up and Google at CDK Global outage and you'll be able to go into an automotive dealership and have a constructive discussion. On the flip side, people who are servicing vehicles, there are new mandates. So one of our clients is an automotive dealer group and there are new. Manufacturer requirements for bandwidth, minimum bandwidth requirements to service vehicles, BMW and Volkswagen before the end of the year require dealers that do service to have a minimum of a gig because their
lou-rabon_46_09-02-2025_130753: Wow.
eric-ludwig_3_09-02-2025_150804: Are security. Their systems are entirely security driven. If you look at BMW and Volkswagen Group and others, they're car manufacturers, but they're technology companies.
lou-rabon_46_09-02-2025_130753: Yeah.
eric-ludwig_3_09-02-2025_150804: They're [00:40:00] making money on subscriptions, on all sorts of internet connected components within their vehicles. And so does that mean? there's a potential for a vulnerability. At a minimum, if you're servicing vehicles and you have a gigabit to the internet and you get hit with a denial of service attack. You can't service vehicles anymore.
lou-rabon_46_09-02-2025_130753: Yep.
eric-ludwig_3_09-02-2025_150804: Those people gonna go? They're gonna go down the road to your competitor who's up and they may never come back.
lou-rabon_46_09-02-2025_130753: Yep.
eric-ludwig_3_09-02-2025_150804: So, and what does that cost to, you know, there's an opportunity cost. There's a cost to risk. There's a cost of goods sold. There's a cost of delivery.
So. Every and every person in the trusted advisor community, they know how to sell a gig circuit. the telcos sell denial of service.
lou-rabon_46_09-02-2025_130753: Yeah.
eric-ludwig_3_09-02-2025_150804: So it's a simple add-on that gets a security conversation going. That then gives, uh, folks an opportunity to then step back and talk about. do you test things? Do you have a [00:41:00] ciso? You know, go look at what, and, and, and this is pivoting a bit, but go look at what jobs are open for that organization in security and find out are there, are there hundreds of jobs for folks that are, uh, security practitioners? Do they have a gap at the C-suite in the cso uh, seat? Because if they do. know, firms like yours provide virtual CISO and virtual work that. Also provide checklist of, of different duties and jobs that folks have to, uh, complete in order to successfully be a ciso, you know, challenge the organization to say, do, do you really wanna hire a full-time staff member that could then leave the organization? Which is probably what happened and why you're asking to
lou-rabon_46_09-02-2025_130753: Often.
eric-ludwig_3_09-02-2025_150804: Person.
lou-rabon_46_09-02-2025_130753: Often, yeah.
eric-ludwig_3_09-02-2025_150804: That's an, it's being curious, so understanding if you're an automotive company, what happened in the industry, what's going on in the services business, asking about something you're comfortable with, [00:42:00] and then being curious and going on on their website. Go into, go to Indeed, go to some of these places and check. Who are they looking to hire? And then how does that potentially correlate into a portfolio and partners like, uh, CDG, and the ability to come in and create a prescriptive plan and fill heads that maybe they can't fill in their own.
lou-rabon_46_09-02-2025_130753: That's great, Eric, that, I mean, that's phenomenal advice. One of the, I, you know, get. LinkedIn Sales Navigator. If you don't have Apollo or ZoomInfo or something. And then look at, I often, that's the first thing I do when, when you know less and less am I going out and doing the, thankfully the hard yards of, of prospecting and stuff like that.
I'm, I'm not doing it day to day now, but once in a while I'll be like, okay, we're speaking to this company and I'll, uh, the first thing I'll do is exactly what you recommended. I'll look and see, okay, security. I, I do a search. You know, get, get 'em up in LinkedIn, uh, sales navigator. And then I look at people and then I do security.
It's that simple. And [00:43:00] often, you know, I'll see there's either zero people with security or the person that has the title for security is also the director of it. And it's like you, especially if it's for a couple thousand person organization, there's no way they have the time to properly look after security and look after the it, and then if you look at their team and, and things like that, it's just, it's.
Great advice, and I, again, I hope this is, you know, we're, we got some really good nuggets that are coming out here. I hope that people are listening and taking notes because this is, this is great stuff. And one other point that I wanted to make, um, on, on what you were talking about with the, um, team, you know, that's, we often, we, we stopped, we still call it Vcso for S-E-C-S-E-O purposes you know, we have vcso, but what's really important is. We don't do just vcso. We're coming in with a team.
It's one of our value props. And often, you know, we don't call it vcso 'cause we're working with chief information security officers and they might have a team, but their team is already busy [00:44:00] enough. So we come in and augment or at least look at things that we can help them with, and that might be threat intel and stuff like that.
So, all that to say that even if they do have a security team, that's not a reason to say, okay, you've got security covered. Let me sell you a product. There's still areas where we can help. And I imagine there's other providers as well where it's not just the vcso, it's like, let's speak to the CISO or the CIO and then, um, find out how we can help.
But, um, I wanted to pivot also be because we're running close to time here, uh, for just personally, um, you know, uh, do you, do you have a personal story maybe that, that demonstrates where cybersecurity might have had a direct impact on your life?
eric-ludwig_3_09-02-2025_150804: You know, I, I, I have had probably a half a dozen. Instances where my credit cards have been compromised.
lou-rabon_46_09-02-2025_130753: Yeah.
eric-ludwig_3_09-02-2025_150804: I tend to use that as a talking point with our clients because this notion of, of intelligence [00:45:00] and AI in security is not new. And so, you know, I've had cust, I had a customer in particular tell me, uh, we're not, we're not, we're not gonna implement in our security estate. And, and I asked why. And, uh, you know, he was one of these guys that had this big, burly personality. And you know, he's kind of the guy that you know, where, where I say stay humble and know when, when to say, I don't know. I don't think that's in that this gentleman's vocabulary. Um, and I, he, you know, he, he could be a lineman for an SEC team 'cause he likes to go around and hit people whether they have the ball or, or not. Um, and, was, uh.
lou-rabon_46_09-02-2025_130753: And literally.
eric-ludwig_3_09-02-2025_150804: And literally. Right. Uh, and, and, and he was pretty adamant about the lack of need for ai. And, you know, I, I, I basically challenged him, but in a way that I felt was not confrontational because I, whether you win or lose, you lose every time when you do something like that. And so it was, I, you know, I asked, I, I, I said, Hey, you know, if you ever had your, you know, your credit card compromise, you know, I'm an unlucky [00:46:00] guy. Where there have been periods where. a couple months, my, my credit card has been compromised, you know, two, three times. Uh, you know, call somebody, call me and say, did you, did you just buy an an iPad in Paris? And no, I'm, you know, you can also see I just bought a coffee at the Starbucks around the corner.
Well, that's ai. That's machine learning. That's behavioral analytics. That's a credit card company looking at correlating events. And in this case it's when did you swipe your credit card? Did you use your card physically or was it over the internet and where did you buy it? And then that if I just bought a cup of coffee with my credit card in Starbucks around the corner, that there's no possible way that an hour and a half later I could buy an iPad on the Shali in Paris
lou-rabon_46_09-02-2025_130753: With a card Present? Yeah. Card present transaction. Yeah.
eric-ludwig_3_09-02-2025_150804: so this notion that, oh, I'm not gonna implement ai, and I, I, I [00:47:00] said that specifically to the client. Now clear, I haven't won the day yet. And I think, you know, in this instance, this, this customer, he's just a difficult client. But, but it allowed me to take what, what has been a personal experience with security, and it's a basic one in. own credit card experience to then correlate that to machine learning, behavioral analytics, uh, looking at incidents and points in time. That's what Security Posture and Security Health does in many cases, is looking at different compelling components in a client's estate, understanding where the risks are and looking at how do we proactively determine where we might be able to, A, stop something and or B, improve the interconnectedness between.
One, uh, uh, point solution. And another point solution. And it takes people like, uh, you guys and like your ability to provide a programmatic approach and, and look at an outcomes based view [00:48:00] to say, Hey, we're gonna take the same approach that Visa or American Express does into how. How you go out and use your credit card.
So I, I do, I do use that experience, uh, to talk to clients. Uh, but specifically for that client, uh, it allowed him to say, huh, now it didn't necessarily help me sell anything.
lou-rabon_46_09-02-2025_130753: Right.
eric-ludwig_3_09-02-2025_150804: Be told, I don't want to talk to the guy anymore because first of all, I don't think he is gonna buy anything. And if he does, he is gonna be the world's worst customer. And finally, we're at a point in our business where we can say, yeah, we don't, that's not good business, even if it's business. But nonetheless. we should all have that kind of an example in our, in our in our, in our nomenclature, to be able to draw from it and, uh, and try and show how these things are real and real in a, in, in day-to-day life.
lou-rabon_46_09-02-2025_130753: Oh yeah. Yeah. And since you touched on ai, we, I will mention that AI for, for anyone in any company to say, well, we're not. Dealing with ai, uh, right there, I can immediately just know that they're probably, they've, their marketing department is putting down a [00:49:00] company credit card using AI and probably pumping, you know, a sensitive information through that and contracts or whatever.
And that's just dangerous. It's better to, to know it's kind like security where they're like, we don't want to do an assessment. We know we have a lot of problems. It's like, okay, that, that's, you know, not a really good strategy. So. That's, that's great and, and I'm glad that you're able to use that, but yeah, you were probably in Miami when the credit card got stolen too.
That seems to be like the Miami and Vegas are the two that they're just stolen constantly. Um,
eric-ludwig_3_09-02-2025_150804: Uh, that does happen a
lot
lou-rabon_46_09-02-2025_130753: oh, it's horrible.
eric-ludwig_3_09-02-2025_150804: but it, there's no safe place
lou-rabon_46_09-02-2025_130753: No, not anymore.
Not anymore. So you're, you, you know, you're in Chicago, um, Chicago area. Uh, what, you know, what got you here through, I we're, we're running close on time, but if you can, you know, kind of a bridge how, how you became a trusted advisor.
You said a little bit about you were, you know, had a, a lot of responsibility at, at CDW. So yeah. Tell me how, how you [00:50:00] got here.
eric-ludwig_3_09-02-2025_150804: Sure. I mean, uh, the, the, the role at CDW was a trusted advisor before trusted advisor. Was, was even a term. And uh, it started as just a telco guy. I, I spent over 10 years at at and t outta college, mostly as an international specialist, and I was always the guy that was willing to talk tech. So, I was a managed services guy for a while.
We. Talked about disaster recovery and business continuity and sold what was the network integration portfolio at at and t. And and I, when I joined CDWI was part of the hosting division, the managed hosting and managed services group. But that draw back to the telco space really kind of stuck with me.
And, and so, uh, I was part of what was a large team that, that generated very significant, uh, top line and gross profit numbers and. We were trusted advisors for our clients and it started with stuff they didn't wanna deal with, which was dealing with [00:51:00] Telco, billing issues and chronic troubles and you know, construction fees and whatnot.
And that evolved into. figuring out what works, when, where, why, and how. And at CDW, we were keenly aware of the stitching between a service that we might recommend and a manufacturer that buttered the bread, Cisco or Dell, prior to that EMC or IBM or hp. Uh, and so we got, we became comfortable asking questions about where clients have investments and then correlating those to products and services that exist. With a different purchasing and consumption model. For example, you use Dell data protection. Well, there are Dell data protection opportunities in the channel for clients that don't wanna buy another box or maintain backups, et cetera. And so that evolved into where we are today, which is all of these services are now available, uh, as a service.
Uh, very few people are. Purchasing them and [00:52:00] managing them and, and care feeding for them. And so, uh, you know, our role as we exited CDW and started Rise, it was the same motion that we've generated for many years. It was using our two ears and one mouth to listen first and talk second. It was asking questions about. What investments do you have? Who are you working with? What do your contracts look like? Where are there, uh, where are you being, what you find yourself successful? Um, you know, there, everybody wants to save money, and so it's an easy discussion to say cost optimization in four areas. It's either renegotiation. Of an existing agreement. It's a vendor swap. It's cutting heads, sadly, uh, or cutting operational expense, or it's new tech adoption and minimizing other potential increasing costs. And so if you, if you stick to those. Four or five things. Um, I, I don't know that it matters what, what [00:53:00] jersey you're wearing.
I think it's just a matter of, of having those broader discussions. And so Ed Wu and I are, uh, founded Rise, and we have carried that same banner we had at CDW. We have invested in program management and back office and client support. Uh, and, and we will continue to do that so that our customers stick around and invest in us because we certainly are investing in them. Yeah, thanks Lou. Uh, people can connect with me on LinkedIn. Uh, I'm not a, I'm not a Twitter or X guy. I'm, I'm LinkedIn, uh, rise tech advisors.com. Uh, you can follow our page I'd, I'd love for you to follow our page on LinkedIn as well. Uh, if you have ideas. You'd like to engage with us, uh, by all means we do work with other trusted advisors who have relationships, but have blind spots in certain, uh, areas of technology where we agree not to, you know, not to go over those guardrails.
So hit me up on LinkedIn, Eric with a c, uh, or check us [00:54:00] out@risetechadvisors.com.
Thanks for having me, Lou. Uh, appreciate you, uh, reaching out to me and supporting Rise and offering some, some great advice to those of us in the channel. Uh, we we're glad to have you and we're, we're real fortunate to have you.
[00:55:00]