Values-Centric Selling - Carraig Stanwyck - Channel Security Secrets - Security Expert - Ep #18
CSS - Carraig Stanwyck
===
Carraig: [00:00:00] when you're being honest about stuff, when you're not misleading people, when you're being, you know, candid and transparent, that's a double-edged sword.
Lou: Hi everyone. I'm eager to chat with our guest today. He's a seasoned people leader, board director, startup advisor, and three time chief information security officer, a powerhouse leader in cybersecurity.
He recently made the [00:01:00] leap from Fortune 200 CISO to CEO. During his time at the USDA's Risk Management Agency, he served as acting CISO, safeguarding more than 100 billion in liabilities. At H&R Block, he built the company's first fully integrated global team and launched a 24/7 incident response program from the ground up. He's currently the chief executive officer at Three Tree Tech, Carraig Stanwyck, welcome to the show.
Carraig: Hey, thanks. It's good to be here. Appreciate it.
Lou: Yeah, really looking forward to, to getting your insights, especially with that storied career. So my first question, Carraig, is what's the biggest secret to your success in cybersecurity?
Carraig: it's interesting, right? Like you go around and you talk to the various CISOs out there and one of the things that seems to be relatively common is just how uncommon everybody's backgrounds are. And I would say that's the case for me as well. Uh, my first career was in human intelligence.
Not IT, I didn't grow up [00:02:00] with the same stereotypes. I didn't grow up in the same culture. So coming over from the, uh, human intelligence world into cybersecurity, it really gave me a lot more focus on, on the business, on the people, on asking questions, right? Asking the why. 'cause the why matters, right? The why matters.
And I would, I, if I were to point to one thing that would've helped me in my career, it was the why. Asking the why and, and because the reality is the business generally has pretty good reasons for what they wanna do. And if you can help them succeed in their goals, they're the ones paying your paycheck.
So it, it tends to work out pretty well.
Lou: Yeah, I mean, it's good advice. I think also the, uh. the, your background coming from the, uh, you know, like kind of military DOD government side and over to commercial. You also obviously had a [00:03:00] stint, um, in, in other government work at the USDA.
Carraig: Mm-hmm.
Lou: Uh, any, any perspectives there making the jump from, uh, you know, being kind of a, on the government side to the commercial side?
Carraig: Yeah. You know, in the government as a contractor, in the government, it's not as big of a deal, but as soon as you move into an actual government role. You realize that there is a lot of bureaucracy and a lot of it is bureaucracy for bureaucracy's sake. You know, there are so many policies, so many standards, so many regulations that you have to comply with within the government.
You know, at one point I thought that if you wanted a higher rank, you had to come up with some sort of new policy and give it some sort of acronym, right? That that became the measure for promotion. So I was at a point for a while in government where I was like, you know, there's just way too much when in the way of policies and programs and everything else.
And then I came to the [00:04:00] non-government world where in many cases there've been none. And I was like, you know, let's find a happy middle. So I went, I went from really hating the, the overhead of all of the policy and structure. To valuing it when seeing organizations that largely had none or had very minimal, uh, and have long learned as I've gone through, you know, government and different organizations building programs, that the boring stuff, that foundational component, the foundational structure, that's not exciting to talk about.
It's not going to win any awards for drama, right? It's not gonna keep people excited at a talk. That's the kind of thing you listen to when you're trying to go to bed. Right? And yet it's probably one of the more successful reasons, um, that these programs have worked is by having that structural foundation laid.
Lou: Yeah, I, I would say that that's probably one of the biggest secrets in cybersecurity is that to do it right is [00:05:00] actually. Very boring. It's kind of the lather, rinse, repeat, you know, brushing and flossing kind of, um, everyday stuff that you do. And yeah, the, the, the really exciting, sexy stuff is the AI and, you know, kind of anything with AI in it. Um, things that silver bullet approaches with, you know, here's a shiny tool that's gonna solve everything. Um, all that obviously doesn't work. Um, they can work in concert with the boring stuff, but to your point, you gotta have the boring stuff down first, uh, before you get to those shiny, shiny object.
Carraig: Uh, there are, there's so many times I've gone into organizations. In fact, I would say in every organization that I went into as a CISO or as a security leader, where I was coming into build programs, which seemed to be my niche, you know, in that world, the one biggest commonality was everywhere I went.[00:06:00]
There was a lack of rationalization. There was a rack, lack of utilization of what was already there.
Lou: Right.
Carraig: Chase the shiny and forget about taking advantage of what they already have. Sometimes people chase the shiny, not even recognizing if they need it, where it fits on their roadmap, where it fits within their current capability, needs, or risk tolerance of their organization.
I mean, a lot of organizations that I've gone into don't even know what their risk appetite is because nobody's ever asked them to define that. So I always go back to how can you even build any of these programs? How can you know what you need to buy? How can you, you know, really run an effective program in line with your company's business goals?
If you have no idea what their goals even are, if you have no idea what their risk tolerance is.
Lou: Yep.
Carraig: I mean, our job is not to overpower the business. Our job isn't to tell the business what to do. Our job is to help the business [00:07:00] understand the risks of what they're trying to do. But you can't do that if you haven't sat down with the business to ask
Lou: That's right. To enable the business essentially.
Carraig: A hundred percent.
Lou: Yeah. And ensure it continues. Uh, know, and, and it's funny because you
Carraig: I.
Lou: Um, the not understanding what the risk is. This is something that we've been coming across now, we embed this in all of our assessments, is an organizational risk alignment.
We don't even call it an assessment. We get all the stakeholders in a room C-suite board if necessary, and we say. Do you even know, you know, what is the risk appetite to your point? And, and everyone's gonna have a different answer.
Carraig: Mm-hmm.
Lou: Aligned, yeah. Like CFO is gonna be like, Hey, we just want to keep the lights on.
Maybe, uh, you know, the CISO's gonna be like, Hey, we, we have a lot of things that we need to cover. I need more budget. Things like that. So, so relevant. It's, um, you know, it's interesting. Do you find that, um. Now it's evolving [00:08:00] because you've, you know, seen multiple environments. Uh, one would hope that we're starting to evolve, uh, past the kind of basic stuff into people getting it.
But you're shaking
Carraig: No,
Lou: no.
Carraig: uh, I, I, it's, it's, it's a loaded question. I think that there is more awareness in the cybersecurity community. For the need to be in alignment with the business. I don't think it's as bad as it once was where cybersecurity was the office of no, like the no, no. Right. I don't think it's as bad in my experience, where cyber is actively out to get the business or out to get everybody else with that kind of cop mentality the way it was when I first got into this industry, I haven't seen that as much.
What I have seen are a lot of security leaders being promoted for their technical expertise without giving any of leader any of the leadership training to make them effective without giving them any of the [00:09:00] skills they need to have business acumen or to understand, you know, what the business actually needs without helping them have the skills that they need to build rapport with the stakeholders on the other side of the table.
To really build those alliances you need for everybody to be effective. That's where I, that that's what I haven't seen a lot of success with. Right. There are some CISOs that are exceptional at it. There are some that shouldn't be CISOs frankly.
Lou: Oh
Carraig: Right. And unfortunately, a lot of it right now happens to be a luck of the draw because there, you know, how many programs do you know of that are CISO programs?
From a business perspective? How many programs do you know that are set up to help? IT leaders with their business acumen internally. It's just not something that we've gotten good at at this point.
Lou: No,
Carraig: We,
Lou: not at all.
Carraig: we promote people expecting that because they're good as an engineer or because they're good as an analyst, they're going to automatically, automatically be a good people leader, and that's just not the case.
Lou: Yeah, absolutely. Those people [00:10:00] skills that business tying security outcomes to business
Carraig: Mm-hmm.
Lou: Yeah, that's, that's a really missing, uh, component.
Carraig: I mean, it's not just one sided though either though. The, the other aspect of that, and I, and I don't mean to interrupt, but I think it's important, not only do we kinda have it wrong on the cyber side, but a lot of these companies, especially these older companies, they've been around for a hundred years, or sometimes 50 years or 60 years, they haven't had a major breach.
So how do you make them care? How do you help them understand the risk? It's, you know, out where I live in the country, here in the middle of nowhere in Missouri, there's a lot of people that don't wear seat belts. And if you ask 'em why, it's, 'cause it's never been a problem before. Right?
Lou: Right.
Carraig: And, and you kind of get that same mentality a little bit with some of these, these corporations.
So I think it's a mix of responsibility. I don't wanna put all the blame on on one side here, but I don't know that it's getting better as fast as it should.
Lou: Oh, it, it definitely isn't, and I think that car analogy is accurate. I, I often use that when I'm trying to explain [00:11:00] what is cybersecurity, because it's like, yeah. In Missouri on some of those roads, less traffic probably kind of, some of 'em might be windy, right? So you're not gonna be going 150 miles per hour. Um, and you might even have a 30, 40-year-old car that you're driving. Um, however, now take that to the Autobahn. Um, and, and put it in at, you know, where there's people going 150, 200 miles per hour or more. You want to go to the same speed, but you know, you've got a lap belt, no shoulder belt, no anti-lock brakes, no collision avoidance, you know, no, no, uh uh, collision zones in the
Carraig: Mm-hmm.
Lou: You know, if, when you start to look at it from that perspective, that that's how I often try to, uh, portray it. So I think that's a really accurate analogy because. If, if you, once you put that CEO in that driver's seat of a, you know, 1965 Mustang that has lap belts and nothing else, a steering wheel that will impale them, you know, you wanna go 200 miles per hour in that car.
[00:12:00] If you could even do it, you're in trouble. Um, but you start to tack on, that's where cyber, the, the analogy being. We'll put antilock brakes on, we'll put airbags in there. We'll, we'll give you some ability, better brakes, you know, things like
Carraig: Mm-hmm.
Lou: Um, and, and that can allow the car to go faster with confidence.
So I, I do like that analogy, but it's both sides have a problem. So. A lot of the people listening are, are going to be salespeople that are dealing with, you know, this and, and some are going in at the IT side with these legacy companies that, to your point, have not been, or are still not regulated in many ways. And so they have to kind of make this creaky turn towards, you know, the fact that every company is now a tech company because no one can operate without the internet. And we saw that recently with the, uh, latest AWS outage. So, um. What's your, what kind of advice would you give to those salespeople that are banging their heads against, uh, you know, the kind [00:13:00] of ignorance of what actual cybersecurity is?
Carraig: Yeah, it's tough, right? It's, it's really gonna depend on who your customer is, and that's just the sad reality. You're gonna have customers in it who actually know what they're doing. You're going to have those that. Choose to follow some of your industry thought leadership groups so they don't have to do that much thinking on their own.
You have those that are passionate champions with you and your product, but don't have the buy-in internally to do anything with it. I would say the number one. That drove me a little bit crazy. Actually. I would say two areas that drove me crazy when I was in my last global CISO role. One is all the sales folks came to me as a global CISO, not to the people that were using the product, not to those that were [00:14:00] ultimately going to buy the product.
But to me, and I say that as a challenge because. If I go and tell my teams to use a product that they aren't already bought in on, they're not gonna leverage it as well as if it was their idea. If it's their idea, even if it's not the product that I would've picked, they're gonna do a better job with it.
The other challenge is that the sales folks would come in and they would sell the team on a product, but they would do nothing to help their internal champion sell that internally. And I think. The best salespeople out there aren't those that sell the product to the customer. They're those that partner with the customer to sell that product internally to all of the other stakeholders that are involved in that process.
And that is something that I see so rarely on the customer side, that it's a little bit frustrating,
Lou: Yeah, it takes, oh, especially with the larger customers, obviously there's no one person making the decision. [00:15:00] It's
Carraig: right?
Lou: Committee.
Carraig: Mm-hmm.
Lou: To your bureaucracy point, and um, you know, that's why selling into the enterprise is so frustrating too, right? Because it's like once you might have everyone, everyone's buy-in and then all of a sudden there's just one stakeholder that's. I need to, let's revisit this. You, can you now redo all of the explaining you've done for months to, to me now? And then it just restarts the process. So where someone leaves all of that stuff. So it does take, um, a village, I guess so to speak, to, uh, to sell the enterprise, but that's why mid-market I think might be interesting.
Um, more interesting. We find it more interesting. Is that where Three Tree is playing? Like what, what segment of the, the industry
Carraig: I would say actually Three Tree Is, is playing at a little bit higher, um, up market than a lot of folks that sell with this brokerage Plus, you know, agency model that Three Tree leverages, uh. [00:16:00] We do. Because of that, we do run into challenges more often with, you know, procurement departments and other areas where this type of model isn't as common on the cyber and IT side, where we tend to have a lot more of a foothold than most,
Lou: Mm-hmm.
Carraig: You know, it's pretty common on the telecom side, not as common, you know, on the cyber side.
So we do spend, have spent a lot of our time educating. Uh, I would say that, you know, for us, we're generally in the 5 billion plus revenue. Is what we're looking around. And so we're a little bit more up up market than a lot of folks, uh, on this side. Now, obviously we have customers that span, you know, quite a, quite a large, smaller shops all the way up to, you know, fortune 100 all day long.
So it really depends. It really depends on where we're at. But I would say that 5 billion is probably plus or minus a bit is our sweet spot.
Lou: Do you find, um, are there any like shortcuts or any, any tips you have for procurement when you're going through that?
Carraig: [00:17:00] Hmm, that's the, that that is, it's, it's tough. Uh, procurement is, you know, depending on the organization, procurement is often the tail that wags the dog.
Lou: Right.
Carraig: And if they don't understand the value, now there are some organizations that. Are allowed to go direct, which works great with our model. All of our deals ultimately are direct deals as far as the customer's concerned, right?
And procurement doesn't even see us in the loop, which is great
Lou: Mm-hmm.
Carraig: Those companies that can go direct for those that can't. And trying to find a traditional channel partner on the IT or, you know, cyber side that we can partner with that will be, you know, play ball, be fair. It's, it's tougher than, than you would think.
Lou: Oh yeah.
Carraig: And so we spent a lot of time educating, you know, just had lunch today with a procurement, uh, leader and one of our customers because again, going back to that stakeholder conversation, this isn't just about the [00:18:00] specific champion that wants to buy your product. It's about making sure that all of the stakeholders involved are comfortable with the way that business is being done.
Uh, understand how business is done and the values of. The way that we operate compared to a traditional VAR.
Lou: Yeah.
Carraig: ' cause I mean, let's be honest. I mean, even on this side, I've been, you know, CEO now for, shoot, it feels like it's been a year already, but it's only been, uh, almost three months. And, uh, and uh, I've learned, I've learned quickly that.
It's, it's not, not exactly what I expected, right? There's a lot more, a lot more cutthroat than I expected. There's a lot more, uh, players in the vendor world, in the channel world who are, who are not values centric. I'll try to say TC on that, right?
Lou: Yeah, we've seen it too. It's, it's a recurring theme with a lot of the guests here too. It's that transactional view versus the long-term view.
yeah.
Carraig: know, and at Three Tree, you know, relationships are our product. You know, trust [00:19:00] is our currency. So we're, we're very careful with who we work with. We're very values centric.
Lou: Mm-hmm.
Carraig: Would rather lose a sale and still be able to sleep at night than not. But that's not normal in our industry.
And so it'll be interesting to see how well we do, uh, trying to scale this and, and build it and grow it. I'm pretty determined to do this the right way, even if it isn't as easy as I thought it might be. Uh, it's one thing for people to say they want things done the right way, but when it comes to stakeholder management, you have to get everybody on the same page.
And when you're being honest about stuff, when you're not misleading people, when you're being, you know, candid and transparent, that's a double-edged sword.
Lou: I agree. I mean, I would encourage you to stay the course with that, even though it's, it's a longer road. Um, it's also got a, a longer tail. It, it's something you know, you're gonna Yeah. And you know it, but it can get frustrating. I, I remember when I first [00:20:00] started the company, I spoke to my business coach and I, I was like. I see so many people doing it, you know, taking the shortcuts and doing the, you know, low integrity or no integrity way, and they're right now they're really successful. And he's like, that's, trust me, that's not a long-term, uh, view of business. And he is right. That was. Nine years ago, eight years ago, and now I can see most of them are, have gone the way of attrition.
Either them been acquired or they haven't lasted, or, you know, so, but it is, it is a harder way to, to take the longer view. Um, you also mentioned, I mean, you're new to this and you're also new to this TSD, you know, channel.
Carraig: From a, from an employee perspective, I mean, I've, I've been a, I was a, I've been a customer of Three Tree's for five, you know, Three Tree for five years,
Lou: so, so you're familiar with the model as a consumer, someone
Carraig: correct.
Lou: You know, consuming the services,
Carraig: Well, yeah.
Lou: you're on the other
Carraig: This is why I took the job, right? I took the job because [00:21:00] I've had a couple of decent VAR experiences, but by and large. Building program after program government, uh, you know, industry with HR Block Wave Financial, which was a startup that I was the CSO for, up in Toronto, Canada, you know, then Avnet, you know, over and over again, I'm going and building these programs and my experience with VARs were over overall were not great.
Right? They just, it just wasn't great and it was really. Weird to me that the one channel partner I had that provided me the most value was the one that wasn't even a reseller. And so that was what kind of got the whole wheels turning, right? If, if I can scale that so that other people can experience that as well.
Lou: Right.
Carraig: That was a lot of the motivation behind it was this radically transparent, doing the right things for the right reasons. Small company that was unlike any reseller [00:22:00] that I worked with.
Lou: Yeah. And it's not the traditional VAR model either. This TSD channel is different. So what are your, um, kind of, I don't know, insights or takeaways after being on this side of the desk for a couple months? A few months?
Carraig: Uh, procurement's a lot bigger deal than I realized.
Lou: Hmm.
Carraig: The, you know, as a customer, when I looked at VARs, I always thought that v, you know, value added reseller, that v value added should be for me. What I realize now is really, it's more for the procurement teams, so they have less paperwork to sign. Uh, VARs aren't really, in many cases incentivized to provide that value add anymore anyway.
It's just companies are so used to doing business that way, that as the procurement person I was talking to at lunch today, I was like, so like when they bring you these deals and she's like, oh, wait, stop. She's like, our VARs don't bring us deals. We identify the solutions that we wanna buy, and then we take it to the VARs.
It's like, so then what are they earning their money [00:23:00] on? Like
Lou: Yeah.
Carraig: If they're not helping you in that process, if they're not running the RFPs or like the, you know, the, the searches for you, if they're not helping you strategize and, and roadmap and build in, like, what's, why are they making any points at all other than, other than, because they can, you know, consolidate multiple contracts into one MSA.
Lou: Yeah,
Carraig: know, like, what, what else is their value? And the procurement person was like, well, there really isn't one. Like it's getting less and less.
Lou: yeah. They're order takers
Carraig: Yep,
Lou: Yeah. So it's nice, um, to be part of one that's not like that, that brings
Carraig: a hundred percent.
Lou: Services. Great. Are you having fun?
Carraig: I am, I, I'm working more than I can remember working. Uh, obvi. Obviously this side is all about the hustle, but you know, it is interesting. When I was a CISO, I, I asked myself the question. I said, you know, how do you know, you know, how do you quantitatively [00:24:00] determine whether somebody is a good CISO, an above average, an average, a below average?
How do you quantitatively determine that? If there's no breach, if there's no major incidents, how do you even know? And that part kind of bugged me, right? 'cause it's a tough question to answer. Uh, you could sit there and come up with some metrics around business engagement or something, but when it comes to, it doesn't matter if you're the best CISO in the world, if you're the best one in the world, then you're gonna be aligned with the business, which means it's not gonna be perfect security.
So business has still got their job to do, which means you're still gonna get breached at some point. It's not a matter of if, it's a matter of when. So.
Lou: Right.
Carraig: Getting breached itself isn't a measure of it. So what is, and so that, that question bugged me. The other thing that challenged me on the customer side was if you are doing a good job as a CISO, you're not trying to get the biggest program possible, right?
You're trying to align with the [00:25:00] business. If you are trying to build a program that's bigger than what the business needs to align with its risk appetite, you're hurting the business.
Lou: Mm-hmm.
Carraig: Which means that there is a built-in glass ceiling to every CISO role
Lou: Yeah.
Carraig: Because you can't grow in some unlimited size program.
If you do, you're hurting the business.
Lou: Right.
Carraig: And so transitioning into a role like this is pretty freeing from the perspective that you, you know, when you're in the sales side of the house and on a company the size of Three Tree Tech, we're all salespeople. Ultimately just, you know, regardless of what our official titles are, we're all selling
Lou: Mm-hmm.
Carraig: On this side.
The more that we can sell, the bigger we can get. The more that we can sell, the better we can scale. And if we're doing it with our integrity in place and our values in place, then even if it's a little bit slower than we'd like, sometimes long term will be, uh,[00:26:00]
great.
Lou: Yeah, it's always slower than you want. But, um, you know, you, you mentioned the, um, you know, how would you, uh, determine, I mean I've got ideas there, but I think you mentioned it's not a matter of if, but when getting breached. I mean, I think that is definitely one indicator because, uh, you can say, Hey, yeah, we had an incident, um, or a very. Um, uh, a security event that didn't turn into an incident, let's say, but we contained it and kicked him out before it became an incident. And I think that that is one indicator, uh, a very strong indicator that the security program's working at least, um. If it's not individual heroics, I mean, how many I'm, I, I know that you've been, um, part of this and I, you know, I too many times for me to count, but it's like, oh yeah.
Individual heroics by one employee that might, you know, on the IT that might've caught an open port or
Carraig: Mm-hmm.
Lou: Stuff and [00:27:00] they never saw that. Services account before, so they
Carraig: Right.
Lou: Closed it down and moved on, didn't document it properly,
Carraig: Mm-hmm.
Lou: An incident know, like stomped all over the evidence.
Moved on to the, you know, didn't do it properly, but they did stop a breach. You know, that's an immature program obviously,
Carraig: That's interesting. You know, as I, on the customer side, that was actually one of the main challenges I had with the MSSP model because.
In the MSSP model, it's almost like a call center for most of these MSPs, right? So an alert comes in, they do some incident, they do some incident response, and you go from there.
Lou: Yep.
Carraig: When I look at the largest incidents that I've overseen in my career, not one started from an alert.
Lou: Oh no.
It In every single case, and it won't No, no.
Carraig: In every single case. In, in, in my situation, in every single case, in of the larger incidents that I've overseen, and I've overseen a few of them now, it was because [00:28:00] somebody organic to my organization who had the freedom to look around and, you know, use their best judgment, who was in the tools every single day, saw something and said, you know what?
That doesn't look right. Then curiosity drove them to figure out why it didn't look right, and that's how we ultimately identified that something wasn't right. It wasn't an alert, it wasn't, but the, the call center, the call center methodology of most MSPs wouldn't catch that kind of thing.
Lou: Oh yeah. I mean, that's why it's broken. There's a lot of things that are broken in cyber, and I think we could probably fill an hour or more of just listing them. But one of them is the MDR model, um, where it's kind of like, do you have an MDR provider? Or MSSP is the same as. Do you have antivirus, you know,
Carraig: Right,
Lou: years ago or, or firewall.
Like, it's not all are created equal and it's not the only thing you need.
Carraig: Right,
Lou: and, you know, um, the outsourced IT model creates a, [00:29:00] a ton of risk. Uh, so the MSP model, especially when they start to say that they do security, which we all know that they do not do, I mean for SMB makes sense,
Carraig: right.
Lou: If you're larger than. 10 people and you're having your IT, you know, uh, company do your security, you're, you're in trouble. And, um, yeah, for the breaches that, that I've been a part of, uh, and it's pretty, it's numerous 'cause that's one of the services we offer. It's typically, you know, we're called in as the responding firm after it's blown up.
So, um, you know, sitting on the other side of the desk, I have some stories too, probably that I can't share, uh, to a public audience. But yeah, it's, uh, I think your, your experience definitely. Not unique in the sense that the, the, the eagle eye person that was, you know, actually paying attention and knew what they were doing and caught something.
Carraig: Mm-hmm.
Lou: Just gotta hope that they catch it early and, and
Carraig: And then do the right thing with it when they [00:30:00] do find it.
Lou: do the
right thing with it. Right?
Carraig: Yeah. Ha. Have those have those foundational components built into your program that we talked about earlier, the boring stuff
so that when somebody does see it. It's handled.
Lou: Yeah, big time. I mean, that leads just kind of logically to the AI conversation. We, um, we're surrounded by it. We're all using it. It's not the panacea that everyone
Carraig: Hmm.
Lou: But it's definitely, um, useful. What, what are your thoughts on, on AI and how it's affecting security?
Carraig: I think it depends. Right? There are a lot of AI startups or ai. New security startups coming up that I'm pretty excited about. There is no doubt that there is a place for. AI and or what we're calling ai. I think AI in and of itself is kind of a stupid thing to say 'cause it's not actually ai, but anyway,
Lou: Yeah. Machine
Carraig: the, the whole, right, exactly.
I mean, I still remember, I, for a while, I had a [00:31:00] screenshot from, uh, nets, uh, um, yeah, Netskope, where like from before OpenAI went viral to after ChatGPT went viral. And it was like the same exact front page, but they just changed ML to AI or something like that. I had the, I had two screenshots like that for a while just to show, show the difference and you know, you, and so AI becomes a buzzword.
It loses a lot of meaning. Now Agentic is doing the same thing,
Lou: Yep.
Carraig: And how people define it is just wildly different. All of that aside, the L the, you know, leveraging machine learning with large LLMs is proving to be beneficial from a productivity perspective in many areas. Um, the ability to analyze large data sets to, I mean, there, there, there's some pretty cool stuff from that.
Lou: Hmm. Big
Carraig: And the flip side is people trust it too much and a lot of folks are using, you know, this new vibe, coding, leveraging ai. And, you know, I'd be getting, you know, requests [00:32:00] from, you know, people in various, you know, department, uh, business departments saying, Hey, we want this tool, or Hey, we want that tool. They bring these tools to market so quickly because they're just leveraging AI to do the coding for them.
That the architecture is garbage, the safety is garbage. There's no security built in. I mean, it's, it's such an afterthought that if we were to allow them, they would be just a huge security. You. So
Lou: Disaster
Carraig: I, I kind of have, I kind of have mixed feelings on that. I also feel that all of this talk on, on AI is largely distracting us from our next big topic that we're gonna have to deal with.
And that's quantum as that continues to grow. So right now we're not even talking about quantum 'cause we're so obsessed with AI. And yet, you know, quantum's right around the corner, the, when you look at the development in that space, it's, it's real. So. So what happens with that? Right. So I have a lot of feelings all over the place as it relates to AI.
I mean, there's aspects of it that I love. I [00:33:00] use it every day, right? I have paid, I have paid versions of most of your current ones. I mean, I, my, my monthly bill for all of my, the different AI platforms that I leverage to be productive is, you know, higher than my cable bill. So,
Lou: Right, right.
Carraig: and, and yet at the same time, I'm very skeptical of just how much faith so many people put in it.
Who have
Lou: yeah.
Carraig: Business putting any faith at all into it 'cause they don't know what they're doing.
Lou: Oh my gosh. I mean, yeah. Such a, it's, it's so true. And the worst part is Carraig, that a lot of these people, these, so these AI companies that are popping up, they are, um, taking data, right? And they're, they're purporting to solve whatever problem, usually business related. So gimme your business data and then, you know, every time I see this I'm like, okay, lemme check this out.
Go to LinkedIn. There's five people on the team, maybe 10. They probably just got a hundred million in funding, but you know, it's still like a tiny team.
Carraig: Mm-hmm.
Lou: Got a trust [00:34:00] center. The trust center is probably run by. You know, Vanta or one of these
Carraig: Mm-hmm.
Lou: Companies, and that's where I want to talk about quickly SOC 2 too, and how, how useless that's becoming
Carraig: Mm-hmm.
Lou: Because of the Vantas of the world and, you know, respect to Vanta, that business model, you know, they, they solved a problem.
It that was, Hey, these things suck to get through. We need help, let's automate it. But the problem is you can't automate security. You can somewhat automate a little bit of compliance, but at the end of the
Carraig: Sure.
Lou: What. Getting a SOC 2 in a box where you get a, you know, cheap auditor and a, an automated tool to say that you're fine is making the industry less secure.
Carraig: Hundred percent.
Lou: Yeah, you go to these AI tools and they're brand new, they have tons of funding, they have no security team, they're vibe coded, and then they're taking all your data completely unprotected with no real
Carraig: Mm-hmm.
Lou: You know, recipe for absolute disaster.
Carraig: I mean, when you go out and look, I mean [00:35:00] it was, it was wild. So, you know, in my last role, obviously at Avnet, right, we were a multinational global company. You know, about a hundred companies over the last, I don't know, 30 or 40 years. Tons of various, you know, levels of integration. And so as an organization, and I would expect the same for any of that size, right?
There was no such thing as a, as an Avnet-wide certification, right? Because we have business units everywhere. I mean, that's, it's what ha It's what you get with any of the large multinationals. And at one point we were looking at doing an ISO cert for one of them and calling around to various vendors to get quotes and get their spiel right.
And it was amazing how many were like asking us the question of, Hey, do you actually wanna be able to mitigate these controls or do you wanna be able to just say, you are like it. It was, it was very open. I mean, when you have these attestation based or attestation based certifications. Like these companies were literally very [00:36:00] open about the fact that, hey, do you want to actually be certified or do you just wanna, you know, BS it?
And it was just wild to me. Like,
Lou: Oh yeah.
Carraig: I mean it, and it's not just ISO you take any of these, I mean, over in the UK Cyber Essentials, you take, you know, SOC, I mean SOC 2. I mean a lot of these attestation based, which require minimal artifacts to actually go through, it's, it's not hard.
Lou: Oh yeah.
Carraig: If you're not serious about it internally, if you don't take it seriously internally, you're not really doing anything to improve your security.
Lou: Nope, nope. Just checking the box. And that's where the third party, um, you know, vendor risk management. It's like, oh, do you have your SOC 2? But you still get a 200, you know, question questionnaire, even if you. Provide some kind of attestation and things like that. So the worst is what I've seen a couple of them doing, and I cannot believe that, especially the AICPA, which is a strange organization to run a security, uh, you know, certification for SOC 2, but also just the fact that they're allowing the auditors to do the and, and [00:37:00] prep for the audit.
Carraig: And then certify.
Lou: Yeah. And then certify. Now they're like, oh yeah, that's another department, or gimme a break. You know, like, same company. No, that's, that's, there's no, know, we're the ethics.
Carraig: That's the best scam in the world. Come on now.
Lou: man, it's crazy. There's even software programs that do that. It's just nuts.
So anyway, um, I think that that's a real risk with the AI. These fly by night, you know, 90% of them will not be around when this bubble bursts. And, uh, it's, it, you know, if these AI companies that are popping up all over and, and most of 'em aren't even solving the problem, but it can be a game changer in cyber, but it's also making it. Um, harder for these companies to operate without a, a real
Carraig: Right.
Lou: because when you don't do the basics correctly, when you, when you, you know, are not doing it in a programmatic fashion, then you're in real trouble because it's, you know, you only gotta be right once as an offensive guy.
You gotta [00:38:00] be right all the time as a defender.
Carraig: Yeah, I mean, the other, the other analogy is. You know, I grew up, and I'm sure other people have said the same thing, um, but this was a favorite saying from, you know, one of my grandpas. But he was like, you know, you don't have to be the fastest guy running away from the bear. You just can't be the slowest. Right. And, and so like from that perspective. We don't even need to have perfect security. We just need to take care of that low hanging fruit. The problem, going back to the very original comment though, is that low hanging fruit is often just crossing your T's and dotting your i's. It's the boring stuff that nobody really wants to do.
And if you get that stuff done, if you actually take some of these certifications seriously, which help get some of that base foundational stuff done or should, ideally, then that's good. And I will say. You know, Avnet, I believe was the first non-prime to get CMMC Level 2 certified. We were pretty proud of, of that accomplishment.
And the CMMC process I found to be more [00:39:00] credible than most. So I am despite that, despite, I, I guess my feelings that it's gonna be a little bit of a lift for, you know, these hundreds of thousands of organizations that are, are required to go through it. For those that require the third party assessment.
It is not like these other ones. And I was actually happy because of that. Right. It's very prescriptive and it's very, you know, okay, you say you're gonna call this person if there's an incident, great. Call 'em. I mean, it was, it was not just artifact based. It was legit. Now who knows how much that will be diluted now that everybody is trying to go out and become a certifier and become a prep.
'cause there's, this is gonna be a big business on the, on the vendor side for a while due to these requirements.
All these businesses waiting until the last minute. But as far as audits go, or as far as com, you know, certifications go, I felt it. I felt it was one of the better ones from that perspective.
Lou: Yeah. CMMC, the, the, the, you know, DoD kind of standard. [00:40:00] For
Carraig: Mm-hmm.
Lou: know that, what that stands for, used to be DAS, the, this is the evolution. They added maturity, which is, um, brilliant because that's the other thing about cyber. You can't just say. or no, it's not a black or white thing. It's like, I'm doing it, but how well are you doing it?
Things like that. Um, the, it's, it's really interesting to see how, um, you know, special interests have kind of affected that as well, because in the beginning they were, I mean, look at how long it took for them to just get, get everything out. Because once they kind of set it and then everyone started to see dollar signs. It was like, okay, what, you know, all of these organizations piled in and, you know, how are we gonna certify them and stuff. But I agree with you. I think that it's still got a lot of merit. I, I, I, and I also agree that there will be dilution for sure, but, um, in principle, I would say out of all of them, especially because it's based on NIST, um, those are, it's very prescriptive and definitely the be better way to go.
So, um,
Carraig: Yeah, I like it.
Lou: [00:41:00] Yeah, it's really good. Uh, so bringing it back to the trusted advisors and,
Carraig: Mm-hmm.
Lou: channel that we're in, uh, there's a lot of people, t trusted advisors that wanna sell security. They're afraid to do it. I know these are your competitors, so you may not wanna like even tell them, give them any advice, but like, how do you, um, uh, maybe even someone on your team, you know, they obviously should and I know. We, you've got some really, uh, strong, strong people on the team. Jacob. Love working with him. Um, but, uh, you know, let's say a new TA joins your, uh, you know, firm, your organization at Three Tree. How do you, and maybe they don't know a lot about security, like where do they start? How do you, how do you get up and running in security or start that conversation when you're kind of not a practitioner like us?
Carraig: I think it generally should start as part of the more holistic engagement. Right? And as much as you say, you know, that maybe we wouldn't wanna discuss it because there [00:42:00] are competitors. I'd actually love for there to be another 23 tree techs out there, honestly. And I am happy to work with any of the other trusted advisors to help them understand how to sell cyber.
Why? Because right now in this space, and most of our engagements we're Coke without Pepsi, and that's just the truth, right? My team spends so much time educating on this model because this model is relatively new to the cyber slash you know, IT side of the house.
So. The more that the people out there recognize that there is something different from the VAR model, that there is something better than the VAR model, not just better for them because they get direct access to the vendors because they get, you know, account reps who are doing what VAR reps should be doing when it comes to the relationships, when it comes to the, you know, advocating for the customer, but.
Just the, whole [00:43:00] model is so new and so right now, you know, yes, you have to understand the space to have credibility, right? Let's be honest, CISOs are fickle. Security folks tend to be the most skeptical buyers. they tend to be more technical than most, and so you have to be able to back up, what you're talking about.
But that's where your partners come in,
Right.
That's where you leverage your vendor relationships and. Again, like this is, yes, we do really good. Uh, when it comes to the side of the house, we have a lot of credibility. It's probably what we're better known for. Uh, but we're more than happy to share that playbook with whoever wants to grow in this space because it, I, I mean it when I say it, that if I could reduce the amount of time that we're just educating people in cyber on this model.
Then it would be a win for us. And if that means that, if that means that somebody else has to go out there and compete with us, competition is [00:44:00] good for everybody.
Lou: Agreed. Yeah. Yeah. It's the lead cyclist drafting, right? Everyone's behind. That's, that's how it feels being, you know, at this stage in the TSD channel, being a cyber vendor or a cyber TA, we, we don't have a lot of, um, TAs that we work with, like Three Tree that are, you know, really focused on cyber like that.
So yeah, we're drafting basically for the rest of the pack.
Carraig: Exactly. And the reality is, you know, one of the interesting things that I've noticed, and maybe I'm wrong, I mean, again, I'm only not even three months in, but first impressions have been a, the, the TAs tend to get along with each other better than the VARs do in the VAR world.
Lou: Mm-hmm.
Carraig: I just, it just seems like there's more engagement and collaboration as a general rule.
It's not, you know, it's not like in the VAR world where different VARs seem to hate each other.
Lou: Right.
Carraig: You know, they, people lose friendships over it because one happens to jump ship to the other one. It's, it's a wild thing to think about because I've never taken any job [00:45:00] so seriously that I lose friends over it.
But, but, uh, the agent world seems to be better about that. So, like I said, for anybody listening to this, if you guys wanna understand how to get into security and sell security better and more effectively, I'm more than happy to have our team work with theirs and create more of us.
Lou: That's generous and I, I hope people take, take you up on that, uh, 'cause that really is a great offer. Um, let's, let's pivot a bit to, to personal. Um, you know, so you're, you're in, uh, Missouri out there and. What, what kind of got you here? Were you, you, you told me pretty much that you were a consumer of these services and, and that's why you decided to jump over, but how'd you like kind of fall into being a global CIO?
Carraig: So I was actually, my first career was human intelligence. So joined the Army after 9/11. I was one of those guys pissed off about the whole, you know, 9/11 happening. And, and, uh, I'd had a lot, I'd [00:46:00] had a lot of success as a kid selling cars and selling other stuff door to door. And when I went to the recruiter, the Army recruiter, they asked me, you know, what I could do well, and I said I was pretty decent at selling.
And so they said, what if you could lock your customer in a room and they couldn't leave until they bought what you were selling? And I said, uh, I said, that sounds pretty good. And they said, great. You're gonna be an interrogator. And so I went overseas, did a, did a year of deployment as a, uh, soldier in Iraq, uh, as an interrogator and, and human operator is the technical term, right?
Human intelligence operator. And, uh, when that was over. Became a contractor for various agencies and spent another few years down range. So total of a couple years in Iraq, a couple years in Afghanistan. Uh, a little, little less than five years total. So, uh, ultimately, uh, the contracting world was ugly and [00:47:00] all these different contract companies undercut each other.
So, uh, landed on a contract back in the US. After a couple years on that contract, again an undercut came. That was pretty severe. So we got the letter saying, Hey, you can keep your job, but it's a 50% pay cut. And I had a friend over, you know, at the, uh, Department of Agriculture who was helping to build their CERT, uh, CERT CERT and not C-S-I-R-T CERT and, uh, 'cause people don't realize the USDA has 26 subagencies, you know, 250, 200 70,000.
endpoints.
Lou: Wow.
Carraig: Yeah, it's, it's much bigger than people realize. And so, uh, transitioned over and that was the end of it. So, got into cyber, kind of on accident. Got into cyber because I was getting undercut at, uh, in the contracting world, but found a niche because that human background, asking questions, asking the business why.
Proved to be pretty awesome.
Lou: [00:48:00] Pretty amazing. I mean, first of all, being five years in country, that's intense. I'm sure you've got great stories, most of which you can't share. Um, and, uh, you know, then coming over to cyber from that unique perspective of, someone who's not like. Super technical, but knows how to get things done, knows what makes people tick. And, and I think, you know, if you consider cyber being about people doing things like putting the seatbelt on and, and, you know, paying extra for the, uh. The, the, the things that are gonna save their lives in a car, you know? Um, I, there's a real, um, parallel to, to the skills that you have. So I think that's, um, that's brilliant.
Maybe a, anyone recruiting out there needs to look at your background as like a potential, you know, someone who could, could, I mean, sales skills in general,
Carraig: You, you'd actually be, you'd actually be really surprised how many CISOs I've run into that are successful that came out. Uh, or even just IT leaders that came [00:49:00] outta the human intelligence world that came outta sales backgrounds. I
Lou: Wow.
Carraig: mean, think about leadership. It's all sales, right? You're either trying to influence your team, you're trying to influence your stakeholders sales influence, same difference.
Lou: Yeah. Yeah. I tell my kids that. I'm like, if you have sales skills, you have a personality. You're especially in the days now of like everything being two dimensional on a screen and not a lot of human interaction that people still crave and we still need biologically, then, you know, you're gonna be successful if you have those
skills. For sure. And um, what about like just free time? What do you do in your, your spare time?
Carraig: so we've got a 25 acre spread. I've got six kids here at home, so we stay pretty busy. I mean, of those six kids, all but one are teenagers. And so between school events and traveling, know taxiing everybody everywhere. Um, bless my wife who's a stay at home mom. Uh, I think she's got the harder job for sure, but we've got a great [00:50:00] family, great spot out here, out just outside of Kansas City, and life is good.
And we en we enjoy being outdoors. We en got a lake in the backyard. We, we like to go dirt, you know, dirt bikes and other stuff. So outdoorsy family.
Lou: that's very cool. Yeah, that's, that's good bonding time too. And the, um, yeah, six kids, mostly teenagers. They're not driving themselves yet.
Carraig: I've got a couple drivers. Um, the culture's different now. Like when I was growing up, like you got your license on your 16th birthday. I mean, everybody that I knew got their birthday on there and, and now I've got kids that, I've got a kid that doesn't know if he's ever gonna drive. Like he has no real desire to, like, he, his dream is to move into a big city one day and, you know, he, he is, he, he, he loves the idea of cities and.
He, I don't, I don't know if he has an intention of ever driving. So it, it's really a different, like kids these days are quite different. They don't have the same emphasis because if you think about it, when we were growing up, a car is how you had a life.
Lou: Yep.
Carraig: And nowadays with everybody having cell phones and every, [00:51:00] and the video games are the way that they are and all of these various methods of chatting, it's, it's different, right?
They can hang out with their friends without going to their friend's house, which seems kinda weird to me, but it's the culture of the way it is now.
Lou: It's true. And it's funny 'cause um, yeah, I've been in a Tesla, as I'm sure you have too. And it's like, for people that don't like to drive, I actually like to drive. I actually have a '65 Mustang. That's why he, that
Carraig: Do you really? That's.
Lou: that's, it was my dad's. Yeah. It's like, uh, uh, like an inheritance and I love it.
And, and, um. car you need, it doesn't even have power steering like you really have to, and it's manual, like you really have to want to drive that. And Tesla's you get in and, and so that, that's probably what your son's gonna do, is just get in and let the car drive him wherever he wants.
Carraig: Well, I mean, and, and if Teslas are doing full self-driving now and doing a pretty good job of it, you know, imagine 10 years from now
Lou: gosh.
Carraig: We're, where we're gonna be at when it comes to this technology. I mean, when I was a kid, the rule [00:52:00] was my dad had this four old Ford F-100. Full-size pickup truck.
1970, something rusted out like you could see the road below beneath the driver's seat, like the floor pan just rusted out. No power steering. No power brakes. The hardest clutch I've ever driven is standard. And the deal was that before we could drive any family cars, we had to get that truck from the school parking lot to about the seven miles home through the country roads to home without killing it.
Was the deal for, for all of us kids, we had to get this super difficult truck. Again, no power steering, no power brakes, stick
Lou: Right.
Carraig: Killing it. Before we could drive the family vehicles. And as a result, all three of us kids now can drive any vehicle pretty much out there because once you've, once you've driven that, I mean, everything else is easy.
Lou: That's right. Yeah. Yeah. Definitely a different era for sure. Carraig, where can people connect with you?
Carraig: Uh, LinkedIn is [00:53:00] great.
Lou: Trust.
Carraig: Email is my first name at threetreetech.com. Reach out via email. Again, we're here to help, right? Go to the threetreetech.com website. Uh, connect via the website. It doesn't really matter. Find a way to, you know, talk to somebody on the team. It's not a huge company, right? We're not, you're not gonna get lost.
And we're happy to engage either with suppliers that wanna better understand, you know, this industry, right? We're happy to carry our own paper or with, uh, other trusted agents who really wanna better understand how to sell into cyber and IT and be successful in that space.
Lou: Amazing. Thank you Carraig Stanwyck. Uh, it's
Carraig: Pleasure.
Lou: amazing journey and amazing conversation about, uh, you know, multiple topics. I hope people have gotten something out of it.
Carraig: It's fun.
Lou: Yeah. And, uh, thanks to everyone that's listening or watching, if you learned something new today. Laughed, uh, became very much educated. Uh, please tell someone about this [00:54:00] podcast. Thanks again, Carraig.
Carraig: Thanks.
Lou: And this has been another exciting episode of Channel Security Secrets. See you next time.
