January 29, 2025

Guest: Matthew Webster

Bio: Matt is a technology professional with over 25 years’ experience in networking and security. He has held a wide range of roles with numerous responsibilities for small and large companies, ranging from start-ups to multinational financial services organizations.

For the last 15 years, Matt has focused his efforts on cybersecurity. Matt’s roles include Managing Consultant, VP of Products, Director of Operations, and Chief Technology Officer, as well as others. This technical foundation allows him to translate strategic cybersecurity vision to business goals and operational needs.

Summary

In this episode, John Verry and Matt Webster discuss the evolving landscape of virtual CISO services, exploring the common pitfalls and failures associated with these projects. They emphasize the importance of clear expectations, the distinction between a virtual CISO and a virtual security team, and the necessity of executive buy-in for successful cybersecurity initiatives. The conversation also highlights the need for specialized expertise in various cybersecurity domains and the challenges of maintaining focus amidst tactical distractions. They explore the tactical challenges organizations face, the importance of redundancy in virtual CISO services, and how breaches can impact these engagements. The discussion emphasizes the need for cultural fit and industry-specific knowledge when hiring a virtual CISO, ensuring organizations can navigate the ever-evolving cybersecurity landscape effectively.

Takeaways

  • Virtual CISO services are becoming more common and necessary.
  • Many virtual CISO projects fail due to misaligned expectations.
  • Understanding what you need from a virtual CISO is crucial.
  • Focus on strategic goals rather than getting lost in tactical minutiae.
  • Expertise in specific cybersecurity areas and industry-specific knowledge are essential for success.
  • Executive buy-in, client engagement, and commitment can significantly impact the success of cybersecurity initiatives.
  • Clear communication and understanding between clients and providers are key.
  • The whirlwind of tactical challenges is inevitable in cybersecurity.
  • Redundancy in virtual CISO services is crucial to retaining institutional knowledge.
  • Breaches can happen to any organization, regardless of size or resources.
  • Cultural fit is as important as technical expertise in hiring a virtual CISO.
  • Understanding regulatory frameworks is critical for virtual CISO success.

Keywords

Virtual CISO, cybersecurity, information security, risk management, executive buy-in, security strategy, breach management, compliance

John Verry (00:00.168)
my microphone. Alright, alright, and I’ve got echo cancellation on. Okay, alright, hopefully that works. Okay, I was smart enough to remember to hit the record button, which is good. I added one more that we didn’t think of. I added redundancy, or like, you know, because we’ve had it happen to us, and we’ve had, you know, turnover on the VCSO provider. We lose an employee or the VCSO leaves the company that is working for you. And if you haven’t, if you haven’t,

Matt Webster (00:00.439)
Yeah, it is.

Matt Webster (00:12.134)
Ha ha.

Matt Webster (00:28.282)
Right.

John Verry (00:30.774)
If you haven’t built succession planning, if you will, redundancy into the model, and we’ve won projects that way.

Matt Webster (00:42.267)
not sure I quite understand, I’ll get to just.

John Verry (00:44.952)
Well, think about it. Like if you have a virtual CISO and they leave, all of that institutional knowledge is walking out the door, unless they have some type of a model where, yes, exactly. That’s the only one that I added. I’ll throw in the middle somewhere. All right, you ready?

Matt Webster (00:49.731)
huh.

Matt Webster (00:56.421)
yeah, yeah, yeah. Yeah, Not being redundant in the role, redundancy built into the role. Right. Right.

Matt Webster (01:10.939)
Yeah, sure.

John Verry (01:11.79)
Hey there and welcome to yet another episode of the Virtual CISO Podcast. With you as always, John Verry, your host, and with me today, Matt Webster. Hey, Matt.

Matt Webster (01:21.787)
Hey John, how’s it going?

John Verry (01:23.544)
Good to catch up. Always start easy. Tell us a little bit about who you are and what is it that you do every day.

Matt Webster (01:25.37)
Always.

Matt Webster (01:31.781)
Yeah, so as John said, my name is Matt Webster. I’m a partner in a company called Harbor Technology Group. Harbor Technology Group has been around about eight years providing virtual CISO for mid-sized businesses. My business partner and I started the company after working for a handful of software companies, working them through M&A activity, et cetera.

We took some of that knowledge, that Chief Information Security Officer knowledge that we had in the roles at previous companies, and right-sized it for mid-sized businesses and started Harbor Technology Group. So we’re really focused on kind of mid-market, helping various organizations through the security journey, if that makes sense.

John Verry (02:24.971)
To me it does, because we do it too. I always ask what’s your drink of choice.

Matt Webster (02:26.565)
Yeah. Yeah, exactly. Exactly.

Matt Webster (02:33.943)
A drink of choice. I’m a bourbon drinker.

John Verry (02:37.198)
What’s the most recent bottle you bought or what are you drinking now?

Matt Webster (02:40.711)
What’s the most recent bottle I bought? Just probably a Buffalo Trace. That’s kind of the house bourbon that I have when I’m, I’m not a big drinker, but when I do, I do enjoy bourbon. I have some, some fancier bottles up there, but they don’t get broken out very often. Yeah.

John Verry (02:52.919)
Buffalo can’t can’t Yeah, you can’t can’t come yeah, you can’t go crack a roll with a buffalo trace is just a baseline

Matt Webster (03:01.191)
Yeah, it’s a nice baseline. Makes nice drinks as well.

John Verry (03:03.552)
Absolutely. Yeah, exactly. So today’s Knob Creek is my kind of my go-to drinker, but I’m an equal opportunity offender, and, you know, I think the most recent bottle that I, you know, someone gave me a bottle of Rabbit, I think it’s called Rabbit Hole, which is actually really interesting. I’d never seen it before. And most recent bottle I bought was probably, I went back to

Matt Webster (03:08.997)
What’s your favorite, by the way?

Matt Webster (03:13.348)
Yeah, there we go.

Matt Webster (03:17.159)
Say goodbye.

Matt Webster (03:24.198)
Yeah.

John Verry (03:33.71)
bourbon I haven’t had in years that I always loved it so it’s a little craft no no is mill there are a couple of bourbons I come out of the it’s out of the same I believe it’s out of the same mash that they make like it’s out of the Buffalo Tray the Heavens Hill line I believe and but it’s it’s you know a higher higher wheat whiskey higher wheat bourbon it’s just it’s a nice little simple and it’s reasonably priced too it’s funny it was probably $45 a bottle

Matt Webster (03:39.048)
yeah, that’s a good one.

Matt Webster (03:47.917)
Mm-hmm. Mm-hmm. Yeah.

John Verry (04:00.782)
eight years ago, last time I bought one, was like $45 a bottle still, which for bourbons, right, most of the bourbons have just escalated. I think it’s just, just nobody knows about it and how good a, how good a bourbon it is at that price point. either.

Matt Webster (04:03.984)
Yeah, that’s right.

Matt Webster (04:08.934)
Right.

And it presents well, The label’s nice on it. It looks nice on it. Yeah.

John Verry (04:15.616)
yes beautiful and so it it looks like a little craft little tiny it’s probably you know done by a bigger entity but you look at the bottom it’s like you can imagine some guy doing in the backyard still you know

Matt Webster (04:26.811)
Right. So is this podcast about bourbon or are we going to talk security?

John Verry (04:30.03)
You know, I’m embarrassed to say that occasionally this part of the podcast lasts longer than the actual security content. you know, I mean, the original tagline that we were using for the podcast then it faded at one point was, he drinks and he knows things, which kind of, yeah. All right, so today’s podcast is not about bourbon. Sorry for any bourbon drinkers out there, because I’m not really…

Matt Webster (04:36.359)
That’s great. That’s right.

Matt Webster (04:48.44)
that’s great.

John Verry (04:56.738)
while I drink a lot of bourbon, I’m not smart enough about bourbon to hold the bourbon podcast. But I think I’m moderately smart from an InfoSec perspective, and we can talk about those issues. And one of the issues I wanted to chat with you about, and the reason why we had you particularly on, is you, like us, offer virtual CISO services. They’re becoming more common, you know, they’re called virtual CISO, called fractional CISO. And now that they’ve been out there a bit, you know, we’re seeing where the

Matt Webster (05:12.869)
Mm-hmm. Mm-hmm.

John Verry (05:26.446)
holes are that you don’t want to step in as somebody who might be thinking about procuring virtual CISO. We have been part of a number of failed virtual CISO projects. There might be failed virtual CISO projects that we were the virtual CISO of. It might have been a failed virtual CISO project more frequently of why we took over an existing engagement from somebody else. I know you’ve had the same experiences. So I thought that would be a kind of a cool topic to talk about is,

Matt Webster (05:32.807)
you

Matt Webster (05:51.645)
Yeah.

John Verry (05:56.062)
What are the reasons why virtual CSO projects fail? And what can you learn about that or do about that as somebody who might be thinking about procuring virtual CSO?

Matt Webster (05:57.543)
you

Matt Webster (06:05.003)
That’s right. And John, I think I’m speaking for you here. I think it’s important to note we’ve had way more successful engagements than we’ve had failures. But they certainly happen. Yeah, yeah.

John Verry (06:16.822)
absolutely. And sometimes it and again, sometimes the failures are failures on our side or the provider side of the fence. I think sometimes the failures are on the consumer’s side of the fence. And I think that’s an important thing to kind of let them know, like, what what do you need to do on your side of the fence as well to be successful with this? So let’s let’s let’s talk through this. I think one of the one of the obvious ones is

Matt Webster (06:37.799)
That’s right.

John Verry (06:45.794)
failure to have mutually agreed upon expectations. From the consumer’s perspective, their expectations end up being unreasonable. And it might be our fault as a service provider, right? But they think that they’re expecting too much. They want to move too far, too fast at whatever dollar amount they’re willing to pay.

Matt Webster (06:58.213)
Mm-hmm.

Matt Webster (07:06.612)
Right. Right. And I think it works in both sides, in both directions, too far, too fast, or maybe too slow, too slowly. And we can’t advance the ball enough. I think both of those are possible when it comes to unreasonable or unaligned expectations, as you point out. I think one of the key points here is, you know, anyone that is out

procuring a service for whatever it is, whether it be security services or accounting services or legal services, you really have to have a clear understanding of what you’re trying to accomplish, right? What is the goal of engaging with this consulting firm or this provider understanding what you want to accomplish? And I think we might be in the security space, might be in a strange position there with

At least for us, we engage with a lot of companies that think of security as kind of an IT problem or don’t understand the ramifications of security. I think that education is important prior to engaging in a deal. Does that make sense what I’m saying? There’s, security is complicated. I don’t want to make more out of it than it is. Most people don’t want to think about it. They look for somebody like you or your firm or my firm to really

provide those services, but if they don’t have the proper knowledge going in, it’s hard to set those expectations correctly.

John Verry (08:40.044)
Yeah, exactly. And as a provider, it’s hard, you don’t know what you don’t know, right? You get on the phone, you’re on the phone with a client for an hour. They have a clear need. There’s a good cultural fit. They get excited to work with you. You know, you might be making an educated guess on what you think they need at that particular point in time. They might not know enough to tell you exactly what they need. And now we get to go forward on an engagement that, you know, and we’re not, we’re not aligned, right? There’s an expectation that

Matt Webster (08:46.033)
That’s right.

John Verry (09:08.834)
we’re doing X and we’re actually, we think on our side that we’re going to do Y. And I think it ties into another one of the points that we were going to talk about, which is you don’t need a VCSO, sometimes you actually need a virtual security team. If you think of that advice, you know, like in a perfect world, right? A true virtual CISO is really more strategy, advisory, governance. They’re not, you know, and I always analogize it to, they’re the architect

Matt Webster (09:21.998)
Right, right.

Matt Webster (09:30.609)
Mm-hmm.

John Verry (09:36.364)
of your cybersecurity program in much the same way you wouldn’t expect the architect of the building or house to actually be running wires in the wall and hanging sheet rock and painting and running HVAC duct. I think most clients have this expectation that they hire a virtual CISO and they’re going to be able to do all of that. Yeah, exactly. So do you see that as well? I think that ties into this expectation is you really need to understand exactly what you need, right?

Matt Webster (09:53.703)
Wipe your hands on it. Right.

We do.

John Verry (10:07.042)
God, I’ll let you fill that in.

Matt Webster (10:08.263)
Well, I think you’re absolutely right. You’ve hit on something really important. Security and cybersecurity, information security, governance, and all the compliance ramifications therein, it really is no longer just a technical conversation or a technical issue or an operational issue. It really needs that architect to organizations, that architect to help run them through the.

what’s the right word here, but kind of just the security game, understanding how to build an approach to security, how to understand the risks and threats that an organization faces. It’s very similar to what a CFO would do as analyzing financial risks. That’s right. That’s exactly it. So we actually ran into that a lot when we first started the firm.

John Verry (10:54.456)
to strategic plan, right? I mean, yeah.

Matt Webster (11:04.179)
We use terms like turnkey and all these marketing buzzwords that really set us up for or set that expectation where you bring us in and all your security problems go away. So we’ve really scaled that back over the years to talk about more of the advisory side, the governance side, the compliance side, and those services that a VCSO truly provides.

Now, of course, we can recommend, advise, strategize, I using that word, but build the strategic plan for how to operationalize security. But as a pure VCSO service, I think it’s super important to understand what your provider is bringing to bear. We do see more MSPs, managed service providers, that are providing IT services.

So they really are the, using your analogy about building a house, they’re the ones running the wires and hanging the sheetrock, which is really important for almost all businesses. Offering VCSO, and that kind of links the two sides together. But I have seen, and we’ve come in and helped clients out where their MSP is actually not providing enough advisory services.

I’d say this works both ways. Like if you are looking at a kind of an operational IT type shop that provides VCSO, make sure that you understand what type of advisory services they can provide. And then what we’re talking about here, which is the other side of it, if you’re bringing in a VCSO, understand what they can and can’t provide from an operational perspective. Does that make sense to you?

John Verry (12:47.798)
Yeah, it does. And I’d go a little bit further, right? There’s a reason why in a standard organization, if you look at a global 2000, information security is a different function than information technology. It’s a different skill set. It’s a different knowledge base, a different level of focus, a different level of background of the individuals in it. So, you know, I think one of the more dangerous things is the fact that many of these MSPs are hanging out something and saying they’re virtual CISO. And if you really drill in, they’re really, they’re selling you security products.

Matt Webster (13:00.007)
100%.

John Verry (13:18.146)
and they’re aligning themselves with those security products. I think one of the things I’ve increasingly been communicating with clients is much the same way that medicine is not a single field. Information security has become more and more fractured and is up to 20 or 30 distinct fields. I mean, identity access management is kind of a field unto itself. We’ve got privacy, we’ve got AI, we’ve got application security. Now we’ve got multiple flavors of different cloud.

Matt Webster (13:32.922)
like it.

Matt Webster (13:41.262)
next

John Verry (13:47.232)
security, we’ve got third party risk management, you know, each of these are independent disciplines and there’s no single person that can be great across all of us. You know, I think I’ve been doing this for a long time. And, you know, this, so I can talk to many of them. But when you really get down below the, you know, what’s the old expression, an inch deep and a mile wide.

Matt Webster (13:56.902)
No.

Matt Webster (14:11.476)
Mm-hmm.

John Verry (14:11.686)
You don’t want someone who’s an inch deep and a mile wide building out your business continuity plan, business continuity, disaster recovery, incident response, all distinct fields. So really ideally what you’ve got is you’ve got experts, you’ve got somebody who knows enough to know what experts we need and then what you’re doing is you’re getting the experts that you need for each of the specific tasks.

Matt Webster (14:19.624)
Right.

Matt Webster (14:30.567)
100%. I think using DR and BCP as an example, it’s the best example you can make. So we work with a lot of clients as they develop their DR and BCP plan, advising on how to do it, how to be compliant, yada, yada, yada. They have, let’s say they’re a software development shop, they have highly skilled staff that do a great job of building platforms and delivering product.

but even they don’t have the skill set to build a proper DR and BCP plan. Because like you said, if you use the medicine analogy, it’s not, be it a general practitioner or a heart surgeon, if you need something done with your pulmonary system, you need an expert in that area. So you’re right, there are multiple disciplines within cybersecurity. Some of those have an ancillary path into technology, IT.

And some of them don’t. Some of them go directly towards like business operations and compliance. And I mean, it could be revenue, could be sales, could be all sorts of things.

John Verry (15:37.247)
Yeah, so really, I mean, I guess from an end user’s perspective, you know, understand what you need across that spectrum of information security, privacy, AI, and then ensure that you’re acquiring what you need. Right. And that organization has an ecosystem, whether it’s internal people or they’ve got partnerships, right. So that way they can provide, or you have the people on your team. So that way you get, you know, the ability to not buy a plan, but

buy a house.

Matt Webster (16:06.919)
And it’s kind of a shameless plug here. This is exactly what a virtual CISO can provide. This is the advisory services that can look at all of those areas that you need to address and advise on how to properly staff, how to bring the parties together to accomplish a task, DR, or implementing new AI in your product, or doing identity and access management, as you mentioned earlier.

That’s where a VCSO can really help guide you in the right way to make decisions on how to accomplish those individual tasks.

John Verry (16:47.886)
Yeah, and to put this in perspective, the virtual CISO component of many of our larger engagements, the actual true virtual CISO is a much smaller component of the overarching engagement. So like we’ve got a few projects, you know, we’ve got some very small ones, but we’ve got some larger ones that range into the $250,000, $300,000, $350,000 a year. And if you looked at that, the actual CISO component of it is probably five or six, $7,000.

and, you know, per month, right? So it’s a third or a quarter of that. And the rest of it is whether it’s security question or response, third party risk management, ISO 27001 implementation or ISO 27001 as a service, internal auditing, application security, threat surface, attack surface management, threat intel, right? So, you know, it’s all of those other things that the organization needs, right?

So the virtual CISO like is actually often one of the smaller components of a larger pie that you might end up implementing.

Matt Webster (17:51.436)
Yeah, I completely agree with you, especially if you’re approaching it in the right way, which is you need the advisory service. You need the CISO. But you have all these other goals that you’re trying to accomplish, the ones that you’ve just mentioned.

Adding them on, I mean, I’m not just talking from a contracting perspective, but considering them as standalone tasks that need to be accomplished is the right way to approach it, the right way to think about it. It’s a department manager with all of the department staff that is working on individual goals.

John Verry (18:29.548)
Next one is pretty simple and pretty self-explanatory. Occasionally, we’ve run into situations where we’ve won a project because the existing VCSO did not have sufficient knowledge to handle a pressing issue. So as an example, we ended up with a new client. They were building out a new semiconductor manufacturing facility, which has a lot of operational technology requirements. And they had a VCSO they loved, but this was a

Matt Webster (18:53.347)
Mm-hmm. Right.

John Verry (18:56.726)
significant project and the individual just didn’t have any OT chops. Have you seen that? You know, might be, you know, sometimes we see it with SaaS, right, would be a place for something, you might see something like that.

Matt Webster (19:09.101)
Yeah, we do. We do. Especially if we see it when we’ve been engaged with a client for a while and they’ve acquired a new business or they’ve, you know, are going in a new strategic direction that may force us to think in a way that we haven’t thought about before. You know, we certainly raise our hand and say, listen, we’re out of our depth here. This is not our area of expertise. We should bring in somebody to help out.

making these decisions, et cetera. That certainly happens. I think the VCSOs get a bad name for themselves as an industry or as a service when people try to do, you know, to be all things, IT or technology, operational technology, whatever it might be, try to be experts in all things. And that’s just, it’s nearly impossible to do that in today’s landscape. It’s just, there’s so much out there.

So much happening.

John Verry (20:08.578)
Right, OT being another one of those fields. Internet of Things is another one of those fields. Like I said, there’s 20 easily distinct fields that you need to understand if you have some of those requirements in that field, you need to make sure that you or the service provider are going to give you that coverage,

Matt Webster (20:26.491)
That’s right. I think speaking as a, thinking as a client, a client of these services, you need to make sure you’re working with your, your VCSO to make sure that they, they have the comfort level, the expertise, if there’s a new area that you’re after, that you want them to spend time on, or if it wasn’t properly scoped at the outset, the effort, and let’s say it’s OT that we’re talking about, operational technology. If

If that is now in the VCSO’s remit, make sure that they’re, you know, because the provider is going to be hesitant, especially a new one, to say, you know what, I can’t do that. I’m not an expert here. And be willing to hear that feedback from them, because there’s all sorts of things that could have happened during the contracting phase or as the, you know, as the engagement is matured and the company’s matured and doing new things. There’s a very possibility, distinct possibility that

your expert is no longer an expert at an area that you need expertise in.

John Verry (21:32.91)
This one is very frustrating to me. We have it happen, you know, on occasion. It’s that the client doesn’t have really the time to support and actually implement the VCSO’s recommendations. You know, they sign on, they’re paying you a pretty nice fee, and you’re giving them the guidance and people are unable to actually act on the guidance. You know, like, hey, you know, we need to, like, we need to get together and we need to understand the risk associated with this

Matt Webster (21:51.292)
Mm-hmm.

John Verry (22:02.51)
particular element of your organization. You know, and you’re trying to schedule this risk assessment with them and it takes weeks to actually get the risk assessment scheduled and then you finally get the risk assessment scheduled. You go through the risk assessment. Now you got this list of things we all agree on like, my God, we can’t live with these risks. And then you kind of lay out plans to do it and there’s things that have to happen on their side of the fence. And you get on your weekly or bi-weekly meeting and you’re like, hey, you know, where are we at with this? I haven’t really gotten to it yet.

You know, months have gone by and you’re really not making a lot of progress.

Matt Webster (22:33.311)
That’s right. That’s right. It’s frustrating for all parties involved, right? It’s frustrating for the client. It’s frustrating for the provider, the advisor, the VCSO.

And I think this is kind of the death spiral for these types of engagements. For us, for Harbor Technology Group, we’ve had a couple of clients where we’ve enacted the cancellation period because we’ve said to the client, listen, you’re not ready. You don’t have the appetite to really go after the pressing needs.

you know, why don’t we step back from everything and we’ll reengage when you guys have the time, the wherewithal, the desire to accomplish tasks. I think this is an area that if you’re considering a VCSO, that you have to understand that kind of going back to what we said earlier, your VCSO isn’t going to accomplish everything for you. They’re an advisor.

I know speaking personally for our firm, and John, I’m sure it’s the same for yours, we take our clients, what they do, very, very seriously, to the point where we feel like we’re part of the staff. But if you’re not accomplishing anything, it’s not doing anybody any good. It’s a waste of time, it’s a waste of money, it’s a waste of expertise. So I think it’s really important to think about the time commitment, the effort commitment that it’s going to take.

if you’re gonna start this journey of really considering cybersecurity as an important task for the, or important goal for the organization.

John Verry (24:21.986)
Yeah, you know, it’s funny because we have the particular client that I’m referring to, like we had that sort of come to Jesus meeting where it’s like, Hey, you know, really, you know, what are we doing here? And it was interesting to hear their perspective. Their perspective was no, we don’t want to scale back. No, we want to keep working with you exactly the way we are. You know, we know that we’ll be aware of everything that we need to be aware of. that, you know, and that, you know, that’s still projects.

I think he used the term, you know, you guys are sort of an insurance policy.

Matt Webster (24:54.117)
Right.

John Verry (24:55.17)
Which I thought was interesting. Like he was saying, I’m still getting the value out of the relationship that we’re paying for, despite the fact we’re not moving as fast as we ideally would like to, because I know that I’m not going to go off a cliff at any point in time.

Matt Webster (25:05.415)
Right. Right, I could hit bumpy roads, but the cliff, you’re going to prevent me from going off that cliff. Yeah.

John Verry (25:14.919)
Yeah, so I thought that was interesting. And I think that not having enough time in a weird way ties into another thing that we’ve talked about, is not having enough gravitas to drive change with senior management. So it’s sort of the same net thing. You know, you engage with a VCSO, you’re excited to get stuff done, and you either don’t have the time to do it or you don’t have the juice to push it through.

Matt Webster (25:27.495)
That’s right.

Matt Webster (25:35.153)
That’s right. And I was going to add that. In fact, I flipped to just some thoughts that I had jotted down. That was a thought further down a list where it’s really important for the boardroom or the C-suite to be bought in on the effort that the VCSO is providing. If that top-down focus is there, then things like

you know, not accomplishing tasks, you know, everything being delayed that we talked about the last couple of minutes that tends to go away because now you have executive, you know, buy in on the task at hand. If you’re working, let’s say, you know, we’re often working with the CTO, let’s say, or the COO. The COO needs a little bit of budget to, you know, bring in some new technology to do X, Y, or Z within the organization.

If the CEO and the CFO are bought in on all the effort, then these things are not going to get delayed for a month. That executive buy-in is so critical for security services. And John, you and I have been doing this. I’ve been in security for about 30 years. I think you’re similar in time, showing our age a little bit. Yeah, that’s right. I mean, look, you look good.

John Verry (26:52.106)
I’m a lot younger than you, Matt. Who you kidding?

you

Matt Webster (27:01.423)
Now I lost my train of thought. That’s right. Thank you. Thank you. Thank you. Thank you. Right. Right. No, I was going to add that, you know, going back to something I said earlier, which is this idea that security is a technology problem. There’s still that mindset out there. And we know having been in this business for a long time, it was a technology problem for a while, or at least it was really looked at and focused on that way. You know, the bigger companies,

John Verry (27:02.83)
Yeah, you know, that happens when you get old. Like, I mean, after 30 years, you know, a lot of those brain cells have died off. You know what I mean? You know

Matt Webster (27:30.347)
the Fortune 1000 companies do not look at security as a technology problem. They know it’s just a discipline within their organization that they need to have focus on. So that the C-suite, the board, if you’re a public company, obviously the financial world out there all consider security important. So it has that top-down push to accomplish tasks. So I think, like you said, the gravitas of the C-suite.

the CXO is critically important.

John Verry (28:03.16)
Yeah, so you’re right. I mean, the gravitas and the tone at the top kind of come together, right? You know, you can either not be able to get attention or there is no tone at the top and they don’t really believe in what you’re trying to accomplish. I’ll give you a good example. We have a virtual CISO client where what they’ve done is they’ve at the organization level, they’ve segmented InfoSec and privacy and they have significant requirements around both. They’re run by

two different groups and there is not sufficient information flowing from privacy into security, right? Because you can’t have privacy without security. But we’re not getting the information that we need to update the security controls to meet the requirements coming out of privacy. And we don’t have sufficient tone at the top. So it’s not a matter of the individual working with not having gravitas, he does. What we have is a problem is that there’s not sufficient tone at the top.

for that individual who they’re reporting up through to say, no, we need this to happen.

Matt Webster (29:08.199)
That’s right. That’s right. I mean, it’s a perfect example of being able to that that top down management where you can get things done. And it really goes back to what we were saying 10 minutes ago, which is when things get delayed or there isn’t an appetite to take on a larger task. If you have that that that vision from the top or that that push from the top, it greases the skids for a lack of a better term.

John Verry (29:34.318)
Next one is getting caught up in the tactical. It reminds me of a book, probably on my bookshelf, called The Four Disciplines of Execution. It was written by Stephen Covey’s son, actually, the guy from Seven Habits. And he calls it the whirlwind. So we all start out with a plan, and then the whirlwind happens, and we kind of get off track.

Matt Webster (29:50.698)
right.

Matt Webster (29:59.911)
Yeah. I think it’s, in fact, I don’t know that it’s avoidable, quite honestly, at some degree. Now, it’s avoidable for it to completely derail an effort. You can avoid that. But there’s things that are going to come up. I mean, you know, if you got to the bit, you have an incident, some type of breach event, that’s a whirlwind that’s going to take the entire exercise off track.

Right. And that could take it off track for three months as you deal with some type of breach event or incident. That whirlwind, you have to understand that those are going to happen. And you may not agree with this, actually, John. I’m not sure that that that we’re on the same page here. That whirlwind is going to happen. It happens in whether it be info, cyber security, compliance, sales, accounting, whatever it might be.

There’s the tactical things that happen that can take you off message or take your focus for a certain period of time. But if you understand that those challenges are out there, I think it’s easy to recover when you make it through that tactical. Now, what you don’t want to get caught up in is focused on the tactical all the time. You know, there are, yeah, go ahead, please.

John Verry (31:18.422)
Yes, so that way. I was gonna say the way I would say it. It’s sort of like the Eisenhower matrix. You’re right. You know, the you know what we’re trying to do is stay focused on the important.

Matt Webster (31:24.711)
Mm-hmm.

John Verry (31:31.202)
We set up in our engagements, we have a strategic plan. We set up objectives for the year, for the quarter, and we review those in each meeting, just to make sure we can’t lose track. But you’re right. I mean, if something happens that’s urgent and important, then you need to deal with it. So hopefully it’s not a breach, but it might be an unexpected migration. You need to do a new rollout of a particular product or something of that nature.

Matt Webster (31:49.959)
That’s right, of course.

Thanks.

John Verry (31:59.698)
You sign on a brand new client or your SaaS client and suddenly you’ve got a set of new client contractual obligations that need to be implemented in order for you to win a million dollar deal. That’s urgent and important and you’re going to look at that and look at this and you’re going to look at the strategy and say, well, you know what? This is more important than anything here. Let’s put those to the side for two months or three months or whatever it’s going to take and implement that. So I agree with you. What we want to make sure is that what is avoidable is avoided.

Matt Webster (32:11.631)
Right. And tactical.

Matt Webster (32:30.129)
That’s right. So I’ll give you an example. I have a new FinTech company. They’re mid-size, about 100 people. We’re running them through compliance readiness. And I have the big picture in mind. And the CIO and the CTO that I work with have the big picture in mind. We know what the goal is, the strategic plan here.

But boy, when we meet, we are so caught in the minutiae of the tactical that we haven’t been able to advance the ball on the entire goal, if that makes sense. So we’re, we’re so caught up in the tactical where it’s, it’s, I feel like I’m, you know, I have to have crampons and hiking picks to like climb out of this tactical spiral whirlwind that we’re, that we’re caught in. It’s very, very hard. Especially when you’re deep in it.

Pull yourself out. have to have everybody has to work as a team to realize that you’ve got caught up in something that is not accomplishing the strategic goal. Like set aside the tactical. Let the let the teams that need to deal with the tactical things deal with the tactical things. Stay on. Stay on point. Stay on strategy to to accomplish the greater tasks.

John Verry (33:51.502)
Agreed. Another one that I think you have to be cognizant of if you’re acquiring a virtual CISO provider is how do they handle turnover on their side? Because otherwise what we end up in a situation is that we could have all that institutional knowledge walk out the door. So do they address it with their business model? How do they address that? How do you manage that risk?

Matt Webster (34:15.112)
So, help me explain, is this where there’s not redundancy built into the Infosec side? What do you say? Restate the problem again. Yeah.

John Verry (34:28.428)
Yeah, yeah, I, well, I, ideally that they, so, so you, you engage Pivot Point Security, we assign a virtual CISO to you and they’re there a year and things are going great. And all of a sudden that person, you know, gets hit by a bus, wins the lottery, moves to another job, right. And the average tenure of a, of a cyber security person at this point in time is, you know, less than two years. So, you know, what happens when that happens, right? Are you, are you SOL or.

Matt Webster (34:54.8)
I see.

John Verry (34:57.912)
Do they have a plan? Have they done something to kind of keep you safe, give you that redundancy that you need?

Matt Webster (35:05.799)
That’s right. So when you say you and they, you being the client, they being the provider, right? So yes, I think it’s important that, I mean, if you’re only talking to a single person on a weekly or bi-weekly basis, there’s not enough redundancy built into the system. If that person were to leave, does all that institutional knowledge walk out with them? You’re going to spend the next 60, 90, 120 days, you know, retraining, recalibrating your next V, your vCISO.

So I think they, you need to make sure that your provider, your, your virtual CISO provider is staffed in a way that’s that institutional knowledge is not going to slip out the door. Of course, you may have built a very personal relationship with this person. You feel very confident in their abilities, et cetera. And it’s always tough to learn that, lose that type of staff.

But if the provider is at least backing them up in a way, and I don’t mean having a backup, that knowledge is being transferred internally with the vCISO provider, that should give you a little bit of safety coming out the other end if somebody were to walk out the door.

John Verry (36:18.028)
Yeah, the way we do it internally with our offering is we have a project manager that sits in on every meeting. So you have a project plan. You’ve got someone who’s taking notes. You’ve got someone who knows exactly where we are so that we got that exposure. And then we use a more virtual security teaming model. We’ve got a bunch of different experts and a bunch of different things. So almost every engagement has two or three people that are actively involved in it. And while they are experts in their domain, there we have a lot of guys with gray hair and a lot of experience, so you know, they’ve, you know, so what we’ve been lucky, because we’ve had turnover in virtual CISO. And what happens, you know, you probably seen this, you hire somebody into your virtual CISO practice, you know, there’s somebody who’s a senior advisory level consultant, but they’ve never, maybe they’ve never been a true CISO, maybe they’ve been an information security director in a smaller company, you know, they spend a year with you and now they get

Matt Webster (36:54.811)
Sorry.

John Verry (37:15.214)
You know, they get hit for a, you know, we’ve had that happen three times where we’ve had, you know, over the, cause we’ve been offered in a long time where two times, excuse me, where people have, and, and you might’ve seen this as well. And it’s different for you because you’re, you’re, you’re a partner in your firm. But you know, we’ve had, we’ve had our twice, we’ve had clients come to us and say, we want to hire this person. And we’re like, well, you can’t do that. We actually have a, an agreement in place, you know, like we have a mutual non-solicitation.

Matt Webster (37:19.713)
Right.

Matt Webster (37:42.099)
Yeah, non-solicitation, non-compete. Yeah.

John Verry (37:45.1)
And they’ve said, well, can we buy our way out of it?

Matt Webster (37:48.965)
This is

John Verry (37:49.678)
So we’ve actually lost two of our virtual CISOs over the years too, you know, because we hire great people, you know, and the funny thing is, is that both of them said, no, you don’t understand. You know, we still need you and all of the, like remember I mentioned, like, you know, some of these quarter million dollars, 300,000 on engagements with very small virtual C. No, no, no, we still want everything you guys do. And we’ll sign a three year agreement and then we’ll give you, we’ll pay you like the, we’ll pay you the recruiter’s fee. And it’s actually worked out really quite well because

Matt Webster (37:55.6)
Right.

Matt Webster (38:06.089)
Right.

Matt Webster (38:11.425)
We just want that person.

John Verry (38:18.744)
former employees of Pivot Point are now managing our virtual security team. So if anything, one of the projects has just gotten bigger and bigger. It’s grown after this has happened. But that being said, that wasn’t good for some of the other clients that we had. And fortunately, because we built in this redundancy into the model, we’ve been able to satisfy and keep and

Matt Webster (38:24.495)
Yeah, right. That’s right.

John Verry (38:45.868)
really not have those organizations be negatively impacted when somebody who is working across four or five clients, you know, left.

Matt Webster (38:52.655)
Yeah, we operate similarly. We have project managers. We have security analysts that are part of the team for each of these engagements. And I bet you do the same. We also have regular stand-up meetings where we’re talking about all of our clients together as all the vCISOs are talking about the clients. So at least some of that knowledge is being passed along. Of course, we use tooling to help track some of this stuff too, but tools only can go so far.

The interesting thing I was thinking about, you know, your, your staff being recruited away by your clients, which is actually really kind of cool if you think about it, because it shows that you, a, yeah, yeah, hire really good staff. It is. The cool thing is, is that in theory, you don’t, these clients no longer have these challenges that we’re talking about today because now they have one of your guys that knows how to avoid all of these, these pitfalls and, and, organizing a vCISO engagement. Coolio.

John Verry (39:33.004)
It’s a compliment.

John Verry (39:51.678)
happens a lot when they’re growing which means that yes they no longer need that component of it but now they need more because you know the piece of the security pie has gotten larger right. Here’s one we probably don’t want to talk about but it does happen we’ve actually won a number of clients this way post breach post incident.

Matt Webster (40:12.839)
So just if we’re talking post, we’ve so I don’t know that that’s a yeah.

John Verry (40:17.974)
No, I’m saying it’s why did vCISO agreements or engagements fail? A breach. It really shakes management up. And in fairness to, we have not, knock on wood, we’ve never had a really significant incident. We’ve had events, security events, and security events are unavoidable. Someone can click on a link.

Matt Webster (40:28.614)
Yeah.

Yeah.

Matt Webster (40:35.482)
geez, you’re going to say it, aren’t you?

Yep. Sure.

John Verry (40:47.052)
some that they shouldn’t and there’s no virtual CISO in the world that can prevent that from happening. They can minimize the likelihood that that event causes negative impact, you know, through, you know, lots of, lots of, of, lots of good processes, right? Mail filtering and good backups and good configuration management at the desktop and not allowing administrative access on desktops. I mean, there’s lots of little things we can do, but at the end of the day, you can still have something potentially happen. So

Matt Webster (40:58.759)
It’s in a response.

Right, sure, sure.

John Verry (41:15.692)
That’s what I’m saying is that we see engagements fail because people get thrown out because something bad happened.

Matt Webster (41:22.531)
Listen, if you’re the star quarterback for a football team, let’s say, and you have a really bad game, you throw a lot of interceptions in a particularly important game, you could get benched and then ultimately lose your job. It’s a natural reaction. The reality in our field: breaches do happen. Similar to you, knocking on wood, we haven’t had anything of significance that’s been significantly impacting to our clients.

But these things happen. We set that groundwork from the minute we start having a conversation, which is this is not a panacea or a silver bullet of avoiding all security or potential security issues. These things can happen. I mean, the Bank of Americas of the world that spend a billion dollars in security, they have events.

They have a lot more resources and processes and tooling and staff and money to prevent them. And these breaches happen. I don’t know that that natural reaction of assuming that your, that your vCISO didn’t have a catastrophic failure, like you were having a breach and they were not available or, you know, they caused the breach or something along those lines. But I would say that there’s actually value in keeping the institutional knowledge of your vCISO in place post breach, because you need continuity of services, continuity of services, prior to the breach, during the breach and after the breach, that continuity of services can be very, very helpful down the road. Understanding that these breaches happen. Does that make sense to you?

John Verry (43:14.764)
Yeah, it does. You know, I, it’s, I feel bad for someone. Let’s say, you know, you, you, you own a hundred person company you’ve built, you know, spent your life building this. You have some breach that significantly impacts your organization and you’re looking and saying like, well, I said, I’ve got to be a failure of the, of the guy that’s running stuff. And I hired this guy and I’m paying him $7,000 a month to I’m paying him a lot of money and he didn’t keep me safe. I think what you’ve got to look at is, you know, and it’s hard because you don’t have the knowledge often.

Matt Webster (43:31.569)
That’s right.

A lot of money, yeah.

John Verry (43:44.332)
Right? You’re an expert in your field. You’re an expert in running your business. You know, you’re not an expert in information security, but you really need to take a step back. And before your knee-jerk reaction is to throw the guy out. I think what you, what you need to do is look at it and say, what happened and why, you know, was this, like you said, was this negligence or, or really bad judgment on, on behalf of the individual that I’m working with, or is this the unfortunate reality of the world that we live in? And that’s a hard thing to figure out.

Matt Webster (44:05.319)
That’s right.

John Verry (44:14.552)
So I agree with you. I think what you have to do is if you have a virtual CISO and you have a breach, I think you need to do your due diligence and determine, do I have the right person in that seat? And you still might have the right person in that seat. Right?

Matt Webster (44:23.982)
That’s right, that’s right, that’s... Because you need to understand that these things happen. To be fair, you may not have the, that’s right.

John Verry (44:30.606)
But there’s times when you need to look at that and go, wait a second. No, no, Yeah. How did we have a Windows 2000 server sitting out on the internet, housing our most critical assets? No, I’m sorry. You need to get rid of that guy, right?

Matt Webster (44:43.088)
Right.

Matt Webster (44:46.521)
Yeah, exactly. That’s right. That’s right. That’s like being the quarterback that throws four interceptions in the Super Bowl. Right. Exactly.

John Verry (44:54.21)
Yeah, right. Versus, you know, you’ve got a sophisticated ALPHV/BlackCat, you know, targeted attack against your organization that occurred through a third party service provider. I mean, you know what? There’s, you know, there’s probably not a virtual CISO in America that would have kept you from having that incident.

Matt Webster (45:01.574)
Yeah.

Matt Webster (45:16.519)
That’s right. That’s right. That’s right.

John Verry (45:18.67)
Okay, so we’re on the same page there. Here’s one that is a good way to have this happen. Sometimes, and we’ve had it happen once, twice, and probably gonna happen shortly, a third time unfortunately, our clients outgrow virtual CISO.

Matt Webster (45:35.047)
Yeah, we haven’t had that happen very often. Our clients are typically a little bit smaller than yours. We’re in the 150 to 200 person range, maybe 250. That most certainly happens. I think my business partner and I, the guy I started the company with, we’ve talked about this and what we would do in this case.

We would advise our clients like, it’s time, bring in your own staff. Somebody that is there 40 hours a week, 50 hours a week, 60 hours a week, whatever. The value of having your own staff and no longer a fractional or virtual role. You’ve matured to the point where you need that position. But having the advisory services in place still makes sense. I mean, CFOs have all sorts of advisory services around financials and how to deal with M&A or whatever it might be. At least keep that virtual CISO around to create that continuity of knowledge. The time that they have spent learning about your organization, putting controls in place, putting policies, putting procedures in place, understanding your environment.

It would be just like if you were replacing staff, you would want that extended period of time to make sure that there’s a transfer of knowledge, for lack of a better term. I mean, these things happen. These things happen for sure. What happened?

John Verry (47:09.422)
Yeah, yeah, and you know, it’s a compliment. It’s actually a compliment to the virtual CISO. Like, so we had a client that was in the private wealth management space. We got there because they’d had a very significant, very public breach of some very important people’s information. They had an SEC.

Matt Webster (47:32.095)
boy.

John Verry (47:32.746)
Yeah, MRAs, we got called in, worked with the SEC, cleaned a bunch of stuff up. We were told that we’re talking with organizations about an acquisition. What do you need to do from an InfoSec perspective? We kind of built out a really robust information security program. They got bought for north of a billion dollars. They were not a big company. They were a very small company, in fact. But they got bought for north of a billion dollars.

Matt Webster (47:52.071)
Great.

Matt Webster (47:57.639)
Good for them.

John Verry (48:02.912)
Literally, one of the feedbacks we got was they complimented our security program and said it made it streamlined and accelerated the process of being acquired, knowing how strong your cyber program was. That’s the good news. So if you’re listening to this and you’re lucky enough that if you are a fast growing, we do a lot of work in the SaaS space and some of our guys are unicorn or unicorn track. So we actually have those conversations with them. When do you?

Matt Webster (48:13.6)
That’s great.

John Verry (48:30.89)
If you’re working with a PE firm, you’ve got to understand when is the PE firm’s window? What are they trying to accomplish? And we need to make sure that we position them so that way. So we have another client right now that they’re on the go public track. And if they go public, they’re going to need a chief information security officer up on the website. And we’re like, OK, here’s what we’ve got to do. And we’ll be part of that process of getting them there when it happens.

Matt Webster (48:44.851)
Yeah.

Matt Webster (48:55.157)
Yeah, the one time we’ve had this happen, we actually did the interviewing, the recommendations on staffing the CISO position. Basically finding our replacement, which is fine. This is similar to you guys. What we care first and foremost is about our clients, right? So their success is of critical importance for us.

And if the successful path for them is to basically replace us, then that’s what we’re gonna be there to help them with, for sure.

John Verry (49:29.484)
Yeah, one that is probably obvious, but we have seen it cause problems is lack of cultural fit.

Matt Webster (49:39.791)
Right. It’s, it’s, it’s similar to hiring somebody that doesn’t, you know, a direct hire that’s going to work full time with you. That turns out the interviews went well, but the, the, the staff, you know, they didn’t get along with the staff or they weren’t, they, were too aggressive in board meetings, whatever it might be. There, these things happen. You know, we, it’s, our recommendation would be, in fact, we say this all the time, don’t hire us if you wouldn’t hire us to work for you full-time. Forget whether we’re going to be virtual or not. Don’t hire us if you can’t imagine us being a full-time staff member. So consider that when you’re hiring a virtual CISO.

Think about these. I mean, your CISO sees kind of both sides of an organization, both the good side and kind of the dirty underbelly at times. So that person you need to trust emphatically. You need to be able to have very, very straightforward, latent conversations with. So that person you have to be confident, your virtual CISO, have to be confident that you can have those conversations with them. So take hiring a virtual CISO as seriously as hiring a full-time staff member.

John Verry (51:08.588)
Yeah, in it, yes, and I’ll, at the danger of hurting ourselves, so you might, if you called up Pivot Point Security and said, we’re looking at virtual CISO, you may end up on the call with me, but it’s not likely I’m gonna be a virtual CISO. And you think, wow, this guy seems smart, he’s engaged, I like a sense of humor, whatever it might be. Yeah, I could see working with this guy. And then what happens is you hire us and I’m not the guy that you get, and then suddenly you get a guy that’s a different personality.

Matt Webster (51:08.783)
Do you feel that same way? Yeah.

John Verry (51:38.222)
So what you want to do is make sure that make sure you know who is going to be the virtual CISO that’s assigned to your project. You know, make sure it’s, you know, like the big four is famous for bait and switch. You know, you meet the partner and you get, you know, the kid out of college. Not that you’re going to get exactly that because a virtual CISO is going to have some, some gray hairs usually. But make sure that whoever is going to be your virtual CISO that you actually do have some interaction with them prior to being engaged.

Matt Webster (51:45.447)
That’s right.

Matt Webster (52:08.347)
Yeah, 100%. I think it’s like, again, this goes back to a lot of things we’ve said. The person that you bring in is going to be part of the team that’s going to help move the company through, navigate waters that can be rough and choppy and full of tidal waves at times. So it’s important that you know who this person is, that you feel like you can work with this person, et cetera.

John Verry (52:34.434)
Yeah, and then last, I think, is lack of understanding unique to the industry. So I think there are certain verticals where the lack of knowledge specific to that vertical are going to have a potentially negative impact on a virtual CISO’s ability to be successful. So as an example, SaaS, if somebody doesn’t have experience, doesn’t understand what it means to instrument a pipeline or doesn’t understand what an SDLC is, it’s going to be a problem.

John Verry (53:03.246)
The legal vertical tends to operate a little bit differently, you know, if somebody doesn’t, you know, if you’re in a manufacturing and someone doesn’t know a bit about OT or doesn’t know about the uniqueness of manufacturing and shop floors and things of that nature. So I think that’s one last one I think would be worth pointing out.

Matt Webster (53:22.981)
Yeah, I mean, we have specialties. You guys have specialties. I don’t think you call yourselves a jack of all trades across all industry. There are certain industries that we’re not as comfortable working in, primarily around regulations. So you need to make sure that when you when you’re, you know, courting a vCISO that you have similar to hiring the right person, that they have an expertise in your area, in your discipline. If you’re a law firm, you need your vCISO to understand the nature of law firms and how they operate. If you’re a SaaS provider, like you just mentioned, they need to understand what the four letters CI/CD actually mean. It might be the most important thing. I mean, it really comes down to, are you hiring somebody that knows what they’re talking about, is what it comes down to.

Because although security as a discipline, it really has applications everywhere. And if you’re a security expert, you can apply that to every industry. Understanding what a particular company does because of the industry they’re in is also of great importance. Now I will say that the virtual CISO as kind of an offering across the industry is cool that way because, you know, our firm, your firm, John, we have staff that’s doing work in all sorts of sectors.

So we do have that a little bit of that institutional knowledge or that market knowledge about how a particular type of business operates in the vertical that they’re in. Does that make sense? So you actually gain by going with a virtual CISO, you can avoid this pitfall because they may have the expertise across their entire organization or a specialty in this particular area. Unlike if you’re hiring a direct employee to be your CISO, they may not have the expertise of your particular area.

John Verry (55:31.31)
Yeah, and actually you made me think of this another corollary to this is ensuring that not only do they have industry knowledge, but they have knowledge of the regulations that are or frameworks that are relevant to you. So as an example, if you were in the legal vertical, you know, someone who doesn’t understand, you know, what a document management system is and what its import is to a law firm, you know, that that’s gonna be a bit of a problem. But the second thing is, is that if you’re a law firm, it’s not, you know, it’s not unlikely that at some point

Matt Webster (55:52.277)
Right.

John Verry (56:01.334)
If you’re not already, you’re going to need to be ISO 27001 certified, maybe ISO 27701 certified. Ensuring that the organization has the knowledge of the frameworks, both the information security, the attestations that you might need to acquire at some point in the future, and or they have knowledge of the underlying regulatory compliance frameworks. So if you’re processing health care claims and somebody isn’t familiar with HIPAA and HITRUST,

Matt Webster (56:17.351)
Yep.

John Verry (56:29.826)
They might not, you’re not on the HITRUST track yet, but that’s maybe two years or three years down the line. If you don’t hire somebody that already has that knowledge and expertise, that might necessitate a change on a go-forward basis.

Matt Webster (56:34.557)
Down the road, right.

Matt Webster (56:44.226)
That’s right. That’s right. Exactly right. Exactly right. Well, I think we, yeah, I think we talked about a lot of the pitfalls that we’ve seen over the years. I mean, we’ve been around for eight years. You guys have been around for like 15, right?

John Verry (56:47.918)
Cool. I think we beat this up pretty good. Did we miss anything?

John Verry (57:00.006)
Well, you know, I can’t proclaim to be as young as I am and tell you that we’ve been, you know, I think 22, 23 years. But, but, but you know what? It was a, it was a junior high school project where you had to start a business, right? So, and it worked, and it worked out, worked out pretty well for me.

Matt Webster (57:07.503)
Right, exactly, exactly.

Matt Webster (57:12.423)
That’s perfect. Yep. Yep. Yep. That’s great. That’s great. Good for you. Well, you look really good for 32.

John Verry (57:22.222)
Yeah, yeah, unfortunately, you know my son and do and yeah, the comical thing is is that Matt Webster actually provides services and works with a company that my son works in in a cyber in a cyber role. So yeah, so Matt Matt could tell you in my actual age, but he won’t. He won’t because he I usually buy the beers when we get together. You know,

Matt Webster (57:28.261)
Yeah, that’s right. That’s right.

Matt Webster (57:38.821)
That’s right. That’s right.

Matt Webster (57:42.907)
Yeah, yeah, I’ll leave that out. I’ll leave that out.

You do, you’re pretty good about that. Or the bourbon, or the bourbon.

John Verry (57:51.342)
Or the burger. Yeah, we know we actually have never had a bourbon while we’ve been out because we always, we always end up drinking Troon. Yeah, and for anyone who’s listening there is a small brewery in... What is that considered, Lawrenceville? What’s that considered? Hopewell. Yeah, a small brewery called Troon, T-R-O-O-N. If you, if you’re ever lucky enough to have a Troon, yeah, I think you can only buy it at Brick Farm Tavern,

Matt Webster (57:55.087)
Now that’s because we go to the go to the really good beer place.

Matt Webster (58:06.063)
No, that’s Hopewell.

Matt Webster (58:11.205)
Yeah, there.

Matt Webster (58:19.503)
Yeah, you can only get it there. He cans some a couple of times a week. People come from Philadelphia, come from New York to buy the canned beer, but you can’t get it anywhere else, only on property.

John Verry (58:31.234)
So it’s like the old days. It’s like the, it’s like the old days of Heady Topper. If you remember when Heady Topper was like the, like, my God, this is the most amazing IPA when it first came out. And you’d see, I mean, like, and he would release those, you know, those big cans, the oil cans, like I forget what it is every Wednesday or something of that nature. And on Tuesday night, there’d be a line outside of his barn with people sleeping in their cars and he’d limit it to like one case or two cases. And you’d have friends go up and drive up and you you’d split. Yeah. Yeah. It was.

Matt Webster (58:35.056)
That’s right.

Matt Webster (58:39.021)
This is Adolf, right?

Matt Webster (58:47.597)
Yeah.

Matt Webster (58:54.791)
Just like that. Just like that.

John Verry (59:01.454)
It’s funny now because the other day I was actually in a liquor store here and I look in the case and it’s Heady Topper was actually in my, you’ve seen it so really I’m not even an IPA drinker but it’s like, wow, okay, that’s a unicorn beer. Let me grab it and have one with my son because hey, you don’t see Heady Topper every day, right? Yeah, exactly, exactly.

Matt Webster (59:12.973)
Right.

Matt Webster (59:18.567)
There you go. Yeah, it’s special. Right. Exactly. Exactly. But we need to get together again for sure.

John Verry (59:26.218)
It sounds good, So if folks want to get in touch with Harbor Technology Group, what’s the best way to do that?

Matt Webster (59:32.184)
You can send a note to info at harbortg.com. That’s H-A-R-B-O-R-T-G dot com. Or my email address, I’ll give that because I’m happy to. Mwebster at harbortg.com.

John Verry (59:45.398)
Awesome man, always good to catch up.

Matt Webster (59:47.579)
Buddy, appreciate it. Have a great week.

John Verry (59:50.21)
You too.