Leaders Shaping the Digital Landscape
Nov. 14, 2023

Securing Tomorrow, Today

Join host Wade Erickson for an exploratory conversation with Charles Payne, CISO/CTO of Neptune Media, as they discuss how to pave the road towards a more secure, cutting-edge future in cybersecurity.

Tune in as host Wade Erickson engages in an exploratory conversation with Charles Payne, CISO/CTO of Neptune Media, diving into strategies for a secure, cutting-edge future in cybersecurity.

Key Takeaways:

  • Learn about innovative approaches to enhance cybersecurity in the ever-evolving threat landscape.
  • Discover strategies to pave the road towards a more secure digital future.
  • Gain insights into the crucial role of collaboration and proactive measures in cybersecurity defense.

Transcript

Carlos Ponce (00:14):

Good morning once again. We're getting unplugged right here on Tech Leaders Unplugged and for another episode of tech-themed conversations. And I'm joined as ever by my fellow teammate and co-host Wade Erickson. Thank you, Wade, for being here with us today. And of course, our guest. We're going to be speaking with Charles Payne, the CISO/CTO at Neptune Media. So thank you Charles, and thank you Wade for being here today.

Charles Payne (00:48):

Thanks for having us.

Carlos Ponce (00:50):

Look, yeah, absolutely. Looking forward to this conversation. So, let's start with you, Charles. Tell us a little bit about you, your background, your story, how you got here, and anything you want to say about yourself.

Charles Payne (01:05):

Well, it's, I won't be too boring, but I've been in cybersecurity for roughly 25 years. So, I started out back in network security back when we just had firewalls and physical appliances, and we moved, and we migrated all the way to now what we call today's cybersecurity. So I've been here for the journey. It's been, it's been an amazing ride. And can't wait to see what we've got in store with AI and machine learning, trying to see what the future's going to hold for us.

Carlos Ponce (01:31):

Excellent. Thank you so much, Charles. So how about Neptune Media? What was the aha moment when you said, well, we've got to create this? Tell us a little bit about your journey with Neptune Media, please.

Charles Payne (01:46):

Yeah, so Neptune Media was actually born out of me complaining to our board about how much we've, we've been to all of these other executive events and I, I measure my own personal return on my investment by return on my time. So, I measure based on how many relationships I can build, how many connections I can establish, and, moving forward, basically how many partnerships. Because I want to partner with the vendors, I want to partner with the partners and the sponsors. I want to create some type of relationship and create some type of momentum and try to become some type of builder, and design partner moving forward so we can build better products together. And I found that going to some previous events and some other summits that were available, I really couldn't, I couldn't achieve that goal. So, with media helped build out those relationships on…

Carlos Ponce (02:48):

Are you on mute? Yes. I'm sorry about that. <Laugh>. Yes. Okay. So, thank you, Charles. So now let's move on to today's topic. Okay. As chosen by you, we're talking about securing tomorrow today. So, we're going to be discussing or exploring cybersecurity's cutting edge. And so that, that leads me to the next question Charles, so tell us why you think this is relevant for today's day and age, please.

Charles Payne (03:22):

So, we, we already know reaching out on social media and people don't check their LinkedIn as much as they used to. And then you've got the newsfeed always scroll. Building relationships really helps build out the necessity for the community to grow, grow. If we look at, you know, comparative to where we're today and what we, what we want to have in the future, we want to integrate new technologies, we want to integrate machine learning, AI, and all the other cool buzzwords that people can think of. But at the end of the day, you know, when an executive hears someone say artificial intelligence, we already, we already hit the, the BS meter. We're already like, wait a second, you guys are just saving me with buzzwords. So when you really think about securing tomorrow today, it's really one of those things where it has to be like a planned approach where you're actually not trying to hit every single word that, you know, your marketing team's given you. You really have to have some type of fundamentals and some type of grounding into what you're really talking about. And that's, I think, the basis of what we need to do today to help us for tomorrow.

Carlos Ponce (04:21):

Alright, thank you. Thank you, Charles. Wade, I know you have some questions for Charles, so do you want to take the mic?

Wade Erickson (04:30):

Yeah, so we talked a little bit about how marketing and sales are challenged today with social media. That used to be kind of the, the, the darling channel, I don't know, a few years back when LinkedIn was somewhat new. Email of course had its day and spammy and all that kind of stuff is, is largely shut <laugh> shut down that channel. You know, and, and even though we have the phone a lot of people won't pick up the phone if they don't recognize the number. So that channel is struggling but is still very effective in my experience. Tell me about the event model. There's events in marketplaces that are kind of really driving the back to face to face

Wade Erickson (05:26):

Phone, social, and email. Tell me a little bit about the advantages of your events and a little bit about how they're structured to help salespeople and vendors meet the buyer.

Charles Payne (05:38):

Yeah, absolutely. So, our sales approach is, is significantly different than most, we don't, we don't do any of the speed dating or lightning rounds with our summits or with our events. But what we do is we do executive dinners and executive lunches and breakfasts. And our, our whole purpose of sitting the executives down with the vendors and the, the partners and stuff for an hour and a half or two hours at a time is so they can really build those relationships. We already know that if you, if we go speed dating, we, we go see 50 vendors as an executive, we go see 50 vendors. We spend 10 minutes with each person. We're never going to build a relationship. We're not going to create any value for an, obviously not very much for the vendor either. Yeah, we might know who they are, but we might not want to talk to them again because we might have had a bad interaction.

Charles Payne (06:22):

So, our focus is to spend an hour, spend, spend two, and actually have that ability to build that relationship, build something that's a little bit more than superficial, build an actual hard connection with somebody. So you actually have that ability to pick it up with a phone and call them. So now they recognize your phone number. Going back to your point, Wade, like, yeah, if I don't recognize a phone number, I'm not going to answer it. Absolutely. But now you know who I am. We sat, we ate dinner, we had a couple of drinks, we already knew each other, we exchanged phone numbers. I'm naturally going to answer your phone call because I know who you are, you're already my call ID. So that's a little bit more of what our business model does as opposed to some of the other ones. Our business model is focused on building an easy transition from advertising and marketing to actual sales. Our ours is focused on the pipeline.

Wade Erickson (07:13):

What so I know that cybersecurity is one of the summit's focus. Tell me a little bit about it, is there more outside of cybersecurity that you have a focus on for the vendors to be able to meet the executives?

Charles Payne (07:29):

We do, so we actually focus on three main, three main areas. So, we focus on artificial intelligence and machine learning, we also focus on cybersecurity obviously, but also FinTech, so financial services, financial, the financial industries as well. So we focus on those main three areas.

Wade Erickson (07:48):

And when you have events, do you, do you split those three into different events or are they blended and you kind of sign up and a little bit of matchmaking goes on based on the focus even for companies that maybe have both cybersecurity and a, you know, AI in, in their delivery and services?

Charles Payne (08:10):

Yeah, great question, Wade. So we actually blend them. So, what happens is you'll have different tracks that have different things, but you can also cross-pollinate. You can also cross the tracks over if you want to, if you want to go some stuff that's AI and some subset cybersecurity, you can definitely do that or vice versa. And you also do some fintech or you can mix all three of them together if you like to. Everything overlaps. Everything's also going to be recorded and broadcast server. Everybody that's registered also will have the ability to go back and replay it.

Wade Erickson (08:38):

What kind of trends are you kind of seeing at these events that the executives are targeting looking for vendors with a higher interest or frequency versus the traditional cyber like fiber firewalls and networking? You know, obviously, there are lots of vendors that do that, but you know, a lot of things are like looking for open-source code in your code base. Those kinds of things are a little more on the edge of some of the services folks are providing in this area.

Charles Payne (09:11):

Absolutely, yeah. So, you know, even GitHub's got like a <inaudible> thing where they'll actually go back and they'll, they'll review some of your code. I think their products are called Copilot, if I remember correctly, one of their, one of their products. So there are a lot of different things that do that, but I see more along the lines of everybody freaking out right now or maybe not freaking out but given extra money and they're given extra budgets or sometimes a little bit more flexibility with buying stuff that's, you know, artificially intelligent or machine learning based, just because it's what we see on television, what we see on the news all the time. And sometimes our, our board's a little bit more generous for some of the stuff that's new because they don't, they're afraid about being left behind. Like right now it's kind of, I don't want to say an arms race, but that's essentially what it's turned into.

Charles Payne (09:55):

It's like everybody's fighting for what's the next version of machine learning. What's the next version of the AI, you know, machine learning combination? It's, it's turned into funny enough kind of like an I guess it's like an arms race because everyone's like, everyone's trying to one-up the next person. So, it's like you've got one person that's got, you know, AI, one person that's got AI plus ML and then it's just, it's a slam-ending battle. I don't know how long it's going to go on for, but it's, it's kind of, it's kind of amusing to watch.

Wade Erickson (10:19):

Yeah, we, we, we've seen that before, obviously. You know, I remember back in the days of RPA and automation for robotic process automation, and there was a lot of hype around that eight or nine years ago. And although the technology is very advanced and very solid it just didn't seem to penetrate the way I thought that it would. And I'm thinking, you know, AI and machine learning are in this hype stage right now, although very powerful. I mean, I think a lot of us have already seen some advantages there, but I think to, meet the like you said, the return on investment there takes a lot of intelligence to apply artificial intelligence, right? And I think that that's somewhat we're missing in the business is the people who can be the solution architects.

Wade Erickson (11:12):

It's kind of like software developers right now. Where the power is going to be is the AI-enabled software developer where you can actually do the work of two or three. So that means they need to learn even more. They have to have intelligence on top of the AI on how to apply this. And I just think this is somewhat of a trend we've seen in other technologies that I think is going to fall in the same that AI machine learning is, is that the technology's there, it's just the people that are having to apply it, aren't there <laugh>, you know, so what are your thoughts on that?

Charles Payne (11:45):

True. Yeah, absolutely. So it's like actually my, I actually, at the last summit that we had, which turned into executive dinners, the actually was meeting with the CEO of a company that actually has a, a SIEM that they built out. And it actually uses machine learning to see everything that happened. And then it cross pollinates with the MITRE and then it writes you all the TTPs and IOCs that actually meet that are required. It actually does a SOC one, some SOC two-level analyst job, and then it spits it all out for you. And then it says, this is how you remediate your files, how you remediate the infrastructure. I'm like, this is amazing. And he uses machine learning for that. I'm like, this is amazing. Because now I can, you know, repurpose my SOC one, some of my SOC two level analysts to go do something different because now the, the software's doing it for them now, the system's building it out and doing it for them.

Charles Payne (12:31):

So I think what we're seeing right now is there's a lot of hype and there's not a lot of, a lot of activity that's going because everyone keeps saying that they're using artificial intelligence when in reality there's, there's not very much cognizant being or cognizant stuff that's actually artificially intelligent, more along the lines of machine learning and modeling. But we get caught up in that, you know, over hype with the marketing, going back to what you're saying, and it's like I tend to turn a deaf ear to when someone says artificial intelligence only because I know that they're probably not using those terminologies correct, correctly. So it's going to boil down to, and going back to what you're saying about RPA, RPAs has actually rebranded itself with which we now know is, you know, no code, low code. So, it's, it's coming back, but they're finally starting to go through the same cycle or cyclical cycle that, you know, machine learning and probably artificial intelligence will do as they go through this whole, you know, we, we made all these mistakes on PR and marketing and now we're going to go back and rebrand it and do something different.

Charles Payne (13:29):

It's, I see that happening with the RPA now, this whole no-code, low-code thing where it's the same thing. You just strike the box and you still do the same thing RPA did. But it's, it's got a new catchy phrase, you know, no-code, low-code. So I think it's going to hit one of those rebranding types of types of scenarios where we finally catch up and realize that, you know, we over-publicized something. We made a lot of mistakes, we overpromised and under-delivered everything and then we're just going to go back and rebrand it.

Wade Erickson (13:55):

Yeah, we'll have to probably categorize things a little better. Because AI is wide, as well as machine learning is such a wide topic area, I think we'll start to see some specialized definitions around that so people can actually talk more intelligently about it. And two you know, specialize in this very vast area that generically I think no one company can do it well across the board. It's so vast, right? So whether it's, you know, the verticals of applying it into education technology or they're at, you know, learning on the child, right? As they're interacting with the courseware it's adjusting the courseware on the fly for the students. We have unique learning experiences for every child on the platform, right? So it's things like that. Tell me a little bit about your background. So, you said 20 years from 20 plus years you've been in this space you know, there's a lot of folks that are now coming out of college and cybersecurity seems to be one of the few areas that is not getting outsourced and offshored as much as some of the other tech areas.

Wade Erickson (15:08):

What drew you to that as a career fellow when you were in your <inaudible>?

Charles Payne (15:14):

Yeah, so I'll, I'll admit I actually lucked into cybersecurity by accident. I didn't actually set my hopes and dreams to go do cybersecurity. Actually, I went to school for law, decided I didn't want to be a lawyer, and went back to computers and technology, something I was passionate about, and loved. And then, the industry actually just evolved over time into what we now know as cybersecurity. So I mean, that's, that's how I got my start. My background's not in IT. I don't have a computer science degree. In fact, I've got, you know, your pre-law degrees and, and such. I studied psychology in school. I didn't, I didn't study computer science and, and all the other stuff that everybody else is doing these days. So, my background is a little bit different. And so it's, it's unique. It's, my background's also in finance, so I bring three things to the table.

Charles Payne (16:07):

So, I love GRC from what I'm doing based on my previous background as well as my financial experience. So I actually do a few different things. So, there are different types of CISOs, as you probably know. There's a business-oriented one and there's you are technical and practical and so on and so forth. So I kind of blend both skills of the technical as well as the business side. And that's, I think, where my strong suit is. But for someone coming right out of school, someone that's in high school, or someone that's in college that wants to do cybersecurity, that wants to do something, it, that's a really broad question. I'm not going to be the guy that just says go get certs, because I don't think certificates are valuable in everything. They have some, they have some purpose, but I don't think they're valuable for everything.

Charles Payne (16:50):

It just depends strictly on what you're trying to do and what you're really trying to accomplish. Do you want to be a programmer? Obviously, you don't need a cert for that. If you want to be, you know, something in government where you need like Security+ or a CISSP, then that's a different story that's going to be a requirement based on a contract. So, I think someone coming out of school is going to, really need to ask themselves, what they like to do, what their personality likes to do. Do they want to sit in front of a screen and program, or do they want to be out talking and meeting with people and maybe in a different role? So let's, those are always fun leading questions. In fact, I mentor a lot of students when I was teaching, and it's the question they used to always ask me, hey, do you think I can do cybersecurity?

Charles Payne (17:28):

My answer was always like, absolutely, I think you can do everything, but the question is, what do you like to do? What's your, what are you passionate about? Because that's where people are most successful at, is whatever they're passionate about, that's when they, they're able to pick up and they're able to absorb a lot of information really quickly, kind of like an infant where they can learn how to speak a language because they're really passionate, they're really trying to communicate. They're, they're really eager to learn. And I think that's where people who are passionate have, the greatest ability. That's why I asked them what they like to do.

Carlos Ponce (18:03):

Charles, I've got a question actually, well, actually, actually it's two questions in one, and this is more geared towards the viewers who might be watching. So, the first question is, is there a shortage of cyber cybersecurity professionals right now? What are your thoughts on that?

Charles Payne (18:22):

Oh, I love this question. There's, there's actually not a shortage, of people. There is a shortage of money. So in, in, in school when we were teaching, they used to always say that there's a shortage of students in, in, in and staff. There's really not, there's a shortage of money. Even, even when I got approached by an aeronautical company, which I will not name, I was, I was chased for like three or four months trying to apply and get the job there. I already talked to their corporate HR department. They're like, look, yeah, we have a, we have a req open, but there's no money to pay you. If you want to work for free, great. But there's no money to pay you. Yes, we have requisitions open, there's no money behind it, but they are open. So what we see today is the same thing.

Charles Payne (19:04):

It's like we had the requisitions open, but there's no money behind those requisitions to fill those positions at the moment. There are a lot of people, I guess you want to say window shopping, and it's kind of sad because it's a little bit misleading, in a lot of different things. But I've talked about this on, on a different podcast actually, about how they, how they do window shopping more, more so than they probably should do. And I actually helped them had some of their financial numbers. But aside from that, you know, tangent, there's not a shortage of people. There's a shortage of money, and revenue to pay the people.

Carlos Ponce (19:40):

Yes. Okay, thank you, Charles, and the second question is, I know you, you gave us an example of cases in which people approached you and asked you, can I get into cybersecurity? You said, yeah, you sure can, right? But for those who want to get into cybersecurity, do you, would you say that they need a special trait per either, you know, be it personality trait or professional? So, what do people need to have in order to excel and succeed in cybersecurity?

Charles Payne (20:22):

This is going to sound, this is going to sound a little bit ironic, but the only thing that you really need to, have, to exceed or excel in cybersecurity is just passion and desire. If you want, if you want to be the best, if you want to do the job, those type, those type of things, those type of personality traits are going to make it so no matter what happens or what obstacles that, that you face, you're going to be able to overcome them. It's not a matter of being able to be able to program, you know, a Windows operating system or Linux operating system from scratch and be able to do it in a day. It's a matter of, you know, team building. You know, you've got the whole team building skills and team building exercises that you go through, but it's really, it all stems down from passion and drive.

Charles Payne (21:01):

And that's why I used to ask my students, like, what do you like to do? Because I already knew that whatever they were passionate about, they were going to be perfect. They're going to be flawless in because they're going to have that drive to be the best at whatever they were doing in cybersecurity or in any other walks of life that they chose. So I would always tell somebody that, don't, if you chase it for the money, you, you, it's a very short, it's a very short-lived lifespan. If you chase it because it's something you love to do, then you'll make a career out of it. And that, that's the way I view and that's the way it's, it seemed to play out. Because what happens is cybersecurity is a very cyclical cycle. As you see, in the markets right now, everyone's panicking because the CISO stopped spending money, but they didn't really stop spending money. They stopped buying what's shiny, and that caused all the cybersecurity vendors to stop spending money because they think the sky's falling. Then all these people get laid off. So then you really have to do something that you're passionate about. So, you know how to, to really weather those tough times and really go through the industry as it as it's going through, and it, it's changing and it's appreciating itself.

Carlos Ponce (22:09):

Thank, thank you so much again, Charles. So Wade, we're, we're coming up on time. We're approaching wrap-up. So, I'm going to pass on the mic to you for final questions, please.

Wade Erickson (22:19):

Yeah, you know, you talked about money being tight, that it's not quite there when it's needed. I have been around companies that have had major breaches and it's amazing how much money becomes available when there's a breach, right? <Laugh>, we'll throw plenty of money at it. Tell me a little bit about what you would say to an executive that is, maybe they haven't been breached, maybe they haven't had a ransom attack, and they're treating their security budget light, like you said. What would you, what would you say to those without, you know, I mean, there's plenty of fear fearmongering but I mean, it's also way more happening that's in the press because it's something people don't want to share in the press. Can you, as a professional, can you tell me how, how, and what percentage of companies are actually experiencing these, whether major breaches or even minor breaches?

Charles Payne (23:21):

So I can tell you from my own, my own experience personally, there are a lot of companies that will experience some type of attack or some type of breach, and they will either deny it or they'll, they'll sweep it under the rug, like it never happened. I mean, there are some companies that do have, you know, property diligence where they're, they're, they're not affected. So there's also that aspect of it. But to address your other part of the question, how do I, you know, address a company that's, you know, a little bit light on the budget? You know, I did study FAIR and I went through the FAIR Institute for understanding how to actually, you know, tangibly put dollars and cents, quantify the, the dollars and cents values to a breach of, of certain issues. And being in finance myself, it makes it easier if you say like, Hey, look, if all our crown jewels, like all this PII gets leaked, then basically you lose everything because your company's now bankrupt type of scenario.

Charles Payne (24:13):

So if you have the ability to tie some type of value to the information you're trying to protect, it becomes a lot more sensible. And that's ultimately what happens in a breach, right? Because when you have a breach, you already know that like, oh, all my PII is gone. If this gets, if this gets massive or it gets spread out to everybody, we're going to lose billions of dollars if, depending on if it's a publicly traded company or we're going to lose the entire company, depending on if it's smaller. So now they have a real sense of value. And that's really what's missing in the boardroom when the CISOs are explaining it to the other folks, is there, they're missing the ability to communicate the business value or the business risk correctly, to sometimes technical or, but mostly non-technical folks who actually write the checks and they control the budgeting. So, it's really critical to communicate the value of what you're protecting, why it's valuable, what the risk is, and what it's going to cost the company if you don't mitigate that risk. Because at the end of the day, we're still responsible for mitigating the risk, even though we're not the ones actually doing it, we're just advising on it, which is kind of ironic.

Wade Erickson (25:16):

Thanks. That's great. Great response.

Carlos Ponce (25:21):

Alright, so Charles, we are unfortunately coming up on time, so we need to wrap it up, and, well, the only thing left for me to do is thank you big time for having and being with us on the show today. And if anyone watching wants to get a hold of Charles, you can do that at the email address down below. And also, of course, it's at Charlesp@cisoevents.com, and then also on their company website, which is CISOevents.com of course. And of course, how to get ahold of Charles on LinkedIn. It's right there. You can see that down below. So with this being said, thank you so much again, Charles. Thank you, Wade, and please stay with us as we go off the air and wait about upcoming the ones, there's, there are several upcoming interviews, but we need to confirm the topics that are going to be shared. But please keep an eye on upcoming events, most likely by first thing tomorrow and onwards. It's right there on the website, tech leaders unplug.com, and upcoming. So keep an eye out for that. And this being said, again, thank you, Wade. Thank you Charles, and see you next time right here on Tech Leaders Unplugged, Monday through Friday, 9:30 AM Pacific. Thank you.

 

Charles Payne

CISO/CTO

Charles Payne is a CISO/CTO at Neptune Media, a leading provider of executive-level summits that bring together top decision-makers in various industries. With over 25 years of experience in cybersecurity, he has extensive knowledge and skills in network security, digital forensics, governance risk and compliance, penetration testing, and vulnerability management. Charles leverages his expertise to deliver world-class summits that offer unparalleled opportunities for executives and vendors to learn, network, and grow their businesses.

In addition to his role at Neptune Media, Charles is passionate about fostering the cybersecurity community and sharing his insights with others. He serves on the advisory board of several software companies, teaches in an interactive lab environment, and mentors the next generation of cybersecurity professionals. He also speaks at various events and conferences, where he discusses the latest trends, challenges, and best practices in cybersecurity. His mission is to help executives and organizations keep pace with the curve in today's rapidly evolving landscape and build empirical trust with key stakeholders.