Security Unfiltered

The Making of a Cybersecurity Titan and the Rise of Virtual Compliance

February 19, 2024 Joe South Episode 143

When life threw a curveball at Justin Rende, he caught it and threw it right back, catapulting himself into the cybersecurity stratosphere. Our latest episode features the captivating tale of how a chance challenge from a CEO turned into a flourishing business, as Justin Rende CEO of Rhymetec, our esteemed guest, recounts the twists and turns from IT beginnings to cybersecurity stardom. He doesn't just tell a story—he provides a roadmap for anyone with the audacity to dream big and the versatility to thrive in the ever-changing tech landscape.

The conversation takes an insightful turn as Justin Rende unravels the art of communication within the cybersecurity arena. He dissects the delicate dance of conveying the urgency and complexity of cybersecurity to clients who may not grasp the full technical scope. We get the inside scoop on how his company's strategic approach to transparency and remediation not only eases client concerns but also fosters an environment for informed decision-making. And for those thinking of starting their own firm, Justin lays bare the crucial role industry connections play in igniting the rocket of success.

Finally, we jet set to the future, where the cloud reigns supreme, and AI looms large over Silicon Valley. Justin Rende shares his insights on the tech industry's rapid evolution, keeping us on our toes about what's to come. He also sheds light on the inventive training and retention methods employed at Rhymetec, revealing the secret sauce to cultivating a workforce that's as passionate about technology as they are skilled. Plus, we take a peek into the making of a 'Virtual CISO Program', a concept proving instrumental for businesses big and small in achieving that gold standard in security compliance. Tune in for an episode that's about the journey, the destination, and the countless lessons learned along the way.


Speaker 1:

How's it going, Justin? It's great to finally get you on the podcast. We've definitely been working on planning this thing for quite a while now, so I'm really excited for our conversation.

Speaker 2:

Yeah, thank you. I'm excited to be here.

Speaker 1:

Yeah, absolutely. So, Justin, I start everyone off with giving their background, right, like how you got into IT, how you got into security, that sort of thing. And the reason why I do that is because there's a portion of my audience that could be getting into security for the very first time or trying to get into IT for the first time, and I think it's always helpful to hear everyone's story and maybe it'll match up with someone and they can say, oh, if he did it, maybe it's possible for me.

Speaker 2:

Yeah for sure. Yeah, definitely. I can give you a little bit of background on how I kind of got to where I am today. So after I graduated college I moved to New York City and I started working. I had a degree, I wanted to work in technology and I started working for a company here in New York that did software licensing. This was back in, not to age myself, back in 2002. We were selling a lot of Microsoft licensing to big businesses. So I got a lot of exposure to IT and to a lot of large businesses primarily based here in New York, the IT departments, and how they work and how they operate, and so I did that for a few years.

Speaker 2:

And then I actually left that job for a small period of time where I went to go work in film, because I lived in New York City and I was young and I wanted a job at the law school at that point in time. So I left to go work in film for a while, which was great too, and I think back on how it all kind of played together with where I am today, because I learned a lot of things about like my work ethic and when you work for a film company in New York City there's a million people ready to take their jobs, so you always kind of have to be on your end game all the time, and it also, by working in film, I was surrounded by a lot of different celebrities and really people that I viewed at that point in my life as being like really prestigious, important people, and I realized by working with them that they're just people like me and there's no reason why I should idolize them, and so that helped me when I started Rhymetec as well, because that gave me confidence to be able to do that. But I ended up working in film for a few years and then I really decided that it started to get a little bit older and I was like, hey, no, maybe I don't really care so much about having the cool job in New York City and I'll tell you more about something that I'm going to be good at, and so I left film. I also didn't want to move to Los Angeles, which was kind of the next logical step for me had I stayed in film.

Speaker 2:

So I left film and I went back and I worked for some consulting companies here in New York doing consulting work, tech consulting work, and one of the companies that I worked for, I ended up doing a large penetration test. I was primarily providing cybersecurity services through these other consulting companies that I was working with, and I ended up doing a penetration test for a large, prestigious law firm here in New York City and we did a really good job working with them. We were able to hack them a bunch of different ways, which was good for us. I don't know if that was necessarily good for them, but it was good for us. Their CIO at that point in time was pretty impressed with the work that we did, and so he had asked me, because I had had a longstanding relationship with this law firm through just my various years of working in IT in New York, and he had told me that he knows that I wanted to start my own business and that I wanted to start my own cybersecurity firm, because I talked to him about it before, and he said that he's happy to refer me because of the good work we did for them. He's happy to refer me into one of their customers, but the only way he's going to do that is if I start my own business, and so he kind of allowed me to start my own business.

Speaker 2:

Turns out, they ended up referring me into one of their clients. Keep in mind, this is a really prestigious New York City based law firm, so their clients are also very prestigious type of customers as well. They referred me into one of the, for NDA, I can't tell you who the customer is, but they referred me into a really prestigious kind of wealth management company and we ended up doing a pen test for them as well. And then we found a bunch of different ways as well and that slowly kind of snowballed into working with a lot of high net worth type of companies here in New York City. So from really 2015 till like 2017, 18, we were really just doing kind of pen testing work for high net worth type of companies.

Speaker 2:

And then I wanted to really kind of even out my workflow and I wanted to provide security services to smaller companies because I could relate to them more frankly. I'm still considering myself a startup, but I was a startup definitely at that point in time and so I wanted to work with SaaS based companies because I just kind of thought of that as being the future of technology. It was cool doing these big pen tests, but we were working on a lot of legacy tech, and so I wanted to work with more innovative new cloud based tech, and so I started working with a lot of startups. I realized there was a huge hole in the market for people that had security expertise, especially in the cloud space, at this point in time, and so I realized there was a huge opportunity for me to capitalize on that and to really kind of build out a whole lot of services around cloud security, and I started to do. That was in like 2017, we had 20 clients and now we have over 600. So it's been. I think I made the right decision.

Speaker 1:

Man, that's really fascinating. There's a lot to unpack there. It's interesting you bring up film I've actually never had anyone on that went to the film industry and then into back into IT or into IT in any capacity. Right, A cousin of mine, he actually did some work in film and LA and he worked on Thor, worked on the Spiderman movies and a couple other movies and it was all with Disney and he said that he'll never work for Disney again. So he decided to move to Pittsburgh and teach theater after that.

Speaker 2:

Nice, yeah, I think. Like I said, I think when I decided to work in film again, I was in New York City. I was in my 20s at that point in time and I think the priorities were just a little bit different. I didn't go to school for film. It wasn't like I was claiming I'm being a filmmaker, like I love documentaries, but I never had the desire to really make them.

Speaker 2:

I did it for the wrong reasons. I did it because I wanted to be surrounded by cool people, because all my friends had cool jobs and I wanted a cool job too, and selling like software licensing isn't necessarily the coolest job. So, yeah, I went into it for that reason and then I worked there for a while and, like I said, it taught me a lot. It taught me a lot about work ethic. It taught me, boosted my confidence, to be around these people and realized that they're people who I once idolized, but they're really just now. They're just people like me and you and everyone else. And so I think, like I did take a lot from working in film and I was able to leverage that and apply that to how I do work now at Rhymetec, being the CEO of this company.

Speaker 2:

I don't know that I would have had the confidence to necessarily start this company had I not worked in film and put myself in those situations or really even have the confidence to always go up to a lot of. We work with a lot of other companies big companies we work with, partner with some startups and some bigger companies to meet with the executives at these companies and deliver my message with confidence. I don't know that I would have been able to do that had I not had that experience in film, because it really taught me that, like people are just people, no matter what their title or whatever they are, they're all. We're all people. We all have insecurities. We all have like the same thing going on in our lives typically.

Speaker 1:

Yeah, it's. You know, having I don't know if that is necessarily like imposter syndrome or, you know just anxiety with talking to someone that you see, you know as beyond you or whatever it is. I remember when I started this podcast, you know I was talking to a friend. I'm like I have no business talking to. You know, these CEOs and these founders and these guys that you know hack airplanes midair with them on it, like I have no business talking to these people. Like how am I even going to? You know, do this conversation? Like it was a?

Speaker 1:

I was talking to the CISO of some large company, you know, and my friend just kind of broke it down to really simple terms. He's like well, you know, when he gets hurt, do you think he like bleeds another color or is it red, like you, you know? Is he? Is he from this planet, you know? And you know obviously all of those questions are yes, and he's like well then, you have nothing to worry about.

Speaker 1:

He's just another person, you know, like he has a journey just like you, and you just have to remember that you're just two people having a conversation and I think that that that skill, you know, really helped me going forward, right, because now I feel like I can honestly, you know, talk to anyone, have a conversation with anyone it doesn't matter what industry they're in or you know their expertise or anything like that and you know, obviously that helps me with the podcast, but it helps me overall, right, because when I go into you know interviews or I meet new people at conferences or whatever you know. It's a lot, it's a lot easier, in my opinion, to have those conversations. I feel like I'm a little bit more pleasant to talk to you after that.

Speaker 2:

For sure. I think it helps me deliver my message with confidence because I don't second guess myself as much. I know what. As long as I know what I'm talking about, I'll be articulate about it and I'll deliver it with clarity and with confidence.

Speaker 2:

And I think that that's something that I got from big around these people again who I once idolized, and realizing that like, oh, they are just like me and some of them probably have more insecurities than me, or just everyone has their own issues and so like, why should I, why should I view them any differently? And it really, it really. I think I mean obviously, a lot of working in the tech and all that stuff that I've done and technology really kind of helped to get me here and gave me sort of the technological skills to be able to do what I do today. But I think that it's a good thing that I did work in film, because it definitely gave me the ability to communicate well and have confidence going into most of the interactions and engagements that I do now as the CEO of a company.

Speaker 1:

So when you were doing pen tests, for you know these, these very powerful customers, you know, I mean I guess that's probably a good way of saying it and I've actually worked on the other end of that, where I worked for a large wealth management firm here here in Chicago. I mean, everyone knows I'm in Chicago now, so they can, they can go Google it. But you know, it was interesting how we approached pentests and how we kind of tried to influence, like, the opinion of the pentester and things like that. And you know, yeah, you know me personally, I feel I was very uncomfortable being in that room, right, because I I am not someone who's gonna tell the pentester, oh, you should look over here and not here, right? Or you should, you know, try and authenticate via this method and not this. That's not my job, right, like it's the pentester's job to get in. It's not my job to tell them where to look.

Speaker 2:

You know I mean, then obviously they were doing something right, so you don't need to tell them how to do it, if they were able to get in well, that that's.

Speaker 1:

That's part of the problem, right? So our firm would put so many restrictions around them that they wouldn't be able to get in. So then we could say, you know, in some report, a clean report, oh, we passed it, you know. But I'm over here and I'm like, yeah, I can telnet into the core switch in our network. Like, you cannot tell me that that is secure. You can't tell me our network is secure if I can just telnet, right, with no authentication and oh, I now have root, like now I have root and I can do whatever I want. But I'm not a network guy, so I can't even. You know, I don't know the Cisco syntax or anything like that.

Speaker 1:

Right, did you ever come across something like that where you know people were trying to somehow influence the results of the pentester, influence how you approached it and how did you? How did you approach that situation? Because I feel like, as a security professional, right, you're kind of it's like you're tied to these industry standards where you absolutely shouldn't do that. But it's, it's a, it's a war internally, right, between you and the organization to be like To kind of thread the needle, so to speak. Right, because the org may want it was a certain way, and then you may know you need it another way, right? So how do you? How do you balance that? If you've encountered that?

Speaker 2:

Thank you for that. Communication with what you're going to be doing and what the expectations are of the people that you're going to be testing. So if they're going to gray box it and keep it very limited scope, we'll have that communication with them. But we need to be clear about like, hey, if we were a malicious adversary or a hacker, they're not going to only focus on this tiny scope, they're going to focus on your entire platform. So I don't know if this is the best phrase, but it's something I always tell people is no one likes to hear that their baby is ugly, so no one wants to think like, oh, we built this program and we thought it was great, and then we just had a company come in and hack it a bunch of different ways and show us all the holes in it. And I think that that's always.

Speaker 2:

The conversation changes depending on what level of person you're talking to within the organization. If you're speaking to a security engineer who's responsible for essentially building and maintaining that security program, he may have a much different reaction than a CISO or someone that understands that if you do get hacked and you do actually, there's a loss of data or there's a breach or something like that, understands how the repercussions for that can be pretty detrimental, the conversation switches. So if you're speaking to an executive there, I'm going to understand and kind of empathize with you. They're going to say, yes, thank you for finding this. Like it happened with that large law firm. The security engineering team, after we left, probably didn't have a very good conversation with their management team, but the management team from that law firm, because we did such a good job, ended up referring us into another really prestigious client.

Speaker 2:

So I think when you, when you're talking about how to kind of frame it, there's two ways. When you, when you go to scope something out, you have to be very clear about, like, what the scope is and what they want you to look for. And then, if it's just a pointed part of this, you have to be very clear that says fine, we're happy to do that. However, like you should know that your entire attack surface is at risk, it's not just this one tiny part. And so if you can clearly communicate that to them and they still want you to focus on just a small part, to get a clean report or whatever their logic is for that, we'll do that.

Speaker 2:

But we've done our due diligence and we've done our, we've done well by telling them what the actual risk is, and then when you deliver the report results, especially if it's something where we've kind of been able to hack them a bunch of different ways, we typically just are very open and honest about it. We go back and we show them. We're willing to show them. One of the things that we do when we pen test is all of our pen testers are based here in the US and we actually set up like a Slack channel or Microsoft Teams channel or whatever, and as we're doing a pen test we're talking to the engineers telling them this is what we found, this is how we found it. So they don't just wait for the report and then it's not a surprise when they get it. So I think that softens the blow a little bit and they understand the process a little more. So it's a little bit easier for us to justify it when we're delivering that report and we could fill out whenever we Remuting.

Speaker 2:

We also typically give our customers a two week window to do any remediations, so they can remediate within that two week window anything that we found, and then we will issue, not another report, but we'll issue an attestation letter to that report that says, hey, these were the vulnerabilities that were discovered, as reflected in the report dated whatever the date is. We went back and retested those as of this date, which again was never longer than two weeks, and they were all remediated and are no longer found by us. So there are some ways that you can kind of help out the security team by giving them that window, as long as they're doing good work, by getting everything remediated and doing what they need to do, we're happy to kind of go back and attest to the fact that they put in the effort to fix these problems.

Speaker 1:

Hmm, you know, do you think that you ever would have started the company if that exact you know didn't push you towards it right, and kind of show you like hey, there's another customer here. You know, you could start this company for I don't know thousand bucks, right, and you can make. You know, I'm just I'm just throwing out, you know, yeah.

Speaker 2:

I think they knew that I was gonna start my own company regardless, and I think that because we did, because I talked to them and again, this is a while from when I used to sell Microsoft licensing back in 2002, so I'd known these guys for years, and so I think that the fact that they knew that I wanted to do this and the fact that I did such a great job on their pentest, they were looking to kind of be like, hey, we know Justin does good work.

Speaker 2:

We know that he did this, like we know that he wants to start his own company. Let's help him by giving him like a platform, pick the coffin, by giving me, ultimately, one of the most, what I would consider still the, most prestigious client, but one of their best clients to do good work by them. They definitely sped up the process, because I remember when they told me and I had to go home and make a website and get all my contracts together and they gave me a week. They sped up the process, but I think it's something that I would have done. Actually, no, it's something I would have done regardless. I probably just wouldn't have had that helping hand.

Speaker 1:

Yeah, it's, it's a. It's interesting, you know, when you start going down that path of, like, founding a company and going, it's a totally different stress, you know, like I mean. For me I guess it's a lot less stress, right, because I'm not dependent on the success of the company, you know, to pay my mortgage, right. But it's a different kind of stress in terms of, you know, kind of knowing or defeating that impersonation, impersonation syndrome, right, because now you're starting the company and you're the expert, right, by default. You're saying you're the expert in this space, whatever it might be. You know, did you face any of that when you started the company or did you already kind of move past that, you know, with your, your previous endeavors?

Speaker 2:

So a little bit of both, I guess, to answer your question. So I think when I first started this company, I mean, I knew a lot about the industry still, and I knew what I was doing. I think one of the things that people get hung up on, though, is if you are the CEO of a cybersecurity company and someone asks you a question, you have to be truthful. If you don't know the answer to that question, say hey, I don't know the answer to that question, but I'm gonna do some research, or I'm gonna ask around and I'm gonna come back to you and I'm gonna get you an answer, and then follow through on that, and then people will actually respect you more when you do that, because they're gonna say, hey, like not always do people follow up.

Speaker 2:

Sometimes people will just give a half kind of witted answer so that they can sound like they know what they're talking about. I think a lot of times, people can see through that. So I didn't know everything from the start, but I recognized I didn't know everything from the start, and I was never gonna be dishonest to my customers, so I was always honest with them as the cloud security space started to evolve more and more, and I would be with other executives, or I would go up to Silicon Valley and I'd meet with like these founders of like these well-funded kind of like security companies and I would meet with them.

Speaker 2:

And then I realized there was a point in time where I was like I actually am the subject matter expert here, like I know what. I thought these people are coming to me rather than me going to them, and this is someone, kind of like I said with film, someone who I would have idolized before in this industry or I would have thought of as being a subject matter expert. They're actually coming to me as the subject matter expert on this. And so there was really a point in time where that switched.

Speaker 2:

So did I have imposter syndrome? I didn't, because I was always honest with my customers, right, I never tried to make them think that I knew something that I didn't, but I was honest and told them when I didn't know something. We followed up on that. And then there was just a point in time where I do, actually, from doing this for so long and now we're going on 10 years running this company, that I actually am the subject matter expert and I don't need to think of other people as being, man, I certainly don't feel any sort of imposter syndrome anymore.

Speaker 1:

Yeah, it's. It's interesting how being honest with your customers can really alleviate a lot of that, a lot of that stress. You know, I feel like it's very easy to get into a mentality of you have to, you know, uphold some type of image or whatever it is. And I remember when I first started, you know, my consulting LLC, and I had a customer that was asking me, you know, about my experience around a certain, you know, project that they had going on and things like that. And I told them very honestly like hey, I know what you're talking about and everything, but I'm not the right person to actually deploy, you know, that portion of the technology. I understand it 100%. I just don't have the technical expertise to actually do it because it's very code heavy. I'm not a developer to save my life, you know, like there's other people out there that can do this a whole lot better than what I can give you.

Speaker 1:

And I fully expected them to not give me the contract, to not accept the deal or anything like that. And for some reason they accepted it. And even after accepting it, I told them like, hey, I am probably not the guy, and it alleviated a lot of the stress, just being upfront with them and come to find out their requirements were a little bit different. It's a little bit lighter than what they were actually telling me and when we did the discovery session we were able to hash all of that out. But I've always found it valuable to be very upfront and even today my nine to five I'm very upfront with what my limitations are in the space, because not everyone is gonna be able to work in the cloud 100% with all of the different services that AWS launches in a year, right Like I think. Last year they launched something like 40 services. How can anyone keep up with that?

Speaker 2:

We can't, it's impossible.

Speaker 2:

And so I think the pressure that people feel to try to portray that they're a complete subject matter expert on all of this is irrelevant.

Speaker 2:

And I think that when I look at when I hire people or when I'm working with, like, I appreciate a level of vulnerability and honesty, because then again I would always go to my customers and say, hey, I don't know that, but I will find out and I will come back to you.

Speaker 2:

And then I would, I would research it, that I'd ask around and I would get the right answer, and that I'd come back to them, and then they would know that I was being honest with them, because I wouldn't have wasted all that time to figure out something and then come back to them with something that wasn't true. And so I find that, like you just showing a little again, kind of going back to the thing I learned in film, which is that we're all human, we all have vulnerabilities like we're all vulnerable to something, showing that you're a human but then showing that you're an honest human that cares about their best interests, which is what people will really appreciate, more than you trying to sound like you know what you're talking about, but it comes across as disingenuous.

Speaker 1:

Yeah, that's a very good point. So you brought up previously how you identified SaaS as being kind of the future at that point in time, and whatnot. Are you still looking at the industry and actively looking at where it's going? And if you are, which I would totally assume that you are where do you think it's going? Where are those new security domains and areas going that people should be paying attention to in the next five years?

Speaker 2:

So if you are a SaaS based company, which means you've probably started a company relatively recently and you're not one that's 20, 15 years old, I think obviously you're gonna be. The majority of your data will be based in the cloud. You'll be a SaaS based company. I think a lot of companies that are gonna be ingesting data from their end users are gonna need to give you some sort of compliance standards. I think that the industry is shifting quickly with a lot of compliance platforms that are coming up and automating a big portion of what needs to be done for the compliance and controls, policies and procedures. So I think that's a big piece in the industry. You look at companies like Vanta that are out there right now and they're really killing it because they're automating this piece. So I think that is a big piece of it. I love, everyone wants to talk about AI, right, that's the biggest buzzword right now and can you check? If you just mention AI in Silicon Valley, you'll find some extras that are willing to give you a massive audience in the industry. AI is gonna be a threat. I don't. Again, I feel like everyone wants to talk about it because they wanna feel like they're on the map. I understand it, but we don't know what those threats are gonna be yet. We don't know how it's going to evolve. The only thing that I would say about AI is really, I'm sure the threats will evolve with AI, but similar defenses. That's just the continual kind of way that we've continued to grow, the cybersecurity industry has grown. Is this? Threats evolve, so do the defenses. They may be growing much quicker with AI, that's yet to be determined, but I think the defenses will continue to grow. But outside of that, I mean I don't know, are we gonna have chatbot hackers? Maybe, but I think no one really can answer that question definitively, and so, whatever anyone tries to, I kind of smirk, because I don't think anyone really actually knows. I think they just wanna think that they know. But yeah, so I mean, how AI progresses is gonna be a big piece of it really.

Speaker 2:

And just overall cloud security, I think there's a huge, like I said, back when I kind of focused on primarily cloud-based architecture in 2017, I viewed that as being the future of technology. I don't see a lot of companies that are starting up today that are putting in a lot of IBM mainframes or a lot of SQL servers on-prem, anything like that. So I think that securing the cloud, which is a whole different thing than securing an on-prem environment, is really something that people need to pay attention to in the future, and I can speak firsthand from saying there's a huge, I don't think there's a huge shortage of cybersecurity professionals in the industry.

Speaker 2:

I think there's a shortage of people that understand cloud security, because you may have worked in cybersecurity for the past 30 years, but your job was really patching that one SQL server in the office and that's the aspect of cybersecurity you worked on. When you have an architecture that's in the cloud, it's much more of a high-level overview of what you're working on, because a lot of the controls are already in place, because you don't technically own them AWS or Google or someone else does and so you have to look more around processes and stuff like that. So cloud security really big and really trying to find people to fill that talent gap, because there's not enough there right now, I think, are some things that I'm focused on really, and that security is gonna be changing over the next few years.

Speaker 1:

Yeah, I actually have a friend I've known him for several years at this point and I was telling him back in like 2017, 2018, hey, you need to get into the cloud, get the basic AWS Foundations, Azure Foundations, certification at least know the vocabulary like, because everything is going into the cloud and it's gonna transform how we do everything. And recently he kind of put it off and everything else like that right, didn't think it was that important or urgent for him to do that right. And so recently he got onto a phone call with the rest of his team and they started talking about AWS a lot more right, because their company is moving towards AWS and they're providing consulting services towards customers in the cloud and things like that. And he said he didn't understand a single minute of this hour long conversation. He said it sounded like they were just talking a foreign language. They had words that he had never heard before or anything like that, and that's very true.

Speaker 1:

And now I am I'm studying to actually retake or re-up my AWS security cert. It's insane how the vocabulary changes just from three years. Three years ago I took it, passed the cert, got it. I understood the majority of the content on there, obviously, but there wasn't ever a vocab word, so to speak, that I didn't know what it was. Then I go back and I'm trying to prepare for this new exam.

Speaker 2:

Hold me back just here.

Speaker 1:

Yeah, it's like okay, I'm from square zero again. What is going on here? Did that much stuff change in the last three years that we have it's literally like 100 new words that you need to know what they are. I'm sitting here like did I select English for the test? Like, did I accidentally select German? Because this is insane.

Speaker 2:

I think that a couple things like like technology in general just moves fast, but climate moves really fast. I also think that when you look at the testing that you were taking, I think that a lot of times the vocabulary and just kind of the way that they articulate things and tests they've tried to make them more than what they've used, sophisticated or challenging. So it may not be. It may be the same test, just with different words that they've just recently made up to fulfill that task. But yeah, I think that it's again.

Speaker 2:

I love technology for all the acronyms and all the real words that it has in it and what I think they're like. Really, the actual changes over the past years that you've seen, especially from three years ago and your certification with AWS, they probably haven't dramatically changed. I would say that there has been some changes. Again to your point, there was 40 releases last year. They do have some changes, but I would say that the majority of what you're dealing with is probably the semantics in the test and how they've phrased and worded things to make it more confusing and even more challenging for people to find.

Speaker 1:

You know what it is. Is they added? You know they didn't add that much brand new capability, right? What they did is they took existing capability and then they delineated it even further, right? So you know, CloudFormation has been around for a long time.

Speaker 2:

You know, if you don't know, just move your server out of your room and then it's in the cloud.

Speaker 1:

Yeah, if you don't know CloudFormation, you're probably not in AWS. You don't understand. You know anything in the cloud, right, okay? So I got that down and now when I go and take the test, there's like five or six new CloudFormation dash something service that does a you know a smaller component of CloudFormation and that's all it does. But it's not like you can just look at it and know what it does because you know the functionality of CloudFormation. You know, like they have some weird lingo with it that now it's like okay, I need to learn this stupid vocab word that you know, does this thing that I've been doing for five years?

Speaker 2:

You know, like I could tell them to learn more about this and to do it. So I think it's capitalism, yeah, yeah.

Speaker 1:

How can we, how can we get the most from our customers Exactly? Or this one thing? Yep, that is. That's the truth. It's a very good point. You know, how do you, how do you recommend people learn the cloud? Right, and it sounds like a very straightforward answer, right, but it's not that straightforward, because if you go in AWS for just talking about AWS, because that's the most, I'm the most familiar with AWS, right, if we're talking about learning AWS, the first instinct is to go in AWS, create an account, start getting up you know some infrastructure or whatnot, using that quote unquote free tier right, I can't tell you how many times I've started a free tier account and deployed only free tier assets. To find out, I had the $300 bill you know, six months later.

Speaker 2:

Right, that's not great.

Speaker 1:

I can't even tell you the amount of times you know. Recently I guess relatively recently I've dove more into the cloud guru space, right, they learn about different topics. They have a sandbox environment set up right there for you. You don't have to worry about getting that random. You know $300, $400 bill six months down the line that you didn't even know was running in the environment, right. So how do you recommend people learn it best and quickest?

Speaker 2:

So I think this is a really tough question and it's something that we've struggled with at Rhymetec because, again, this is relatively new. I don't have a huge pool of talent to pick from, so we have to train a lot of our staff in house and a lot of people. Everyone learns differently, like I always tell everyone, and one of the things I ask people during the interview is how do you learn? I'm a visual learner to see something or experience it. It's really up to that person and how best they learn. Are they going to need to, or do we need to, set up a test account for them and let them play around in it and understand it? Do they need to just go get the standard certifications that they get, because they'll just read it and retain it and they'll know it? Do they need to work with one of our more senior people and learn off of them? There's just different ways for everyone to learn and I think that it's not standard across the board. I wish there was like one sort of security, sort of standardized testing that we could just put everyone through and be like once you've graduated this, you're ready to go. You'll start working with Rhymetec customers, and it's not that simple. It really is something where we have to kind of customize training for each one, because we also hire people that come in with different levels of skill set. We have to kind of customize training for each one of those people. That's been something for us.

Speaker 2:

Frankly, that's been one of the biggest issues we've had, especially over, let's say, the past five years, because we've gone through, ultimately, hyper growth We've been adding numerous customers every single month was to find talent, train talent and retain talent and keep them here.

Speaker 2:

We always keep people here.

Speaker 2:

We don't actually lose them, but find them and train them and, through that training process, realize that they want to stay here, they want to work in tech, and then they will.

Speaker 2:

I think part of it is too. Everyone will learn differently, so they need to understand how they learn and they have to have really a desire or interest to work in technology, because then they're not going to care as much, they're not going to try as hard, they're not going to be as invested as if they don't care. If they're like oh, I took this job because I just needed a job, or this was just something that I thought paid well and it wasn't necessarily like aligns with my interests, then they're not going to really learn it because they're not going to have a passion for it. I think when we look for people that we want to bring on board at Rhymetec and train them. We want to understand that they don't how they learn, because then we can customize training for them, and we want to understand if they have a passion for security and technology, and if they do, then we can typically bring them on board and train them as they need to learn.

Speaker 1:

Yeah, it's fascinating that you put it that way, right? Because I feel like a lot of companies are looking for you to be the expert day one and they're kind of looking for that unicorn and then they don't pay unicorn money and it's like, guys, if you want me to be a unicorn and I'm not a unicorn right now you need to be able to train me up to get to that level. And it's really refreshing to hear you say that. I've actually only heard maybe one other person or executive. Overall, I actually say that and practice it and that's actually how I got my start in IT.

Speaker 1:

Overall, this guy literally took me from nothing. I could spell Linux but, god forbid, I had to look at a terminal. I could not figure it out for the life of me. And he was very patient, had great training resources around me and told me hey, if I give you all these resources and you still don't make it, maybe IT isn't the thing for you, but I think that it is and if you keep on learning, you keep on pushing yourself, you keep investigating this thing, it's going to work out, and I believe that it will. That's all that I needed in that situation and in that part of my life to really dive in and become what I became today. It's really refreshing to hear that, because there's a lot of people out there that do not have that same mentality, but they'll complain about the shortage in security.

Speaker 2:

Then how are you going to fix it? Are you just going to keep complaining about it and expect it just to automatically change, or are you going to do something to try to fix that problem for your business yourself? I tend to veer towards those too, because I don't know how to do it.

Speaker 1:

I used to work for a credit bureau and they had maybe the best pipeline I've ever seen where they had regular IT help desk people and if they expressed an interest in security, there was a very specific team that they went to. These are the people that are basically just IT support for security situations and from there all the other teams under the security umbrella would start identifying their strengths, their weaknesses and they would actually actively recruit and try and poach people from this team, that team's manager I'm good friends with him to this day. He said yeah, it's great for the people on my team, it is absolutely horrible for my team because we're constantly rotating people all the time I springboard for them.

Speaker 2:

I springboard them to cybersecurity, yeah.

Speaker 1:

He's like I'm over here with 30 people on my team on a good day, next week I'm losing two people. I got to replace those two people. My workload doesn't end just because some other team needs them, but it was a great environment, great pipeline, because you could go down a rabbit hole and you could say, maybe six months in. Oh you know what. I don't think that this thing is for me. Maybe the offensive cybersecurity is more for me, and there was five, six teams under the offensive side. So one of them would say, okay, come and work for us for six months and it's not a big deal. It was a fantastic way to kind of get started in cybersecurity, I felt.

Speaker 2:

Yeah, now for the same. I mean I don't. I'm not as probably as big as that company was, I don't have huge departments and different aspect of cyber security, but we tell all of my employees that when we come, they come here and we train them Like I'm part of what I forget fulfillment. I'm just having employees not just having to work here to do the job but develop their skills, developing them. I receive the things.

Speaker 2:

Those are the things that make me feel proud and so when I'm interviewing people to come work here, I will frankly tell them I'll be like this is the role that we have you in, but like you are growing tremendously fast. So I don't want you to think that you're gonna be pigeonholed into this. If you come here and you are also on the side doing some other learning into something else and you realize like you want to be a pentester, that's someplace I can place it pretty easily. But if there's other aspects within the industry that you want to work in and there's an opportunity for us to build out a line of business around that, we're talking about doing. No, no detection response, actually as a service we're gonna be adding this year. So if there are people that are interested working as like a SOC analyst.

Speaker 2:

There's absolutely that opportunity to kind of grow and learn with the company and so, yeah, I think it's important to be able to hire people and let them know that like I want you to grow, I want you to continue to grow with the company and I think and it to the point you had before where you said your friend was losing people all the time to get that there's always churn.

Speaker 2:

I've recognized that from the start with Rhymetec and I want my employees to always feel very appreciated here. So we're a startup where bootstraps start up, so I don't know that we, like I, can't offer equity to my employees or anything like that, because it's just the company's never gonna be worth on it and $50 million for them, right. But I make sure that we we have really competitive salaries in terms of where we're at. We offer really good benefits. So we do a lot of off-sites by fly the whole company together and just show them that they're appreciated, because I realized that, like, once you learn this skill, you will be poached because there is such a shortage of talent in the industry, and so I want my employees to really feel appreciated through working here.

Speaker 1:

Hmm, yeah, that's, that's extremely, extremely important. You know I can't tell you the amount of times that I've worked for a company and, and you know, you just feel like a number, you know, you just feel like, you know, no one even knows that you're there and then, when layoffs are happening, you're, you're really just trying to, you know, make sure that, yes, you're online but you're not talking to anyone. You're trying to make sure that people forget about you and you know it's a, it's a mess, it's, it's not a good situation to be in, and I've always felt like the companies that really excel are the companies that actually Truly care about their people. You know, and you can see that. You know you can see that in the pay, you could see that in the retirement benefits, right. You could see that in the health care. I've never felt more underappreciated than when I get poor health care benefits, right. It's like man, these guys, these guys are like, really don't care.

Speaker 2:

Because we feel the same way because of we pay for employees and our employees, family and stuff.

Speaker 2:

So because I realized that and again, we're a huge company with a ton of funding I realized that, like that said, like I don't want my employees to ever have to stress out about, like medical bills yeah, you have a, you have a job here and I want you to be able to feel like you can focus on that and so any way that I can alleviate other stresses in your life that you may have, so that you're able to focus on your job and, overall, just be a happier person. I want to do that and I think what I think about like health care and just the entire health care industry, it's, it's. I don't want anyone to have to any of my employees to have to go to the hospital and then be like home and I know a hundred thousand dollars to this hospital. No, I'm super stuff. Like that's a stuff. Yeah, if there's something I can do to make one of the Rhymetec employees not have to deal with that, I want her person.

Speaker 1:

Yeah, I feel like. I feel like we could have a whole other podcast about the health care system and how you know, like how, how you can go to a hospital because you're dying, right, you get the life-saving treatment and then you're hit with a two hundred thousand dollar bill.

Speaker 2:

You know it's a have to be also poor because they have to pay for all of their bills. It seems awful, right.

Speaker 1:

You know it's a. It's not, it's not fair, that's not how this should be working. You know, like my quick story, right, because I want to talk about Rhymetec. Quick side story, right, I grew up fairly poor. My family was pretty poor, of course, growing up in that situation, you know, you don't think you're poor, you don't identify with that or anything like that, but we were right. And one day my sister got really sick. She went to the hospital, found out her kidneys were failing, right, she's like 12 years old at this time. Immediately, you know, through, throughout, throughout, everything that she goes through got a, got a kidney transplant and everything like that right. At the end of it is something like four hundred thousand dollars. How in the world could anyone ever pay for that? And just to begin to feel like they can.

Speaker 2:

They can begin to think about even how I'm having to pay back.

Speaker 2:

I, just to keep their kid alive you know, yeah, I also didn't grow up with the with really any. I wasn't poor, but I would say I was. It was I didn't to your point, I didn't know that I was poor, but I didn't grow up with a lot and so I and I didn't really even have much until I started Rhymetec. Honestly, I was. I was very much paycheck to paycheck and like the idea of having a four hundred thousand dollar burden on of healthcare burden it's just would be at that point in time for me would have been so deflating that I wouldn't even have known how to start to deal with that because it's like I'm never gonna get on top of this.

Speaker 2:

So like, yeah, what, how do I even try? And so, yeah, I just I think again, it's as someone who is an employer, it is my responsibility. Unfortunately, it's my responsibility to I have to do these things for my employees because I want the best out of them and I want them to appreciate their jobs and appreciate working here, and so I want to make take all of those sort of like things that I can control, all of the stresses that I can control. I want to do my best to get those out of their lives so that they can focus on work and they can enjoy working here and feel like they're valued.

Speaker 1:

Absolutely, you know, let's. Let's talk about Rhymetec, you know. So let's just start. You know, kind of, from the beginning, it sounds like you guys offer a lot of different services that are, you know, to be quite honest, pretty critical in the security space, right, so let's talk about. You know what you guys offer, what the areas of specialty you guys offer in the industry, and things like that.

Speaker 2:

Yeah, so when I started the company, like I said, when I was working for that law firm and then they referred me to their clients, so I was just doing pen testing at that point in time, so it was just pen testing and we were and that's still kind of the heart of who we are. We divide, amazing. I'm really proud of the work that we do and I was doing pentests for a lot of larger businesses and then I said I want to kind of adopt working with smaller businesses and then I want to do a lot of work with the industry. We do a lot of speed test or PCI scans, things like that. So there's the whole sort of like pen testing kind of aspect of the business. And then we do we work with a lot of like those compliance platforms that I mentioned out there, because we leverage those as kind of. We use them for compliance and to fulfill some of the controls that you need, but more times than not we use them as the baseline, as like the foundation of your security program and the source of truth. But we leverage those platforms and then we build and manage InfoSec and data privacy programs for our customers. So we typically take those platforms, leverage those as the baseline and the source of truth, do conduct risk assessments and then, based upon the risk assessment that we've conducted for our customers, we build a robust security program and then we continue to manage it and that's our CISO as a service offering, which is kind of it's now the biggest aspect of the business. But as part of that we offer pen tests every year. We work our sort of offensive security program into their program, into the security program for them, and it's been great.
I mean there's a lot of companies out there that will hire us to build the program for them and then they grow and we actually typically don't lose customers, even when they get big enough and they hire a CISO themselves, because they still need to leverage us for some of the things that if you're a CISO you're probably not wanting to do an access review over quarter or you don't want to go and review your policies, things like that. So they'll still kind of leverage us when they get to a larger point for some of the more administrative stuff. But yeah, the CISO as a service is really kind of the foundation and the rock of our business and that's it for me, allows me to have because again we're bootstrapped reoccurring revenue so I can forecast the growth of the business and I can scale accordingly, which is part of the reason I needed that sort of monthly retainer, because the pen test that was just an up and down payment sort of thing, and so that's a big piece of it.

Speaker 2:

And then we do other things too.

Speaker 2:

So if you're going to be we're not an audit firm, I don't want to be an audit firm but if you want to get ISO 27, any ISO compliance framework compliant, you have to do what's called an internal audit, which is almost like a pre-audit, before you do your audit with the certifying body to make sure that you're ready to go into it. And the person that does that or the company that does that needs to be an independent third party. So if you built the program, you can't also do the internal audit because you're just auditing what you built yourself, and so that's another aspect of the business that we have as well. So it's really kind of centered around providing all of the services that you need to in terms of, like an offensive security program, pen testing, scans, all of that stuff, code reviews, everything there around administrative and operational aspects of building the program, which is kind of the CISO as a service area of it as well. So we combine both of those to kind of create a robust security program offering for our customer.

Speaker 1:

Wow, that is. That's really fascinating. It sounds like from my opinion, right. It sounds like you kind of approach the virtual CISO role from a different angle, or at least from an angle that I had never heard of or thought of before is kind of offloading those tasks to some extent. That kind of every security department as a whole kind of doesn't want to do like the access reviews, right, I've never talked to an IAM manager or an IT manager overall and heard that they want to do access reviews and that they're excited for it to identify all of the misusage of roles and accounts and groups in their environment. Right, it's a really interesting take on it that I think a lot of companies would actually benefit from a great deal, right? Is that what you're seeing as well? How did you even think of taking that spin on it? Or maybe it's just a native virtual CISO functionality or feature that I just didn't know about?

Speaker 2:

So when I decided to kind of work with smaller SaaS-based businesses. So again, we were just doing pentests through about 2017, mostly big businesses in New York and two folds. One, I wanted to work with the future of technology, which I thought was cloud, which I was right. And I also again since I told you I didn't come from a lot of money I was doing these pentests where I would get a paycheck and then there would be nothing for two months, and then I'd get a paycheck and nothing for two months, and I was like I need some stability in my income to continue. That's how I just have to live, because I'm not used to big paychecks and then peaks and valleys. And so by doing that, I would go to the smaller businesses and I would offer them pentests, and typically startups didn't always have a lot of capital to pay for a pentest in one payment, so I bought them, spread that out over like a couple months.

Speaker 2:

During that time period that they were paying me, they would come to me for tons of other services because there was no one else that could help them with this sort of stuff, and so that's. I kind of started to take all of that data in about what the services were that all these customers were asking us for. And then I realized that, like that's the program that I need to build as a CISO, as a service type of program that's based for these sort of cloud-based companies. And so again, when you're looking at their architecture or something like that, yeah, you can do, we have people that do some Terraform stuff like that here. But overall, a lot of the work that you're doing is more administrative, because all of the controls and things you're built in or you're just putting in Snyk or you're putting in some sort of like intrusion detection system or you're monitoring that or managing that.

Speaker 2:

But it just became more like taking everything that everyone wanted and then looking at the holes in the industry and then building a program out over that. So I didn't have this like early on I thought I would just do pentests. I didn't have this early on idea of like, okay, I'm going to do CISO as a service and this is exactly what it looked like. I really just looked at what the opportunities for in the industry, I analyzed that and then I followed that and I built programs out to make what we have today.

Speaker 1:

Hmm, that's really fascinating. It's always interesting for me to see how everything kind of comes together and you know where different ideas come from. Right, because it kind of also influences you know how I make my own decisions and how I view different things. Right, like I start to get into that mentality of, oh, maybe I could dive into this a little bit more and offer it a different way, and whatnot. So it's always fascinating. Well, Justin, you know our conversation has been fantastic. You know I really enjoyed talking with you today. Unfortunately, we're at the top of our time here, you know, but before I let you go, how about you tell my audience you know where they could find you, where they could find Rhymetec, if they wanted to reach out and learn more?

Speaker 2:

Hey, you can. Just our website is www.rhymetec.com and that's r-h-y-m-e-t-e-c dot com. Or feel free to just email me. It's Justin, J-u-s-t-i-n, Rende, r-e-n-d-e, at rhymetec.com, and I'm happy to answer any questions or help any of your listeners in any way I can.

Speaker 1:

Awesome. Well, thanks everyone. I hope you enjoyed this episode.

Justin's Journey Into Cybersecurity and Entrepreneurship
Navigating Company Growth and Cybersecurity Challenges
Understanding Cloud Security and AI Evolution
Training and Retention Strategies in Tech
Building a Virtual CISO Program