How To Not Make IT Audits a Nightmare, with Matt Huffman

Jan 10, 2024 · 43 min · Ep. 20

Episode description

Matt Huffman serves as the Information Technology Manager for Reinders, Inc, one of the Midwest’s largest full-service distributors of products to the commercial green industry. Matt has both administrated cybersecurity audits during his tenure at Wipfli and navigated them on the customer side. Through the years of seeing both ends, he developed a simple methodology to successfully save time and pass audits when they come around. Today we discuss those tips and tricks to help the IT leader manage what is traditionally a painful process.

Conversation Highlights:
[01:47] Introducing our guest, Matt Huffman
[04:11] How Matt came about his role
[08:38] What makes a good auditor
[11:28] Audit organization strategy
[13:38] Changes within audit processes across decades
[15:14] Challenges in preparing for audits
[23:49] Writing policies with ChatGPT
[30:39] IT career paths for students
[37:10] Matt's thoughts surrounding future tech
[39:55] Matt's message to IT leaders

Notable Quotes:
"You shouldn't have to prepare if you're organized." Aaron Bock [11:25]

"Know your value. No one's gonna do it for you." Matt Huffman [40:35]

Connect With Matt Huffman
LinkedIn: https://www.linkedin.com/in/matt-huffman-47baba18/

The IT Matters Podcast is about IT matters and matters pertaining to IT. It is produced by Opkalla, a technology advisory firm that helps their clients navigate the confusion in the technology marketplace and choose the solution that is right for their business.

Transcript

Intro / Opening

Narrator

Welcome to the IT Matters podcast, where we explore why IT matters and matters pertaining to IT.

Keith Hawkey

Welcome to the IT Matters podcast. Aaron, how're you feeling today?

Aaron Bock

Doing great, Keith. I'm living the dream, excited for our guests today. I think we've got a great, great set of topics we have not covered before. In my personal life, and I guess in my interest this week, I'm waiting to see if they found a real alien. The Mexican Congress reviewed what some people are saying is a fake alien. Some people are saying it's remains from 2000 years ago, I saw someone post that it's actually just a cake underneath everything. So will there be aliens on Earth? It remains to be seen. Wonder what technology the aliens are using these days. That's what's new with me. How about you, Keith?

Keith Hawkey

I haven't discovered any aliens yet. But this story is certainly picking up steam. I think our Congress actually is passing some legislation around this which is very interesting because it's not just the individuals that become that have have ideas about what they think is going on. But the US Congress is discussing it, which is a little more intriguing. And I'm excited to have my first Alien relationship so that all, that

Aaron Bock

We will see.

Introducing our guest, Matt Huffman

Keith Hawkey

But let's let's get us here today we have the pleasure of speaking with Matt Huffman, who hails from Milwaukee, Wisconsin, the land of the finest cheddar. If you're from England, close your ears. But the Milwaukee, Wisconsin is also known for its brilliant technological ingenuity. Matt spends his professional time saving the day serving as the IT manager or, Matt, actually helped me with pronunciation here, reindeers, reindeers?

Matt Huffman

Reinders.

Keith Hawkey

Reinder, Reinders Inc., one of the Midwest's largest full-service distributors of products for the commercial green industry. He previously gained auditing experience with the Lamacchia group, and has extensive experience preparing SOC 1, SOC 2 audits, type one and two. And we're spending a lot of time today talking about tips and tricks to dramatically reduce the time invested in what is sometimes a painstaking process and come up with a successful result. So Matt, welcome to the podcast.

Matt Huffman

Thanks. Thank you for having me.

Keith Hawkey

Before we begin, after a thorough review of the Reinders Inc, LinkedIn page, I am ready to submit my name just to participate in your lawn mower race that's advertised on the company profile. Are you looking for fresh blood?

Matt Huffman

Yeah, that one, you'd have to talk to the marketing people because that's new to me. We have so much going on here. I've been here about six months. We're currently in the middle of an ERP, ISM, and CSD rollout, oh and a new website, all this week. So busy busy.

Aaron Bock

Yet you're here with us. We really appreciate that.

Matt Huffman

Yeah, no, no worries.

Keith Hawkey

Yeah, we certainly do. All right. Well, we'll table the lawnmower race for now. But if you do, if an opening does open up, I'm willing to travel. And I have most of my experience in my adult years. I have to do with a push mower but I can revert back to the riding lawnmower from when I lived in a small town a long time ago.

Matt Huffman

Yeah, we'll have to do it soon because it'll be snowblower races pretty soon here.

How Matt came about his role

Keith Hawkey

Yeah. Yeah, that's right. So Matt, can you tell us, share the audience a little bit about your background, history, how you came about being a sensei when it comes to reducing the audit, the time that's spent on audits and coming out with successful results?

Matt Huffman

Yeah, I was brought on board at a prior organization who was prompted to look into getting a SOC 2 by a potential customer and they looked internally and did not see that they had all the answers for that. And they were using an MSP so they thought we need to bring someone in. I had no experience and they just thought we're bringing in our own guy, our sys admin. He will work with the facilitator of the audit and you know, get it done for us. And they gave me, you know, about six months, a lot of leeway for that. And the auditors were very good, they had a lot of stuff in place, you know, I did have a consultant that I was using as well. So that first year, I got it done, you know, the audit took about 8 to 10 hours. And, you know, they taught me a lot, I learned a lot, and they kind of just said, like, you know, kudos to me for picking it up and everything like that.

The customer was no longer interested, they ended up using us anyways, they didn't really, you know, they were forward thinking, but it didn't matter to them, they just brought it up as maybe a discussion point. But the organization thought, hey, we're dealing with a lot of financials, let's keep this going.

So with that, knowing that I was going to have to do this again, I started looking at a lot of the stuff that I had to do, you know, and the type of audit that we were going through was just a point in time audit. So they come in, and it's the type two, where they just come in, no SOC 2, type one, where they come in, and it's like on this day, everything was XY and Z. Whereas the type two is they give you a period of time, and all your examples, and all your samples all have to be within that period and work. So knowing that I had to keep everything going, I started putting things out there as far as you know, reminders, upgrading documentation, always looking at policies and procedures. And the auditors were very good about allowing me to stay in touch with them and ask them questions. You know, when the new things were changing, they were letting me know, so I kind of get ahead of some of that.

And then over the years, really, it's set it and forget it, you start doing this stuff, and it becomes just sort of part of your job, you're building the documents. You know, some of my first policies were very crude and rudimentary, they might have been two or three bullet points. But over the years, you start learning to build and you find another document and Hey, I could use this for this and you start to you know, intermingle some of the wording and you poach from different things that you see online. It's a lot easier nowadays with ChatGPT. I've just started using that for other smaller things, using it as a tool, less of an out of the box solution, which I think it has its place for things like that.

But yeah, I ended up doing those audits for almost a decade and passing them and getting them down to only a couple hours, you know, the auditors were very happy when they saw our company come up to do because they knew it was going to be an easy fast job, and that I'd have everything. Eventually, I parlayed that into a job as an auditor. And I saw how difficult and how bad a lot of clients were. And especially with it was hard for me to go to an organization and see that they had an IT team of 10 to 12 and they could not give me everything I needed where I knew like hey, I've done this, I could do this. But eventually, you know the love of IT and problem solving and turning an organization around brought me back to the field and to Reinders.

Aaron Bock

Matt, you, Matt shared with us before we actually jumped on and were recording that he listens to podcasts at 1.7x. So I sense efficiency in your life and the ability to condense down, which is great. I was also previously an IT auditor back, way back in the day, big four. And I did some SOC 1, SOC 2s, I was doing some of the SOCs work post Enron. And auditors have for years gotten a bad rap. And there's a lot of reasons why. What do you think makes a good auditor?

What makes a good auditor

Matt Huffman

One of the things that kind of surprised me, when I went was not a lot of the auditors for IT, have a full IT tech background. And that kind of threw me off when I would talk to these guys and they you know, they have CISA you know, they've gone through something like that, or, you know, they might have a Net+ or an A+ if you're lucky. But they have no tech background, no working, you know, ins and outs of the actual, you know, organizational environment and you know, the day to day stuff. So that really threw me off. And it surprised me because I would see guys doing things like, you know, they could just do this or this and get away with it with this or that and, you know, find the ins and outs and that surprised me the most, you know, seeing that they weren't really full on IT people, where the organization would reserve those kind of people for their pentesting or for you know, their MSP services. So that really threw me off from that.

The amount of searching and documentation and just the leeway that they give people. That was to me, like you said, I'm very efficient. So I'm just like, what are we doing here? Let's go.

Aaron Bock

Yeah, yeah, and I can empathize with you or sympathize whatever the, whatever the correct word is for the customer. But I remember asking for, I think we call them PBC lists or request lists like, here's, here's the number of things I need. And you knew on day one, how bad was that going to be. Because it was like, yeah, four weeks, we'll have this to you. It's like four weeks?

Matt Huffman

Yeah, and that next four weeks, and you might have two weeks where you're just waiting and waiting. And then now this next week, here's a big job, and they're ready. But now, so is the other client, and you're just like, Oh. Now you're extra swamped. And, yeah, that kind of stuff, I just, not my forte. You know, I like being busy in a good way. Having 80 hours of work of just searching documentation was not fun.

Aaron Bock

But would you agree? So you, you kind of said before that last statement, you talked about being prepared the documentation, having things ready. I think a lot of people associate that with audits. But wouldn't you agree, that's kind of part of being a good in an organization that documents and has great process and control like, that's part of what makes the audit easier is if you're organized, and you document and you retain documents correctly, that makes audits easier, but I think people view audits as like, I get prepared and do all this stuff. You shouldn't have to if you're organized.

Audit organization strategy

Matt Huffman

No, I mean, it's when you set, when you're doing this audit in the end, you're going to upload everything to a single folder. And you know, that's gonna be all your evidence. You could copy that folder and make, you know, reminders on every piece of evidence that you've provided, you know, whether it's, Hey, this is a screenshot of an application, I just got to make sure this application runs weekly, I get this report daily, I create a work order or a change management, you know, I get this approved through this person, I get that approved through that person. And it's really just once you get it going, it runs itself. But you have to recognize that and want to keep doing that. Like you said, I mean, it's not difficult, no audit is difficult, the auditor doesn't want to fail you, you know, they're there to work with you, when you talk to these auditors and you go over your controls.

That's one of the things that I learned, you know, through, you know, a few years in is, the control is really and you can, you can mold those and manipulate those to fit your, you know, maybe you don't want to go so tight on the screws for security. As long as you're able to mitigate and you know, have those risk appetites and things, you can loosen up a little bit and still meet the control. But a lot of people when they see that might get frightened and think, Oh, I've got to have xy and z like, Well, no, you can have x and z and you just, you know, you mitigate y with this. And you just have to document it and show that.

Aaron Bock

Yeah, I tend to agree with you. Well, one other question on just like auditing in general, and like where we're at in 2023. You know, and my experience may be different, but I did a lot of the organizational level monitoring or auditing and general controls auditing. I know cybersecurity auditing is a totally different beast. But like, with all the requirements now for continuous monitoring, logging, active remediation and review, do you think that some portions of audits are really not as valid anymore as they used to be because we have so much real time monitoring? Or do you still think that like some of that, like, log review controls and continued like, you know, signing off on things, do you still think that that's valid in 2023?

Changes within audit processes across decades

Matt Huffman

Yes and no, I mean, there's always going to be low hanging fruit, and you want to give the client you know, more bang for the buck so you want to keep that in, because if you really streamlined it, I think you would lose some of that. And then there's also, you never know what is going to be the attack vector. You want to be able to have that insight, you want to be able to have those policies, those procedures, because you don't know what tactics are going to be used against you. So the more visibility into environment is not going to be, I don't ever find that being something that's going to be a negative.

The one thing that I would say is that there are a lot of IT people out there who will stay in an environment where they're not getting, you know, the nourishment they need, and they're okay with that. And to me, that's a I don't understand that, you know, I put value on what I do and what I bring, and, you know, it may not be here and it may not be there, but it's going to be somewhere and, you know, I'm always investing in myself and you know, we talked about those efficiencies. You know, I was at a spot where I feel like I could have coasted, I had it like I said running autopilot. And you know that could have been the end for me, but it wasn't, it wasn't. I wasn't ready for that, you know, and here I am taking on a new challenge where I've got a place that is in the spot that needs a lot of help. And my goal is to get us audit ready. So if we ever did have any kind of audit, we're ready to go.

Challenges in preparing for audits

Keith Hawkey

Matt, what are some of the challenges that organizations face in preparing for SOC 1 or SOC 1, type two, SOC 2 audits? What are some of the basics of?

Matt Huffman

I think it's like Aaron alluded to, it's that fear of an audit. I think you get, you get caught up in those headlights, and you start thinking, how am I going to do this? What am I going to do? And we've all been there, whether it be you know, on a school assignment or a project, it just seems so daunting and huge. And when you just decide to nibble around the edges, it takes forever, whereas, hey, I'm just gonna go right up the middle with this thing. And sometimes it's like, oh, that was nothing. You know, it's literally, you know, it's like, oh, we've got to get this giant security policy, well, not really. Start it small, your auditor is going to be able to, you know, you're going to have some time to send that to them and say, Here, here's this, and they're gonna give you some feedback and let you know what it's missing. And, you know, it's like anything, you take that feedback, and you make the adjustments. And I think it's just, it's about tackling it.

There's, you know, like I said, some of these IT people, I mean, I've been on audits where they've, I've asked them about, you know, two factor. Well, we don't have that turned on. Well, why not? Well, they haven't sent me up for training for that. You don't need to train for that, you know, I mean, it's pretty simple to set that up and turn it on. And it's really it comes down to, I think there's still a lot of old school mentality out there with IT as well, a lot of keeping things to ourselves, you know, things are siloed. So there's a big change coming, and you know, people are going to fall by the wayside, and other people are going to either grow and learn, and some are just going to take off. So I think the fear is the biggest thing for the audits, the fear and the, the fear of the unknown, and like I said, it's really not unknown, it's starting small and it grows, you just keep going.

Keith Hawkey

Yeah, that that makes a lot of sense. Have you noticed any technology trends in cybersecurity that can help organizations prepare and pass some security audits?

Matt Huffman

Yeah, there are some systems out there, software, I want to say. I took notes on a lot of these and I don't have them with me at the moment. Like ServiceNow will offer a lot of reports. You can get things out of you know, if you have enough visibility, you could use Lansweeper, or you could use Netwrix. You know, you can get reports out of anything, as long as you've got them fleshed right and configured to monitor what you need, send to who needs to approve them, who needs to do what. You're creating, and documenting, you know, tracking work orders is huge, you know, having those, you know, security incident categories, change management categories, having, you know, if you are a solo IT person, don't make all the decisions, you know, send that off to, you know, the CEO or the CIO to make that final decision, because then it shows, you know, there's a process, you know, and it can just be documented, you know. When XYZ happens, it goes through me, and then it goes to this person for approval. And it's as small as that sometimes you don't need a board and you don't need, you know, meetings every month and people to go through certain things it can, again, this has that flexibility and the controls where you can make some of that happen yourself. Yeah,

Aaron Bock

I love it. I mean, I just wish more people had this view because, I mean, I don't, we don't get audited now but we work with a lot of customers and companies that are going through audits. And the ones that, I think the ones that view it as like I said a burden earlier, they don't understand the purpose. And so what's interesting is like what you're basically talking about, it's just good IT and honestly, business practices of document, prepare, plan, remediate, work on fixing things, like that's just the whole point of an audit is just check in at a point in time and say, Where are we, right? So I love what you're saying.

I've seen more recently and I'm curious, your thoughts on this trend. We're seeing a lot of, especially in the cybersecurity auditing space, which, you know, for those of you who have not gone through it, the listeners out there, a lot of this is being driven from insurance at this point, cyber insurance questionnaires, maybe audits. We're seeing, at least in some subsets of customers, using cybersecurity audits as a jump off point basically to ask for better processes, more investment in certain things and I think what we see is a lot that you mentioned, I forget if it was pre-recording or after we turned on recording, but you're working with a kind of turning around IT and making it better. In that situation, one of the easiest ways to do that is show a bad audit, show a bad result and say, Hey, here's what we need to do to do that. And I'm curious, like what you think of that, that using an audit as that jumping off point? And then where do you go from there, when you do go to try to turn around and make things better?

Matt Huffman

Yeah, I think from the cybersecurity insurance, that too, a lot of people don't realize that the cyber, the insurance companies, they really don't know what they're doing as well. You know, they're throwing a bunch of things on paper and when it comes down to it, and you have to call that in, that is when they're going to actually do their due diligence and look for something that you might be out of the loop on that you didn't know, that's not on that paper and really, really going back to them asking them the questions. You know, it's that's not a to me, those are also controls. When we got that cyber insurance paperwork, I sent that back, I had questions I had, you know, what are you doing for this? What are you covering for that? What are you asking by with this question. But using, using that if you aren't part of an organization that is doing an audit, use that cyber insurance document as your audit, use that. Come back to the organization and be like, Look, they're saying this, which doesn't cover that, you know.

You might have an organization that decides, hey, you know, we're selling widget ABC here, we want to throw in this little other tool that has nothing to do with the organization, but we think companies will like it. But that company and that division is run by, you know, a family member and it's not following any of the rules and you want to make sure you have that locked in, you know, if you're going to say like, look, that's none of that is covered under our audit, and that is wide open, they're running their own devices, they're doing their own stuff.

Like, you have to be able to recognize that and you know, like you said, utilize that cyber insurance, to say like, look, we want to get this in place, we want to put these in place, we want to start building policies, procedures, software security. I think that is a good jump off.

And even, you know, one of the things that I would do too, is my CIO at the time, I was, well not CIO, I have a CIO here, but the CEO and the COO, I would send them notifications every week, Hey look who got breached, look who got breached. And it didn't have to be big breaches, it was little breaches, because a lot of times you'll get that mentality from the C-levels and the execs like, well, we're only a $30 million company, why would they come after us? Well, they're not coming after a $30 million company, they went to an IP range or a scope of IPs and they found what they could get, what was vulnerable. And a lot of times, you could be a pivot point. And I had to explain to them like we are, maybe they don't come to us, but we are a pivot point to all our clients who are larger than us. You know, so they need to see some things like that sometimes.

Aaron Bock

The number of stories out there around what you just said is incredible. The, "We're not big enough." For anyone listening, that is a completely invalid statement in 2023 and probably will be forever from now on because of AI and all the different reasons. Like people aren't targeting like a certain size company, they're targeting whatever's out there and they're targeting it because it's just part of a, like you said, it's a block of IPs or it's something easy.

One of our favorite topics on this podcast with just all of our guests is the theme around AI. You mentioned it earlier, like writing policies with ChatGPT or Bard. How should people consider using AI for you know, policies? What are some other ideas people can use AI for in helping them with audits?

Writing policies with ChatGPT

Unknown

Yeah, definitely. It's funny as I, I recently, probably in the last five months have turned around on AI. I was very proud of all my documentation that I created. I won an award at school for a paper that I wrote because of it, you know, they turn it into a system that will scan it for any kind of plagiarism. And, you know, you're allowed, you know, 10 to 30% based on citing and everything. I had a 0.0 so I was just like, oh, this is good, they're gonna flame out or it's gonna be great. And it was good. So I was very proud of it, you know, I put a lot of work in. But then yeah, I got to a position like this again and I'm just like, you know, where were these emails? You know, you want to, you wish you'd go back and find your old stuff because you're like, I've spent so much time on it and I worded at it and so you make a rough draft and then it wasn't cutting it and I'm just like, Alright, let me give it a go. So I started throwing things into ChatGPT.

And, you know, whether it be an email telling everybody Hey, this is how we're going to start doing our phishing training or, you know, a small mobile device policy, you don't want to start, you know, you can finagle, you know, you can, it's awesome what you can do. You can say, hey, less words, more words, put in three bullet points, take out five, you know, and it's, it really is a good tool, but what I do, you know, I haven't gone where it comes right out of the box. I will create what I want, throw it in there, have it zhuzh it up, then I'll clean it up. And then, you know, I still I have the final oversight on it. So I think people need to use it like that, I think that's going to be the best way. I do see people using it for coding, I have not done any of that yet. For auditing, it's definitely good to, like I said the policies and procedures, I guess I really would have to look more to see what else I could do with it.

You know, I don't know if it does reminders for you, if you want to have ChatGPT, create some kind of scheduling, you could have it do something like that, you know, maybe put in your team, their skill set and see if they can do any kind of assigning. That would be a good, a good way to test it out as well.

Keith Hawkey

You mentioned that you had tested it out with some of the, against some of the policies and procedures that you came up with. What did you notice that ChatGPT produced, compared to what your methodology had arose to?

Matt Huffman

Sometimes it adds a few things, it's a little more thorough, it could be too thorough, too in depth, too many steps. It will do that, you know, one of the things that I kind of liked from being an IT manager, and what I've done throughout my career, I feel like I remember what, I didn't grow up in computers. This is like my third career. You know, I've been in it for about 15-17 years now. You know, and I, I remember my first laptop I had for school. I was in school for firefighting, and I've had that thing in a sleeve inside another sleeve in a backpack. Like it was my first computer, I, you know, didn't know what to do with it, I treated it with, you know, like gold. And you know, a year later, I'm pulling it apart and doing everything I can. So I still remember how it felt. And I remember, you know, looking at a computer not knowing what to do.

So I tried to break things down for my users, and I try not to get too far above their heads. And I want them to feel comfortable with technology. So that's one thing I've always done. And one thing that ChatGPT does, it doesn't know how to do that. So I do know how to myself tone it down and kind of put it in, you know, take out some of the, you know, the buzzwords it likes to use and things like that or any like I said when it gets too far down any lane.

Aaron Bock

But to your point, I think like I mean, this isn't a question, this is a statement. When you know Keith and I interview a lot of customers about specific problems, broad, we talk to CFOs, CTOs, CIOs, all the way down to a system admin. Something that in this day and age like to me, it's like, I hear people and they're like, well, we don't have a policy for that. I mean, at a minimum, put something into ChatGPT, write a policy, even if it's not the best, like you've got a lot of experience, put something in place so that you have it and you can at least go back and say like, I have this like my framework. Yeah. Yeah, like I mean, it's crazy. You can ask you, like you said, you can ask it to say, map to blank control and write a policy and just reference it and yeah check it but like, it's going to do it for you.

Matt Huffman

You could I mean, there is, I don't know if people know how to use it well enough, but like, you can tell it out the gate like, Hey, here's who I am. Here's my views on things, it's going to ask you a couple of things, you can load that in ahead of time so it starts to try to learn as you talk. But yeah, literally, you could say I need an MDM policy for 50 cell phones on Verizon, I would like to keep the users to using our devices, if they're going to use email on their own devices we're going to lock it down. And you could just say what you want to say to it and it will put it where you want to go. It'll take you to that policy, it'll create it and then you know, obviously you'll read it over and you could even just write after you see it, less words, more bullet points, you know, friendlier, sterner, you know, you could do things like that and it's going to keep spitting it out till you get what you want. You're like, I don't like that line, I don't like that line, but everything else is gold.

Aaron Bock

I know I'm using, I'm using ChatGPT on how to better communicate with my kid. No, I'm just kidding, I'm not.

Matt Huffman

But I coach my daughter's softball and I had it put together a practice schedule for us. I said, I need, you know, I need, give me 20 minutes of conditioning, give me 20 minutes of fielding. I knew I wanted to do a scrimmage and give me you know, 20 minutes of this and then you know it set everything up. It gave me the times it broke it down. And I knew all right, we're good. That's what we're gonna use.

Aaron Bock

That's awesome. I, Keith I know you probably have a question. Real quick, I want to transition back a second away from the AI conversation because we have this a lot and you have a lot of kind of interesting experience. Shifting back, you're an IT manager and you're doing you know, you're trying to help create better policies, procedures, make sure controls are in place for IT, have efficient systems. What has made you, how has an IT auditor, that experience and dealing with audits made you a better IT manager one? And then two, for those students that are in college, because IT audit has always been something where there's a lot of jobs typically coming out of college. Like, would you still recommend students go to that? Is that a good career path to get where you're at? Just kind of share your thoughts on what makes you better at your job from your experience?

IT career paths for students

Matt Huffman

Yeah, one of the things I mean, it definitely reaffirmed my love of IT. You know, and it did show me that, hey, I am, I am that dude, I'm the guy that goes, you know and I keep going, I don't settle, you know, I'm always going forward. And, you know, a year of auditing, say, 100 different companies and IT departments, you see a lot, you don't see a lot of people like yourself, you know.

And then like I said, you see some of those issues and you're like, man, you could just do this, or you need to do that. Or you just tell them, you know, you guys got to do this, you know, and you're seeing all these holes, and no one's doing anything about it. And you realize there's a lot of bad IT out there. And, you know, this isn't what I want to see, I don't want to be in this negativity. So it definitely reaffirmed my love.

It made me realize that like, Hey, I like making changes, I like getting problems, I like to be hands on. I don't want to see a problem and just give someone an answer and that's it, I'm out the door. I want to be a part of that I want to see it to, you know, to the finish. As far as new people coming out of school, it really depends. You know, I mean, if you're in IT, I would not want to be in that because you're not going to get the full IT experience.

You know, as you're moving your way up in your career, and you need a stopping point, probably mid level, it'd be nice. But then I don't know, I think it takes a real special person to want to sit, you know, the, the best part of it was only about 5-10%, where you're really involved. I mean, there's so much documentation and so much, you know, the interviewings when you're interviewing other IT people is good to talk to them, to meet people, you know, I can do all that all day.

But there is a solid chunk where you are alone with a document, looking through controls, and you're looking through this, and you're looking at that. Does this meet this? And then finding the evidence and then waiting for it or requesting it. There's a lot of follow up there and a lot of stuff, if that's your if that's your forte, jump in, you know, feet first head first, whatever you want to do.

But if you're new, and you want to be in this and you have that inquisitive mindset and you're you know that IT tech detective, and you want to fix things, and you're a people pleaser. Like I have never been the IT guy was like, ugh users, like no, these are my people like I'm here to make them better. My goal is for everyone who ever leaves here to go, that was the best IT department I've ever worked with, you know. So that's always my goal.

So if that's you, then, you know, probably not jump in there. But don't be afraid of it too.

Keith Hawkey

What do you, do you guys hire graduate students from universities at your organization, have you had experience of that?

Matt Huffman

I did have a little turnaround here, you know, change of culture coming in. I did have one person right now who is still in school. And helping him and mentoring him has been rock steady. And actually I've got a new guy starting today as well, and I've had a new one start last week. So my team is now set. I've got people who have that same mentality and buy in as myself and we're ready to just, you know, I was done pulling this and I'm ready to just run with this with everybody else.

So I look at it as any level if you're, if you're into it, like I'm going to be into it too. Like I run a local IT group. You know, I'm always looking to mentor people and help people and I think that was big for me early in my career. And I want to keep helping that because you know, it's, you know, read it, write it, do it, teach it that whole thing just keeps re-solidifying. And I always learn from them, they learn from me and I don't want to stop yet. Like I said I'm not ready to cruise.

Keith Hawkey

To those IT leaders that are looking to hire younger talent, particularly fresh out of college, what can they expect in a new generation? How do they, how do you motivate them? How do you, what skill sets should you look for? What gets them ticking and in sync with the organization? What do you say to that?

Matt Huffman

Yeah, that's a difficult one because you know, through the process of me hiring people, you know, the pandemic didn't help, a lot of people getting overpaid, a lot of people jumping around didn't help. So you got a lot of people with inflated ego thinking that they have the need that you want.

And me, I look for a particular personality trait, a particular, you know, I want someone who wants it, who's going to get it, who's going to put in the time, I'm looking for someone like me, and that's hard when you, you know, I inherited a group of people who were not. People who were the coasters who were, you know, the social loafing was the norm, you know, we get put on a group project well the group will do it.

And you know, if you have four people in the group, and all four think someone else in the group is going to do it, it's not going to get done. You know, I want people that are like, I'll just do it myself. Like, no, we'll put you in a team and you'll all get it done, but I think it's, there is a mentality out there with this younger generation that you know, they, they've earned it before they work for it.

They'll work hard after you pay them or, you know, they're not here to work hard, because they want that balance. And they don't know what the balance is yet, but they think it's earned and already given to them. Now, that's just my two cents.

Keith Hawkey

Yeah, yeah, that certainly speaks to us. We hire, typically a younger audience as well at Opkalla. And it's, it's definitely a different mindset, we try to lean on the, the urge to try new things, and encourage that. For one, whenever ChatGPT came out, we encourage everyone to try to find ways to leverage this tool in your job. Yeah, from day one as an initiative. So I think the new and the fresh attracts, is attractive toward the younger audience.

And we certainly lean on those types of initiatives to encourage them to grow and develop, at least from our side of the organization, Opkalla.

Matt's thoughts surrounding future tech

Aaron Bock

The question I have, for our listeners, we always ask about kind of future tech, and it feels like the last five or six guests have been, we've talked a lot about like generative AI, predictive AI, etc. I want to, I want to kind of exclude AI, it could be a tool that's sort of around AI and has some components. But from your perspective, as an IT leader, what tech are you most excited about over the next five years or so, that is not specifically AI?

I mean, I know it's hard to find one anymore, but like, what are you most excited about that you feel like it's gonna make a big change for you.

Matt Huffman

That's a good one. I'm not too keen on the cloud. I just, I feel like a lot of people are relying on that for security, thinking it's someone else's device, and they're not realizing that it's not. Maybe it's not tech, but maybe it's more of a process. Maybe I'm more excited that more people are going to start getting into security, and figuring out security. We're gonna start seeing a lot of, for that to happen, though, we're gonna see a lot of bad too, you know.

You can't have all the tightening and all the figuring of things out and the good products without bad things happening. So I think we're gonna see a lot of stuff. We're gonna see a lot of people, you know, like this MGM thing, all the different sides of it coming out. I like that there's information, you know, that, you know, you're going to hear people, you know, I have older relatives, like, Oh, my God, these people hack that company.

It's like, well, that's not really what happened, you know, they were in the middle of negotiating with them. And the company kind of did it themselves a little bit. So it's, you're gonna see a lot of bad practices blamed on, you know, other people and other things. But being that we're in kind of an information age, who knows. I mean, kind of back to your early stuff, like, maybe we get some stuff released. And we figured out how to make that paper thin saucer, right.

Some of that technology, some of that no fossil fuel energy, and we all get jet bikes and stuff like that, that'd be nice. Motorcycle in the sky.

Aaron Bock

There we go. Perfect. I love it. That's, if that's the new tech we're looking forward to, I'm excited.

Matt Huffman

Yeah, I really don't think a lot about the future in that aspect. I just kind of roll with everything. And, you know, I do try to go to a lot of events and conferences and see what's coming out there and, you know, I get excited when I see it, you know. Pipe dreams, you know, I don't really chase that. You know, let me see what you have done. Let me see what's really coming.

Keith Hawkey

Yeah, I think I couldn't agree more. We're coming up to about the end of the podcast, Matt.

Matt's message to IT leaders

And one thing we like to do is ask if you could disseminate a message to the wider tech industry, could be about some personal advice that you have, it could be about a philosophy of going about work, could be about a lot of things. What would you tell an eager audience looking for advice, when it comes to how to be a more effective IT leader?

Matt Huffman

Definitely believe in yourself. You have to put yourself out there, you have to be your first fan, you have to be the one putting you out there and doing everything for yourself. Know your value. No one's gonna do it for you. So you have to definitely do that for yourself and invest in yourself, keep putting it back into you, it's going to come back and, and if it doesn't, you still invested in yourself, you put that time in for you.

So I definitely, always feel like, you know, continuing education, you know, keep tinkering with toys, and different, you know, little doodads and events, you know, not events, devices, and, you know, go to events, learn those things. To me, it's that. It's just putting back, you're gonna get back what you put in, you know what I mean. If you're a plant, keep watering yourself, keep out in the sun. Keep doing that.

Don't expect, oh, I got hired here, they're going to send me to an event, they're going to train me, they're going to do this. They're not going to do that. They don't care. I mean, unless you've got it worked in or you have a manager like me, who wants to send you somewhere. You can't always assume that. So do it yourself, get it done. Find those things that motivate you and keep you going.

Aaron Bock

I love that. That's great life advice in general. And it can be applied to any team, any individual, any career. I love it. Matt, this has been an awesome episode. Thank you for sharing all of your knowledge. For those listeners out there, what's the easiest way to connect with you?

Matt Huffman

Wherever you can find me. LinkedIn. I don't really like hang out on Facebook. I don't do the TikTok thing that much because you just get sucked down that hole for an hour or three. But no, LinkedIn, email, mhuffman@reinders.com. My personal email is mhuffman23@gmail.com, if anybody wanted to reach out to me. I'm an open book. I'm willing to talk to anybody, help anybody out, do stuff. So, all good.

Aaron Bock

Yeah, we appreciate it. This has been awesome. And you took time out of your day, which we appreciate and I know our listeners will appreciate it. So thank you, Matt, Keith, another great episode. To all our listeners out there thank you for joining us again on the IT Matters podcast. Remember to subscribe on your favorite podcast platform. Leave us a review. Hopefully it's five stars, although I know our jokes sometimes might bring a star down.

But please leave a good review for us and we hope you have a great rest of the day and week.

Narrator

Thanks for listening. The IT Matters podcast is produced by Opkalla, an IT advisory firm that helps businesses navigate the vast and complex IT marketplace. Learn more about Opkalla at opkalla.com.

Transcript source: Provided by creator in RSS feed